If anyone loves a pen testing challenge, please get in and give me a hand
  • mandi
    Posts: 207
    I have been given a funny pen-testing challenge by my friend.

    He has given me the IP of one of the machines from his lab and challenged me to root the server. Also he said there are vulnerabilities existing on the server.

    He set the challenge with the following rules:

    1) No DDoS
    2) Do not hack or DDoS other machines on the network range

    I started studying the target, nmapped it and got the following:

    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     ProFTPD 1.3.1
    22/tcp open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.9

    Also it is getting very interesting (from my point of view): we are authorized to do any kind of mess on the IP. Also I am looking for someone who is interested in exploiting/pen testing who can join me and help me....

    If anybody wants to join me please PM me or reply here; I will get back to you with more details...

    EDIT: box is running with a 2.6.13 kernel
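    The service table above is nmap's normal-output port listing. As an added example (not code from the thread or from any poster), here is a small Python parser for that format, plus the kind of exposure review a defender would run on the result: it flags open listeners that are not on a host's expected-service allowlist and banners that disclose an exact product version. The sample scan text is constructed from the three lines above plus one extra closed port to exercise the "no version column" case, and the EXPECTED allowlist is a hypothetical value, not anything the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of nmap's normal-output service table. The first three
# port rows mirror the scan posted above; the 443 row is added here only to
# show a row with no VERSION column and a non-open state.
SAMPLE_SCAN = """\
PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     ProFTPD 1.3.1
22/tcp  open   ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
80/tcp  open   http    Apache httpd 2.2.9
443/tcp closed https
"""

# One port row: "<port>/<proto> <state> <service> [<version ...>]".
# The VERSION column is optional because nmap omits it when -sV could not
# fingerprint the service.
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+?))?\s*$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]  # None when nmap printed no version column


def parse_nmap_services(text: str) -> List[Service]:
    """Parse port rows out of nmap normal output; header and other lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if not m:
            continue  # "PORT STATE ..." header, blank lines, host banners, etc.
        services.append(
            Service(int(m["port"]), m["proto"], m["state"], m["service"], m["version"])
        )
    return services


# Hypothetical allowlist (constructed): the listeners this host is meant to expose.
EXPECTED: Set[Tuple[int, str]] = {(22, "tcp"), (80, "tcp")}


def review_exposure(services: List[Service], expected=EXPECTED) -> List[str]:
    """Return findings a defender would act on: open listeners outside the
    allowlist, and banners that disclose an exact product version."""
    findings = []
    for s in services:
        if s.state != "open":
            continue  # closed/filtered ports are not exposure
        if (s.port, s.proto) not in expected:
            findings.append(f"{s.port}/{s.proto} {s.service}: not in expected-service list")
        # A dotted version number in the banner tells anyone scanning exactly
        # what to look up; this is the leak that drives the thread above.
        if s.version and re.search(r"\d+\.\d+", s.version):
            findings.append(f"{s.port}/{s.proto} {s.service}: banner discloses version '{s.version}'")
    return findings


if __name__ == "__main__":
    for finding in review_exposure(parse_nmap_services(SAMPLE_SCAN)):
        print(finding)
```

    Running it on the sample reports the FTP listener as unexpected and all three version-bearing banners as disclosures; the closed 443 row parses with version None and produces no finding.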
  • Sh3llc0d3
    Posts: 1,910
    On the above machine information I've found a vulnerability. So your friend wasn't lying when he said it existed. Check these out:
    http://www.securityfocus.com/bid/33722/info
    http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-3867
    http://www.hackerscenter.com/index.php? ... ility.html
  • mandi
    Posts: 207
    Thanks bro, but that was not the tricky part, bro.
    The server does not have a site running; all it is running is just an https service with just a test directory. Also I scanned the site (as far as I did with the scanners); it does not have any URL structure
    like this "?tid=". I don't know how to launch or inject the attack, so if anyone still needs to have some fun, please let me know...

    EDIT: @Semtex-Primed ---> if you are interested, I can PM you the Acunetix scan results and the IP, so that you can have a look :)
  • Sh3llc0d3
    Posts: 1,910
    So ProFTPD is installed but no FTP account? If you can find a page such as ftp://ftp.example.com you're sorted; curious that ProFTPD uses an open port but the process is not being used. Just general bad practice. The OpenSSH version updated a previously vulnerable release, and I've not really checked into Apache, but this would be good reading (http://httpd.apache.org/security/vulner ... es_22.html).

    I'd double check that there is no account such as ftp://ftp.example.com on the site, as there is a Perl script which can be executed: http://downloads.securityfocus.com/vuln ... s/33722.pl

    Good luck my friend :)

    EDIT: Yeah can do mate, PM me them and I'll take a look in the morning as I'm just off to sleep now lol, had a long day.
  • mandi
    Posts: 207
    Thanks mate, PMing you the link; please have a look in your free time and let me know with some more updates :)

    Hope I can find some more help from you...
  • Xin
    Posts: 3,251
    Pretty sure from memory that both the ProFTPD and OpenSSH pl1 are vulnerable
    Xin
  • mandi
    Posts: 207
    Xin said:
        Pretty sure from memory that both the ProFTPD and OpenSSH pl1 are vulnerable

    Hmmm bro, are you good with opcodes?

    Because I had already found an exploit, but it is for the higher version (i.e. 1.3.3); my target is using 1.3.1. Need to craft the opcode stuff and then need to inject it remotely.
    If you are interested please let me know, I will PM you with details :)
  • Xin
    Posts: 3,251
    mandi said:
        Xin said:
            Pretty sure from memory that both the ProFTPD and OpenSSH pl1 are vulnerable

        Hmmm bro, are you good with opcodes?

        Because I had already found an exploit, but it is for the higher version (i.e. 1.3.3); my target is using 1.3.1. Need to craft the opcode stuff and then need to inject it remotely.
        If you are interested please let me know, I will PM you with details :)

    I will have a go :) PM me the details and I'll try to rewrite it for your version
    Xin
  • mandi
    Posts: 207
    Xin said:
        I will have a go :) PM me the details and I'll try to rewrite it for your version

    Sent you a PM, have a look, hope I can find some help from you :)