2point0

Pen Testing for a friend

7 posts in this topic

Hi everyone, as the title implies, recently a friend of mine set up a Linux server. As I am currently going to school for network security (first year) and have a minor amount of previous pen testing experience, I jumped at the opportunity to check it out. By no means am I anything close to an expert hacker, but I have been reading as much as I can and practicing as ethically as possible. I'm a bit stuck now; I feel that I have a lot of information about the system but I'm not quite sure how to apply it.

Here's what I know:

From NMap...

PORT      STATE     SERVICE       VERSION
25/tcp    filtered  smtp
80/tcp    open      http          Apache httpd
135/tcp   filtered  msrpc
136/tcp   filtered  profile
137/tcp   filtered  netbios-ns
138/tcp   filtered  netbios-dgm
139/tcp   filtered  netbios-ssn
445/tcp   filtered  microsoft-ds
1720/tcp  filtered  H.323/Q.931
2233/tcp  open      ssh           OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)

I also know that there is currently no firewall set up.

A Nessus scan didn't turn up a ton of useful information, at least not that I could see.

From Nessus

The following files are calling the function phpinfo() which
disclose potentially sensitive information to the remote attacker :
/test/phpinfo.php
/test/info.php

I actually retract what I mentioned about useful information. There was a www.websitehere.org/test.php but after I mentioned that I found it my friend deleted it. I did however manage to save a copy and can view the information at any time so let's assume I have access to everything test.php would tell me.

In addition to NMap and Nessus, I ran Nikto and gathered some random info, namely it was pointing out test.php. There were other directories that required authorization to view and from what I could tell, SQL injection was not an option for hacking /phpmyadmin.

With these things in mind, how should I go about getting into this machine? I read up on as much as I could on the services listed on test.php such as:

PHP Version 5.2.3-1ubuntu6
Server API
PHP Core Configuration
Apache API version
Info on the Apache Environment

and as I said, pretty much anything test.php lists and ways to exploit them. Unfortunately, I've hit a wall.

Despite all the reading I've done I was hoping someone would be kind enough to point me in the right direction as to how I should proceed from here. Any and all help is much appreciated. Thanks!

Edited by 2point0

Metasploit. A skiddie's wet dream.

I'm not really interested in just being a script kiddie with this one.


Then hand-code an exploit and execute it yourself. </sarcasm>

You don't need to reinvent the wheel for everything you do. Just make sure you understand the tools you use, and that you know how they work.

Then hand-code an exploit and execute it yourself. </sarcasm>

You don't need to reinvent the wheel for everything you do. Just make sure you understand the tools you use, and that you know how they work.

Ok, I fired up Metasploit and I can't find an effective exploit...


Update your exploit library. They don't update the binary, I believe.


Your Nmap scan shows an open SSH server running. You could try a remote login brute force for accounts on the box. Some tools are Hydra and Brutus. This is a very loud method, and if your friend is monitoring their logs they will see a lot of login attempts. It's not uncommon to see 100000 failed login attempts per attack from a network login brute force. Also, there are some NetBIOS protocols open. A good way to get more information about the machine is to enumerate any shares available via NetBIOS.

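The log signature the last reply describes (many failed SSH logins from one source in a short time), seen from the server owner's side. This is an added example, not part of the original thread: it assumes classic syslog-format sshd lines as found in auth.log, the threshold, window and year values are illustrative, and the sample lines are constructed using documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH logs "Failed password for [invalid user ]NAME from ADDR port N ssh2".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {source: usernames tried} for every source with `threshold`
    or more failed logins inside any `window`-long interval."""
    recent = defaultdict(deque)  # source -> failure times still inside the window
    users = defaultdict(set)     # source -> every username it tried
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        users[src].add(m["user"])
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = users[src]  # same set object, so later names are included
    return flagged

def sample_log():
    """Constructed lines: a burst from 203.0.113.7, two typos from 198.51.100.20."""
    names = ["root", "admin", "test", "oracle", "root", "guest"]
    burst = [
        f"Mar  3 10:15:{2 * i:02d} web sshd[41{i:02d}]: Failed password for "
        f"{'' if n == 'root' else 'invalid user '}{n} from 203.0.113.7 port {40100 + i} ssh2"
        for i, n in enumerate(names)
    ]
    typos = [
        "Mar  3 10:16:10 web sshd[4200]: Failed password for alice from 198.51.100.20 port 51000 ssh2",
        "Mar  3 10:21:40 web sshd[4201]: Failed password for alice from 198.51.100.20 port 51002 ssh2",
        "Mar  3 10:21:55 web sshd[4202]: Accepted password for alice from 198.51.100.20 port 51004 ssh2",
    ]
    return burst + typos

if __name__ == "__main__":
    for src, tried in find_bruteforce(sample_log()).items():
        print(f"{src}: repeated SSH failures, usernames tried: {sorted(tried)}")
```

A fixed window like this misses slow guessing spread over hours, so a longer window with a higher threshold is a useful second pass over the same log.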
