Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vulnhub Walkthrough

UNTCSC
September 26, 2019
0
29

Vulnhub Walkthrough

UNTCSC

September 26, 2019
Tweet

More Decks by UNTCSC

See All by UNTCSC
Network Simulation
unt_csc
0
38
Password Hashing Fall 2020
unt_csc
0
27
Resume and Interview Workshop
unt_csc
0
29
Security: Why do we Care
unt_csc
0
33
Welcome back fall 2020
unt_csc
0
25
Secure Coding
unt_csc
0
45
UNTCSC Spring 2020 Welcome Back
unt_csc
0
39
Password Guessing
unt_csc
0
19
Network Security
unt_csc
0
19

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Thoughts on Productivity
jonyablonski
67
4.3k
Embracing the Ebb and Flow
colly
84
4.5k
Unsuck your backbone
ammeep
668
57k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Building Your Own Lightsaber
phodgson
103
6.1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Git: the NoSQL Database
bkeepers
PRO
427
64k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Building Flexible Design Systems
yeseniaperezcruz
327
38k

Transcript

  1. QUAOAR: VULNHUB WALKTHROUGH

  2. GETTING STARTED  ENSURE YOU HAVE A HYPERVISOR INSTALLED ON

    A MACHINE YOU CAN ACCESS  VMware and VirtualBox are among the most notable option  DOWNLOAD KALI LINUX AND QUAOAR VIRTUAL MACHINES  https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image- download/  https://www.vulnhub.com/entry/hackfest2016-quaoar,180/  USE RECOMMENDED SETTINGS ON SETUP, ENSURE BOTH NETWORK TYPES ARE NAT

  3. RECON  BOOT UP BOTH THE KALI LINUX AND QUAOAR

    VMs  NOTICE THE [VICTIM ADDRESS] IS GIVEN TO US ON QUAOAR  CAN NOW START PROBING THE VICTIM

  4. RECON  RUN NMAP OVER [VICTIM ADDRESS]  NETWORK MAPPER

     OPEN-SOURCE VULNERABILTY AND NETWORK SCANNER  IDENTIFY WHAT DEVICES ARE RUNNING ON A SYSTEM  PORT SCANNING  OS DETECTION  SERVICE DISCOVERY  SECURITY AUDITING  nmap –sS –v –A [VICTIM ADDRESS]  -sS: TCP SYN SCAN, STEALH MODE  -v: VERBOSE OUTPUT  -A: OS, VERSION, TRACEROUTE, SCRIPT SCAN ENABLED

  5. RECON  TAKEAWAYS FROM THE NMAP SCAN  PORT 80

    IS OPEN. HTTP  SITES /ROBOT.TXT FILE HAS INFO  WEB ROBOTS READ THIS PAGE TO KNOW IF THEY ARE “ALLOWED” TO SCRAPE THE PAGE OR NOT  NAVIGATE TO HTTP://[VICTIM ADDRESS]/ROBOTS.TXT  NOTICE THAT /WORDPRESS IS AN ALLOWED PATH  CAN INVESTIGATE IF YOU WANT BUT FIRST TOOL THAT COMES TO MIND IS WPSCAN

  6. RECON  WPScan  BLACK BOX WordPress VULNERABILITY SCANNER USED

    TO FIND SECURITY ISSUES  RUN wpscan –-url [victim address]/wordpress  MUST INCLUDE THE /WORDPRESS PATH SINCE THE WORDPRESS SITE STARTS THERE  NOTICE ALL THE VULNERABILITIES, WITH LINKS TO THEIR EXPLOITS

  7. RECON  WPScan CONT.  LETS TRY TO GET THE

    USERNAMES AND PASSWORDS WITH WPScan  RUN wpscan –-url [victim address]/wordpress –e u  -e u: ENUMERATE THE USERS  USERS ADMIN AND WPUSER ARE FOUND  SINCE ADMIN ACCOUNT IS STILL ACTIVATED, I WONDER IF THEY ARE STILL RUNNING DEFAULT A DEFAULT CONFIGURATION ON THE WORDPRESS SITE  ADMIN/ADMIN WAS STILL THE USER/PASSWORD

