Quaoar CTF : WalkThrough

Quaoar is a CTF challenge for 2016. It is an easy challenge. You can download it here: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/

The following article shows the walkthrough for the Quaoar virtual machine challenge.

Let’s start:

I turned on VMware and started Quaoar:


The IP address for my Quaoar VM is 192.168.0.122.
To find the vulnerable machines from your attacking machine, see: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/

As the above screenshot suggests, we need to get the SHELL, ROOT and POST EXPLOITATION flags.

  1. An nmap scan gave me a pretty good idea about the services.
    1. nmap -sV 192.168.0.122
    2.   I checked the webpage on this address, It looks like
  2.  I used Dirb for my next step to check all the existing directories and it gave me something useful.
    1. dirb http://192.168.0.122
      1. The website uses WordPress CMS
      2. The website uses Lepton CMS — I didn’t find it of much use here!
  3. I checked the authors for WordPress. Found admin as the author or the user for the WordPress!
  4. Now, I visited 192.168.0.122/wordpress/wp-admin for the WordPress login panel, randomly tried the username admin with the password admin, and it worked!
  5. I visited Appearance -> Editor, changed the main index file and added the code of the c99 shell to it! So the first objective, GETTING A SHELL, ends here!
  6. Now, I can walk through directories internally and check for the flags. So I went to the home directory to check the user directory and found the first flag.
    1. The first flag that I found was in /home/wpadmin/flag.txt
  7. The second statement in the very first screenshot says “Get Root Access”. So now I looked through the nmap scans and tried to find any vulnerability related to remote execution for getting root access to the system, but had no luck! So I went on and took a look at the wp-config file, since it contains the database information and could contain other login details, and looked for DB_USER and DB_PASSWORD. user: root password: rootpassword!
  8. I used these credentials for the ssh login and found another flag!
    1. ssh root@192.168.0.122
    2. So I got root access!
  9. Now the third flag is POST EXPLOITATION, which means it could be anywhere in the OS now that we are root! So to find it I tried find / -name flag and also tried grep -i for keywords such as post, exploit, flag, but had no luck!
    1. Finally I tried a regex command to find md5 hashes in the files in different directories and found the 3rd flag!
      1.  egrep -r " [a-z0-9]{32,32}" /etc/

There can be more than one way to solve the Quaoar Virtual Machine Challenge. For the privilege escalation, instead of obtaining the password from the wp-config file, we can look for kernel exploitation code for this VM, since it is also vulnerable! You can find the exploit code for this challenge here: https://www.kernel-exploits.com/
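
The chain in steps 5, 7 and 8 rests on three settings: the dashboard file editor, a root database account in wp-config.php, and root password login over SSH. The shell check below for those settings is an added example, not part of the original walkthrough; the function names and sample file contents are constructed, while DISALLOW_FILE_EDIT and PermitRootLogin are the real WordPress and OpenSSH settings.

```shell
#!/bin/sh
# Added example, not from the original post: checks the three settings that
# made the chain in steps 5, 7 and 8 work. Function names are hypothetical.

# Print the value of a define() constant ($1 = wp-config.php, $2 = name).
# Assumes the usual one-line define('NAME', value); syntax.
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${2}['\"][[:space:]]*,[[:space:]]*['\"]\{0,1\}\([^'\")[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Print one finding per line; return 0 if clean, 1 otherwise.
# $1 = wp-config.php, $2 = sshd_config
audit_chain() {
    findings=0
    # Step 5: the dashboard editor allowed PHP files to be changed.
    case "$(wp_define "$1" DISALLOW_FILE_EDIT)" in
        true|TRUE|True) ;;
        *) echo "DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled"
           findings=$((findings + 1)) ;;
    esac
    # Step 7: WordPress connected to the database as root.
    if [ "$(wp_define "$1" DB_USER)" = "root" ]; then
        echo "DB_USER is root: use a dedicated low-privilege database account"
        findings=$((findings + 1))
    fi
    # Step 8: root could log in over SSH with a password.
    # Only an explicit "yes" is flagged; the default when unset depends on the OpenSSH version.
    root_login=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$2")
    if [ "$root_login" = "yes" ]; then
        echo "PermitRootLogin yes: root password login over SSH is allowed"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample input resembling the configuration in the walkthrough.
cfg=$(mktemp)
sshd=$(mktemp)
printf "%s\n" "<?php" "define('DB_USER', 'root');" \
    "define('DB_PASSWORD', 'constructed-placeholder');" > "$cfg"
printf "%s\n" "Port 22" "PermitRootLogin yes" > "$sshd"
audit_chain "$cfg" "$sshd" || echo "=> findings reported for the sample files"
rm -f "$cfg" "$sshd"
```

These checks cannot detect the password reuse itself (the database password doubling as the root login password) or the admin/admin dashboard login from step 4; both need a credential review.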
