The "vulnerable-by-design" series De-ICE, has released another challenge. However, it's in two different parts - which makes the naming more confusing! This is De-ICE level 1-disk 3, the second half, and it should not be confused with "version a" (de-ice-1.120-1.0a.iso aka Level 1-Disk 3-Release 1-Version A), as these are NOT the same challenge - it's a completely independent challenge.
Watch video on-line:
Download video: http://download.g0tmi1k.com/videos_archive/De-ICE_v1.2b_(1.120).mp4
The students of "HackingDojo" produced their own exploitable LiveCD which was released under the de-ice name. This is it. To date all of Heorot.net releases (in date order) are as follows:
De-ICE - Level 1 - Disk 1 (hxxp://forums.heorot.net/viewtopic.php?f=16&t=13)(de-ice.net-1.100-1.1.iso) De-ICE - Level 1 - Disk 2 (hxxp://forums.heorot.net/viewtopic.php?f=16&t=13)(de-ice.net-1.110-1.0.iso) De-ICE - Level 2 - Disk 1 (hxxp://forums.heorot.net/viewforum.php?f=18)(de-ice.net-2.100-1.1.iso) pWnOS (hxxp://forums.heorot.net/viewtopic.php?f=21&t=149)(pWnOS v1.0.zip) Hackerdemia (hxxp://forums.heorot.net/viewtopic.php?f=42&t=203)(hackerdemia-1.1.0.iso) De-ICE - Level 1 - Disk 3 - Version A (hxxp://forums.heorot.net/viewtopic.php?f=16&t=482)(de-ice-1.120-1.0a.iso) De-ICE - Level 1 - Disk 3 - Version B (hxxp://forums.heorot.net/viewtopic.php?f=16&t=482)(de-ice-1.120-1.0b.iso)
- Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
- Scan network for the host (nmap)
- Port scanned host (unicornscan)
- Enumerated running services running open ports (nmap)
- Enumerated possible username(s) (Netcat)
- Brute forced login details (Hydra)
- Profiled other users (CUPP)
- Escalated privilege by re-creating custom encryption program (Java)
- Found the "flag" (a database file)
- Spare or a Virtual machine (Example: Virtual Box or VMware Player)
- nmap – (Can be found on BackTrack 5).
- unicornscan – (Can be found in BackTrack 5's repository).
- hydra – (Can be found on BackTrack 5).
- Common User Passwords Profiler – (Can be found on BackTrack 5).
- Java compiler – (Can be found on BackTrack 5).
By doing a quick "ping" scan with nmap, it reveals the live hosts on the network. Once the target has been discovered, a detailed port scan (TCP & UDP) was taken via unicornscan. The results were then checked with another detailed TCP port scan as well as enumerating which services are running by using nmap. Unicornscan is quicker doing a port scan (especially with UDP scanning). However, nmap has the upside of it being able to do more by "information gathering", for example "OS detection", "version detection of services", "a collection of script scanning" and "traceroute details" (by using "-a" option). The attacker also increases the scan speed (by "-T4"). Nmap also confirms TCP port 80 is open, which is being used for a web server (it's also the default port).
The attacker interacts with the web server and is presented with the "Company Portal" page. There is a message explaining that it the web site is "under maintenance", with methods of contact - a telephone number and email address.
The port scan revealed that there was a SMTP service running and decided to attempt to use the email address to identity possible usernames. The first method (VRFY) was disabled, so the attacker proceeds to draft an email. Depending on the recipient's name it will return if the account is valid or not. The attacker then tries different combinations of the given email address (CustomerServiceAdmin@nosecbank.com) until they find its valid login, csadmin.
The attacker then searches for a wordlist to aid them in attempting to brute force the password. (Editor's note: darkc0de.lst does contain the password. however it would of taken a lot longer for it to reach it). The attacker starts hydra attacking the SSH service and waits for it to try every entry in the file. After waiting a couple of minutes (due to the small size of the wordlist) the attacker found the valid password, 'rocker'.
Upon logging into the system remotely, the attacker finds if there are any other valid users in the system (the result is 4). The attacker then continues on by browsing the users (csadmin) personal folder. The attacker soon discovers a personal email conversation between the staff members. These emails contain personal information regarding each user - which is also commonly used as their password.
After building up the profile for each user, the attacker then generates possible passwords using this information, by using CUPP (Common User Passwords Profiler). The attacker enters in the collected information and waits for the possible combinations to be generated. They then repeat the brute force attempt, this time with a specific wordlist, tailor made for that user. This quickly found the user (sdadmin) password (his child's name and year of birth - donovin1998).
The attacker logs in with the new credentials and views his personal files and soon discovers a reply to the email, which contains more personal information regarding another staff member (as well as negative feeling towards them!). The whole process is then repeated again for the new user (dbadmin), who also used personal information for his password (nickname and a few numbers at the end-databaser60).
When the attacker logs in once again, they soon find the first part to an email which has been in every user account so far. Then contents of the email has been "corrupted", however, the header file of the message is still in contact. The subject of the message implies the purpose of it, "New Custom Encryption for Passwords". The attacker then extracts the printable characters, which shows the beginning of the possible source code.
The attacker then builds up the code, from the three found parts so far, which has been written in java and the function of it was the generation function for the new passwords policy. There are comments left in the code, saying it has already been used on two accounts (sysadmin and root). The attacker then fixes, cleans and adds the code (input & conversion functions).
Once the program was complete, the attacker runs it to generate the passwords for sysadmin and the root account. They then test the passwords by logging into the system as sysadmin and then switching to the super user account, root.
The attacker now has access to the complete system...
...and choose to explore. They find a message, left in the sysadmin home folder, explaining that the user account file has been updated, encrypted and moved. The attacker then locates this file, and by trying all the encryption algorithms with the super user's password, they were able to decrypt the file and view the content in plain text - revealing customers' details, such as names, email addresses, usernames, passwords and more!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105
- De-ICE.net v1.2b has a static IP address of 192.168.1.20. )Make sure you're on the same subnet as it!_
- The wordlist used (part of the metasploit framework) to brute force csadmin, might have been updated since - You may have to use another wordlist.
- I made a couple of mistakes in the video (For example: nosec instead of nosecbank) - it's worth checking the commands subsection!
Song: Electronic Sympathies - Shanti & Punk (Radio Edit) - Ferry Corsten
Video length: 10:48
Capture length: 40:01
Blog Post: https://blog.g0tmi1k.com/2011/08/de-icenet-v12b-120b-level-1-disk/