
Saturday, October 29, 2011

[Learning] Metasploitable - Distcc

Links:
watch the HD video online: http://vimeo.com/f4l13n5now/distcc

Description:
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql."
-- metasploit team

Attacker:
Backtrack 5 R2
IP: 10.10.10.128/24

Victim:
metasploitable
IP: 10.10.10.129/24

Vulnerability & Exploit:
1, DistCC Daemon Command Execution
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit

Attacking process:
1, discover the vulnerable services:
use NMAP to probe the open ports and services
nmap -sS -sV -p0-65535 -O 10.10.10.129 -v

found the following services:
[1] distccd service running on port 3632
[2] Debian openSSH running on port 22

2, exploit vulnerable services:
[1] exploit the distccd service to get into the victim server with limited privilege
[2] grab the SSH key file information
[3] exploit the Debian OpenSSH service to get into the victim server with root privilege

Reference:
[1] Metasploitable download link
[2] Tutorial on g0tmi1k's Blog
[3] Metasploitable official website

Sunday, October 23, 2011

[Update] pWnOS v1

Two more vulnerabilities:

1, There is another vulnerability that can be used to get root privilege locally; here is the exploit:

Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]

2, an RFI vulnerability was found in "/index1.php"; the vulnerable URL is:
http://192.168.1.107/index1.php?connect=/etc/password

The bug in index1.php:
...
if($_GET['connect'] != 'true'){
    include($_GET['connect']);        // the user's input is passed straight to include(); the only check is a comparison against the string 'true'
}
...
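For comparison, here is a hardened version of that include() pattern. This is an added example, not pWnOS's own code; the page names in the allow-list and the "pages/" directory are assumptions. The user's value is used only as a lookup key, so it never reaches include() itself:

```php
<?php
// Added example (not pWnOS's own code): a hardened replacement for the
// include($_GET['connect']) pattern shown above.
// The page names and the "pages/" directory below are assumptions.

// Allow-list: the only values the "connect" parameter may select.
// Keys are the public names, values are the files they map to.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve a user-supplied page name to a file path, or return null.
 * Because the input is only a lookup key, values such as "../../etc/passwd"
 * or "http://attacker.example/shell.txt" cannot select a file at all.
 */
function resolve_page(?string $name): ?string
{
    if ($name === null || !array_key_exists($name, PAGES)) {
        return null;
    }

    $path = realpath(__DIR__ . '/' . PAGES[$name]);
    $root = realpath(__DIR__ . '/pages');

    // Defence in depth: the resolved file must exist and live under "pages/".
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Original, vulnerable pattern (kept only for comparison; never deploy):
//   if ($_GET['connect'] != 'true') { include($_GET['connect']); }

$page = resolve_page($_GET['connect'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The original check only rejects the literal string 'true'; it does nothing to restrict which file is included. Independently of the code fix, setting allow_url_include=Off (the PHP default) blocks remote includes, and open_basedir limits which local paths PHP may open, so an include bug like this one degrades from code execution to a smaller file-disclosure problem.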

Saturday, October 22, 2011

[Learning] pWnOS v1

Links:
watch the HD video online: http://vimeo.com/30946182


Description:
"pWnOS focuses more on exploitation. All of the exploits are found from milw0rm.com so you won't have to scour the Internet for some obscure exploit. There are a couple different paths to root...so if you get one you can keep working to figure out the other."
-- bond00

Attacker:
Backtrack 5 R2 [VM]
IP: 192.168.1.108

Victim:
pWnOS v1 [VM]
IP: 192.168.1.110


Vulnerability & Exploit:
1, Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
3, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit

Attacking process:
1, discover the vulnerable services:
use NMAP to probe the open ports and services
nmap -sS -sV -O -A 192.168.1.110 -v
found the following services:
[1] webmin httpd       open on port 10000
[2] Debian openSSH     open on port 22

2, exploit vulnerable services:
[1] exploit the webmin service to get the password file "/etc/shadow", which revealed the users:
vmware
obama
osama
yomama
[2] exploit the webmin service to get the openSSH key files; default path: "/home/$USER/.ssh/authorized_keys" (replace $USER with vmware, obama, osama and yomama)
[3] exploit the Debian OpenSSH service to get into the victim server
[4] use the vmsplice Local Root Exploit to get root privilege


Reference:
[1] pWnOS download link (http://0dayclub.com/files/pWnOS%20v1.0.zip)
[2] g0tmi1k's Blog (http://g0tmi1k.blogspot.com/2010/04/video-pwnos.html)
[3] pWnOS forum (http://forums.heorot.net/viewforum.php?f=21)