Here is my writeup about the Quaoar CTF:

First thing I did is running Nmap:

So there is no Vulnerable Service running. Lets look at the Webapplication.

First thing i tested is if there is a robots.txt. And there is one with following Output:

Disallow: Hackers
Allow: /wordpress/

 

So since there is a WordPresssite I checked with wpscan if there are Vulnerable Plugins etc.

wpscan http://192.168.139.130/wordpress/

but nothing found.

So I’m trying to enumarate Users with following command:

wpscan -u http://192.168.139.130/wordpress/ –enumerate u

So admin user is there. Now we can try the default „admin:admin“ to login and we can login successfully.

Now to Upload a shell we can simply use a Metasploit Module named exploit/unix/webapp/wp_admin_shell_upload

After giving IP,Targeturi,Username and Password we get shell back:

Now trying to get all Information possibile we can see in the wp-config.php the root password:

/** MySQL database password */
define(‚DB_PASSWORD‘, ‚rootpassword!‘);

After that we can try to ssh into Quaoar with the root password:

Now we can open up the flag:

 

Thanks to Viper it was very funny to get some time passed 🙂