  8. RECON  LOOK AT THE PLUGINS ON THE WORDPRESS SITE

     A QUICK GOOGLE SEARCH OF THEM YIELDS A FILE INCLUSION EXPLOIT ON MAIL MASTA  http://[VICTIM ADDRESS]/wordpress/wp-content/plugins/mail- masta/inc/campaign/count_of_send.php?pl=/etc/passwd  THIS RETURNS THE /ETC/PASSWD FILE FROM THE VICTIM MACHINE  FOUND TWO USERS OF INTEREST  ROOT AND WPADMIN

  9. GAINING ACCESS  ATTEMPT TO SSH USING ROOT ACCOUNT WITH

    DEFAULT PASSWORD  SECURE SHELL PROTOCOL  A METHOD FOR SECURE REMOTE LOGIN  RUN ssh root@[victim address]  DEFAULT PASSWORD DOESN’T WORK HERE  WHAT ABOUT THE OTHER USER WE FOUND, WPADMIN?  SUCCESS, THIS ACCOUNT WAS STILL SETUP WITH THE DEFAULT PASSWORD, SAME AS USERNMAE  COULD HAVE USED /usr/share/dirbuster/wordlists# ssh wpadmin@[victim address]

  10. PRIVILEGE ESCALATION  WE HAVE CONTROL OVER WPADMIN AND NEED

    TO BEGIN TO SEARCH FOR FLAGS, “IMPORTANT FILES”.  ls ON HOME DIRECTORY YIELDS FIRST FLAG  LETS LOOK AT THE /CRON FILES  CRON FILES ARE VERY USEFUL TO ATTACKERS AS CRON FILES ARE ON EVERY UNIX OPERATING SYSTEM AND ARE USED TO SCHEDULE JOBS  NAVIGATE TO /ETC FILE  ls TO FIND CRON FILES

  11. PRIVILEGE ESCALATION  cat cron.d  YIELDS THAT A FILE

    CALLED PHP5 IS SCHEDULED TO RUN ON THIS OS  THIS DOESN’T LEAD ANYWHERE BUT AS SHOWN, THIS IS A GOOD THING TO GET IN THE HABIT OF CHECKING WHEN YOU HAVE ACCESS OF A VICTIM MACHINE  SINCE MANY DEFUALT CONFIGURATIONS HAVE BEEN FOUND, LETS SEE IF /VAR/WWW IS THE DEFAULT DIRECTORY FOR THE WORDPRESS SITE  APPEARS SO

  12. PRIVILEGE ESCALATION  THERE ARE MANY FILES AND DIRECTORIES IN

    THIS /VAR/WWW DIRECTORY, HOW DO WE FIND USEFUL DATA?  LETS TRY grep ‘root’ * -R | less  SO MUCH DATA!! WE NEED TO REFINE THIS  RECALL THAT THE VM IS SCHEDULED TO RUN A FILE CALLED PHP5 ON THE ORDRE OF MINUTES  LETS SEE IF WE CAN FIND SOME PHP CONFIGURATION FILES IN THIS DATA

  13. PRIVILEGE ESCALATION  /WORDPRESS/WP-CONFIG.PHP LOOKS PROMISING  RUN cat wordpress/wp-config.php

     REVEALS ROOT USERNAME/PASSWORD  root/rootpassword!  RUN su root AND INPUT THE FOUND PASSWORD  WE HAVE ROOT ACCESS!!  RUN whoami TO ENSURE YOU ARE ROOT  RUN ls TO FIND THE FINAL FLAG

  14. Q&A  DID ANYONE SEE A DIFFERENT WAY TO GAIN

    ACCESS?