Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vulnhub Walkthrough

UNTCSC
September 26, 2019
0
18

Vulnhub Walkthrough

UNTCSC

September 26, 2019
Tweet

More Decks by UNTCSC

See All by UNTCSC
Network Simulation
unt_csc
0
38
Password Hashing Fall 2020
unt_csc
0
24
Resume and Interview Workshop
unt_csc
0
22
Security: Why do we Care
unt_csc
0
26
Welcome back fall 2020
unt_csc
0
16
Secure Coding
unt_csc
0
30
UNTCSC Spring 2020 Welcome Back
unt_csc
0
25
Password Guessing
unt_csc
0
19
Network Security
unt_csc
0
15

Featured

See All Featured
Faster Mobile Websites
deanohume
300
30k
10 Git Anti Patterns You Should be Aware of
lemiorhan
649
58k
How to train your dragon (web standard)
notwaldorf
75
5.2k
Build your cross-platform service in a week with App Engine
jlugia
226
17k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
23
1.7k
GitHub's CSS Performance
jonrohan
1025
450k
Optimising Largest Contentful Paint
csswizardry
13
2.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Designing for humans not robots
tammielis
247
25k
We Have a Design System, Now What?
morganepeng
43
6.8k

Transcript

  1. QUAOAR: VULNHUB WALKTHROUGH

  2. GETTING STARTED  ENSURE YOU HAVE A HYPERVISOR INSTALLED ON

    A MACHINE YOU CAN ACCESS  VMware and VirtualBox are among the most notable option  DOWNLOAD KALI LINUX AND QUAOAR VIRTUAL MACHINES  https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image- download/  https://www.vulnhub.com/entry/hackfest2016-quaoar,180/  USE RECOMMENDED SETTINGS ON SETUP, ENSURE BOTH NETWORK TYPES ARE NAT

  3. RECON  BOOT UP BOTH THE KALI LINUX AND QUAOAR

    VMs  NOTICE THE [VICTIM ADDRESS] IS GIVEN TO US ON QUAOAR  CAN NOW START PROBING THE VICTIM

  4. RECON  RUN NMAP OVER [VICTIM ADDRESS]  NETWORK MAPPER

     OPEN-SOURCE VULNERABILTY AND NETWORK SCANNER  IDENTIFY WHAT DEVICES ARE RUNNING ON A SYSTEM  PORT SCANNING  OS DETECTION  SERVICE DISCOVERY  SECURITY AUDITING  nmap –sS –v –A [VICTIM ADDRESS]  -sS: TCP SYN SCAN, STEALH MODE  -v: VERBOSE OUTPUT  -A: OS, VERSION, TRACEROUTE, SCRIPT SCAN ENABLED

  5. RECON  TAKEAWAYS FROM THE NMAP SCAN  PORT 80

    IS OPEN. HTTP  SITES /ROBOT.TXT FILE HAS INFO  WEB ROBOTS READ THIS PAGE TO KNOW IF THEY ARE “ALLOWED” TO SCRAPE THE PAGE OR NOT  NAVIGATE TO HTTP://[VICTIM ADDRESS]/ROBOTS.TXT  NOTICE THAT /WORDPRESS IS AN ALLOWED PATH  CAN INVESTIGATE IF YOU WANT BUT FIRST TOOL THAT COMES TO MIND IS WPSCAN

  6. RECON  WPScan  BLACK BOX WordPress VULNERABILITY SCANNER USED

    TO FIND SECURITY ISSUES  RUN wpscan –-url [victim address]/wordpress  MUST INCLUDE THE /WORDPRESS PATH SINCE THE WORDPRESS SITE STARTS THERE  NOTICE ALL THE VULNERABILITIES, WITH LINKS TO THEIR EXPLOITS

