In my previous post I demonstrated how to hack De-ICE S1.100, the first of Thomas Wilhelm's deliberately vulnerable Slax Linux platforms. De-ICE S1.100 was a level 1 challenge. For this post I'm going to demonstrate one possible way to gain root and find the flags for the second challenge in the series (also level 1), De-ICE S1.110.
Once again, I've listed all the steps I took to get to the end of the challenge. Hopefully this will be of use and you can compare it to your own approach. Let me know if you think it's too long-winded and would prefer to see just the exact steps for each solution.
Here’s my solution to De-ICE S1.110.
1. Run the following command from Backtrack: nmap -A 192.168.1.110
(-A): Additional, Advanced, and Aggressive. This nmap option is a shortcut for running both the operating system fingerprinting process (-O) and the version scanning process (-sV) in the same scan.
2. Some interesting information returned from the nmap sweep:
Port 21 is running an FTP service that allows anonymous access. I logged on to the FTP service and found quite a number of files stored in the download directory. After trawling through the directory I came across two interesting files: download/etc/core and download/etc/shadow. The shadow file looks like it could be the system's shadow file. The core file is a core dump, generally created when the OS or an application running on it has crashed for some reason. If you type the command file core you get this: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV). The part in brackets tells us who created the dump file; in this case it's the system itself. The core file is a binary file and it's possible to debug it and read its contents, but to view it in text form, type this command: strings core
3. The core file contains the shadowed passwords for the root, aadams, bbanter and ccoffee users. The fact that this information was written to file during a system dump makes me think this is the real shadow file, so I'm discarding the other shadow file I found in the FTP trawl.
4. From the nmap sweep I can see this system is running a website on port 80, so I browsed to it in Firefox and saw a number of email addresses displayed on its web pages:
Sr. System Admin: Adam Adams – email@example.com
System Admin (Intern): Bob Banter – firstname.lastname@example.org
System Admin: Chad Coffee – email@example.com
5. The nmap sweep also highlighted an SSH service running on port 22 and a CUPS service running on port 361. I'll come back to these later if need be, but I'm going to start the attack using the shadowed passwords I found in the core file.
6. I used John the Ripper in the previous post, and I'm using it again here, running it from Backtrack where it comes pre-installed. The passwords in the shadow file have been hashed with a one-way hash. It's possible to take a list of candidate passwords, hash each one the same way and compare the result to the values stored in the shadow file; if they match, you have the plaintext of the hashed password. I'm going to use John the Ripper with the rockyou password list that comes pre-loaded in Backtrack to carry out this operation. To do this, go to the folder /pentest/passwords/john in Backtrack and run the following command:
./john --rules --wordlist=/pentest/passwords/wordlists/rockyou.txt shadow
(shadow): the shadow file I created from the user entries I cut from the core file
John the Ripper returns the following password matches: bbanter/Zymurgy, root/Complexity
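Steps 2, 3 and 6 above turn on one thing: a shadow file's hashes ended up inside a core dump that was sitting in an anonymous FTP tree, and the hashes used a scheme a wordlist could crack. As an added example (my own, not code from the De-ICE image or from Thomas Wilhelm's material), here is a small POSIX shell audit a system owner can run over any directory exposed to anonymous users. It does the same printable-string extraction that strings core does, pulls out anything shaped like a shadow entry, and labels the hash scheme so legacy DES and md5crypt hashes stand out. It assumes a grep with -o and -E (GNU or BSD); the directory path in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the De-ICE write-up: audit a directory that is
# reachable by anonymous users (an FTP download tree, a backup share) for files
# that carry crypt(3)-style password hashes, including binary core dumps, and
# label each hash scheme so legacy ones stand out.  Assumes a POSIX sh, tr,
# find and a grep that supports -o/-E (GNU or BSD).  Paths are the auditor's
# choice; nothing here is specific to the De-ICE image.

# classify_hash HASH -> prints "scheme:rating" for one crypt(3) hash string
classify_hash() {
    case "$1" in
        '$y$'*)         printf '%s\n' 'yescrypt:ok' ;;
        '$7$'*)         printf '%s\n' 'scrypt:ok' ;;
        '$2'[aby]'$'*)  printf '%s\n' 'bcrypt:ok' ;;
        '$6$'*)         printf '%s\n' 'sha512crypt:ok' ;;
        '$5$'*)         printf '%s\n' 'sha256crypt:ok' ;;
        '$1$'*)         printf '%s\n' 'md5crypt:weak' ;;   # fast, short salt
        *)              printf '%s\n' 'descrypt:weak' ;;   # 13-char DES crypt
    esac
}

# find_leaked_hashes DIR -> one line per hit: FILE:USER:SCHEME:RATING
find_leaked_hashes() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        # Turn every non-printable byte into a newline: the same effect as
        # strings(1), so shadow lines embedded in a core dump come out whole.
        tr -c '[:print:]' '\n' < "$f" |
        grep -oE '^[a-z_][a-z0-9_-]*:(\$[0-9a-z]+\$[./0-9A-Za-z$]+|[./0-9A-Za-z]{13}):' |
        while IFS= read -r hit; do
            user=${hit%%:*}          # text before the first colon
            rest=${hit#*:}           # hash plus the trailing colon
            hash=${rest%:}
            printf '%s:%s:%s\n' "$f" "$user" "$(classify_hash "$hash")"
        done
    done
}

# Usage: sh audit_exposed.sh /srv/ftp/download   (constructed path)
if [ $# -gt 0 ]; then
    find_leaked_hashes "$1"
fi
```

Any hit at all is a finding: a hash in an anonymously readable tree should be treated as disclosed and the affected passwords rotated. The scheme label tells you how urgently; descrypt and md5crypt hashes are the ones a wordlist run like the one above gets through quickly.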
10. I then attempted to log on to the SSH service as the root user, but the login was rejected. It looks as though root is not configured for remote access through SSH. I logged out and logged back in as bbanter. Once in, I used the su command (su root) to switch to the root user. I now have root access on the victim box.
11. The hints for this challenge advise looking for encrypted customer information. So, looking for any files with an encrypted extension (.enc), I entered this command from the root of the filesystem:
find -mount -iname "*.enc"
(-mount): ignore mounted drives in the search
(-iname): ignore case in the file names
(*.enc): the file name pattern to search for
Because I am the root user I can search the entire system without hitting any permission-denied errors on folders or files.
12. The search returns one file, at this location: ./home/root/.save/customer_account.csv.enc
13. I went to the folder ./home/root/.save/ to examine the file and found a second file of interest in the same directory, a shell script called copy.sh.
14. Run the command cat copy.sh. The copy.sh file contains an OpenSSL encryption command and also shows the location of the password file used in the encryption process. This looks like the method that was used to encrypt customer_account.csv.enc.
15. This is probably overkill, but I wrote a small script, decrypt_customer_detail.sh, based on the details in copy.sh to decrypt customer_account.csv.enc:
openssl enc -d -aes-256-cbc -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
Save the file, give it execute permissions (chmod +x decrypt_customer_detail.sh) and run it.
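Steps 14 and 15 show why this encryption was defeated so easily: the passphrase is kept in a file under /etc/ssl/certs, a directory that on most systems is readable by every local user, so anyone with a shell on the box can run the same openssl command. As an added example (mine, not copy.sh or anything from the De-ICE image), here is a POSIX shell check a defender can run against a script like copy.sh: it pulls every -pass file: path out of the script and fails unless each passphrase file is a regular file with no group or other permission bits. The script path in the usage comment is taken from the write-up; the files in the usage line are otherwise placeholders.

```shell
#!/bin/sh
# Added example, not copy.sh from the De-ICE image: check that every
# passphrase file an "openssl enc ... -pass file:PATH" command refers to is a
# regular file readable by its owner only.  A symmetric key that any local
# user can read gives the encryption no value.  Uses POSIX sh, grep, sed,
# ls and cut; the paths in the usage comment are placeholders.

# check_pass_file FILE -> 0 if FILE is a regular file with no group/other
# permission bits, 1 otherwise; a one-line verdict is printed either way
check_pass_file() {
    f=$1
    if [ ! -f "$f" ]; then
        printf '%s: missing or not a regular file\n' "$f"
        return 1
    fi
    mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-r--r--
    # characters 5-10 of the mode string are the group and other rwx bits
    case $(printf '%s' "$mode" | cut -c5-10) in
        *[rwxst]*)
            printf '%s: readable or writable by group/other (%s)\n' "$f" "$mode"
            return 1 ;;
    esac
    printf '%s: ok (%s)\n' "$f" "$mode"
    return 0
}

# pass_files_in SCRIPT -> prints each PATH used with "-pass file:PATH"
pass_files_in() {
    grep -oE -- '-pass[[:space:]]+file:[^[:space:]]+' "$1" | sed 's/^.*file://'
}

# audit_script SCRIPT -> 0 only if every referenced passphrase file passes
# (paths are assumed not to contain whitespace)
audit_script() {
    rc=0
    for p in $(pass_files_in "$1"); do
        check_pass_file "$p" || rc=1
    done
    return $rc
}

# Usage: sh check_pass_files.sh /home/root/.save/copy.sh   (path from the write-up)
if [ $# -gt 0 ]; then
    audit_script "$1"
fi
```

The permission check is deliberately mode-based rather than access-based, so it reports the same result whether or not the auditor runs as root. Passing it is the minimum; a passphrase that lives on the same disk as the ciphertext is still recoverable by anyone who reaches root, which is exactly what happened in this challenge.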
16. When I open customer_account.csv now (cat customer_account.csv) I can see a host of sensitive customer information: customer ID, customer name, credit card type and account number are all there.
17. And with that, the challenge is over.
I hope you found that interesting; if you have any comments or improvements, please email me and let me know. I'll be attempting De-ICE S1.120A next and will post my solution once I have it.