
Thursday, May 15, 2014

[WALKTHROUGH] De-ICE_S1-140

Seems like this will be the final challenge in the De-ICE series... and I really enjoyed myself throughout the whole series...

Hopefully we will see more challenges added to this series again...  :)

For now, let's head on and attack the final box...

This box is running with DHCP enabled... Hence, a ping sweep across the network is required in order to find out the real IP address of the target box...

Here, we use Netdiscover to find out the IP address of the target box, which is 192.168.17.141


Never forget to recon the box and grab as much info as possible...


Aggressive mode...


Checking out their website... some quotes by Bill Gates <3


Seems like there is nothing we can get from the website (there is a hints section on the website)...

Let's try with DirBuster and see if we might get some interesting sub-directories....




Some interesting sub-directories found: forum, phpmyadmin, webmail...

Let's head over to the forum section and see what we might get from there...


Oops... a careless mistake by one of the staff, "mbrown", who leaked his own password in the forum...   ;)

Let's try logging in to the forum using the 'mbrown' account credentials...


And we can see his email account after logging in to his profile...

Since we got an email account, we might as well try logging in to his webmail and see if it is successful...


BOOM! Another password found, this time for the "root" account...  XD


From this email, we can find out that "mbrown" is using the same password for several services... (as we can see even at this stage... 'mbrown' is using the same password for his forum and email accounts... )

Since we now have the 'root' account for phpmyadmin... let's check out phpmyadmin as well...



We are able to log in successfully using the "root" account found... and we can see some password hashes in the database as well... :)



By searching for the hashes with Google, we can easily find the passwords for two of the accounts there...

Now, we try to FTP into the box using the credentials we just found...


Fortunately enough, we are still able to access the FTP service successfully using the 'rhedley' account...


Sniffing around for any suspicious files, we see an encrypted file located in the FTP folder... Sadly, we do not have the key to decrypt the file at the moment, but we can download the file to our local box for later use...

Seems like we have run out of ways to get a shell on the box... :(


After Googling around, we found that /forum/templates_c/ is actually writable... that sheds some light here...

Quickly logging in to phpmyadmin, we create a new table 'shell' under the 'test' database..


Generate a PHP shell payload...

Insert the code into column '1' of the 'shell' table...



And insert into dumpfile...


Refresh the page at /forum/templates_c/ and we can see a newly created phpshell.php file...   :)


Before running the shell payload, we need to prepare a handler in order to catch the connection from the exploit...



We now have a shell on the target box, but the shell is running with minimal privileges...

Let's try with the 'rhedley' account we found earlier...


Another round of scouring around...



And we found the key to decrypt the encrypted file we retrieved earlier... :)

After decrypting the file, we found that it is actually a copy of the 'etc' folder of the target box... now we will need to crack the passwords in order to get sudo privileges on the box...


By using the darkc0de wordlist, we are able to get the password for the 'sraines' account, which is the previous account of 'swillard'...

So, let's try switching user to swillard but using the password found for 'sraines'... "brillantissimo"!


Now we have a proper root shell on the target box... checking out the flag secret.jpg, we are rewarded with a cake!  :)


A very rewarding challenge... :)

Wednesday, May 14, 2014

[WALKTHROUGH] De-ICE_S1-130

After a long rest, finally here is S1-130 of the De-ICE series as promised...

This challenge involves some Java programming... ;)

Unlike the previous challenges in the De-ICE series, the IP address this time is not the same as the name (S1-130).. Instead, the IP address of the target box is 192.168.1.20, as we found out using Netdiscover.


Never forget to do some reconnaissance before we initiate our attacks...


By visiting the website, we can see the admin email account for the Nosecbank domain... :)


The next thing to do is generate some mutated usernames based on the 'customerserviceadmin' found on the website, using my customized scripts...

Let's see if any generated username is valid by probing the SMTP service with the RCPT command...


Now we have a valid username residing on the target box... "csadmin", which is mutated from the original username "customerserviceadmin"...
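The defender's side of the RCPT trick above, as an added example that is not part of the original post: a valid guess is accepted and leaves no reject line, so enumeration shows up in the mail log as a burst of distinct "User unknown" rejections from one client. The log lines are constructed in Postfix smtpd style, the domain, IPs and the year assumed for the syslog timestamps are made up, and the threshold and window are arbitrary tuning knobs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, Postfix-style smtpd log lines (not from the original post): one client
# probes several guessed recipients in a few seconds, a partner relay gets one bounce.
SAMPLE_LOG = """\
May 14 10:01:02 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[192.168.1.50]: 550 5.1.1 <customerservice@example.com>: Recipient address rejected: User unknown in local recipient table; to=<customerservice@example.com>
May 14 10:01:02 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[192.168.1.50]: 550 5.1.1 <cservice@example.com>: Recipient address rejected: User unknown in local recipient table; to=<cservice@example.com>
May 14 10:01:03 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[192.168.1.50]: 550 5.1.1 <csadmin1@example.com>: Recipient address rejected: User unknown in local recipient table; to=<csadmin1@example.com>
May 14 10:01:03 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[192.168.1.50]: 550 5.1.1 <admincs@example.com>: Recipient address rejected: User unknown in local recipient table; to=<admincs@example.com>
May 14 10:01:04 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[192.168.1.50]: 550 5.1.1 <custadmin@example.com>: Recipient address rejected: User unknown in local recipient table; to=<custadmin@example.com>
May 14 10:09:30 mail postfix/smtpd[2390]: NOQUEUE: reject: RCPT from relay.partner.example[10.0.0.7]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; to=<sales@example.com>
"""

# Only "User unknown" RCPT rejections matter: an accepted recipient produces no reject
# line, so the enumeration signal is many distinct unknown recipients from one client.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

def find_rcpt_enumeration(log_text, threshold=4, window_s=60, year=2014):
    """Return {client_ip: sorted distinct rejected recipients} for every client that
    was refused `threshold` or more distinct recipients within `window_s` seconds.
    Syslog timestamps carry no year, so one is passed in (assumed for the sample)."""
    events = defaultdict(list)  # ip -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["rcpt"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide a window over each client's rejects
            in_window = {r for t, r in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(in_window) >= threshold:
                flagged[ip] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    for ip, rcpts in find_rcpt_enumeration(SAMPLE_LOG).items():
        print(f"[!] possible RCPT enumeration from {ip}: {len(rcpts)} unknown recipients {rcpts}")
```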

Now that we have a valid username, let's hit the box using Hydra... another long wait... :(


Password found for the username "csadmin"!

The no-brainer answer after this is to log in using the credentials found... :p


After logging in successfully to the target box, we should look for a root privilege escalation... :)


Unfortunately, the sudo commands available to csadmin are very limited... :(

But we found an email from sdadmin... :)


From the email content, we do some password profiling and create a customized password list to be used in attacks later...


Great! Password found for the username "sdadmin"... apparently the password is formed from his son's name and birth year.. XD


Another limited set of sudo commands for the "sdadmin" user account... :(



But... we can find the reply email from "csadmin" regarding his son's birthday invitation... "databaser" seems to refer to the "dbadmin" user account...


Another round of password profiling for the "dbadmin" account...


Luckily, we got the password for "dbadmin" too...


Here we see part 1 of the broken email... let's try to fix it and see what we might get from this... :p




Finally, we fixed the Java code by sticking parts 1, 2 and 3 together... (the complete Java code can be seen at the very bottom of this post...)

Compile the Java code and see if we can generate the passwords for the "sysadmin" and "root" accounts...


Voila! Now we have the passwords for the "sysadmin" and "root" accounts... and we found the encrypted flag here...

Let's download the encrypted file to our local box...



After grabbing the encrypted files, decrypt them and we're done with the challenge... :)



[*] deice.java
import java.io.*;
public class deice
{
    public static void main(String[] args)
    {
        try
        {
            System.out.println("[*] Password Generator");
            BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
            System.out.print("[?] Username: ");
            String input=in.readLine();
            int[] output=processLoop(input);
            String outputASCII="";
            // turn the transformed code points back into a printable string
            for(int i=0; i<output.length; i++)
                outputASCII+=(char) output[i];
            System.out.println("[+] Password: " + outputASCII);
        }
        catch(IOException e)
        {
            System.out.println("[-] IO Error Occurred!");
        }
    }
/*input is username of account*/
    public static int[] processLoop(String input)
    {
        int strL = input.length();
        int lChar=(int)input.charAt(strL-1);
        int fChar=(int)input.charAt(0);
        // wrap the username: its last char goes in front, its first char at the end
        int[] encArr = new int[strL+2];
        encArr[0]=(int)lChar;
        for(int i=1;i<encArr.length-1;i++)
            encArr[i]=(int)input.charAt(i-1);
        //encArr[0]=(int)lChar;
        encArr[encArr.length-1] = (int)fChar;
        encArr = backLoop(encArr);
        encArr = loopBack(encArr);
        encArr = loopProcess(encArr);
        // reverse the array in place; the loop only stops when the indices meet,
        // which works because every username on this box yields an odd length
        int j = encArr.length-1;
        for(int i=0; i<encArr.length; i++){
            if(i == j)
                break;
            int t=encArr[i];
            encArr[i]=encArr[j];
            encArr[j]=t;
            j--;
        }
    return encArr;
    }
/*Note the pseudocode will be implemented with the
root account and my account, we still need to implement it with the csadmin, sdadmin,
and dbadmin accounts though*/
    public static int[] backLoop(int[] input){
        int ref = input.length;
        int a = input[1];
        int b = input[ref-1];
        int ch = (a+b)/2;
        // shift every element by its position; even positions are first reduced modulo ch
        for(int i=0;i<ref;i++){
            if(i%2 == 0)
                input[i] = (input[i]%ch)+(ref+i);
            else
                input[i] = (input[i]+ref+i);
        }
    return input;
    }
    public static int[] loopProcess(int[] input){
        // nudge '(' ')' and '-' (40, 41, 45) so they do not end up in the password
        for(int i=0; i < input.length; i++ ) {
            if(input[i] == 40 || input[i] == 41)
                input[i] += input.length;
            else if(input[i] == 45)
                input[i] += 20+i;
        }
    return input;
    }
    public static int[] loopBack(int[] input){
        int ref = input.length/2;
        // grow the array by half and copy the input in, offset by ref/2
        // (the copy stops at input.length, so the last ref/2 input values are dropped)
        int[] encNew = new int[input.length+ref];
        int ch = 0;
        for(int i=(ref/2); i < input.length; i++ ) {
            encNew[i] = input[ch];
            ch++;
        }
        // clamp everything into the printable ASCII range, then jitter by position
        for(int i=0; i<encNew.length; i++){
            if(encNew[i] <= 33)
                encNew[i] = 33+(++ref*2);
            else if(encNew[i] >= 126)
                encNew[i]=126-(--ref*2);
            else{
                if(i%2 == 0)
                    encNew[i] -= (i%3);
                else
                    encNew[i] += (i%2);
            }
        }
    return encNew;
    }
}