Sunday, June 10, 2012

[Learning] Holynix level two

watch the HD video online:
"Similar to the de-ice pentest CDs and pWnOS, Holynix is a Linux VMware image that was deliberately built to have security holes for the purposes of penetration testing."
--------- Holynix team
Attacker machine: Backtrack 5 R2
Target: Holynix level 2

Vulnerabilities & exploits:
1, phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit
2, Linux Kernel 2.6.17 - vmsplice Local Root Exploit

Attacking tools:
1, netdiscover
2, nmap
3, DirBuster
4, Exploit-DB
5, John The Ripper
6, Metasploit

Attacking process:
1, Reconnaissance & Enumeration:
use netdiscover to sweep the network for active hosts:
netdiscover -i wlan0 -r

use nmap to probe the open ports and identify the running services:
nmap -sS -sV -O -v
found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22
[3] FTP service running on port 21
[4] DNS service running on port 53

use a DNS zone transfer to harvest FTP usernames:
dig AXFR @ 

use DirBuster to enumerate web directories:
java -jar DirBuster -u
found the following directories:
[1] /phpMyAdmin/
[2] /setup_guide/todo

2, exploit the vulnerable services:
[1] exploit the phpMyAdmin Remote Directory Traversal vulnerability to read the FTP users' password file ("/etc/pure-ftpd/pureftpd.passwd")
[2] use John The Ripper to crack those password hashes
[3] log in to the FTP server with a cracked account, upload a PHP payload and make a reverse connection back to the attacker machine (low-privilege shell)
[4] browse the server's directories and collect information (found "my_key.eml" under the "amckinley" directory)
[5] use the new account to log in to the server via SSH (upgrade to user privilege)
[6] exploit "Linux Kernel 2.6.17 - vmsplice Local Root Exploit" to get root privilege
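From the defender's side, the first foothold in step 2 leaves a clear trace in the web server's access log: a request whose path, once URL-decoded, contains "../" or names the pure-ftpd password file. The scanner below is an added example, not part of the original post or the Holynix image; the log lines, IP addresses and the "page"/"p" query parameters are constructed for the demonstration.

```python
"""Flag directory-traversal attempts in Apache combined-format access logs."""
import re
from urllib.parse import unquote

# Constructed sample log (hypothetical addresses); not captured from a real host.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Jun/2012:12:00:01 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 1532
10.0.0.9 - - [10/Jun/2012:12:00:03 +0000] "GET /phpMyAdmin/index.php?page=../../../../etc/pure-ftpd/pureftpd.passwd HTTP/1.1" 200 312
10.0.0.7 - - [10/Jun/2012:12:00:05 +0000] "GET /setup_guide/todo HTTP/1.1" 200 88
10.0.0.9 - - [10/Jun/2012:12:00:09 +0000] "GET /index.php?p=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\.(?:/|$)")          # "../" or a trailing ".."
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/pure-ftpd/pureftpd.passwd")


def normalize(path: str) -> str:
    """Percent-decode until stable (catches %2e%2e%2f and double encoding),
    then fold backslashes so one traversal pattern covers both separators."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m["path"])
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("traversal")
    if any(s in path for s in SENSITIVE):
        reasons.append("sensitive-file")
    if reasons and "/phpmyadmin/" in path.lower():
        reasons.append("phpmyadmin")   # the app this write-up's exploit targets
    if not reasons:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "path": path, "reasons": reasons}


def scan(log_text: str):
    """Run classify() over every line and keep only the findings."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]
```

A 200 status on a traversal request (second sample line) is the one to treat as a confirmed read rather than a mere probe.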
