Rayferrufino/Make-and-Break

Make-and-Break

Create and exploit a vulnerable Virtual Machine

Description: Built a custom virtual machine running Ubuntu 18.04.1 and Webmin 1.810, then used CVE-2019-15107 to exploit a backdoor in the Linux system administration interface.

PROOF of CONCEPT
Linux OS (Ubuntu 18.04.1) will be deployed containing security flaws that will allow an attacker to compromise the system to root level.

Installing SSH server

Install Webmin 1.890

  • Create a username (deathstart) and password (readytograduate); Webmin serves on port 10000 by default
  • Download webmin-1.890.tar.gz from https://sourceforge.net/projects/webadmin/files/webmin/
  • Extract the file and run the following command within the extracted Webmin folder: sudo ./setup.sh /usr/local/webmin
  • Enter password for user deathstart when prompted

Kali

  • Recon steps: Kali VM and Ubuntu VM are on the same subnet

  • In Kali, run an nmap scan against the Ubuntu machine and check for open ports and services
  • Notice that port 10000 (a web server) and port 22 are open. We will try to exploit port 10000, an HTTP web server (miniServ 1.890), by using a known flaw which lets us connect to it remotely

  • We use the CVE-2019-15107 Unauthenticated Remote Code Execution exploit in Metasploit to get root access.
  • Open msfconsole on Kali, search for webmin, and use exploit unix/webapp/webmin_backdoor

  • Set options accordingly - RHOST, LHOST

  • Run the exploit and get a shell

  • We tried to spawn our shell but were unsuccessful. In addition, we can't change directories even though we are "root", but fortunately we can cat files and list directories, including the /etc/shadow file that contains the hashed passwords

  • We copied the contents of the shadow file and passwd file into shadow.txt and passwd.txt and proceeded to crack the hash using John the Ripper

  • Type unshadow passwd.txt shadow.txt > password.txt in order to combine both files and use John
  • We already created our own password list (fullstack.txt) with common passwords, which we will use with John in order to obtain the password
  • Type john --wordlist=fullstack.txt password.txt in order to crack and reveal the password

  • Cracking was successful: the password for deathstart is readytograduate. SSH in as this user with ssh deathstart@192.168.44.132 and type the password readytograduate when prompted

At this point we have fully compromised the machine and gained control of the system.
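
From the defender's side, the exploit step above leaves a trace in Webmin's request log. The following added example (not part of the original repository) scans log lines for unauthenticated POSTs to password_change.cgi, the endpoint CVE-2019-15107 is reached through; the Common Log Format style line layout, the sample lines and the 192.168.44.131 source address are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: miniserv.log uses a Common Log Format style line:
#   host - user [timestamp] "METHOD /path HTTP/x.y" status bytes
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# CVE-2019-15107 is reached through Webmin's password change endpoint.
TARGET = "/password_change.cgi"

def find_password_change_hits(lines):
    """Return one dict per request that reached password_change.cgi."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-request lines
        path = m["path"].split("?", 1)[0]
        if path.rstrip("/") != TARGET:
            continue
        hits.append({
            "src": m["src"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "unauthenticated": m["user"] == "-",
        })
    return hits

def summarize(hits):
    """Count unauthenticated POSTs per source address, for triage."""
    return Counter(h["src"] for h in hits
                   if h["method"] == "POST" and h["unauthenticated"])

# Constructed sample log lines (not taken from the original lab).
SAMPLE_LOG = """\
192.168.44.1 - deathstart [12/Nov/2019:10:01:02 -0500] "GET /session_login.cgi HTTP/1.1" 200 3120
192.168.44.131 - - [12/Nov/2019:10:05:40 -0500] "GET / HTTP/1.1" 200 2048
192.168.44.131 - - [12/Nov/2019:10:05:44 -0500] "POST /password_change.cgi HTTP/1.1" 200 512
192.168.44.131 - - [12/Nov/2019:10:05:51 -0500] "POST /password_change.cgi HTTP/1.1" 200 498
not a request line
""".splitlines()

if __name__ == "__main__":
    for src, n in summarize(find_password_change_hits(SAMPLE_LOG)).items():
        print(f"{src}: {n} unauthenticated POST(s) to {TARGET}")
```

On a default install where password changing through the login page is not in use, any hit from this check is worth investigating.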
