
Suppose that there are the following three machines in the network:

Machine A:
Microsoft Server 2003 Service Pack 2
FileZilla 0.9.29 beta ftp server (TCP 21)

McAfee ePolicy server (81), remote desktop (3389), more McAfee server stuff (8081), DNS (UDP 53), Kerberos-sec (open or filtered UDP 88), NTP (UDP 123), SNMP (open or filtered UDP 161), LDAP (open or filtered UDP 389), mssql-m (UDP 1434), unknown HTTP-like (UDP 1035)

Remaining ports go like this:

464/udp  open|filtered kpasswd5
500/udp  open|filtered isakmp
1030/udp open|filtered iad1
1033/udp open|filtered netinfo-local
1040/udp open|filtered netarx
1041/udp open|filtered danf-ak2
1046/udp open|filtered wfremotertm
1048/udp open|filtered neod2
1051/udp open|filtered optima-vnet
1434/udp open ms-sql-m
4500/udp open|filtered nat-t-ike

DNS recursion is enabled, and NTP also presents time information. SNMP shows a timeout response to the brute-force queries (unknown whether it is open or not). MSSQL is active.

Machine B: FreeBSD 7.0 (likely 7.0-RELEASE), FreeBSD ftpd 6.00LS server (TCP 21; anonymous write access to one /incoming directory is enabled), SSH (22), finger (79), HTTP (80) with TRACE enabled, CVS pserver (2401), MySQL (3306), TFTP (UDP 69), syslog (UDP 514)

The HTTP server is Apache 2.2.XX with the Drupal CMS enabled at /cms. I obtained a "www" user shell using a Drupal vulnerability. The shell has write access to /tmp and read access to all directories (though not all files).

Machine C: FTP server (21) with FTP bounce available.

Let's say I have root or administrator access to Machine C and Machine A (in the case of Machine A, I cracked it using an ePolicy vulnerability).

How would I be able to use these machines plus the "www" shell of Machine B to obtain root access to Machine B? (Note that there were time limits, so even though I obtained root shells on Machine A and Machine C, I was not able to check every port at Machine A.)

The questions would be the following:

  1. I did an nmap scan using -sC; does this mean that the nmap scanner uses FTP bounce to port-scan other machines?

  2. If not, how would FTP bounce be used to attack other machines?

  3. Narrowing the scope, how would DNS recursion be used to attack Machine B? Or is this no help?

  4. It seems that nmap is able to retrieve some MSSQL information using its NSE. How would I be able to access the MSSQL server using BackTrack? Internet resources are a little messy.

  5. If LDAP at Machine A is open, how would this help attack Machine B?

  6. Would NTP and finger be any help? (I know what finger can do, but can it be used to gain root access at Machine B directly?)

  7. In this case, can SSH aid the attack?

  8. How would I be able to access the MySQL server at Machine B (FreeBSD)?

  9. According to exploit-db, although I am not sure of the CVS pserver (Machine B) version number, there is an exploit that attacks CVS pserver, and it seems that I need the password of the "www" user. Would there be any way to find this out without brute-forcing or resorting to the root account?

  10. Would there be any way to upload setuid programs so that I could use them to obtain root access at Machine B?

Dotcom Boom
    This question looks extremely broad (10 subquestions!). Consider making it more focused. – Gilles 'SO- stop being evil' Sep 21 '12 at 10:20
  • As @Gilles said, as it stands this question is unanswerable. Please look at which questions here you really need answered and post them as separate questions - have a look at the [faq] for guidance. – Rory Alsop Oct 03 '12 at 12:47

0 Answers
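A recurring source of confusion in the question above is what nmap's UDP results actually establish: "open|filtered" means no reply came back, so the port may be open or a filter may be dropping the probe, while only a plain "open" means a service answered. The following added example (not part of the original post or its comments) parses nmap normal-output port lines of the kind quoted for Machine A and separates confirmed services from undetermined UDP ports, which is the first step a defender would take when reviewing a scan of their own hosts. The UDP lines are copied from the question; the TCP lines and the header are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in nmap "normal" output format (PORT STATE SERVICE).
# The UDP lines mirror the ones quoted in the question; the header and the
# TCP lines are added here for illustration and are not from the post.
SAMPLE_SCAN = """\
PORT     STATE         SERVICE
21/tcp   open          ftp
3389/tcp open          ms-wbt-server
53/udp   open          domain
464/udp  open|filtered kpasswd5
500/udp  open|filtered isakmp
1030/udp open|filtered iad1
1033/udp open|filtered netinfo-local
1040/udp open|filtered netarx
1041/udp open|filtered danf-ak2
1046/udp open|filtered wfremotertm
1048/udp open|filtered neod2
1051/udp open|filtered optima-vnet
1434/udp open          ms-sql-m
4500/udp open|filtered nat-t-ike
"""

# One nmap port line: "<port>/<proto> <state> <service>"; the state may
# contain a '|' (e.g. "open|filtered").
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)"
)


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str

    @property
    def confirmed_open(self) -> bool:
        # Only a plain "open" means a service actually responded. For UDP,
        # "open|filtered" means silence: either open or dropped by a filter.
        return self.state == "open"


def parse_nmap_ports(text: str) -> list[PortRecord]:
    """Parse PORT/STATE/SERVICE lines from nmap normal output, skipping headers and noise."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"], m["service"]))
    return records


def summarize(records: list[PortRecord]) -> dict:
    """Split results into services that definitely answered and UDP ports still undetermined."""
    confirmed = sorted((r.port, r.proto, r.service) for r in records if r.confirmed_open)
    undetermined = sorted(
        r.port for r in records if r.proto == "udp" and r.state == "open|filtered"
    )
    return {
        "confirmed_open": confirmed,
        "udp_undetermined": undetermined,
        "state_counts": dict(Counter(r.state for r in records)),
    }


if __name__ == "__main__":
    report = summarize(parse_nmap_ports(SAMPLE_SCAN))
    print("Services that answered:")
    for port, proto, service in report["confirmed_open"]:
        print(f"  {port}/{proto} {service}")
    print("UDP ports needing a version probe or a host-side check (netstat/sockstat):")
    print("  " + ", ".join(str(p) for p in report["udp_undetermined"]))
```

The split matters for the SNMP and LDAP uncertainty in the post: an "open|filtered" UDP port is not evidence of a listening service, and the reliable way to resolve it is a service probe or checking the listening sockets on the host itself rather than reading more into the scan.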