fapafap

Active Members, 12 posts

  1. Ah ok, thanks, so I was on the right track then in thinking it looked like a local exploit; wish 'other' people would just spit it out :P
  2. So what does that mean though? Network exploitable, and the impact section doesn't have a legend that explains the terms, that I can see.
  3. Damn, I think that might ruin my chances of getting an answer here, damn you for replying first! ;) (As a side note, isn't the autopwn angle where Hak5 shines the most, so why doesn't the forum follow the same basis? :() http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1938 is another link to the vuln. And I understand how the exploit works, but it seems to me to be a local exploit...?
  4. So after scanning with Nexpose, we have this vuln. The exploit is: http://www.securityfocus.com/bid/47950/exploit. How do you actually use it? It's supposed to be remote, but it doesn't have any input params?
  5. Hello, trying to integrate Nexpose with Metasploit but getting an error after the Nexpose scan:

     Connecting to Nexpose instance at localhost:3780 with username root...
     msf > nexpose_scan -x 192.168.0.6
     [*] Scanning 1 addresses with template pentest-audit in sets of 32
     [-] Error while running command nexpose_scan: NexposeAPI: Action failed: Nexpose service is not available
     Call stack:
     /opt/framework/msf3/lib/rapid7/nexpose.rb:211:in `execute'
     /opt/framework/msf3/lib/rapid7/nexpose.rb:654:in `execute'
     /opt/framework/msf3/lib/rapid7/nexpose.rb:265:in `scan_statistics'
     /opt/framework/msf3/plugins/nexpose.rb:532:in `cmd_nexpose_scan'
     /opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:380:in `run_command'
     /opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:342:in `block in run_single'
     /opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:336:in `each'
     /opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:336:in `run_single'
     /opt/framework/msf3/lib/rex/ui/text/shell.rb:199:in `run'
     /opt/framework/msf3/msfconsole:134:in `<main>'

     However, in the console the following was displayed, which showed the scan worked (extract):

     t) Nexpose 2012-01-01T19:01:07 [192.168.0.6] Closing service: CifsDomain[192.168.0.6:445] (source: CIFS-NT-0002)
     Nexpose 2012-01-01T19:01:07 [192.168.0.6] Closing service: CifsConnection[METASPLOITABLE/192.168.0.6:445] (source: CIFS-NT-0001)
     Scan 2012-01-01T19:21:04 [site: Metasploit-1325443802] Scan [Metasploit-1325443802] completed in 30 minutes 46 seconds
     Nexpose 2012-01-01T19:21:08 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 685582216(669513K) committed = 771751936(753664K) max = 771751936(753664K))
     Scan 2012-01-01T19:21:19 [site: Metasploit-1325443802] Scan [Metasploit-1325443802] discovered 1 live devices, 73 vulnerabilities.
     Nexpose 2012-01-01T19:21:19 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 681920544(665938K) committed = 771751936(753664K) max = 771751936(753664K))
     Nexpose 2012-01-01T19:21:21 Attempting to stop most recent report generation activity (650.3 MB\736 MB)
     Nexpose 2012-01-01T19:21:38 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 681660504(665684K) committed = 771751936(753664K) max = 771751936(753664K))
     Nexpose 2012-01-01T19:21:38 Attempting to stop most recent report generation activity (650.1 MB\736 MB)
     Nexpose 2012-01-01T19:21:40 Attempting to stop most recent report generation activity (650.1 MB\736 MB)
     ScanMgr 2012-01-01T19:21:59 Scan default:3 is being stopped.
     ScanIntegrat2012-01-01T19:22:36 Correlating asset information for scan ID default:3
     ScanIntegrat2012-01-01T19:22:50 Performing data transformations for scan ID default:3
     ScanIntegrat2012-01-01T19:22:56 Updating synopsis for scan ID 3
     ScanIntegrat2012-01-01T19:23:09 Full-text indexing device data for scan ID 3
     ScanIntegrat2012-01-01T19:23:11 Completed integration of results for scan ID default:3
     WebContentGe2012-01-01T19:23:22 Queueing web content generation for scan default:3...
     WebContentGe2012-01-01T19:23:35 Finished queueing web content generation for scan default:3.
     WebContentGe2012-01-01T19:23:35 Generating web content for site default:3...
     WebContentGe2012-01-01T19:24:49 Finished generating web content for site default:3
     ReportManage2012-01-01T19:24:57 Generating report: Metasploit Export 1325443802
     Nexpose 2012-01-01T19:24:57 NeXposeSimpleXMLReportExporter exporting to /opt/rapid7/nexpose/nsc/htroot/reports/00000003/00000003

     I know it's working then, but not sure why the error? I am running Backtrack5r1. The command sequence went, in Metasploit:

     msf > load nexpose
     msf > nexpose_connect myusername:mypassword@localhost:port
     msf > nexpose_scan -x 192.168.0.6

     192.168.0.6 is the VM I have Metasploitable set up on. An Nmap scan of this host shows that it's reachable.
  6. Thanks for your insights. I found a suid'd binary this afternoon which is root/root ------other:rwx :) I feel the net is closing in tonight! Thanks again.
  7. Thanks for replying. N.B. noted disclaimer: all this is for learning, and of course anyone hacking does so at their own risk. I traversed right back to the root directory; most directories are readable, none lower than var/www are writeable. I did a search for all SUID programs and they are all in user/bin, which are root group. The etc/password file is off limits, I can call some restricted commands such as uname -a, and safe mode is off. I haven't found anything other than an open var/mail file which gives me insight into the admin's username, but agreed it's probably not going to be the same username/password for the FTP/SSH, just based on what I have learned about Drupal so far, since that installation comes later than setting up your Apache etc. Have we exhausted all of the possibilities?
  8. Hi, I already have a shell up and it is under the www-data user. Permissions all seem to be standard throughout the server. There are no SQLi vulns as far as I am aware; it is a Drupal-based site, fully patched up.
  9. Hi, I am interested in learning more about the following suggestions: What I have read so far on this (thank you for bringing me onto it!) is that this is really only ever going to be a realistic opportunity where you are in a bulky corporate or personal network where third-party programs have dropped miscreant SUID'd programs unchecked by admins; the standard Linux distro apps are clearly going to be 99% bug free. For my purposes of hacking the server a website is hosted on, this makes it not really a high chance of success, and that's before getting into the actual shell coding! Let's say I have access to: /var/www/www.website.com/htdocs/ Can you elaborate from there? How could malicious files give root access from here?
  10. Hi, thanks for your reply. I have googled around the topics you have mentioned but can't find any decent information; can you elaborate at all please, mate?
  11. First post here. After getting a web shell up on your target website, the next step is to try and root the box and then backdoor it. The only methods I seem to be able to find so far are to search for a local kernel exploit and run it through a backconnection. When your target has a 2011 kernel that's obviously not an option (to 99% of us), but nobody can tell me so far what the alternative course of action (if any) is to still manage to root it. I haven't left this topic alone despite not getting any information on it, because I think that there must be other ways to do this after you have access to the box via the shell and can potentially upload/run malware, which surely could include things like rootkits which could circumvent kernel-level authentication, or key loggers, or whatever? Ok, enough newbie notions, please any knowledgeable hackers enlighten me!