Sunday, June 10, 2012

[Learning] Holynix level two


Links:
watch the HD video online:  http://vimeo.com/f4l13n5now/holynix2
Description:
"Similar to the de-ice pentest CDs and pWnOS, Holynix is a Linux vmware image that was deliberately built to have security holes for the purposes of penetration testing."
--- Holynix team
Attacker:
Backtrack 5 R2
IP: 192.168.1.2/24
Victim:
Holynix level 2
IP: 192.168.1.88/24


vulnerability & exploit:
1, phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit
2, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit


Attacking tools:
1, netdiscover
2, nmap
3, DirBuster
4, Exploit-DB
5, John The Ripper
6, Metasploit


Attacking process:
1, Reconnaissance & Enumeration:
use netdiscover to sweep the active hosts in the network:
netdiscover -i wlan0 -r 192.168.1.88

use NMAP to probe the open ports and services:
nmap -sS -sV -O 192.168.1.88 -v
found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22
[3] FTP service running on port 21
[4] DNS service running on port 53

use a DNS zone transfer to harvest FTP usernames:
dig AXFR zincftp.com @192.168.1.88

use DirBuster to enumerate web directories:
java -jar DirBuster -u http://www.zincftp.com/
found the following directories:
[1] /phpMyAdmin/
[2] /setup_guide/todo

2, exploit vulnerable services:
[1] exploit the phpMyAdmin Remote Directory Traversal vulnerability to read the FTP users' password file ("/etc/pure-ftpd/pureftpd.passwd")
[2] use JTR to crack those password hashes
[3] log in to the FTP server with a cracked account, upload a PHP attacking payload and reverse connect to the attacker machine (got low privilege)
[4] browse the server's system directories and collect information (found "my_key.eml" under the directory "amckinley")
[5] use the new account to log in to the server via SSH (upgrade to user privilege)
[6] exploit "Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit" to get root privilege
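Steps [1] and [2] work because the pure-ftpd virtual-user file holds crypt(3) hashes that JTR can crack quickly when they are DES or md5crypt. The audit script below is an added example (not part of this write-up or of the Holynix image) that a defender can run over a pureftpd.passwd file to flag accounts whose hash type would fall to a cracker; the sample file contents are constructed, and the field layout (login:hash:uid:gid:...) is the one pure-pw writes.

```python
"""Flag weak password hashes in a pure-ftpd virtual-user file (pureftpd.passwd).

Context: if a web bug such as a directory traversal lets an attacker read this
file, only slow hash types (sha256crypt/sha512crypt/bcrypt) buy time to rotate.
"""
import re

# crypt(3) hash-id prefixes; a bare 13-char string is traditional DES crypt.
HASH_KINDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
              "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
STRONG = {"bcrypt", "sha256crypt", "sha512crypt"}

# Constructed sample file (not from the VM): one strong entry, two weak ones.
SAMPLE_PASSWD = """# pureftpd.passwd (constructed sample)
alice:$6$saltsalt$N0tARealHashJustAPlaceholderValueForTheExample:1000:1000::/home/ftp/alice/./::::::::::::
bob:$1$abcdefgh$0123456789abcdefghijkl:1000:1000::/home/ftp/bob/./::::::::::::
carol:abJ3xk9Qw1TzE:1000:1000::/home/ftp/carol/./::::::::::::
"""

def classify_hash(pwhash):
    """Return the crypt(3) scheme name for a stored hash."""
    for prefix, kind in HASH_KINDS.items():
        if pwhash.startswith(prefix):
            return kind
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pwhash):
        return "descrypt"
    return "unknown"

def audit(text):
    """Return (line_no, login, reason) for every entry that needs attention."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:  # login, hash, uid, gid, gecos, home are mandatory
            findings.append((line_no, None, "malformed entry"))
            continue
        login, pwhash = fields[0], fields[1]
        kind = classify_hash(pwhash)
        if kind not in STRONG:
            findings.append((line_no, login, f"weak hash type: {kind}"))
    return findings

if __name__ == "__main__":
    for line_no, login, reason in audit(SAMPLE_PASSWD):
        print(f"line {line_no}: {login}: {reason}")
```

Run it against a real file with `audit(open("/etc/pure-ftpd/pureftpd.passwd").read())`; re-hash flagged accounts with `pure-pw passwd` so the file carries sha512crypt or bcrypt hashes.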