Hi Everyone,
I am back. In this post I would like to describe the attack on the Quaoar box provided by vulnhub.com.
In the previous post, during the scanning phase, I found that there is a WordPress page on the Quaoar machine:
/index (Status: 200)
/upload (Status: 301)
/wordpress (Status: 301)
/robots (Status: 200)
/INSTALL (Status: 200)
/LICENSE (Status: 200)
/COPYING (Status: 200)
/CHANGELOG (Status: 200)
/server-status (Status: 403)
If we open the page, we can see a fully functional WordPress installation.
We can go further and analyse it manually using Burp Suite, or use the most popular tool for analysing WordPress, wpscan. Let's start wpscan to check.
We can see that wpscan found a lot of vulnerabilities on the site, as shown in the console view above.
During the scan I also enumerated the WordPress users. It found 2 users, as below:
- admin
- wpuser
We can now brute force the WordPress login. I would first try brute forcing it using Burp Suite Intruder; I will explain step by step how to set it up.
- Open Burp Suite and activate the proxy
- Go to the WordPress login page
- Set the browser to proxy through Burp Suite
- Input the username admin and the password check
- Submit
- Burp will catch the HTTP request as below
- You can send the HTTP request to Intruder as shown above
- In the Intruder tab go to the Positions sub tab
- Select Sniper from the attack type dropdown
- Press the Clear button on the right
- In the payload you can see our password "check"; highlight it and press the Add button
- Go to the Payloads tab
- In the payload options, select the passwords list
- Press the Add button
- You can directly start the attack by pressing the Start attack button
- There are other settings such as the number of threads and throttling; these change the behaviour of the request engine, which affects the traffic pattern caught by any security device in between, such as an F5 WAF
- When the attack is running you can see the response to each brute force attempt, as in the image below
- The easiest way to spot a potentially successful password is to sort by response length: a different length means a different response from the other passwords
- Here we can see that the correct password is admin
Let's try another tool for the brute force and see how effective it is.
We are using wpscan to brute force the password. You can follow the steps below.
As shown above, the simplest way to brute force is to use wpscan, but on the other side Burp Suite has an advanced request engine that can be customised to evade detection by security devices.
Based on the testing above, you can use either application for brute forcing, since the results are very accurate, but please also consider the penetration testing environment that you are facing.
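To show what this login brute force looks like from the other side of the WAF mentioned above, here is an added example (not from the original post) that runs simple detection logic over constructed Apache access-log lines: it counts failed POSTs to wp-login.php per source inside a time window and flags a 302 that follows them, which is the same response difference the length sort exploits. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from the original post): a burst of
# failed wp-login.php POSTs from one source ending in a 302, and a normal user login.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2017:10:12:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2017:10:12:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2017:10:12:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2017:10:12:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:10:15:30 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:10:16:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bruteforce(log_text, window=timedelta(minutes=5), threshold=3):
    """Map source IP -> verdict for repeated POSTs to wp-login.php.

    WordPress re-renders the form with 200 on a failed login and answers a
    successful one with a 302 redirect (the response difference the post sorts on).
    `threshold` failures inside `window` = attempt; a 302 right after them = success.
    """
    failures = defaultdict(list)  # ip -> timestamps of failed login POSTs in window
    verdicts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].endswith("/wp-login.php"):
            continue
        ip, ts = rec["ip"], rec["ts"]
        failures[ip] = [t for t in failures[ip] if ts - t <= window]  # slide the window
        if rec["status"] == 200:
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                verdicts.setdefault(ip, "bruteforce-attempt")
        elif rec["status"] == 302 and len(failures[ip]) >= threshold:
            verdicts[ip] = "bruteforce-success"
    return verdicts
```

A throttled Intruder run spreads the failures out, so the window and threshold have to be tuned to the traffic you expect rather than left at these constructed values.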