IS2C DOJO

Saturday, 15 March 2014

Pentesting pWnOS [1]

Information Gathering & Service Enumeration

Tool: Nmap


Open ports:
  • 22/tcp ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
  • 80/tcp http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
  • 139/tcp netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
  • 445/tcp netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
  • 10000/tcp http MiniServ 0.01 (Webmin httpd)

Other information:
  • MAC address: 08:00:27:E4:D5:34 (Cadmus Computer Systems, the OUI VirtualBox assigns to its virtual NICs)
  • OS: Linux 2.6.22

Note that the Samba banner only says 3.X, so the exact version is not pinned by this scan; the OpenSSH, Apache and PHP package versions all correspond to a 2007-era Ubuntu build.


Vulnerability Assessment

Tool: Nessus


Vulnerabilities:
  • Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
    • The OpenSSL package Debian shipped between September 2006 and May 2008 (CVE-2008-0166) seeded its PRNG with almost no entropy, so SSH and SSL keys generated on affected Debian and Ubuntu systems come from a small, enumerable set. An attacker can precompute that set and recover the private key matching any such public key, which may compromise encryption keys and give access to sensitive data. The package versions seen above are 2007-era Ubuntu builds, inside the affected window, so keys generated on this host should be checked against the known-weak key lists.
  • Samba 'AndX' Request Heap-Based Buffer Overflow
    • Samba's process.c mishandles chained ("AndX") request packets, which can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions prior to 3.4.0; since nmap only reported the banner as 3.X, confirm the exact Samba version before relying on this finding.
  • Apache HTTP Server httpOnly Cookie Information Disclosure
    • Apache's default error response for status code 400 echoes the offending request headers back to the client. If no custom ErrorDocument is configured, a remote attacker who can trigger that error from a victim's browser can use it to disclose httpOnly cookies and other sensitive information.
  • HTTP TRACE / TRACK Methods Allowed
    • TRACE is a diagnostic method that echoes the received request back to the client, including its headers, which is useful for troubleshooting pages and is also the basis of cross-site tracing attacks. As the Apache Foundation's response to the CVE points out, the same information can be obtained in other, more typical ways, so the CVE is a rather weak representation of a real problem. Disabling the method (TraceEnable off) is still cheap.
  • SMB Signing Required
    • This finding means the Samba server does not require signing. SMB signing can be configured for the Workstation service (outgoing connections) and the Server service (incoming connections). When signing is merely enabled, clients that support it and clients that do not can both connect; when it is required, both computers in the SMB connection must support signing, and the connection fails if one does not. Without required signing, an attacker on the network path can tamper with or relay SMB sessions.
  • Webmin / Usermin Null Byte Filtering Vulnerabilities
    • Webmin and Usermin both ship the Perl script 'miniserv.pl' as their web server, and the version installed on this host fails to filter null characters from URLs. An attacker may be able to exploit this to reveal the source code of CGI scripts, obtain directory listings, or launch cross-site scripting attacks against the affected application.

Exploit

From the list above I will start with Webmin, using Metasploit.

First, I search Metasploit for Webmin modules.


Metasploit has several Webmin modules; I choose the file disclosure module to read system information, starting with /etc/passwd.


That gives us the list of users on the server. Next I try to grab /etc/shadow.


That works too: miniserv.pl runs as root, so the disclosure bug reads files the web server user could never open. We now have users and password hashes, and can crack the hashes with John.
But first, let's grab some other files.


index1.php includes a file named by user input, so there is a second vulnerability here (local file inclusion). Let's try to include the Apache access log and plant a web shell on the server through it.

Update: including the Apache access log failed, because the web server user does not have permission to read it.

Now I will start cracking the passwords with John...
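Before handing the recovered files to John, the passwd and shadow files have to be merged (what John's `unshadow` does) and each hash's type identified so the right `--format` can be chosen. The following Python is an added example, not code from the original post; the passwd and shadow lines are constructed samples with placeholder hash strings of the right shape, not hashes of real pWnOS passwords, and the user names are invented.

```python
import re

# Constructed sample files in /etc/passwd and /etc/shadow layout. The hash strings
# are placeholders of the right shape, not hashes of any real password.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""

SAMPLE_SHADOW = """root:$1$k3Zq9Xw2$Yk7bD0rQ1aS8cUeLmN4vJ.:16130:0:99999:7:::
daemon:*:16130:0:99999:7:::
alice:$6$h2Tq8Lp4$Vd9Zw3Xc7Nb1Rm5Qt2Fs6Gk8Jh4Lp0Mn2Bv7Cx9Zq1Ws3Ed5Rf7Tg9Yh1Uj3Ik5Ol7Pm9Ab/:16130:0:99999:7:::
bob:!:16130:0:99999:7:::
"""

# Hash prefix -> John the Ripper --format name.
JOHN_FORMATS = [
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\$2[abxy]\$"), "bcrypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt"),  # traditional 13-char DES crypt
]


def parse_colon_file(text: str) -> dict:
    """Parse a colon-separated file (passwd or shadow) into {user: fields}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def identify_hash(field: str):
    """Return the John format for a shadow password field, or None if the account
    has no crackable hash ('*', '!', empty, or an unresolved 'x')."""
    field = field.lstrip("!")  # a locked account's hash is still crackable offline
    if field in ("", "*", "x"):
        return None
    for pattern, fmt in JOHN_FORMATS:
        if pattern.match(field):
            return fmt
    return "unknown"


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Merge like John's `unshadow`: each passwd line with its password field
    replaced by the hash from shadow. The '!' lock marker is stripped so the
    hash stays in a form John parses."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in passwd.items():
        if user in shadow:
            fields = list(fields)
            fields[1] = shadow[user][1].lstrip("!")
        merged.append(":".join(fields))
    return merged


def john_targets(merged_lines: list) -> dict:
    """Group crackable accounts by John --format so each can be run separately."""
    targets = {}
    for line in merged_lines:
        user, hashval = line.split(":")[:2]
        fmt = identify_hash(hashval)
        if fmt is None:
            continue
        targets.setdefault(fmt, []).append(user)
    return targets


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(merged))
    print(john_targets(merged))
```

Write the merged lines to a file and run John once per format, for example `john --format=md5crypt merged.txt` for root and `john --format=sha512crypt merged.txt` for alice; accounts whose field is `*` or `!` alone have no hash and are skipped, which saves cracking time on service accounts.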


to be continued.....
