Showing posts with label johntheripper.

Thursday, May 15, 2014

[WALKTHROUGH] De-ICE_S1-140

Seems like this will be the final challenge in the De-ICE series... and I really enjoyed myself throughout the whole series...

Hopefully we will see some new challenges added to this series again..  :)

For the moment, let's head on and attack the final box...

This box is running with DHCP enabled... Hence, a ping sweep across the network is required in order to find out the actual IP address of the target box...

Here, we use Netdiscover to find the IP address of the target box, which is 192.168.17.141.


Never forget to recon the box and grab as much info as possible...


Aggressive mode...


Checking out their website... some quotes by Bill Gates <3


Seems like there is nothing we can get from the website (there is a hints section on the website)...

Let's try DirBuster and see if we can find some interesting sub-directories...




Some interesting sub-directories found: forum, phpmyadmin, webmail...

Let's head over to the forum section and see what we might get from there...


Oops... a careless mistake by one of the staff, "mbrown", who leaked his own password in the forum...   ;)

Let's try logging in to the forum using the 'mbrown' account credentials...


And we can see his email account after logging in and viewing his profile...

Since we have an email account, we might as well try logging in to his webmail and see if it works...


BOOM! Another password found for the "root" account...  XD


From this email, we find out that "mbrown" uses the same password for several services (as we can already see at this stage, 'mbrown' uses the same password for his forum and email accounts)...

Since we now have the 'root' account for phpMyAdmin, let's check that out as well...



We are able to log in successfully using the "root" account we found... and we can see some password hashes in the database as well... :)



By searching for the hashes with Google, we easily find the passwords for two of the accounts there...

Now, we try to FTP into the box using the credentials we just found...


Fortunately, we are still able to access the FTP service using the 'rhedley' account...


Sniffing around for suspicious files, we see an encrypted file in the FTP folder... Sadly, we do not have the key to decrypt the file at the moment, but we can download it to our local box for later use...

Seems like we are out of options to get a shell on the box... :(


After Googling around, we find that /forum/templates_c/ is actually writable... this sheds some light on a way in...

Quickly logging in to phpMyAdmin, we create a new table 'shell' under the 'test' database...


Generate a php shell payload...

Insert the code into column '1' in table 'shell'...



And write it out into a dumpfile...


Refresh the page at /forum/templates_c/ and we can see a newly created phpshell.php file...   :)
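The whole drop-point trick above only works because a directory under the web root is writable by everybody (and because the database account is allowed to write files there at all). As an added example that is not part of the original walkthrough, here is the check a defender would run on a web root to spot such directories before someone else does; the web root path is an assumption, and the demo builds its own throwaway tree so it never touches a real site.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a web root for
# directories that any local user, including the database or web
# server account, can write into. A writable directory that the web
# server also executes PHP from is exactly what made /forum/templates_c/
# usable as a drop point in the walkthrough. The web root path is an
# assumption for the demo.

# Print every directory below $1 that is world-writable (mode o+w).
# -perm -002 is the POSIX spelling and matches on both GNU and BSD find.
find_world_writable_dirs() {
    root=$1
    find "$root" -type d -perm -002 2>/dev/null | sort
}

# Return 0 when no world-writable directory exists below $1, 1 otherwise.
# Handy as a check in a hardening script or a cron job.
web_root_is_clean() {
    [ -z "$(find_world_writable_dirs "$1")" ]
}

# Demo on a constructed directory tree (never touches a real web root).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/forum/templates_c" "$demo_root/forum/includes"
chmod 777 "$demo_root/forum/templates_c"   # the bad setting
chmod 755 "$demo_root/forum/includes"      # the sane setting
find_world_writable_dirs "$demo_root"       # lists .../forum/templates_c only
rm -rf "$demo_root"
```

Template caches like templates_c do need to be writable, but by the web server user only (owner-writable, not mode 777). The other half of the fix is on the database side: MySQL's secure_file_priv setting restricts where SELECT ... INTO DUMPFILE may write, and the phpMyAdmin root account should not be reachable with a password that was reused from a forum post.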


Before running the shell payload, we need to prepare a handler to catch the incoming connection...



We now have a shell on the target box, but the shell is running with minimal privilege...

Let's try with the 'rhedley' account we found earlier...


Another round of searching around...



And we find the key to decrypt the encrypted file we retrieved earlier... :)

After decrypting the file, we find that it is actually a copy of the 'etc' folder of the target box... now we need to crack the passwords in order to get sudo privileges on the box...


Using the darkc0de wordlist, we are able to get the password for the 'sraines' account, which is the previous account of 'swillard'...

So, let's try switching user to swillard but using the password found for 'sraines'... "brillantissimo"!


Now we have a proper root shell on the target box... checking out the flag secret.jpg, we are rewarded with a cake!  :)


A very rewarding challenge... :)

Monday, May 5, 2014

[WALKTHROUGH] De-ICE S1-110

Here comes the second episode of the De-ICE series...HACK ON!

This second episode is relatively easier compared to the first episode. Anyhow, I still enjoyed this challenge a lot. =)

Let's load up our guns and be prepared for the coming storm...


Here we find out that the target machine's IP address is 192.168.1.110 (although we already know beforehand that this target machine has the same static IP address, it never hurts to do a bit more work).


RECON... RECON... and RECON!!


DEEPER... DEEPER... and DEEPER!!


Let's poke into the FTP server with 'anonymous' login and see what we can gain...


A suspicious 'core' file with an abnormally large file size is detected... let's grab it to our local desktop and do some further inspection...



Ha! Gotcha! Some credentials found in the 'core' file... copy down the important part and let's crack them with the help of John...
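A core dump sitting in an anonymous FTP root is a data leak waiting to happen, as the 'core' file above shows. As an added example that is not part of the original walkthrough, here is a small audit a defender can run over a served directory to find ELF core dumps by their header rather than by file name (a renamed dump is still a dump). The sample files are constructed for the demo; the directory path is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): find ELF core dumps
# lying around in a directory that is served to others, such as an
# anonymous FTP root. The walkthrough pulled credentials out of just
# such a 'core' file, so a defender wants to know it is there first.
# The directory path and the sample files are constructed for the demo.

# Read $3 bytes at offset $2 of file $1 and print them as decimal values.
bytes_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tu1
}

# Return 0 if $1 is an ELF file whose e_type is ET_CORE (4).
# Only the ELF header is inspected, so the check is cheap even on
# multi-gigabyte dumps and does not rely on the file being named 'core'.
is_elf_core() {
    f=$1
    [ -f "$f" ] || return 1
    # Bytes 0-3 must be the magic 0x7f 'E' 'L' 'F' (127 69 76 70).
    set -- $(bytes_at "$f" 0 4)
    [ $# -eq 4 ] || return 1
    [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ] || return 1
    # Byte 5 (EI_DATA) gives the byte order: 1 = little endian, 2 = big endian.
    set -- $(bytes_at "$f" 5 1)
    endian=$1
    # e_type is the 16-bit field at offset 16.
    set -- $(bytes_at "$f" 16 2)
    [ $# -eq 2 ] || return 1
    if [ "$endian" = 2 ]; then etype=$(( $1 * 256 + $2 )); else etype=$(( $2 * 256 + $1 )); fi
    [ "$etype" -eq 4 ]
}

# Print the path of every ELF core dump below directory $1, sorted.
find_core_dumps() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        if is_elf_core "$f"; then printf '%s\n' "$f"; fi
    done
}

# Demo on constructed files: a fake core (ET_CORE), a fake executable
# (ET_EXEC) and a plain text file. Only the first is reported.
demo=$(mktemp -d)
printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\004\000' > "$demo/core"
printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000' > "$demo/program"
printf 'hello\n' > "$demo/readme.txt"
find_core_dumps "$demo"     # prints only .../core
rm -rf "$demo"
```

Run it as find_core_dumps /path/to/ftp/root from cron and alert on any output. Stopping the dumps from being written in the first place (ulimit -c 0 for the service user, or a core_pattern that sends them to a non-served directory) removes the problem at the source.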


That was fast enough; we have the login credentials for root and another user, 'bbanter'...

If you see the error message 'Host key verification failed'...

Just try deleting the known_hosts file, or run 'ssh-keygen -R 192.168.1.110' (in this case we are trying to connect to 192.168.1.110)...
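Deleting the whole known_hosts file throws away every host key you have ever verified, so it is worth knowing what 'ssh-keygen -R' actually removes. As an added example that is not part of the original walkthrough, here is a plain-sh version that lists the entries for one host before dropping them; it handles the unhashed "host", "host,alias" and "[host]:port" forms but not hashed "|1|..." lines (ssh-keygen -F / -R cover those). The sample entries and the file path are constructed for the demo. In a lab where the VM is rebuilt from the Live CD each time, a changed key is expected; on a host you have reached before and that was not reinstalled, a changed key is the thing this check exists to catch.

```shell
#!/bin/sh
# Added example (not part of the original post): inspect and remove a
# stale host-key entry for one host from a known_hosts file, which is
# what 'ssh-keygen -R 192.168.1.110' does for you. Plain sh + awk so it
# runs anywhere; hashed "|1|..." entries are left untouched.

# $1 = mode (list|drop), $2 = host, $3 = known_hosts file.
_known_hosts_filter() {
    awk -v mode="$1" -v host="$2" '
        # Does the comma-separated name list in "field" contain host?
        # Strips the "[host]:port" form used for non-default ports.
        function names_host(field,    n, parts, i, name) {
            n = split(field, parts, ",")
            for (i = 1; i <= n; i++) {
                name = parts[i]
                sub(/^\[/, "", name); sub(/]:[0-9]+$/, "", name)
                if (name == host) return 1
            }
            return 0
        }
        # Comments, blank lines and @cert-authority/@revoked markers are kept.
        /^[[:space:]]*(#|$)/ || /^@/ { if (mode == "drop") print; next }
        {
            hit = names_host($1)
            if (mode == "list" && hit) print NR ": " $0
            if (mode == "drop" && !hit) print
        }' "$3"
}

# Print the known_hosts lines (with line numbers) that name host $1 in file $2.
known_hosts_lines_for() { _known_hosts_filter list "$1" "$2"; }

# Rewrite file $2 without the entries for host $1, keeping a backup at $2.old.
forget_host_key() {
    cp "$2" "$2.old"                          # backup, as ssh-keygen -R also does
    _known_hosts_filter drop "$1" "$2.old" > "$2"
}

# Number of entries still present for host $1 in file $2.
count_known_hosts_for() { known_hosts_lines_for "$1" "$2" | wc -l | tr -d ' '; }

# Demo on a constructed known_hosts file (the keys are not real keys).
demo=$(mktemp -d)
printf '%s\n' '192.168.1.110 ssh-rsa AAAAB3CONSTRUCTEDKEY1' \
              '192.168.1.100 ssh-rsa AAAAB3CONSTRUCTEDKEY2' > "$demo/known_hosts"
known_hosts_lines_for 192.168.1.110 "$demo/known_hosts"   # shows the entry before it goes
forget_host_key 192.168.1.110 "$demo/known_hosts"
count_known_hosts_for 192.168.1.110 "$demo/known_hosts"   # now 0
rm -rf "$demo"
```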



Escalate our privilege through the bbanter account... ;)

Let's find our flag, which is an encrypted file again...

 
From 'copy.sh', we know the cipher type.

So, let's decrypt the file, and we have reached the end of the challenge...




[WALKTHROUGH] De-ICE S1-100

Recently, I have been playing around with the De-ICE penetration testing series. Hopefully I am not too late to join the party. Since the Live CD is very vulnerable by design, it is advisable not to run it on a network exposed to the outside world, as this might lead to your network being compromised.

Disclaimer: Please try this in a safe environment; I will not hold any responsibility for any damage caused by this post.

Difficulty: Beginner

Requirements:
Kali Linux (basically you get everything you need to solve this challenge with this distro)
Some wordlist for the dictionary attack later *spoiler alert*
Some food and drinks
Some patience

As good practice when starting a penetration test, we often scan the network for live hosts / the IP range. Although we already know that the target box has a static IP address of 192.168.1.100, there is no harm in doing a simple network scan. After setting our Kali IP address to be in the same network as the Live CD, we scan the network using netdiscover (you may also use nmap). A series of screenshots will walk you through the whole challenge.


192.168.1.100 - Target machine
192.168.1.138 - Kali machine

Let's start our reconnaissance process...

More information = a higher chance of success!

Open ports and running services: ftp, ssh, smtp, http, pop3, imap

Note: FTP server seems to be having some problem.

Further deep scan with Nmap in aggressive mode...

Interesting results... let's head on to the website and see what other information we can get...


In the game-related web page, we can see some usernames...

Let's harvest all the usernames here; they might be of help in the attacking stage later...


We got around 10 usernames harvested from the web page alone... good job!

Let's further mutate the usernames to increase the possibilities...


With the aid of some self-made scripting, we successfully mutate the usernames into more varieties... ^_^

The next step will be attacking the SSH service using a dictionary attack...


Please note that the wordlist shown in the screenshot is a much shorter, customized dictionary for demonstration purposes only. The actual time taken during my real attack was much longer than this.

From the attack, we found the login credentials for aadams...

Let's log in using the credentials we found and perform further reconnaissance for more information...

Checking out the important files: /etc/group, /etc/passwd and /etc/shadow




Next, grab the shadow content and do some cracking with the help of John the Ripper!

Password found for the root account: tarot
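Both here and in the S1-110 box, John got the root password in seconds, which says as much about the hash format and the password as about John. As an added example that is not part of the original walkthrough, here is the audit a defender would run over a shadow file to flag the things that make that possible: legacy crypt(3) algorithms, empty password fields, and accounts that still allow password login at all. The shadow lines are constructed (the hashes are placeholders, not real hashes), so it runs without root, and the WEAK/OK rating is my own judgement of which algorithms a modern cracker gets through quickly.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a shadow file for
# weak or missing password hashes. Input is a constructed shadow file,
# not a real one, so the demo runs as an ordinary user.

# Map the $id$ prefix of a crypt(3) hash field to a readable algorithm name.
hash_algorithm() {
    case $1 in
        '')            echo "EMPTY" ;;       # empty field: password-less login
        '*'|'!'*)      echo "LOCKED" ;;      # no password login possible
        '$1$'*)        echo "md5crypt" ;;
        '$2'*)         echo "bcrypt" ;;      # $2a$, $2b$, $2y$
        '$5$'*)        echo "sha256crypt" ;;
        '$6$'*)        echo "sha512crypt" ;;
        '$7$'*)        echo "scrypt" ;;
        '$y$'*)        echo "yescrypt" ;;
        '$'*)          echo "unknown" ;;
        *)             echo "descrypt" ;;    # 13-char traditional DES, no $ prefix
    esac
}

# Rate an algorithm: WEAK for the cheap legacy ones (DES, md5crypt),
# CRITICAL for an empty field, OK for the slow iterated/memory-hard ones.
rate_algorithm() {
    case $1 in
        descrypt|md5crypt|unknown) echo WEAK ;;
        EMPTY)                     echo CRITICAL ;;
        *)                         echo OK ;;
    esac
}

# Print "user algorithm rating" for each line of shadow file $1.
# Locked accounts are skipped unless $2 is "all".
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        alg=$(hash_algorithm "$hash")
        if [ "$alg" = LOCKED ] && [ "${2:-}" != all ]; then continue; fi
        printf '%s %s %s\n' "$user" "$alg" "$(rate_algorithm "$alg")"
    done < "$1"
}

# Number of accounts in shadow file $1 that need attention (anything not OK).
count_findings() {
    audit_shadow "$1" | awk '$3 != "OK"' | wc -l | tr -d ' '
}

# Demo on a constructed shadow file (placeholder hashes, not real ones).
demo=$(mktemp)
cat > "$demo" <<'EOF'
root:$1$saltsalt$ConstructedMd5CryptHash:14000:0:99999:7:::
aadams:AbCdEfGhIjKlM:14000:0:99999:7:::
guest::14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
ops:$6$saltsaltsaltsalt$ConstructedSha512Hash:14000:0:99999:7:::
EOF
audit_shadow "$demo"      # root md5crypt WEAK / aadams descrypt WEAK / guest EMPTY CRITICAL / ops sha512crypt OK
count_findings "$demo"    # 3
rm -f "$demo"
```

A WEAK rating means the hash is cheap enough that a wordlist run like the one in this post finishes fast; the fix is to re-hash with sha512crypt or yescrypt (set in /etc/login.defs or the PAM config on most distributions) and to rotate the affected passwords, since the old hashes may already have been copied off the box as they were here.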

The next thing on the to-do list is to log in to the root account...



Voila! We got a root shell on our target machine...

But... don't get too excited yet! Our challenge is not yet complete!

After checking the web page for hints, there is still something to fix...

Let's fix the broken FTP server...

Checking out the FTP configuration file at /etc/vsftpd.conf...


Comment out the final line as shown in the screenshot and restart the FTP service.


Next mission is to find the CEO's bank account information...


Fortunately, we can transfer the file to our local machine through the FTP server we fixed earlier... good job again!


Finding the encryption type using a script I made myself, and outputting the decrypted version of the secret file...


So now we got the CEO's bank account information.

Challenge ended! Good night! ;)

P.S.: Stay tuned for the rest of the series... need some time and patience for that...