  7. RECON  WPScan CONT.  LETS TRY TO GET THE

    USERNAMES AND PASSWORDS WITH WPScan  RUN wpscan –-url [victim address]/wordpress –e u  -e u: ENUMERATE THE USERS  USERS ADMIN AND WPUSER ARE FOUND  SINCE ADMIN ACCOUNT IS STILL ACTIVATED, I WONDER IF THEY ARE STILL RUNNING DEFAULT A DEFAULT CONFIGURATION ON THE WORDPRESS SITE  ADMIN/ADMIN WAS STILL THE USER/PASSWORD

  8. RECON  LOOK AT THE PLUGINS ON THE WORDPRESS SITE

     A QUICK GOOGLE SEARCH OF THEM YIELDS A FILE INCLUSION EXPLOIT ON MAIL MASTA  http://[VICTIM ADDRESS]/wordpress/wp-content/plugins/mail- masta/inc/campaign/count_of_send.php?pl=/etc/passwd  THIS RETURNS THE /ETC/PASSWD FILE FROM THE VICTIM MACHINE  FOUND TWO USERS OF INTEREST  ROOT AND WPADMIN

  9. GAINING ACCESS  ATTEMPT TO SSH USING ROOT ACCOUNT WITH

    DEFAULT PASSWORD  SECURE SHELL PROTOCOL  A METHOD FOR SECURE REMOTE LOGIN  RUN ssh root@[victim address]  DEFAULT PASSWORD DOESN’T WORK HERE  WHAT ABOUT THE OTHER USER WE FOUND, WPADMIN?  SUCCESS, THIS ACCOUNT WAS STILL SETUP WITH THE DEFAULT PASSWORD, SAME AS USERNMAE  COULD HAVE USED /usr/share/dirbuster/wordlists# ssh wpadmin@[victim address]

  10. PRIVILEGE ESCALATION  WE HAVE CONTROL OVER WPADMIN AND NEED

    TO BEGIN TO SEARCH FOR FLAGS, “IMPORTANT FILES”.  ls ON HOME DIRECTORY YIELDS FIRST FLAG  LETS LOOK AT THE /CRON FILES  CRON FILES ARE VERY USEFUL TO ATTACKERS AS CRON FILES ARE ON EVERY UNIX OPERATING SYSTEM AND ARE USED TO SCHEDULE JOBS  NAVIGATE TO /ETC FILE  ls TO FIND CRON FILES

  11. PRIVILEGE ESCALATION  cat cron.d  YIELDS THAT A FILE

    CALLED PHP5 IS SCHEDULED TO RUN ON THIS OS  THIS DOESN’T LEAD ANYWHERE BUT AS SHOWN, THIS IS A GOOD THING TO GET IN THE HABIT OF CHECKING WHEN YOU HAVE ACCESS OF A VICTIM MACHINE  SINCE MANY DEFUALT CONFIGURATIONS HAVE BEEN FOUND, LETS SEE IF /VAR/WWW IS THE DEFAULT DIRECTORY FOR THE WORDPRESS SITE  APPEARS SO

  12. PRIVILEGE ESCALATION  THERE ARE MANY FILES AND DIRECTORIES IN

    THIS /VAR/WWW DIRECTORY, HOW DO WE FIND USEFUL DATA?  LETS TRY grep ‘root’ * -R | less  SO MUCH DATA!! WE NEED TO REFINE THIS  RECALL THAT THE VM IS SCHEDULED TO RUN A FILE CALLED PHP5 ON THE ORDRE OF MINUTES  LETS SEE IF WE CAN FIND SOME PHP CONFIGURATION FILES IN THIS DATA

  13. PRIVILEGE ESCALATION  /WORDPRESS/WP-CONFIG.PHP LOOKS PROMISING  RUN cat wordpress/wp-config.php

     REVEALS ROOT USERNAME/PASSWORD  root/rootpassword!  RUN su root AND INPUT THE FOUND PASSWORD  WE HAVE ROOT ACCESS!!  RUN whoami TO ENSURE YOU ARE ROOT  RUN ls TO FIND THE FINAL FLAG

  14. Q&A  DID ANYONE SEE A DIFFERENT WAY TO GAIN

    ACCESS?