This shall be a record of my escapades into the world of ones and zeros.


wwrdpldnadmin | 17 March, 2017 14:05

This is my first public publishing of a pen test. I have been pen testing for about 3 years as a hobby and I enjoy it immensely. I realize that part of pen testing is the ability to write reports that can be handed over to the concerned parties receiving the pen test so I have decided to begin practicing this art. I also decided to start with an easy one so that I could focus on the report and not the actual penetration of the machine.


I chose Quaoar for this purpose as it explicitly stated it was easy.

I launched the ova in vmware player and it present me with instructions and the ip address as The first thing I did was launch zenmap,...yes zenmap. I hear you groan. I like gui's,...bite me.

#nmap -T4 -A -v

Zenmap spit out the following information:

Discovered open port 110/tcp on
Discovered open port 139/tcp on
Discovered open port 22/tcp on
Discovered open port 995/tcp on
Discovered open port 53/tcp on
Discovered open port 445/tcp on
Discovered open port 143/tcp on
Discovered open port 80/tcp on
Discovered open port 993/tcp on

Since I already know this is supposed to be easy and I wanted to focus on the report I decided to go straight to dirbuster without even opening a webpage.

I ran dirbuster and pointed it to and immediately found wordpress. Now anyone who has ever done anything with wordpress knows that it has always been plagued with vulnerabilities. Again, knowing this is supposed to be easy, I go straight to the login page and find the user/password is set to admin/admin.

A quick google search shows a plethora of easy hacks for authenticated admin privileged wordpress control panels, namely, direct coding of template pages.


I navigate to the "twenty thirteen" template page and select the 404.php page. I delete all of the code and paste in


I save the page and navigate to it and issue a cat against /etc/passwd

/etc/passwd output:

list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
colord:x:104:109:colord colour management daemon,,,:/var/lib/colord:/bin/false
avahi:x:106:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dovecot:x:109:120:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:110:65534:Dovecot login user,,,:/nonexistent:/bin/false
libvirt-qemu:x:112:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:113:123:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
postgres:x:115:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

I see the only user other than root is wpadmin. I recall SSH was open on port 22. I think about brute forcing wpadmin but I remember, once again, that this is supposed to be easy. So before brute forcing it I ssh as wpadmin.

$ ssh wpadmin@ using wpadmin as the password.

Success! Wow this one really is easy.

The first flag was in the wpadmin home directory.
$ ls
$ cat flag.txt   

I moved to a bash prompt just to make things easier
$ /bin/bash

I verified wpadmin does not have sudo priv so I grab some info on the system.

wpadmin@Quaoar:/$ cat /etc/*release*
wpadmin@Quaoar:/$ cat /proc/version
Linux version 3.2.0-23-generic-pae (buildd@palmer) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu4) ) #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012

I tried a couple privilege escalations but the wpadmin user's privileges were too low to execute them. I began searching through folders for anything useful. When I got to the www folder I found a folder called uploads. It had shown up in the dirbuster scan also but I had put it in the back of my mind. I open the folder and I find the config.php file located there. The file has the connection string for the databse and it showing the connection credentials in clear text. The username/password is root/rootpassword! I start wondering about digging through the database but then I realize,..could this actually be the password for the root user?

I ssh'd back into the box:
root@'s password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Mar 16 13:25:52 EDT 2017

  System load:  0.01              Processes:             106
  Usage of /:   30.1% of 7.21GB   Users logged in:       1
  Memory usage: 38%               IP address for eth0:
  Swap usage:   0%                IP address for virbr0:

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com

Success! Again, Wow, that was easy!

root@Quaoar:~# ls
flag.txt  vmware-tools-distrib
root@Quaoar:~# cat flag.txt

Now, there is supposed to be a third flag. I searched for various terms and came up wanting. I wouldn't think this third flag would be hard to find given that everything else has been ridiculously easy. I look through a couple of walkthroughs from others and I see no one else is finding it either, actually only a couple even mention it. I have sent an email asking for verification that there is a third flag. I have not received an answer as of this posting. I will update it if I receive confirmation that it exists and again if I manage to find it.



Accessible and Valid XHTML 1.0 Strict and CSS
Powered by LifeType - Design by BalearWeb