Links:
watch the HD video online: http://vimeo.com/f4l13n5now/tikiwiki
Description:
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." -- metasploit team
Attacker:
Backtrack 5 R2
IP: 10.10.10.128/24
Victim:
metasploitable
IP: 10.10.10.129/24
Vulnerabilities & exploits:
1, TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability
2, TikiWiki tiki-graph_formula Remote PHP Code Execution
3, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -O 10.10.10.129 -v
found the following services:
[1] HTTP service running on port 80
[2] MYSQL service running on port 3306
[3] Debian openSSH running on port 22
use DirBuster to discover hidden directories
java -jar DirBuster-0.12.jar -u http://10.10.10.129
found the following directory:
[1] tikiwiki (http://10.10.10.129/tikiwiki)
2, exploit vulnerable services:
[1] exploit the tikiwiki service to get critical database information (DB user, DB password, DB name and DB type)
[2] exploit the tikiwiki service to get www-data privilege and grep SSH key file information
[3] exploit the Debian OpenSSH service to get into the victim server with root privilege
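
From the defender's side, the discovery and TikiWiki steps above leave traces in the web server's access log. The following added example (not part of the original post) scans Apache combined-format lines for a burst of 404s from one client, for sort_mode values outside the expected shape, and for requests to tiki-graph_formula.php. The sample log lines, the 10.10.10.50 client, the threshold and the sort_mode pattern are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: legitimate sort_mode values look like "pageName_asc".
SORT_MODE_OK = re.compile(r'^[A-Za-z0-9]+_(asc|desc)$')
NOT_FOUND_THRESHOLD = 3  # constructed value; tune against real traffic

# Constructed sample lines (not captured traffic); 10.10.10.50 is a made-up benign client.
SAMPLE_LOG = '''\
10.10.10.128 - - [01/Jan/2012:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
10.10.10.128 - - [01/Jan/2012:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "-"
10.10.10.128 - - [01/Jan/2012:10:00:02 +0000] "GET /cgi/ HTTP/1.1" 404 210 "-" "-"
10.10.10.128 - - [01/Jan/2012:10:00:02 +0000] "GET /tikiwiki/ HTTP/1.1" 200 512 "-" "-"
10.10.10.50 - - [01/Jan/2012:10:01:00 +0000] "GET /tikiwiki/tiki-listpages.php?sort_mode=pageName_asc HTTP/1.1" 200 900 "-" "-"
10.10.10.128 - - [01/Jan/2012:10:02:00 +0000] "GET /tikiwiki/tiki-listpages.php?sort_mode=CONSTRUCTED-INVALID HTTP/1.1" 200 900 "-" "-"
10.10.10.128 - - [01/Jan/2012:10:03:00 +0000] "GET /tikiwiki/tiki-graph_formula.php?constructed=1 HTTP/1.1" 200 300 "-" "-"
10.10.10.50 - - [01/Jan/2012:10:04:00 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "-"
'''

def analyze(log_text, threshold=NOT_FOUND_THRESHOLD):
    """Return (client, finding, detail) tuples that deserve review."""
    findings, not_found = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, url = m["ip"], urlsplit(m["url"])
        if m["status"] == "404":
            not_found[ip] += 1
        if not url.path.startswith("/tikiwiki/"):
            continue
        # sort_mode outside the expected field_direction shape
        for value in parse_qs(url.query, keep_blank_values=True).get("sort_mode", []):
            if not SORT_MODE_OK.match(value):
                findings.append((ip, "unexpected-sort_mode", url.path))
        # Assumption: this site does not use formula graphs, so any hit is reviewed
        if url.path.endswith("/tiki-graph_formula.php"):
            findings.append((ip, "graph-formula-request", url.path))
    # Many 404s from one client suggest directory brute-forcing
    for ip, count in not_found.items():
        if count >= threshold:
            findings.append((ip, "404-burst", str(count)))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```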
Reference:
[1] Metasploitable download link
[2] Tutorial on g0tmi1k's Blog
[3] Metasploitable official website