Skip to main content

VM 30 Quaoar

Walkthru:
http://www.blackroomsec.com/quaoar-write-up/ [wordpress, php reverse vulnerability, multiple open ports 22,53,80,110,139,143,445,993,995]


Notes:
Nmap scan report for 192.168.117.5
Host is up (0.00038s latency).
Not shown: 991 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d [ssl/pop3 Dovecot pop3d
]
MAC Address: 08:00:27:34:58:0D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 22 18:02:24 2018 -- 1 IP address (1 host up) scanned in 13.34 seconds

00000000000000000000000000000000000
see enum4linux_192.168.117.5
00000000000000000000000000000000000
nikto shows /wordress
login as admin/admin
added php RS under themes
http://192.168.0.29/wordpress/wp-content/themes/twentyfourteen/404.php
www-data
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
/

00000000000000000000000000000000000

And root pwd is in the “wp-config.php” file, I find the root username and password!

00000000000000000000000000000000000
OS a
00000000000000000000000000000000000

Comments

Post a Comment

Popular posts from this blog

VM 9 : PHP Include And Post Exploitation

Walkthrough 1.        https://medium.com/@Kan1shka9/pentesterlab-php-include-and-post-exploitation-walkthrough-8a85bcfa7b1d 2.        Ine [] 3.        http://megwhite.com.au/pentester-lab-bootcamp-walkthrough-php-include-post-exploitation/ 4.        http://fallensnow-jack.blogspot.com/2014/07/pentester-lab-php-lfi-post-exploitation.html Notes: root@kali:~# nmap 10.0.0.12 Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-30 12:23 EDT Nmap scan report for 10.0.0.12 Host is up (0.00035s latency). Not shown: 999 filtered ports PORT    STATE SERVICE 80/tcp open   http MAC Address: 08:00:27:1F:12:24 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds root@kali:~# Enumerating port 80 Run dirb root@kali:~# dirb http://10.0.0.12/ ----------------- DIRB v2.22 By The Dark Raver...
1 comment
Read more

VM 5: Vulnix :

Walkthru: A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating linux user with specific UID, root squashing, ssh pwd cracking using medusa & hydra, logging using ssh keys, updating /usr/sbin/exportfs] B. http://overflowsecurity.com/hacklab-vulnix/ [ same as above. create ssh keys for root and copied to victim to login as root w/o recovering pwd] C. https://www.rebootuser.com/?p=988[ local bash shell from nfs] B. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions] D. https://www.rebootuser.com/?p=988 [User Enumeration #1 – SMTP, Finger; Entry Point including hydra, Putty(using rlogin service), nfs (showmount,mount) ] Notes: - As you can see the root user is the only account which is logged on the remote  host.Now that we have a specific username we can use it in order to obtain more information about this user with the command  finger root@host . -  Another effective use of the finger...
Post a Comment
Read more

Penetration Testing Framework 0.57

Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack. http://www.vulnerabilityassessment.co.uk/
Post a Comment
Read more