 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
etc/passwd - now what? |
 |
 Posted: Wed Jun 20, 2007 12:10 pm |
 |
|
| blaxenet |
| Active user |
 |
|
| Joined: Jun 20, 2007 |
| Posts: 26 |
|
|
|
 |
|
 |
|
Hi Guys,
I have gotten myself onto a server that has /etc/passwd viewable, just wondering what my next step would be.
I've never quite understood this,
Fair enough you can upload a php shell such as C99 or R57.
You can have a fiddle around providing the permissions are set in your favour, go through config files and connect to the D/B's with the passwords.
But is there anything deeper?
Hence why I have asked what's next from /etc/passwd
Thanks everyone 
BlaxeNet
(I am learning how this works!) |
|
|
|
|
|
|
|
|
| Posted: Wed Jun 20, 2007 4:13 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
If you have allready php scripting level and operating system shell level acces to server, then next try to find out operating system and kernel versions and then look for local root exploits. So next you upload that exploit's source code to server and will compile it, or upload allready precompiled exploit. Ultimate goal is to gain root access to server and install backdoor(s). And when you are root, then you can read "etc/shadow" file, so you have changes to crack root password - just for fun. Now, when you have "r00ted" that server, then you can install sniffer and spy network traffic on LAN. If the webserver is connected directly to corporative internal network, then you have possibilities to compromise lots of other computers, rip internal databases etc. But if webserver is located in DMZ, then this needs more work.
This was just one scenario. Rooting is considered as serious cybercrime, so I suggest to stay to low-privileges level |
|
|
|
|
|
|
|
|
| Posted: Wed Jun 20, 2007 4:46 pm |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| waraxe wrote: | | Rooting is considered as serious cybercrime, so I suggest to stay to low-privileges level Smile |
Good idea  |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 22, 2007 8:23 am |
|
|
| blaxenet |
| Active user |
|
|
| Joined: Jun 20, 2007 |
| Posts: 26 |
|
|
|
|
|
|
|
Hi Waraxe,
The system (Server 1) I was looking at doesn't have etc/shadow but rather a file called etc/master.passwd so I am presuming this is what I am looking for.
Needless to say, another system (Server 2) I was 'on' last night has etc/shadow so i'll have the chance to 'play' around a bit.
Just a quick rundown for you all-
**Server 1**
Software: Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.7e-p1 DAV/2 PHP/4.4.2
**Server 2**
Software: Apache/2.2.2 (Fedora). PHP/5.1.6
On both of these I have the user 'www' access.
I'm not lazy so i'll do some research later and see how I go with the above recommendation(s) and see if I can advance any further.
Of course, I only want this info for what we call educational purposes
Thanks for the info Waraxe!
BlaxeNet |
|
|
|
|
| Posted: Fri Jun 22, 2007 3:49 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Shell commands injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 111
Members: 0
Total: 111
