Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vulnhub Walkthrough

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for UNTCSC UNTCSC
September 26, 2019
44
0

Vulnhub Walkthrough

Avatar for UNTCSC

UNTCSC

September 26, 2019

More Decks by UNTCSC

See All by UNTCSC
Network Simulation
Avatar for UNTCSC unt_csc
0
77
Password Hashing Fall 2020
Avatar for UNTCSC unt_csc
0
65
Resume and Interview Workshop
Avatar for UNTCSC unt_csc
0
63
Security: Why do we Care
Avatar for UNTCSC unt_csc
0
77
Welcome back fall 2020
Avatar for UNTCSC unt_csc
0
44
Secure Coding
Avatar for UNTCSC unt_csc
0
96
UNTCSC Spring 2020 Welcome Back
Avatar for UNTCSC unt_csc
0
72
Password Guessing
Avatar for UNTCSC unt_csc
0
42
Network Security
Avatar for UNTCSC unt_csc
0
57

Featured

See All Featured
Marketing Yourself as an Engineer | Alaka | Gurzu
Avatar for Gurzu gurzu
0
210
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
52k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
Avatar for Sophie Logan marketingsoph
0
160
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
10k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.5k
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
4k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
Avatar for Katarina Dahlin katarinadahlin
PRO
1
3.6k
Darren the Foodie - Storyboard
Avatar for Kevinho.art khoart
PRO
3
3.4k
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
310
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.9k
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
200
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
8
690

Transcript

  1. QUAOAR: VULNHUB WALKTHROUGH

  2. GETTING STARTED  ENSURE YOU HAVE A HYPERVISOR INSTALLED ON

    A MACHINE YOU CAN ACCESS  VMware and VirtualBox are among the most notable option  DOWNLOAD KALI LINUX AND QUAOAR VIRTUAL MACHINES  https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image- download/  https://www.vulnhub.com/entry/hackfest2016-quaoar,180/  USE RECOMMENDED SETTINGS ON SETUP, ENSURE BOTH NETWORK TYPES ARE NAT

  3. RECON  BOOT UP BOTH THE KALI LINUX AND QUAOAR

    VMs  NOTICE THE [VICTIM ADDRESS] IS GIVEN TO US ON QUAOAR  CAN NOW START PROBING THE VICTIM

  4. RECON  RUN NMAP OVER [VICTIM ADDRESS]  NETWORK MAPPER

     OPEN-SOURCE VULNERABILTY AND NETWORK SCANNER  IDENTIFY WHAT DEVICES ARE RUNNING ON A SYSTEM  PORT SCANNING  OS DETECTION  SERVICE DISCOVERY  SECURITY AUDITING  nmap –sS –v –A [VICTIM ADDRESS]  -sS: TCP SYN SCAN, STEALH MODE  -v: VERBOSE OUTPUT  -A: OS, VERSION, TRACEROUTE, SCRIPT SCAN ENABLED

  5. RECON  TAKEAWAYS FROM THE NMAP SCAN  PORT 80

    IS OPEN. HTTP  SITES /ROBOT.TXT FILE HAS INFO  WEB ROBOTS READ THIS PAGE TO KNOW IF THEY ARE “ALLOWED” TO SCRAPE THE PAGE OR NOT  NAVIGATE TO HTTP://[VICTIM ADDRESS]/ROBOTS.TXT  NOTICE THAT /WORDPRESS IS AN ALLOWED PATH  CAN INVESTIGATE IF YOU WANT BUT FIRST TOOL THAT COMES TO MIND IS WPSCAN

  6. RECON  WPScan  BLACK BOX WordPress VULNERABILITY SCANNER USED

    TO FIND SECURITY ISSUES  RUN wpscan –-url [victim address]/wordpress  MUST INCLUDE THE /WORDPRESS PATH SINCE THE WORDPRESS SITE STARTS THERE  NOTICE ALL THE VULNERABILITIES, WITH LINKS TO THEIR EXPLOITS

