Author Topic: Cracking school network  (Read 2409 times)

Offline flowjob
Cracking school network
« on: April 27, 2012, 07:14:26 pm »
Hey guys,
I had my first success trying to crack our school network:

Our IT teacher gave us the pass for a user on the main server so we can upload our homepages to the server. I persuaded our teacher to allow PHP sites to execute and uploaded a PHP file which I can use to run sh commands on the server.
There are no special limits set for commands run via PHP, so I managed to get the full tree of the server and walk into almost every folder (except some special ones, no whole user).

But now I'm trying to write this PHP file into the admin's public_html folder (so I can run it on the internet as the admin), but I always get a "Permission denied".
Btw, I tried it with "echo SOURCECODE > runit.php".

So, is there a way I could bypass this "Permission denied"?



Some additional info: access to 6 normal users, all rights set to "rwxr-xr-x", the server is Ubuntu/Apache, the automatically used shell is sh.
Node: Linux
Release: www
Version: 2.6.32-33-386
Machine: #72-Ubuntu SMP
Processor: i686
Hostname: www
« Last Edit: April 27, 2012, 07:45:03 pm by Area_13 »
Quote
<phil> I'm gonna DDOS the washing machine with clothes packets.
<deviant_sheep> dont use too much soap or youll cause a bubble overflow

Offline p_2001
Re: Cracking school network
« Reply #1 on: April 27, 2012, 08:08:45 pm »
Why not try and get the passwd file? It will have the root password as a hash. Reverse it and you get the root password...
Then you can access anything...
I believe it would work, especially if, as you said, you can access the folders...

The passwd file is read-only for all accounts because logging in requires the password hash to be read (and matched).
"Always have a plan"

Offline Kulverstukas
Re: Cracking school network
« Reply #2 on: April 27, 2012, 08:12:34 pm »
Only way I can think of is get an admin's account or find a privilege escalation exploit...

Offline flowjob
Re: Cracking school network
« Reply #3 on: April 27, 2012, 08:43:31 pm »
Ok, got the encrypted password from the shadow file:
root:$1$IJN.j3Sl$u.SOMEOTHERCHARS:14261:0:99999:7:::

I already know that "$1$" stands for an md5-based pass and the pass only contains
a-z, A-Z and 0-9. So what's the "IJN.j3Sl$u." part?
Ok, "$1$" stands for md5 hash, "$IJN.j3Sl$" for the salt and "$u.SOMEOTHERCHARS" for the hashed pass. So which function is Ubuntu using to hash this pass? And what should I use to crack the pass? Bruteforce? Rainbow tables?

'Cause bruteforce would take too long, and as the pass is some random chars, tables wouldn't make that much sense either...
« Last Edit: April 27, 2012, 09:30:12 pm by Area_13 »

Offline p_2001
Re: Cracking school network
« Reply #4 on: April 28, 2012, 11:37:13 am »
Try some website, search "reverse md5 lookup" in Google, worked for me when I needed it :)

Z3R0

  • Guest
Re: Cracking school network
« Reply #5 on: April 30, 2012, 07:58:50 am »
And what should I use to crack the pass? bruteforce? rainbow tables?
John the Ripper can crack Linux/Unix passwd/shadow files in the already set format of root:hash:::.... However, it will be bruteforced by default unless you specify a dictionary or rainbow table to use with the cracking process. On the bright side, if you know the password policy, it should make your rules a lot easier for cracking.
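
For the defensive side of the shadow entry format discussed in replies #3 and #5, the following added example (not written by any poster in this thread) parses shadow(5) lines and reports accounts still stored with md5crypt (`$1$`), legacy DES crypt, or an empty password field. The sample entries, including their salt and hash strings, are constructed placeholders.

```python
from datetime import date, timedelta

# crypt(3) scheme id -> (name, still acceptable for stored passwords)
SCHEMES = {"1": ("md5crypt", False), "5": ("sha256crypt", True),
           "6": ("sha512crypt", True), "2a": ("bcrypt", True),
           "2b": ("bcrypt", True), "2y": ("bcrypt", True),
           "y": ("yescrypt", True)}

def parse_shadow_line(line):
    """Split one shadow(5) entry into the fields the audit uses."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 colon-separated fields")
    user, pw, lastchg = fields[0], fields[1], fields[2]
    entry = {"user": user, "scheme": None, "salt": None,
             "locked": pw.startswith(("!", "*")), "changed": None}
    if lastchg.isdigit():  # days since 1970-01-01
        entry["changed"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    pw = pw.lstrip("!")  # "!" in front of a hash marks a locked password
    if pw == "" and not entry["locked"]:
        entry["scheme"] = "empty"
    elif pw.startswith("$"):
        parts = pw.split("$")  # ['', id, salt-or-params, ...]
        entry["scheme"] = SCHEMES.get(parts[1], ("unknown", False))[0]
        if parts[1] in ("1", "5", "6") and len(parts) >= 4:
            has_rounds = parts[2].startswith("rounds=")
            entry["salt"] = parts[3] if has_rounds else parts[2]
    elif pw and pw != "*":
        entry["scheme"] = "descrypt"  # legacy 13-character DES crypt
    return entry

def audit(lines):
    """Return (user, finding) pairs for entries that need attention."""
    weak = {n for n, ok in SCHEMES.values() if not ok} | {"descrypt", "unknown"}
    findings = []
    for line in lines:
        e = parse_shadow_line(line)
        if e["scheme"] == "empty":
            findings.append((e["user"], "empty password field"))
        elif e["scheme"] in weak:
            findings.append(
                (e["user"], f"{e['scheme']} hash, last changed {e['changed']}"))
    return findings

# Constructed sample entries; salts and hash bodies are placeholders.
SAMPLE = ["root:$1$CONSTRUCT$0123456789abcdefghijkl:14261:0:99999:7:::",
          "alice:$6$rounds=100000$CONSTRUCTEDSALT$CONSTRUCTEDHASHBODY:19000:0:99999:7:::",
          "www-data:*:14261:0:99999:7:::",
          "bob::15000:0:99999:7:::"]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

Accounts it flags should have their passwords reset so they are re-hashed under the system's current scheme, and the file permissions on the shadow file and the web server's command execution settings should be reviewed at the same time.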