Sunday, January 1, 2012

[Learning] Metasploitable - Tikiwiki



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/tikiwiki

Description:
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." -- metasploit team


Attacker:
Backtrack 5 R2
IP: 10.10.10.128/24

Victim:
metasploitable
IP: 10.10.10.129/24


Vulnerability & exploit:
1, TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability
2, TikiWiki tiki-graph_formula Remote PHP Code Execution
3, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit


Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services:
nmap -sS -sV -O 10.10.10.129 -v

found the following services:
[1] HTTP service running on port 80
[2] MySQL service running on port 3306
[3] Debian OpenSSH running on port 22

use DirBuster to discover hidden directories:
java -jar DirBuster-0.12.jar -u http://10.10.10.129

found the following directory:
[1] tikiwiki (http://10.10.10.129/tikiwiki)

2, exploit the vulnerable services:
[1] exploit the tikiwiki service to obtain critical database information (DB user, DB password, DB name and DB type)
[2] exploit the tikiwiki service to gain www-data privileges and collect SSH key file information
[3] exploit the Debian OpenSSH service to log in to the victim server with root privileges
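The defender's view of the two TikiWiki steps above, as an added example that is not part of the original post: it scans Apache access-log lines (constructed samples, combined log format assumed) for requests to the tiki-graph_formula script and for sort_mode values that do not follow TikiWiki's `<column>_asc` / `<column>_desc` pattern. The script file name `tiki-graph_formula.php` and the sort_mode pattern are assumptions not spelled out on the page.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log layout (assumption: the TikiWiki host logs this way).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Legitimate TikiWiki sort_mode values look like "<column>_asc" or "<column>_desc" (assumption).
SORT_MODE_OK = re.compile(r'^[A-Za-z0-9]+_(asc|desc)$')
# Script behind the "tiki-graph_formula Remote PHP Code Execution" entry (assumed file name).
RCE_SCRIPT = "tiki-graph_formula.php"

def parse_line(line):
    """Return a dict with src, script name and decoded query params, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["script"] = path.rsplit("/", 1)[-1]
    params = {}
    for kv in filter(None, query.split("&")):
        key, _, value = kv.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    entry["params"] = params
    return entry

def classify(entry):
    """Findings for one parsed request; an empty list means nothing suspicious."""
    findings = []
    if entry["script"] == RCE_SCRIPT:
        findings.append("request to tiki-graph_formula.php (code-execution vector)")
    bad = [v for v in entry["params"].get("sort_mode", []) if not SORT_MODE_OK.match(v)]
    if bad:
        findings.append("malformed sort_mode %r (DB-credential disclosure probe)" % bad[0])
    return findings

def scan_log(lines):
    """Return [(src, script, findings)] for every line that produced a finding."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry):
            hits.append((entry["src"], entry["script"], classify(entry)))
    return hits

# Constructed sample lines, not taken from a real Metasploitable log.
SAMPLE_LOG = [
    '10.10.10.50 - - [01/Jan/2012:10:00:01 +0000] "GET /tikiwiki/tiki-index.php HTTP/1.1" 200 5123',
    '10.10.10.50 - - [01/Jan/2012:10:00:05 +0000] "GET /tikiwiki/tiki-listpages.php?sort_mode=lastModif_desc HTTP/1.1" 200 8412',
    '10.10.10.128 - - [01/Jan/2012:10:01:12 +0000] "GET /tikiwiki/tiki-listpages.php?sort_mode=nosuchcolumn HTTP/1.1" 200 1830',
    '10.10.10.128 - - [01/Jan/2012:10:02:40 +0000] "GET /tikiwiki/tiki-graph_formula.php HTTP/1.1" 200 412',
]

if __name__ == "__main__":
    for src, script, findings in scan_log(SAMPLE_LOG):
        print(src, script, "; ".join(findings))
```

Pointing `scan_log` at the real access log on the Tikiwiki host turns the two exploitation steps into log events that can be alerted on; the benign `lastModif_desc` line shows the sort_mode check does not fire on normal sorting.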

