Vulnhub Walkthrough

UNTCSC
September 26, 2019

Transcript

  1. GETTING STARTED
     - ENSURE YOU HAVE A HYPERVISOR INSTALLED ON A MACHINE YOU CAN ACCESS
     - VMware and VirtualBox are among the most notable options
     - DOWNLOAD THE KALI LINUX AND QUAOAR VIRTUAL MACHINES
       https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
       https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
     - USE THE RECOMMENDED SETTINGS ON SETUP, AND ENSURE BOTH NETWORK TYPES ARE NAT

  2. RECON
     - BOOT UP BOTH THE KALI LINUX AND QUAOAR VMs
     - NOTICE THE [VICTIM ADDRESS] IS GIVEN TO US ON THE QUAOAR CONSOLE
     - WE CAN NOW START PROBING THE VICTIM

  3. RECON
     - RUN NMAP OVER [VICTIM ADDRESS]
     - NETWORK MAPPER: OPEN-SOURCE VULNERABILITY AND NETWORK SCANNER
     - IDENTIFIES WHAT IS RUNNING ON A SYSTEM: PORT SCANNING, OS DETECTION, SERVICE DISCOVERY, SECURITY AUDITING
     - nmap -sS -v -A [VICTIM ADDRESS]
       -sS: TCP SYN SCAN, "STEALTH" MODE
       -v: VERBOSE OUTPUT
       -A: OS DETECTION, VERSION DETECTION, TRACEROUTE AND SCRIPT SCAN ENABLED

  4. RECON
     - TAKEAWAYS FROM THE NMAP SCAN
     - PORT 80 IS OPEN: HTTP
     - THE SITE'S /ROBOTS.TXT FILE HAS INFO. WEB ROBOTS READ THIS FILE TO KNOW WHETHER THEY ARE "ALLOWED" TO SCRAPE A PATH OR NOT
     - NAVIGATE TO HTTP://[VICTIM ADDRESS]/ROBOTS.TXT
     - NOTICE THAT /WORDPRESS IS AN ALLOWED PATH
     - YOU CAN INVESTIGATE IT BY HAND IF YOU WANT, BUT THE FIRST TOOL THAT COMES TO MIND IS WPSCAN

  5. RECON
     - WPScan: BLACK BOX WordPress VULNERABILITY SCANNER USED TO FIND SECURITY ISSUES
     - RUN wpscan --url [victim address]/wordpress
     - YOU MUST INCLUDE THE /WORDPRESS PATH SINCE THE WORDPRESS SITE STARTS THERE
     - NOTICE ALL THE VULNERABILITIES, WITH LINKS TO THEIR EXPLOITS

  6. RECON
     - WPScan CONT.: LET'S TRY TO GET THE USERNAMES AND PASSWORDS WITH WPScan
     - RUN wpscan --url [victim address]/wordpress -e u
       -e u: ENUMERATE THE USERS
     - THE USERS ADMIN AND WPUSER ARE FOUND
     - SINCE THE ADMIN ACCOUNT IS STILL ACTIVATED, I WONDER IF THEY ARE STILL RUNNING A DEFAULT CONFIGURATION ON THE WORDPRESS SITE
     - ADMIN/ADMIN WAS STILL THE USERNAME/PASSWORD

  7. RECON
     - LOOK AT THE PLUGINS ON THE WORDPRESS SITE
     - A QUICK GOOGLE SEARCH OF THEM YIELDS A FILE INCLUSION EXPLOIT IN MAIL MASTA
       http://[VICTIM ADDRESS]/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
     - THIS RETURNS THE /ETC/PASSWD FILE FROM THE VICTIM MACHINE
     - FOUND TWO USERS OF INTEREST: ROOT AND WPADMIN

  8. GAINING ACCESS
     - ATTEMPT TO SSH USING THE ROOT ACCOUNT WITH THE DEFAULT PASSWORD
     - SECURE SHELL PROTOCOL: A METHOD FOR SECURE REMOTE LOGIN
     - RUN ssh root@[victim address]
     - THE DEFAULT PASSWORD DOESN'T WORK HERE
     - WHAT ABOUT THE OTHER USER WE FOUND, WPADMIN?
     - RUN ssh wpadmin@[victim address]
     - SUCCESS: THIS ACCOUNT WAS STILL SET UP WITH THE DEFAULT PASSWORD, THE SAME AS THE USERNAME
     - COULD HAVE USED A WORDLIST FROM /usr/share/dirbuster/wordlists INSTEAD

  9. PRIVILEGE ESCALATION
     - WE HAVE CONTROL OVER WPADMIN AND NEED TO BEGIN SEARCHING FOR FLAGS ("IMPORTANT FILES")
     - ls ON THE HOME DIRECTORY YIELDS THE FIRST FLAG
     - LET'S LOOK AT THE CRON FILES
     - CRON FILES ARE VERY USEFUL TO ATTACKERS: THEY EXIST ON EVERY UNIX OPERATING SYSTEM AND ARE USED TO SCHEDULE JOBS
     - NAVIGATE TO /ETC AND ls TO FIND THE CRON FILES

  10. PRIVILEGE ESCALATION
     - cat cron.d YIELDS THAT A FILE CALLED PHP5 IS SCHEDULED TO RUN ON THIS OS
     - THIS DOESN'T LEAD ANYWHERE, BUT AS SHOWN, IT IS A GOOD THING TO GET IN THE HABIT OF CHECKING WHEN YOU HAVE ACCESS TO A VICTIM MACHINE
     - SINCE MANY DEFAULT CONFIGURATIONS HAVE BEEN FOUND, LET'S SEE IF /VAR/WWW IS THE DEFAULT DIRECTORY FOR THE WORDPRESS SITE
     - APPEARS SO

  11. PRIVILEGE ESCALATION
     - THERE ARE MANY FILES AND DIRECTORIES IN THIS /VAR/WWW DIRECTORY. HOW DO WE FIND USEFUL DATA?
     - LET'S TRY grep 'root' * -R | less
     - SO MUCH DATA!! WE NEED TO REFINE THIS
     - RECALL THAT THE VM IS SCHEDULED TO RUN A FILE CALLED PHP5 ON THE ORDER OF MINUTES
     - LET'S SEE IF WE CAN FIND SOME PHP CONFIGURATION FILES IN THIS DATA

  12. PRIVILEGE ESCALATION
     - /WORDPRESS/WP-CONFIG.PHP LOOKS PROMISING
     - RUN cat wordpress/wp-config.php
     - REVEALS THE ROOT USERNAME/PASSWORD: root/rootpassword!
     - RUN su root AND INPUT THE FOUND PASSWORD
     - WE HAVE ROOT ACCESS!!
     - RUN whoami TO ENSURE YOU ARE ROOT
     - RUN ls TO FIND THE FINAL FLAG
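A defender-side complement to slide 7: the Mail Masta file-inclusion request leaves a recognisable trace in the web server's access log. The Python script below is an added example, not part of the original deck and not code from WPScan or the Mail Masta plugin; it parses a few constructed Apache combined-log lines and flags requests to that endpoint whose pl parameter is an absolute path or contains directory traversal, including URL-encoded and double-encoded forms.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache combined-log lines (not captured from the Quaoar VM); the
# "pl=" requests mirror the file-inclusion URL shown on slide 7.
SAMPLE_LOG = """\
10.0.2.15 - - [26/Sep/2019:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 63 "-" "Mozilla/5.0"
10.0.2.15 - - [26/Sep/2019:10:01:09 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
10.0.2.15 - - [26/Sep/2019:10:01:11 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
10.0.2.15 - - [26/Sep/2019:10:01:20 +0000] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=campaign.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.1.5 - - [26/Sep/2019:10:02:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint from slide 7. Its "pl" parameter is meant to name a file inside the
# plugin directory, so any value that escapes that directory is suspicious.
MAIL_MASTA_ENDPOINT = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"


def is_file_inclusion_attempt(target: str) -> bool:
    """True if the request hits the Mail Masta endpoint with a 'pl' value that
    is an absolute path, contains traversal, or carries a null byte."""
    parsed = urlparse(target)
    if not parsed.path.endswith(MAIL_MASTA_ENDPOINT):
        return False
    for value in parse_qs(parsed.query, keep_blank_values=True).get("pl", []):
        decoded = unquote(value)  # parse_qs decoded once; undo a second layer too
        if decoded.startswith("/") or "../" in decoded or "..\\" in decoded or "\x00" in decoded:
            return True
    return False


def scan_log(text: str) -> list[dict]:
    """Return one alert dict per log line that looks like a file-inclusion attempt."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_file_inclusion_attempt(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "target": m["target"], "status": int(m["status"])})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} -> {alert['target']} ({alert['status']})")
```

A 200 status on such a request means the server actually served the file, which is the case worth escalating over a 404.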