
Thursday, May 8, 2014

[WALKTHROUGH] De-ICE S1-120

Here comes the S1-120 of the De-ICE series...

Well, I would say this is not that difficult, except that the part where we escalate to root privilege kept me wondering for some time...

Overall, I still enjoyed the hacking challenge this time :)

Let's start with netdiscover to find the target's IP address...

Usual practice: recon with Nmap...


Nmap with aggressive mode...


Let's check out the website...

Seems like this can be attacked using SQL injection...


Let's confirm it using sqlmap...



The guess is CORRECT! Now we dump all the usernames and passwords into two separate files...

After that, hydra will do the work of breaking into the SSH service...
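The same password attack is exactly what a defender should be able to pick out of sshd's log: one source address failing against many usernames within seconds, then suddenly succeeding. The detector below is an added example, not part of the original post; the auth.log lines are constructed (the hostname 'slax' and the addresses are assumptions) and the thresholds are defaults to tune.

```python
"""Spot a hydra-style SSH password attack in sshd log lines.
Added example, not from the original post: the auth.log lines are constructed
(hostname 'slax' and addresses are assumptions); thresholds are defaults a
defender would tune. Syslog lines carry no year, so one is passed in.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source tries a dumped user list and finally succeeds.
SAMPLE_AUTH_LOG = """\
May  8 10:01:01 slax sshd[2001]: Failed password for invalid user aadams from 192.168.1.99 port 40001 ssh2
May  8 10:01:02 slax sshd[2002]: Failed password for bbanter from 192.168.1.99 port 40002 ssh2
May  8 10:01:02 slax sshd[2003]: Failed password for ccoffee from 192.168.1.99 port 40003 ssh2
May  8 10:01:03 slax sshd[2004]: Failed password for invalid user ddavis from 192.168.1.99 port 40004 ssh2
May  8 10:01:03 slax sshd[2005]: Failed password for ccoffee from 192.168.1.99 port 40005 ssh2
May  8 10:01:04 slax sshd[2006]: Accepted password for ccoffee from 192.168.1.99 port 40006 ssh2
May  8 10:30:00 slax sshd[2100]: Failed password for ccoffee from 192.168.1.50 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def find_bruteforce(log_text, max_failures=4, max_users=3, window_s=60, year=2014):
    """Return {ip: {"failures": n, "users": [...], "accepted_after": bool}} for
    every source that exceeds either threshold inside one sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["result"], m["user"]))
    alerts = {}
    for ip, evs in sorted(events.items()):
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, (t0, _, _) in enumerate(fails):
            win = [e for e in fails[i:] if (e[0] - t0).total_seconds() <= window_s]
            users = sorted({e[2] for e in win})
            if len(win) >= max_failures or len(users) >= max_users:
                # a success from the same source after the burst is the real emergency
                accepted = any(e[1] == "Accepted" and e[0] >= t0 for e in evs)
                alerts[ip] = {"failures": len(win), "users": users, "accepted_after": accepted}
                break
    return alerts
```

The single failure from 192.168.1.50 stays below both thresholds, while the burst from 192.168.1.99 is reported together with the fact that a login was accepted right after it.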


As in the previous challenges, 'ccoffee' seems to have been a staff member since the very beginning...

So, let's try logging in with the 'ccoffee' account...


Now we have a shell on the target machine...

It seems that we can only run 'sudo' on the following file... but executing the file does not escalate our privileges to root... :(


Let's back up the original file before we proceed further...

Try creating a file with the same name that spawns a shell, and change its permissions to allow all...

IT WORKS! But we only get a shell with 'ccoffee' privileges... (feeling depressed again...)


Let's check the allowed 'sudo' commands again...

Perhaps we should just run 'sudo' with the full path of the file?

......... and we got the root shell! :)


The next thing to do is just to find the 'flagsss' this time... and I will leave that to you, since there are too many files to look through...

# ls -laRh

This command lists all files recursively with human-readable file sizes... :)


Next challenge would be S1-130...

Tuesday, May 6, 2014

[WALKTHROUGH] De-ICE S2-100

Here comes the disk 2 challenge:

This is one interesting box, as it proves to us once again that the information gathering stage is soooo IMPORTANT! You will see why later in the post...

First, let's change our IP address to one on the same network as the Live CD...


Again, scan the network range...


Notice something interesting here? Our target machine has TWO IP addresses...

This is already very suspicious at such an early stage... Let's keep that in mind!



Nmap reconnaissance done on both IP addresses...

Now, again in aggressive mode...


Next, grab some candidate usernames from the web page...


This time, let's verify the user accounts against the SMTP server...



OK! Now we have three valid usernames here: havisham, magwitch and pirrip...


Let's see if we can access the web directories of these users...


Great! All of the valid users' directories can be accessed through the website...

Let's investigate further with a Nikto scan...


Here we found an interesting directory: /~/pirrip/.ssh/

Let's head over to the directory in our browser...


Download the id_rsa file to our local machine...

Then chmod id_rsa to more restrictive permissions (ssh refuses to use a private key that other users can read)...


Now we can ssh into our target machine using pirrip's key... and we have our shell!
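The root cause here is a user's .ssh directory sitting under a path the web server happily serves. The audit below is an added example, not from the original post: it builds a constructed tree in a temp dir that mimics the Apache mod_userdir layout (/home/<user>/public_html served as /~<user>/, an assumption; pass a different public_dir if UserDir points elsewhere) and reports key material the web server can hand out, plus private keys whose mode is wider than 0600.

```python
"""Find SSH key material served from users' web directories.

Added example, not from the original post. It builds a constructed tree
in a temp dir mimicking mod_userdir (/home/<user>/public_html served as
/~<user>/; adjust public_dir if UserDir points elsewhere) and reports
.ssh directories and key files the web server can hand out, plus private
keys whose mode is looser than 0600.
"""
import os
import stat
import tempfile

KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "authorized_keys"}

def audit_web_homes(home_root, public_dir="public_html"):
    """Return a list of (user, path relative to the served root, problem)."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        served = os.path.join(home_root, user, public_dir)
        if not os.path.isdir(served):
            continue
        for dirpath, _, filenames in os.walk(served):
            rel = os.path.relpath(dirpath, served)
            if os.path.basename(dirpath) == ".ssh":
                findings.append((user, rel, ".ssh directory inside web root"))
            for name in filenames:
                if name not in KEY_NAMES and not name.endswith(".pem"):
                    continue
                path = os.path.join(dirpath, name)
                relname = os.path.normpath(os.path.join(rel, name))
                findings.append((user, relname, "key material reachable over HTTP"))
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bit set
                    findings.append((user, relname, f"mode {oct(mode)} is wider than 0600"))
    return findings

def build_constructed_tree():
    """Constructed fixture: pirrip's .ssh sits under his web root, magwitch's does not."""
    root = tempfile.mkdtemp()
    ssh = os.path.join(root, "pirrip", "public_html", ".ssh")
    os.makedirs(ssh)
    with open(os.path.join(ssh, "id_rsa"), "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed, not a real key\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(os.path.join(ssh, "id_rsa"), 0o644)
    os.makedirs(os.path.join(root, "magwitch", ".ssh"))  # outside public_html: fine
    with open(os.path.join(root, "magwitch", ".ssh", "id_rsa"), "w") as f:
        f.write("constructed, not a real key\n")
    return root
```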


Take a peek at their email conversations; hopefully we will gain some 'juicy' information...


Nice! The email conversations contained the login credentials for pirrip...

Now we can see what pirrip can do with the sudo command...


Interesting! Since we can run vi with sudo and we have pirrip's password, we might just as well edit the shadow file and change the root password to the same as pirrip's...






Next, we can finally escalate our privileges using the newly changed root password...
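Both sudo escalations in these walkthroughs (the replaceable script run by full path in S1-120, and sudo vi rewriting the shadow file here) come from sudoers rules an administrator can catch before anyone else does. The audit below is an added example, not the author's or any project's code: the sudoers lines and the ownership table are constructed (the getlogs.sh path is a stand-in), and a real audit would parse /etc/sudoers and os.stat() each command instead.

```python
"""Audit sudoers rules for the weaknesses these walkthroughs used.
Added example, not the author's or any project's code. Sudoers lines and the
ownership table are constructed (getlogs.sh path is a stand-in); a real audit
would parse /etc/sudoers and os.stat() each command. Flags interactive programs
with shell escapes (sudo vi can rewrite /etc/shadow) and command files the user
can replace, which equal ALL since sudo checks the path, not the file's content.
"""
import re
import stat

SHELL_ESCAPE_BINS = {"vi", "vim", "nano", "less", "more", "man", "find", "awk", "perl", "python"}
SAMPLE_SUDOERS = """\
root    ALL=(ALL) ALL
ccoffee ALL=(root) NOPASSWD: /home/ccoffee/scripts/getlogs.sh
pirrip  ALL=(ALL) /usr/bin/vi, /usr/sbin/useradd
"""
# Constructed stand-in for os.stat(): path -> (owner, mode).
SAMPLE_FILES = {
    "/home/ccoffee/scripts/getlogs.sh": ("ccoffee", 0o755),
    "/usr/bin/vi": ("root", 0o755),
    "/usr/sbin/useradd": ("root", 0o755),
}
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\([^)]*\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def audit_sudoers(sudoers_text, files):
    """Return a list of (user, command, problem) findings for non-root rules."""
    findings = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["user"] == "root":
            continue
        user = m["user"]
        for cmd in [c.strip() for c in m["cmds"].split(",")]:
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted ALL"))
                continue
            binary = cmd.split()[0]
            if binary.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS:
                findings.append((user, cmd, "shell escape: can edit /etc/shadow; prefer sudoedit"))
            owner, mode = files.get(binary, (None, 0))
            writable = owner != "root" or mode & (stat.S_IWGRP | stat.S_IWOTH) or binary.startswith("/home/")
            if owner is None:
                findings.append((user, cmd, "command file missing: user could create it"))
            elif writable:
                findings.append((user, cmd, f"owned by {owner}, replaceable by user: equivalent to ALL"))
            if "NOPASSWD" in m["tags"]:
                findings.append((user, cmd, "NOPASSWD: no password check before running as root"))
    return findings
```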


Let's fix the FTP server for them :p


Also, grab the 'flag' (although it is not mentioned in this challenge)...


Squeeeeeze the 'blood' out from the 'body'!


OK! It is now done...

P.S.: Nice raises for Havisham there :p

Monday, May 5, 2014

[WALKTHROUGH] De-ICE S1-110

Here comes the second episode of the De-ICE series... HACK ON!

This second episode is relatively easy compared to the first. Anyhow, I still enjoyed this challenge a lot. =)

Let's load up our guns and be prepared for the coming storm...


Here we find that the target machine's IP address is 192.168.1.110 (although we already knew beforehand that this target machine has the same static IP address, it never hurts to do a little extra work).


RECON... RECON... and RECON!!


DEEPER... DEEPER... and DEEPER!!


Let's poke into the FTP server with the 'anonymous' login and see what we can gain...


A suspicious 'core' file with an abnormally large file size is detected... let's grab it to our local desktop and inspect it further...



Ha! Gotcha! Some credentials are found in the 'core' file... copy down the important part and let's crack them with the help of John...


That was fast enough; we have the login credentials for root and for another user, 'bbanter'...
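A core dump left in an anonymous FTP directory is a data leak waiting to be found, and the crack above only works because the dump carried /etc/shadow lines verbatim. The scanner below is an added example, not from the original post: it walks a constructed FTP root in a temp dir (the hashes in it are fake and the size limit is an assumption) and reports core files, oversized files, and any file containing crypt(3)-style 'user:$N$...' fields, so the administrator can pull them before a visitor does.

```python
"""Scan an anonymous-FTP root for core dumps and leaked password hashes.

Added example, not from the original post. The FTP tree is constructed in a
temp dir and the hashes are fake; the size limit is an assumption. A core
dump of a process that had read /etc/shadow carries the hash lines verbatim,
which is what the walkthrough found, so the scan flags core files by name,
oversized files, and any file containing crypt(3)-style 'user:$N$...' fields.
"""
import os
import re
import tempfile

# 'user:$1$|$5$|$6$salt$hash:'; the prefix alternative lets it match inside binary data
HASH_RE = re.compile(rb"(?:^|[\x00\n])([a-z_][a-z0-9_-]*):\$[156]\$[^:\s]+:")
CORE_RE = re.compile(r"^core(?:\.\d+)?$")

def scan_ftp_root(root, size_limit=1_000_000):
    """Return a list of (path relative to root, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if CORE_RE.match(name):
                findings.append((rel, "core dump published via anonymous FTP"))
            size = os.path.getsize(path)
            if size > size_limit:
                findings.append((rel, f"unexpectedly large file ({size} bytes)"))
            with open(path, "rb") as f:
                users = [u.decode() for u in HASH_RE.findall(f.read())]
            if users:
                findings.append((rel, "shadow-style password hashes for: " + ", ".join(users)))
    return findings

def build_constructed_ftp_root():
    """Constructed fixture: a core dump in incoming/ that swallowed /etc/shadow lines."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "incoming"))
    with open(os.path.join(root, "incoming", "core"), "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 64)  # binary junk, no newline before the first hash
        f.write(b"root:$1$c0nstruc$FAKEHASHnotrealABCDEF1:16000:0:99999:7:::\n")
        f.write(b"bbanter:$1$c0nstruc$FAKEHASHnotrealABCDEF2:16000:0:99999:7:::\n")
    with open(os.path.join(root, "README"), "wb") as f:
        f.write(b"Welcome to the public FTP server. Nothing secret here.\n")
    return root
```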

If you see the error message 'Host key verification failed'...

Just delete the known_hosts file or run 'ssh-keygen -R 192.168.1.110' (in this case we are connecting to 192.168.1.110)...



Escalate our privileges through the bbanter account... ;)

Let's find our flag, which is an encrypted file again...

 
From 'copy.sh', we know the cipher type.

So, let's decrypt the file, and we have reached the end of the challenge...