Hello all,
Scanning phase
Good, we have several open ports. I examined FTP but unfortunately it didn't allow anonymous login. We can see so old version of Apache. Port TCP 100000 looks interesting. But let's begin our penetration testing from web application.
Web application
Nice picture :-) I clicked on it and
Wow, it was surprise :-) But at this stage it doesn't provide us for something useful, I think. I run DirBuster but it does not gives us some new paths. So, let's examine port 10000 (webmin).
Webmin
The default page looks as below
Hmmm, we don't know credentials... I was trying with default such as admin:admin, admin:password etc. - no success. I was looking for some exploit and I found in metasploit framework certain interesting auxiliary mode (file_disclosure). I have set RPATH as /etc/shadow and BINGO!
Excellent! Obviously in the file is also hashed root's password.
Very good, now let's try connect to the target via SSH (and I am still waiting for root and goatse passwords)
Limited shell! Let's check what we can do
Hmmm, I was trying link /bin/bash with /usr/bin/xconf but without success. I examined also bobby account, but I didn't find anything interesting.
Wait! John the Ripper found password for goatse! So let's use them (gaping)
Game Over!