QUAOAR: VULNHUB WALKTHROUGH 

GETTING STARTED  ENSURE YOU HAVE A HYPERVISOR INSTALLED ON A MACHINE YOU CAN ACCESS  VMware and VirtualBox are among the most notable option  DOWNLOAD KALI LINUX AND QUAOAR VIRTUAL MACHINES  https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image- download/  https://www.vulnhub.com/entry/hackfest2016-quaoar,180/  USE RECOMMENDED SETTINGS ON SETUP, ENSURE BOTH NETWORK TYPES ARE NAT 

RECON  BOOT UP BOTH THE KALI LINUX AND QUAOAR VMs  NOTICE THE [VICTIM ADDRESS] IS GIVEN TO US ON QUAOAR  CAN NOW START PROBING THE VICTIM 

RECON  RUN NMAP OVER [VICTIM ADDRESS]  NETWORK MAPPER  OPEN-SOURCE VULNERABILTY AND NETWORK SCANNER  IDENTIFY WHAT DEVICES ARE RUNNING ON A SYSTEM  PORT SCANNING  OS DETECTION  SERVICE DISCOVERY  SECURITY AUDITING  nmap –sS –v –A [VICTIM ADDRESS]  -sS: TCP SYN SCAN, STEALH MODE  -v: VERBOSE OUTPUT  -A: OS, VERSION, TRACEROUTE, SCRIPT SCAN ENABLED 

RECON  TAKEAWAYS FROM THE NMAP SCAN  PORT 80 IS OPEN. HTTP  SITES /ROBOT.TXT FILE HAS INFO  WEB ROBOTS READ THIS PAGE TO KNOW IF THEY ARE “ALLOWED” TO SCRAPE THE PAGE OR NOT  NAVIGATE TO HTTP://[VICTIM ADDRESS]/ROBOTS.TXT  NOTICE THAT /WORDPRESS IS AN ALLOWED PATH  CAN INVESTIGATE IF YOU WANT BUT FIRST TOOL THAT COMES TO MIND IS WPSCAN 

RECON  WPScan  BLACK BOX WordPress VULNERABILITY SCANNER USED TO FIND SECURITY ISSUES  RUN wpscan –-url [victim address]/wordpress  MUST INCLUDE THE /WORDPRESS PATH SINCE THE WORDPRESS SITE STARTS THERE  NOTICE ALL THE VULNERABILITIES, WITH LINKS TO THEIR EXPLOITS 

RECON  WPScan CONT.  LETS TRY TO GET THE USERNAMES AND PASSWORDS WITH WPScan  RUN wpscan –-url [victim address]/wordpress –e u  -e u: ENUMERATE THE USERS  USERS ADMIN AND WPUSER ARE FOUND  SINCE ADMIN ACCOUNT IS STILL ACTIVATED, I WONDER IF THEY ARE STILL RUNNING DEFAULT A DEFAULT CONFIGURATION ON THE WORDPRESS SITE  ADMIN/ADMIN WAS STILL THE USER/PASSWORD 

RECON  LOOK AT THE PLUGINS ON THE WORDPRESS SITE  A QUICK GOOGLE SEARCH OF THEM YIELDS A FILE INCLUSION EXPLOIT ON MAIL MASTA  http://[VICTIM ADDRESS]/wordpress/wp-content/plugins/mail- masta/inc/campaign/count_of_send.php?pl=/etc/passwd  THIS RETURNS THE /ETC/PASSWD FILE FROM THE VICTIM MACHINE  FOUND TWO USERS OF INTEREST  ROOT AND WPADMIN 

GAINING ACCESS  ATTEMPT TO SSH USING ROOT ACCOUNT WITH DEFAULT PASSWORD  SECURE SHELL PROTOCOL  A METHOD FOR SECURE REMOTE LOGIN  RUN ssh root@[victim address]  DEFAULT PASSWORD DOESN’T WORK HERE  WHAT ABOUT THE OTHER USER WE FOUND, WPADMIN?  SUCCESS, THIS ACCOUNT WAS STILL SETUP WITH THE DEFAULT PASSWORD, SAME AS USERNMAE  COULD HAVE USED /usr/share/dirbuster/wordlists# ssh wpadmin@[victim address] 

PRIVILEGE ESCALATION  WE HAVE CONTROL OVER WPADMIN AND NEED TO BEGIN TO SEARCH FOR FLAGS, “IMPORTANT FILES”.  ls ON HOME DIRECTORY YIELDS FIRST FLAG  LETS LOOK AT THE /CRON FILES  CRON FILES ARE VERY USEFUL TO ATTACKERS AS CRON FILES ARE ON EVERY UNIX OPERATING SYSTEM AND ARE USED TO SCHEDULE JOBS  NAVIGATE TO /ETC FILE  ls TO FIND CRON FILES 

PRIVILEGE ESCALATION  cat cron.d  YIELDS THAT A FILE CALLED PHP5 IS SCHEDULED TO RUN ON THIS OS  THIS DOESN’T LEAD ANYWHERE BUT AS SHOWN, THIS IS A GOOD THING TO GET IN THE HABIT OF CHECKING WHEN YOU HAVE ACCESS OF A VICTIM MACHINE  SINCE MANY DEFUALT CONFIGURATIONS HAVE BEEN FOUND, LETS SEE IF /VAR/WWW IS THE DEFAULT DIRECTORY FOR THE WORDPRESS SITE  APPEARS SO 

PRIVILEGE ESCALATION  THERE ARE MANY FILES AND DIRECTORIES IN THIS /VAR/WWW DIRECTORY, HOW DO WE FIND USEFUL DATA?  LETS TRY grep ‘root’ * -R | less  SO MUCH DATA!! WE NEED TO REFINE THIS  RECALL THAT THE VM IS SCHEDULED TO RUN A FILE CALLED PHP5 ON THE ORDRE OF MINUTES  LETS SEE IF WE CAN FIND SOME PHP CONFIGURATION FILES IN THIS DATA 

PRIVILEGE ESCALATION  /WORDPRESS/WP-CONFIG.PHP LOOKS PROMISING  RUN cat wordpress/wp-config.php  REVEALS ROOT USERNAME/PASSWORD  root/rootpassword!  RUN su root AND INPUT THE FOUND PASSWORD  WE HAVE ROOT ACCESS!!  RUN whoami TO ENSURE YOU ARE ROOT  RUN ls TO FIND THE FINAL FLAG 

Q&A  DID ANYONE SEE A DIFFERENT WAY TO GAIN ACCESS?