Hello!  I’m back with another CTF writeup.  This one was quite easy, so I’ll spend some time focusing on some of the techniques I used.  This boot2root was called Quaoar and it was from hackfest2016.  Let’s get started!

As always, we begin with an nmap scan to identify open ports.

Perfect!  Lots of open ports to begin enumeration.  I always like to start with webservers as they usually contain a lot of details.

Hmm.. not much interesting on the website or the source.  Let’s see what dirb picks up.

Oh boy that’s a lot of stuff.  Let’s begin with /upload/

Hm… not much interesting here.  A lot of the links seem to be statically coded with IP addresses?  I’m not sure if that’s a bug or intentional.  Not a lot works.

A couple of things of interest.  Let’s table these because we can’t find much on the Lepton page that actually works.  Luckily, there’s a wordpress site.  Let’s take a gander.

I can’t find anything useful… let’s check out the admin page

I always like to try defaults like admin/password and admin/admin.  This time…

It was admin/admin!  woot


Time for a shell.  I used the php-reverse-shell and this tutorial to get a malicious plugin.

And there we go.  Time to get root.  Normally, I run the linuxprivchecker.py script, but this time I decided to do manual enumeration.

The first things I check are the following: users, processes, network connections.

Well we see one user.  Let’s check their home directory.

and there is our first flag.  Excellent!

The network connections turned up something interesting.  MySQL appears to be listening locally only.  Let’s keep that in mind.  Normally, Word-Press keeps MySQL credentials in the configuration file.

Normally, you should create a separate MySQL account for managing the database.  In this case, it looks like they used root.  Let’s try and use the password we found to su to root.

And there’s the # we love so much.  For the flag, we check the typical directory /root.

And there’s the second flag.  (I could never find out why my characters were doubling after using python -c ‘import pty; pty.spawn(“/bin/bash”)’  I assume it has something to do with the pty shell.)

The VM description talked about a 3rd flag found via post-exploitation.  I poured through the database and all the files on the system.  I couldn’t find a third flag.  I wonder if it has to do with the statically configured IP addresses on the other web server?

Until next time!

Leave a Reply

Your email address will not be published. Required fields are marked *