  7. RECON  WPScan CONT.  LETS TRY TO GET THE

    USERNAMES AND PASSWORDS WITH WPScan  RUN wpscan –-url [victim address]/wordpress –e u  -e u: ENUMERATE THE USERS  USERS ADMIN AND WPUSER ARE FOUND  SINCE ADMIN ACCOUNT IS STILL ACTIVATED, I WONDER IF THEY ARE STILL RUNNING DEFAULT A DEFAULT CONFIGURATION ON THE WORDPRESS SITE  ADMIN/ADMIN WAS STILL THE USER/PASSWORD

  8. RECON  LOOK AT THE PLUGINS ON THE WORDPRESS SITE

     A QUICK GOOGLE SEARCH OF THEM YIELDS A FILE INCLUSION EXPLOIT ON MAIL MASTA  http://[VICTIM ADDRESS]/wordpress/wp-content/plugins/mail- masta/inc/campaign/count_of_send.php?pl=/etc/passwd  THIS RETURNS THE /ETC/PASSWD FILE FROM THE VICTIM MACHINE  FOUND TWO USERS OF INTEREST  ROOT AND WPADMIN

  9. GAINING ACCESS  ATTEMPT TO SSH USING ROOT ACCOUNT WITH

    DEFAULT PASSWORD  SECURE SHELL PROTOCOL  A METHOD FOR SECURE REMOTE LOGIN  RUN ssh root@[victim address]  DEFAULT PASSWORD DOESN’T WORK HERE  WHAT ABOUT THE OTHER USER WE FOUND, WPADMIN?  SUCCESS, THIS ACCOUNT WAS STILL SETUP WITH THE DEFAULT PASSWORD, SAME AS USERNMAE  COULD HAVE USED /usr/share/dirbuster/wordlists# ssh wpadmin@[victim address]

  10. PRIVILEGE ESCALATION  WE HAVE CONTROL OVER WPADMIN AND NEED

    TO BEGIN TO SEARCH FOR FLAGS, “IMPORTANT FILES”.  ls ON HOME DIRECTORY YIELDS FIRST FLAG  LETS LOOK AT THE /CRON FILES  CRON FILES ARE VERY USEFUL TO ATTACKERS AS CRON FILES ARE ON EVERY UNIX OPERATING SYSTEM AND ARE USED TO SCHEDULE JOBS  NAVIGATE TO /ETC FILE  ls TO FIND CRON FILES

  11. PRIVILEGE ESCALATION  cat cron.d  YIELDS THAT A FILE

    CALLED PHP5 IS SCHEDULED TO RUN ON THIS OS  THIS DOESN’T LEAD ANYWHERE BUT AS SHOWN, THIS IS A GOOD THING TO GET IN THE HABIT OF CHECKING WHEN YOU HAVE ACCESS OF A VICTIM MACHINE  SINCE MANY DEFUALT CONFIGURATIONS HAVE BEEN FOUND, LETS SEE IF /VAR/WWW IS THE DEFAULT DIRECTORY FOR THE WORDPRESS SITE  APPEARS SO

  12. PRIVILEGE ESCALATION  THERE ARE MANY FILES AND DIRECTORIES IN

    THIS /VAR/WWW DIRECTORY, HOW DO WE FIND USEFUL DATA?  LETS TRY grep ‘root’ * -R | less  SO MUCH DATA!! WE NEED TO REFINE THIS  RECALL THAT THE VM IS SCHEDULED TO RUN A FILE CALLED PHP5 ON THE ORDRE OF MINUTES  LETS SEE IF WE CAN FIND SOME PHP CONFIGURATION FILES IN THIS DATA

  13. PRIVILEGE ESCALATION  /WORDPRESS/WP-CONFIG.PHP LOOKS PROMISING  RUN cat wordpress/wp-config.php

     REVEALS ROOT USERNAME/PASSWORD  root/rootpassword!  RUN su root AND INPUT THE FOUND PASSWORD  WE HAVE ROOT ACCESS!!  RUN whoami TO ENSURE YOU ARE ROOT  RUN ls TO FIND THE FINAL FLAG

  14. Q&A  DID ANYONE SEE A DIFFERENT WAY TO GAIN

    ACCESS?