Monday 18 July 2016

De-Ice 2.100

Hello,

Scenario
"The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff2"

Scanning
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd 2.0.4

| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp  open   ssh      OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey:
|   2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
|   2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_  2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp  open   smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp  open   http     Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open   pop3     Openwall popa3d
143/tcp open   imap     UW imapd 2004.357

|_imap-capabilities: IDLE IMAP4REV1 BINARY THREAD=REFERENCES SORT completed SCAN CAPABILITY OK MULTIAPPEND THREAD=ORDEREDSUBJECT STARTTLS MAILBOX-REFERRALS AUTH=LOGINA0001 LITERAL+ SASL-IR UNSELECT NAMESPACE LOGIN-REFERRALS
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
443/tcp closed https
I tried log in as anonymous to FTP service, but without success. I have got indeed response 230 but I can't list directory. Probably we need to user with higher privileges.

Default web page looks as below


























Nice web page. So, we can see three links but in spite of that let's run dirbuster.
In the meantime I clicked on link CLICK HERE and I have got something interesting!


































 
Great! There is a list of usernames, I think.
Dirbuster gave us result










 OK, there is not much files. I have created list of usernames and I was trying brute-force FTP and SSH, but without success. I have no idea how to attack this machine. So, maybe we need to a little bit more enumeration.
Nmap scan report for 192.168.2.100
Host is up (0.00016s latency).
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.101
Host is up (0.00016s latency).
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.1
So, 192.168.2.100 is our target, 192.168.2.1 is our attacker machine, but what is 192.168.2.101?
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
Wow, what is that?












I run Dirbuster and /home/root directory has been found! So maybe there is other user's home directory? BINGO! We found private and public key for SSH.













Interesting... So, I have downloaded private key and I used it to log in as pirrip.









I have found something interesting in the /var/mail directory.
pirrip@slax:/var/mail$ ls
havisham  magwitch  pirrip
So, let's check what kind of information these mails have. Our user has very juicy information.
From: Estella Havisham <havisham@slax.example.net>
Message-Id: <200801132350.m0DNoXfV010468@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Thanks!  Glad to be here.

From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
Received: from slax.example.net (localhost [127.0.0.1])
    by slax.example.net (8.13.7/8.13.7) with ESMTP id m0DNmvpV009983
    for <pirrip@slax.example.net>; Sun, 13 Jan 2008 23:48:57 GMT
Received: (from magwitch@localhost)
    by slax.example.net (8.13.7/8.13.7/Submit) id m0DNmvpd009982
    for pirrip; Sun, 13 Jan 2008 23:48:57 GMT
From: Abel Magwitch <magwitch@slax.example.net>
Message-Id: <200801132348.m0DNmvpd009982@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I set her up with an accountus servers.  I set her password to "changeme" and will swing by tomorrow and make sure she changes her pw.
Let's try log in as havisham using this password. Hmmm it does not work... but wait a minute
From: noreply@fermion.herot.net
Message-Id: <200801132354.m0DNshjD011722@slax.example.net>
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Fermion Account Login Reminder

Listed below are your Fermion Account login credentials.  Please let us know if you have any questions or problems.

Regards,
Fermion Support


E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st
Wow, now we know our password! So let's check what we can do as root.
pirrip@slax:/var/mail$ sudo -l
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
Excellent! I have used more command toward /etc/shadow
























So, we are able to use John the Ripper. Unfortunately it consumes a lot of time... We know that vi can use another command via !command.



























Game over!