Wednesday, May 14, 2014

[WALKTHROUGH] De-ICE_S1-130

After a long rest, finally here is the S1-130 of De-ICE series as promised...

This challenge involved some Java programming language... ;)

Unlike those previous challenges in De-ICE series, the ip address this time is not the same as the name (S1-130).. Instead, the ip address for the target box this time is 192.168.1.20 as we found out using Netdiscover.


Never forget to do some reconnaissance before we initiate our attacks...


 By visiting the web site, we can see the admin email account for the Nosecbank domain... :)


 Next thing to do is generate some mutated usernames based on the 'customerserviceadmin' found on the website using my customized scripts...

Let's see if any generated username is valid through the SMTP service using RCPT command...


 Now we got a valid username reside in the target box... "csadmin" which is mutated from the original username "customerserviceadmin"...

After that we got the valid username, let's hit the box using Hydra... another long waited process... :(


 Password found for the username "csadmin"!

No-brainer-answer after this is to login using the credentials found... :p


 After login successfully into the target box, we should seek to root privilege escalation... :)


Unfortunately, the available sudo command for csadmin is very limited... :(

But we found an email from the sdadmin... :)


From the email content, we do some password profiling and create a customized password list to be attempted for attacks later...


 Great! Password found for the username "sdadmin"... apparently the password is formed using his son's name and birth year.. XD


 Another limited sudo commands for "sdadmin" user account... :(



But... we can find the replied email from the "csadmin" regarding his son's birthday invitation... "databaser" seems like referring to the "dbadmin" user account...


Another round of password profiling for the "dbadmin" account...


 Luckily, we got the password login for "dbadmin" too...


Here we see the part 1 of the broken email... let's try to fix it and see what might we get from this... :p




Finally, we fixed the java code by sticking up the part 1, 2 and 3... (a complete Java code can be seen at the most bottom part of this post...)

Compiled the Java code and see if we can generate the password for "sysadmin" and "root" account...


 Voila! Now we got the password for "sysadmin" and "root" account... and we found the encrypted flag here...

Let's do something and download the encrypted file over our local box...



After grabbed the encrypted files, decrypt it and we're done with the challenge... :)



[*] deice.java
import java.io.*;
public class deice
{
    public static void main(String[] args)
    {
        try
        {
            System.out.println("[*] Password Generator");
            BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
            System.out.print("[?] Username: ");
            String input=in.readLine();
            int[] output=processLoop(input);
            String outputASCII="";
            for(int i=0; i                outputASCII+=(char) output[i];
            System.out.println("[+] Password: " + outputASCII);
        }
        catch(IOException e)
        {
            System.out.println("[-] IO Error Occurred!");
        }
    }
/*input is username of account*/
    public static int[] processLoop(String input)
    {
        int strL = input.length();
        int lChar=(int)input.charAt(strL-1);
        int fChar=(int)input.charAt(0);       
        int[] encArr = new int[strL+2];       
        encArr[0]=(int)lChar;   
        for(int i=1;i            encArr[i]=(int)input.charAt(i-1);
        //encArr[0]=(int)lChar;
        encArr[encArr.length-1] = (int)fChar;
        encArr = backLoop(encArr);
        encArr = loopBack(encArr);
        encArr = loopProcess(encArr);
        int j = encArr.length-1;
        for(int i=0; i            if(i == j)
                break;
            int t=encArr[i];
            encArr[i]=encArr[j];
            encArr[j]=t;
            j--;
        }
    return encArr;
    }
/*Note the pseudocode will be implemented with the    
root account and my account, we still need to implement it with the csadmin, sdadmin,   
and dbadmin accounts though*/   
    public static int[] backLoop(int[] input){
        int ref = input.length;
        int a = input[1];
        int b = input[ref-1];
        int ch = (a+b)/2;       
        for(int i=0;i            if(i%2 == 0)
                input[i] = (input[i]%ch)+(ref+i);
            else
                input[i] = (input[i]+ref+i);
        }
    return input;
    }
    public static int[] loopProcess(int[] input){   
        for(int i=0; i i < input.length; i++ ) {
            if(input[i] == 40 || input[i] == 41)
                input[i] += input.length;
            else if(input[i] == 45)
                input[i] += 20+i;
        }
    return input;
    }
    public static int[] loopBack(int[] input){
        int ref = input.length/2;
        int[] encNew = new int[input.length+ref];
        int ch = 0;
        for(int i=(ref/2); i i < input.length; i++ ) {
            encNew[i] = input[ch];
            ch++;
        }
        for(int i=0; i            if(encNew[i] <= 33)
                encNew[i] = 33+(++ref*2);
            else if(encNew[i] >= 126)
                encNew[i]=126-(--ref*2);
            else{
                if(i%2 == 0)
                    encNew[i] -= (i%3);
                else
                    encNew[i] += (i%2);
            }
        }
    return encNew;
    }
}

Posted by at
Labels: , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)