6 replies to this topic

[2point0]

Hi everyone, as the title implies recently a friend of mine set up a linux server. As I am currently going to school for network security (first year) and have a minor amount of previous pen testing experience, I jumped at the opportunity to check it out. By no means am I anything close to an expert hacker but I have been reading as much as I can and practicing as ethically as possible. I'm a bit stuck now, I feel that I have a lot of information about the system but I'm not quite sure how to apply it.

Here's what I know:

From NMap...

PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http Apache httpd
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1720/tcp filtered H.323/Q.931
2233/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)

I also know there there is currently no firewall set up.

A nessus scan didn't turn up a ton of useful information, at least not that I could see.
From Nessus

The following files are calling the function phpinfo() which
disclose potentially sensitive information to the remote attacker :
/test/phpinfo.php
/test/info.php

I actually retract what I mentioned about useful information. There was a www.websitehere.org/test.php but after I mentioned that I found it my friend deleted it. I did however manage to save a copy and can view the information at any time so let's assume I have access to everything test.php would tell me.

In addition to NMap and Nessus, I ran Nikto and gathered some random info, namely it was pointing out test.php. There were other directories that required authorization to view and from what I could tell, SWL injection was not an option for hacking /phpmyadmin.

With these things in mind, how should I go about getting into this machine? I read up on as much as I could on the services listed on test.php such as:

PHP Version 5.2.3-1ubuntu6
Server APi
PHP Core Configuration
Apache API version
Info on the Apache Environment

and as I said, pretty much anything test.php lists and ways to exploit them. Unfortunately, I've hit a wall.

Despite all the reading I've done I was hoping someone would be kind enough to point me in the right direction as to how I should proceed from here. Any and all help is much appreciated. Thanks!

Edited by 2point0, 16 November 2007 - 03:32 AM.

[xantr3x]

Metasploit. A skiddies wet dream.

[2point0]

Metasploit. A skiddies wet dream.

I'm not really interested in just being a script kiddie with this one.

[xantr3x]

Then hand-code an exploit and execute it yourself. </sarcasm>
You don't need to reinvent the wheel for everything you do. Just make sure you understand the tools you use, and that you know how it works.

[2point0]

Then hand-code an exploit and execute it yourself. </sarcasm>
You don't need to reinvent the wheel for everything you do. Just make sure you understand the tools you use, and that you know how it works.

Ok, I fired up Metasploit and I can't find an effective exploit...

[xantr3x]

Update your exploit library. They don't update the binary, I believe.

[quibits]

Your Nmap scan shows a open ssh server running. you could try a remote login brute force for accounts on the box. some tools are Hydra and Brutus. this is a very loud method and if your friend is monitoring their logs they will see a lot of login attempts. its not uncommon to see 100000 failed login attempts per attack from a network login brute force. Also there is some netbios protocols open. a good way to get more information about the machine is to enumerate any shares available via netbios.