Wednesday, August 8, 2012

Owning Root Shell via Mysql Client - Metasploitable 2

For this test I use BackTrack 5 R3 Blackhat Edition as the attacking machine, and the target is Metasploitable 2. This simulation shows how to get a root shell through a vulnerable MySQL service on the Ubuntu server (Metasploitable 2).

The first step is, of course, scanning the network. That is the first step of any network hacking, and I always remember it from my "Sensei": the first step is Information Gathering. "How can you know about the target without gathering information first!?"
Let's open nmap and run a scan:
 
The highlighted entry is the exploitation target, MySQL, and the scan also tells us its version. This step is "Service Enumeration": collecting data about the running services. Next I searched for known vulnerabilities in that version of MySQL and found the information here

That step is the "Vulnerability Assessment". We now have the information needed to start exploitation, so let's open Metasploit in the console.
After opening Metasploit I search for mysql, get a few results, and choose the login module, because I will try to brute-force the MySQL login.
After selecting the auxiliary module with use, I type show options to see how to use the tool, and get the information shown here.
The highlighted options are the ones that need to be filled in, using the information from the Information Gathering step: RHOSTS is the target IP and PASS_FILE is the password dictionary for the brute force, so let's fill them in as shown here.
After filling in the options, start the module with run or exploit. Brute-forcing with the dictionary takes a few minutes, so please be patient.
Evidently the username is ROOT with no password, so try connecting to the target's MySQL from another terminal console.
Once inside the MySQL client with MySQL admin rights, we can look at /etc/passwd with this command
We found the data in /etc/passwd. After that I try to get access through the SSH server, so go back to the Metasploit console and search for the SSH login module.
After choosing the auxiliary module with use, do the same as before: type show options to see how to use it, and fill in the options with the information gathered in the previous steps.
This is brute-forcing too, so it takes a few minutes; be patient. After waiting a few minutes we get a result like this.
We found the password for msfadmin. Type sessions -l to view the sessions at this step, as shown here.
There is an active session. Interact with it by typing sessions -i 1, which opens the active session with id 1, as shown here.
Now we are inside the server system. Test it with the ifconfig command or something similar to identify the machine, as shown here.
See, we have IP 192.168.56.102, which is the target's IP and further proof that this is the target system.
To get access from outside Metasploit, I'll connect from a normal console, since we already have the user and password.
We get a real root shell.
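
The weakness this walkthrough depends on, a MySQL root account with no password that accepts connections from the network, can be checked for on your own servers by auditing mysql.user. The following is an added example, not part of the original post; it assumes the account rows were exported as tab-separated user, host, password hash and File_priv (the hash column is Password on older MySQL and authentication_string from 5.7), and all sample rows are constructed.

```python
# Added example (not from the original post). Audits rows exported from
# mysql.user; every sample row below is constructed.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
FAKE_HASH = "*" + "A" * 40  # constructed placeholder, not a real hash

# Assumed export format: user, host, password hash, File_priv, tab-separated,
# as printed by the mysql client in batch mode (-B -N).
SAMPLE_ROWS = "\n".join([
    "root\t%\t\tY",
    f"root\tlocalhost\t{FAKE_HASH}\tY",
    f"app\t10.0.0.%\t{FAKE_HASH}\tN",
    "guest\t%\tNULL\tN",
    "backup\tlocalhost\t\tN",
    f"web\tlocalhost\t{FAKE_HASH}\tN",
])


def audit_accounts(tsv):
    """Return {account: [issues]} for every account with at least one issue."""
    findings = {}
    for line in tsv.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"expected 4 tab-separated fields: {line!r}")
        user, host, pw_hash, file_priv = fields
        issues = []
        if pw_hash in ("", "NULL"):      # batch mode prints SQL NULL as "NULL"
            issues.append("empty-password")
        if host not in LOCAL_HOSTS:      # account usable from other machines
            issues.append("remote-host")
        if file_priv.upper() == "Y":     # account may read files on the server
            issues.append("file-priv")
        if issues:
            findings[f"{user or '<anonymous>'}@{host}"] = issues
    return findings


def severity(issues):
    """Rank a finding; passwordless and network-reachable is the case above."""
    if "empty-password" in issues and "remote-host" in issues:
        return "critical"
    if "empty-password" in issues:
        return "high"
    return "review"


if __name__ == "__main__":
    for account, issues in audit_accounts(SAMPLE_ROWS).items():
        print(f"{severity(issues):8} {account:18} {', '.join(issues)}")
```

Any account ranked critical should get a password and a host restriction, and File_priv should be revoked from accounts that do not need it.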
