fapafap
Active Members
Posts: 12
Everything posted by fapafap
-
Ah, OK, thanks. So I was on the right track then in thinking it looked like a local exploit; I wish 'other' people would just spit it out :P
-
So what does that mean, though? "Network exploitable"? And the impact section doesn't have a legend that explains the terms, that I can see.
-
Damn, I think that might ruin my chances of getting an answer here; damn you for replying first! ;) (As a side note, isn't the autopwn angle where Hak5 shines the most, so why not have the forum follow the same basis? :() http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1938 That's another link to the vuln. And I understand how the exploit works, but it seems to me to be a local exploit...?
-
Hello, trying to integrate Nexpose with Metasploit, but getting an error after the Nexpose scan:

Connecting to Nexpose instance at localhost:3780 with username root...
msf > nexpose_scan -x 192.168.0.6
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[-] Error while running command nexpose_scan: NexposeAPI: Action failed: Nexpose service is not available
Call stack:
/opt/framework/msf3/lib/rapid7/nexpose.rb:211:in `execute'
/opt/framework/msf3/lib/rapid7/nexpose.rb:654:in `execute'
/opt/framework/msf3/lib/rapid7/nexpose.rb:265:in `scan_statistics'
/opt/framework/msf3/plugins/nexpose.rb:532:in `cmd_nexpose_scan'
/opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:380:in `run_command'
/opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:342:in `block in run_single'
/opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:336:in `each'
/opt/framework/msf3/lib/rex/ui/text/dispatcher_shell.rb:336:in `run_single'
/opt/framework/msf3/lib/rex/ui/text/shell.rb:199:in `run'
/opt/framework/msf3/msfconsole:134:in `<main>'

However, in the console the following was displayed, which showed the scan worked (extract):

Nexpose 2012-01-01T19:01:07 [192.168.0.6] Closing service: CifsDomain[192.168.0.6:445] (source: CIFS-NT-0002)
Nexpose 2012-01-01T19:01:07 [192.168.0.6] Closing service: CifsConnection[METASPLOITABLE/192.168.0.6:445] (source: CIFS-NT-0001)
Scan 2012-01-01T19:21:04 [site: Metasploit-1325443802] Scan [Metasploit-1325443802] completed in 30 minutes 46 seconds
Nexpose 2012-01-01T19:21:08 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 685582216(669513K) committed = 771751936(753664K) max = 771751936(753664K))
Scan 2012-01-01T19:21:19 [site: Metasploit-1325443802] Scan [Metasploit-1325443802] discovered 1 live devices, 73 vulnerabilities.
Nexpose 2012-01-01T19:21:19 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 681920544(665938K) committed = 771751936(753664K) max = 771751936(753664K))
Nexpose 2012-01-01T19:21:21 Attempting to stop most recent report generation activity (650.3 MB\736 MB)
Nexpose 2012-01-01T19:21:38 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 681660504(665684K) committed = 771751936(753664K) max = 771751936(753664K))
Nexpose 2012-01-01T19:21:38 Attempting to stop most recent report generation activity (650.1 MB\736 MB)
Nexpose 2012-01-01T19:21:40 Attempting to stop most recent report generation activity (650.1 MB\736 MB)
ScanMgr 2012-01-01T19:21:59 Scan default:3 is being stopped.
ScanIntegrat2012-01-01T19:22:36 Correlating asset information for scan ID default:3
ScanIntegrat2012-01-01T19:22:50 Performing data transformations for scan ID default:3
ScanIntegrat2012-01-01T19:22:56 Updating synopsis for scan ID 3
ScanIntegrat2012-01-01T19:23:09 Full-text indexing device data for scan ID 3
ScanIntegrat2012-01-01T19:23:11 Completed integration of results for scan ID default:3
WebContentGe2012-01-01T19:23:22 Queueing web content generation for scan default:3...
WebContentGe2012-01-01T19:23:35 Finished queueing web content generation for scan default:3.
WebContentGe2012-01-01T19:23:35 Generating web content for site default:3...
WebContentGe2012-01-01T19:24:49 Finished generating web content for site default:3
ReportManage2012-01-01T19:24:57 Generating report: Metasploit Export 1325443802
Nexpose 2012-01-01T19:24:57 NeXposeSimpleXMLReportExporter exporting to /opt/rapid7/nexpose/nsc/htroot/reports/00000003/00000003

I know it's working then, but not sure why the error? I am running BackTrack 5 R1. The command sequence went, in Metasploit:

msf > load nexpose
msf > nexpose_connect myusername:mypassword@localhost:port
msf > nexpose_scan -x 192.168.0.6

which is the VM I have Metasploitable set up on. An Nmap scan on this host shows that it's reachable.
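The call stack in the post shows the failure came from scan_statistics, i.e. while msfconsole was polling the console after the scan, and the console extract shows what Nexpose was busy with in that window: the scan finished at 19:21:04, three "CMS Old Gen memory usage at 88%" warnings and three report-generation stops followed, and the Metasploit export report only started at 19:24:57. The script below is an added example (Python, not code from the post, from Rapid7 or from the Metasploit project) that parses that exact log extract and lines those events up, which is the first thing to check when nexpose_scan reports "service is not available" even though the scan completed. The log text is copied from the post; the 85% old-gen threshold and the result keys are assumptions of this example.

```python
"""Triage of the Nexpose console log quoted above (added example; not code from
the post, Rapid7 or Metasploit). The log text is copied from the post; the 85%
old-gen threshold and the result keys are assumptions of this example."""
import re
from dataclasses import dataclass
from datetime import datetime

# Copied from the post, not constructed. Raw string so "650.3 MB\736 MB" survives.
NEXPOSE_LOG = r"""
Nexpose 2012-01-01T19:01:07 [192.168.0.6] Closing service: CifsDomain[192.168.0.6:445] (source: CIFS-NT-0002)
Nexpose 2012-01-01T19:01:07 [192.168.0.6] Closing service: CifsConnection[METASPLOITABLE/192.168.0.6:445] (source: CIFS-NT-0001)
Scan 2012-01-01T19:21:04 [site: Metasploit-1325443802] Scan [Metasploit-1325443802] completed in 30 minutes 46 seconds
Nexpose 2012-01-01T19:21:08 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 685582216(669513K) committed = 771751936(753664K) max = 771751936(753664K))
Scan 2012-01-01T19:21:19 [site: Metasploit-1325443802] Scan [Metasploit-1325443802] discovered 1 live devices, 73 vulnerabilities.
Nexpose 2012-01-01T19:21:19 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 681920544(665938K) committed = 771751936(753664K) max = 771751936(753664K))
Nexpose 2012-01-01T19:21:21 Attempting to stop most recent report generation activity (650.3 MB\736 MB)
Nexpose 2012-01-01T19:21:38 WARNING: CMS Old Gen memory usage at 88% capacity (init = 260046848(253952K) used = 681660504(665684K) committed = 771751936(753664K) max = 771751936(753664K))
Nexpose 2012-01-01T19:21:38 Attempting to stop most recent report generation activity (650.1 MB\736 MB)
Nexpose 2012-01-01T19:21:40 Attempting to stop most recent report generation activity (650.1 MB\736 MB)
ScanMgr 2012-01-01T19:21:59 Scan default:3 is being stopped.
ScanIntegrat2012-01-01T19:22:36 Correlating asset information for scan ID default:3
ScanIntegrat2012-01-01T19:22:50 Performing data transformations for scan ID default:3
ScanIntegrat2012-01-01T19:22:56 Updating synopsis for scan ID 3
ScanIntegrat2012-01-01T19:23:09 Full-text indexing device data for scan ID 3
ScanIntegrat2012-01-01T19:23:11 Completed integration of results for scan ID default:3
WebContentGe2012-01-01T19:23:22 Queueing web content generation for scan default:3...
WebContentGe2012-01-01T19:23:35 Finished queueing web content generation for scan default:3.
WebContentGe2012-01-01T19:23:35 Generating web content for site default:3...
WebContentGe2012-01-01T19:24:49 Finished generating web content for site default:3
ReportManage2012-01-01T19:24:57 Generating report: Metasploit Export 1325443802
Nexpose 2012-01-01T19:24:57 NeXposeSimpleXMLReportExporter exporting to /opt/rapid7/nexpose/nsc/htroot/reports/00000003/00000003
"""

# The console truncates component names to 12 characters and fuses them to the
# timestamp ("ScanIntegrat2012-..."), so the component is the leading run of letters.
LINE_RE = re.compile(r"^(?P<component>[A-Za-z]+)\s*(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(?P<msg>.*)$")
MEM_RE = re.compile(r"CMS Old Gen memory usage at (?P<pct>\d+)% capacity \(init = \d+\(\d+K\) "
                    r"used = (?P<used>\d+)\(\d+K\) committed = \d+\(\d+K\) max = (?P<max>\d+)\(\d+K\)\)")
DISCOVERED_RE = re.compile(r"discovered (?P<devices>\d+) live devices, (?P<vulns>\d+) vulnerabilities")
COMPLETED_RE = re.compile(r"\] completed in (?P<duration>.+)$")
STOPPED_RE = re.compile(r"^Scan (?P<scan_id>\S+) is being stopped\.$")
REPORT_STOP = "Attempting to stop most recent report generation activity"
EXPORT_START = "Generating report: "


@dataclass
class Entry:
    component: str
    ts: datetime
    msg: str


@dataclass
class MemoryWarning:
    ts: datetime
    pct: int
    used: int
    max: int

    @property
    def used_fraction(self):
        return self.used / self.max


def parse_log(text):
    """Split the console extract into (component, timestamp, message) entries."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything that is not a timestamped console line is ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            entries.append(Entry(m["component"], ts, m["msg"]))
    return entries


def triage(text, old_gen_threshold_pct=85):
    """Pull out the events that matter for the nexpose_scan error: when the scan
    finished, what it found, JVM old-gen warnings, report-generation stops, and
    when the Metasploit export report finally started."""
    r = {"scan_completed_at": None, "scan_duration": None, "live_devices": None,
         "vulnerabilities": None, "memory_warnings": [], "report_generation_stops": 0,
         "scan_stopped_ids": [], "export_started_at": None}
    for e in parse_log(text):
        if (m := MEM_RE.search(e.msg)):
            r["memory_warnings"].append(MemoryWarning(e.ts, int(m["pct"]), int(m["used"]), int(m["max"])))
        elif (m := DISCOVERED_RE.search(e.msg)):
            r["live_devices"], r["vulnerabilities"] = int(m["devices"]), int(m["vulns"])
        elif (m := COMPLETED_RE.search(e.msg)):
            r["scan_completed_at"], r["scan_duration"] = e.ts, m["duration"]
        elif (m := STOPPED_RE.match(e.msg)):
            r["scan_stopped_ids"].append(m["scan_id"])
        elif REPORT_STOP in e.msg:
            r["report_generation_stops"] += 1
        elif e.msg.startswith(EXPORT_START) and r["export_started_at"] is None:
            r["export_started_at"] = e.ts
    r["peak_old_gen_pct"] = max((w.pct for w in r["memory_warnings"]), default=0)
    r["under_memory_pressure"] = r["peak_old_gen_pct"] >= old_gen_threshold_pct
    if r["scan_completed_at"] and r["export_started_at"]:
        # msfconsole polls scan_statistics in this gap; here it is almost four minutes
        gap = r["export_started_at"] - r["scan_completed_at"]
        r["seconds_from_scan_complete_to_export"] = int(gap.total_seconds())
    return r


if __name__ == "__main__":
    for key, value in triage(NEXPOSE_LOG).items():
        print(f"{key}: {value}")
```

The script only reads the posted extract; it does not talk to the console. A heap sitting at 88% of its maximum for the whole post-scan window, while the console is stopping report generation, is worth checking against the console's JVM memory setting before blaming the plugin, and the 233-second gap between scan completion and the export starting is the window in which the plugin's scan_statistics poll failed.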
-
Thanks for your insights. I found a SUID'd binary this afternoon which is root/root ------other:rwx :) I feel the net is closing in tonight! Thanks again.
-
Thanks for replying. N.B. noted the disclaimer; all this is for learning, and of course anyone hacking does so at their own risk. I traversed right back to the root directory: most directories are readable, none lower than var/www is writeable. I did a search for all SUID programs and they are all in user/bin, which are root group. The etc/password file is off limits, I can call some restricted commands such as uname -a, and safe mode is off. I haven't found anything other than an open var/mail file which gives me insight into the admin's username, but agreed, it's probably not going to be the same username/password for the FTP/SSH, just based on what I have learned about Drupal so far, since that installation comes later than setting up your Apache etc. Have we exhausted all of the possibilities?
-
Hi, I already have a shell up and it is under the www-data user. Permissions all seem to be standard throughout the server. There are no SQLi vulns as far as I am aware; it is a Drupal-based site, fully patched up.
-
Hi, I am interested in learning more about the following suggestions. What I have read so far on this (thank you for bringing me onto it!) is that this is really only ever going to be a realistic opportunity where you are in a bulky corporate or personal network where third-party programs have dropped miscreant SUID'd programs unchecked by admins; the standard Linux distro apps are clearly going to be 99% bug-free. For my purposes of hacking the server a website is hosted on, this does not really have a high chance of success, and that's before getting into the actual shell coding! Let's say I have access to: /var/www/www.website.com/htdocs/ Can you elaborate from there? How could malicious files give root access from here?
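The posts above describe doing the local enumeration by hand from the www-data shell: walking back to the root directory, noting what is writeable, searching for SUID programs and checking who owns them. The script below is an added example (Python, not code from the posts or from any tool they mention) that does the same pass programmatically and separates the setuid/setgid files that are routine from the ones worth a second look: not owned by root, world-writable, or outside the directories a stock distro installs them in. It also lists world-writable directories without the sticky bit, since those are where a dropped file can be swapped out. The "usual" directory list is an assumption, and run_demo() builds a small constructed tree under a temp directory so the checks can be exercised without touching a real system.

```python
"""Local enumeration of the file-system checks described in the posts above.
Added example, not code from the original posts. The USUAL_SUID_DIRS list is
an assumption; run_demo() builds a constructed tree, not a real system."""
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Assumed: where a stock Linux distro keeps its setuid/setgid helpers.
USUAL_SUID_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")


@dataclass
class Finding:
    path: str   # absolute path on disk
    rel: str    # path relative to the scanned root, written as an absolute path
    mode: int
    uid: int

    @property
    def mode_string(self):
        return stat.filemode(self.mode)  # ls-style, e.g. "-rwsr-xr-x"


@dataclass
class Report:
    suid_files: list = field(default_factory=list)
    suid_nonroot: list = field(default_factory=list)
    suid_world_writable: list = field(default_factory=list)
    suid_unusual_location: list = field(default_factory=list)
    writable_dirs_no_sticky: list = field(default_factory=list)


def _rel(root, path):
    return os.path.join("/", os.path.relpath(path, root))


def enumerate_tree(root="/", usual_dirs=USUAL_SUID_DIRS):
    """Walk one filesystem (like find -xdev) and classify setuid/setgid files
    and world-writable directories. Unreadable entries are skipped, which is
    what a low-privilege shell will hit under /root, /proc and friends."""
    report = Report()
    root_dev = os.lstat(root).st_dev

    def on_device(p):
        try:
            return os.lstat(p).st_dev == root_dev
        except OSError:
            return False

    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if on_device(os.path.join(dirpath, d))]
        for d in dirnames:
            p = os.path.join(dirpath, d)
            st = os.lstat(p)
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                report.writable_dirs_no_sticky.append(Finding(p, _rel(root, p), st.st_mode, st.st_uid))
        for f in filenames:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            fnd = Finding(p, _rel(root, p), st.st_mode, st.st_uid)
            report.suid_files.append(fnd)
            if st.st_uid != 0:
                report.suid_nonroot.append(fnd)       # only elevates to its owner, not root
            if st.st_mode & stat.S_IWOTH:
                report.suid_world_writable.append(fnd)  # body can be replaced by anyone
            if not any(fnd.rel.startswith(d + "/") for d in usual_dirs):
                report.suid_unusual_location.append(fnd)
    for lst in (report.suid_files, report.suid_nonroot, report.suid_world_writable,
                report.suid_unusual_location, report.writable_dirs_no_sticky):
        lst.sort(key=lambda x: x.path)
    return report


def run_demo():
    """Constructed tree (not a real system): one normal setuid and one setgid
    helper under usr/bin, a world-writable setuid file dropped under tmp/drop,
    and an ordinary web file. Returns the root, the paths and the report."""
    base = tempfile.mkdtemp(prefix="privesc-demo-")
    dirs = {"usr": 0o755, "usr/bin": 0o755, "tmp": 0o1777, "tmp/drop": 0o777,
            "var": 0o755, "var/www": 0o755}
    files = {"usr/bin/passwd": 0o4755, "usr/bin/wall": 0o2755,
             "tmp/drop/helper": 0o4777, "var/www/index.php": 0o644}
    for d in dirs:
        os.makedirs(os.path.join(base, d), exist_ok=True)
    for f, mode in files.items():
        open(os.path.join(base, f), "w").close()
        os.chmod(os.path.join(base, f), mode)
    for d, mode in dirs.items():  # set dir modes last, independent of umask
        os.chmod(os.path.join(base, d), mode)
    paths = {k: os.path.join(base, k) for k in list(dirs) + list(files)}
    return base, paths, enumerate_tree(base)


if __name__ == "__main__":
    _, _, rep = run_demo()
    for name in ("suid_files", "suid_nonroot", "suid_world_writable",
                 "suid_unusual_location", "writable_dirs_no_sticky"):
        print(name, [(f.rel, f.mode_string, f.uid) for f in getattr(rep, name)])
```

Run it with no arguments for the demo, or call enumerate_tree("/") from the target shell. The interesting output is the three "second look" lists, not the full setuid list: a stock install will have a dozen or so setuid binaries under /usr/bin owned by root, which is what the poster found, and that by itself is not a finding.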
-
Hi and thanks for your input too.
-
Hi, thanks for your reply. I have Googled around the topics you have mentioned but can't find any decent information; can you elaborate at all, please, mate?
-
First post here. After getting a web shell up on your target website, the next step is to try and root the box and then backdoor it. The only methods I seem to be able to find so far are to search for a local kernel exploit and run it through a back-connection. When your target has a 2011 kernel that's obviously not an option (to 99% of us), but nobody can tell me so far what the alternative course of action (if any) is to still manage to root it. I haven't left this topic alone despite not getting any information on it, because I think that there must be other ways to do this after you have access to the box via the shell and can potentially upload/run malware, which surely could include things like rootkits which could circumvent kernel-level authentication, or key loggers, or whatever? OK, enough newbie notions; please, any knowledgeable hackers, enlighten me!