This is a walkthrough on De-ICE S1.140, available for download at VulnHub. This release was much anticipated and took a while to get released to the public. It's a little tougher than the previous De-ICE challenges, but uses a similar formula of password cracking and guessing.
After booting up the De-ICE virtual machine, I used
netdiscoverand identified the target's IP address as 192.168.1.146. I copied the IP address into a file,
t.txt, and passed it into
onetwopunch.shfor a full TCP and UDP port scan:
Several services were found running: FTP, SSH, HTTP, IMAP, and POP3. I pointed my web browser to http://192.168.1.146 and was greeted by a the Lazy Admin Corp. webpage:
Aside from some hints for completing the challenge, there wasn't much else on the webpage. At this point I fired up
wfuzzto enumerate the website further.
Both programs identified a new resource,
/forum. Navigating to it, I found a web forum powered by my little forum. I did a quick search online for any vulnerabilities affecting this version of my little forum but found nothing of use.
Looking through the forum threads, I discovered that one of the users, Sandy Willard used to have a different surname, Raines. I also found a thread containing a snapshot of what appeared to be an SSH log on the server. There were several user names on the list, and I thought it might be a good idea to just pull them out and pop them into a text file in case I needed to use it for
hydra. I wrote a quick shell script to do this, but the results produced a little gem:
One of the user names recorded in the log was
!DFiuoTkbxtdk0!. This appeared to be a password. Most likely the user attempted to SSH in, but typed his password first instead of his user name. Looking at the log again, I noticed that there was only one successful login, which was from user
Naturally the first thing I did was to attempt to SSH to the server. This failed miserably, with the SSH server disallowing password authentication. I needed an SSH key to login to the server. I compiled a list of users based on the names I gathered on the forum and tried to see if I had access to their home directories, eg: http://192.168.1.146/~mbrown/.ssh. This exercises proved to be in vain.
I attempted to login to the forum as
mbrownwith the password I found, and it worked. I explored the forum a little bit more as an authenticated user, and found
mbrown's email address on his profile page:
I didn't see anything else of interest in the forum, so I set my eyes on the next service: FTP. Attempting to login as
mbrownwith his password didn't work. However, anonymous login was allowed. I found a directory called
incomingwhich didn't appear to contain anything.
Attempting to upload anything in
incomingdidn't work. Perhaps this user didn't have the proper permissions to write to that directory. The next two services were IMAP and POP3, both of which were running with SSL. I decided to try IMAP first and connected to the service using the following command:
# openssl s_client -connect 192.168.1.146:993 -crlf
In order to proceed, I needed to authenticate. I was able to login using the email address for
mbrownlisted on his forum profile, and his forum password:
Having logged in, I listed all available folders. This returned the
INBOXitself contained two emails:
I read the contents of both emails, however it was the second email that had some interesting information:
Here, the MySQL root password had been revealed. I attempted to use this password to login as the admin user in the forum, or the root user for FTP, but neither of them worked. There was another email in the
INBOX.Sentfolder, and this contained the root user's password for PHPMyAdmin:
I attempted to navigate to http://192.168.1.146/phpmyadmin but found nothing there. I figured that if there was something, then
wfuzzwould have found it earlier. After trying several other things, I was a bit lost. With the Christmas holidays approaching, I gave up for a few days to make merry, promising to come back to this again later.
I looked over my notes again once Christmas was over, and realized that I had completely disregarded port 443. Out of curiosity, I punched in https://192.168.1.146/phpmyadmin and it sent me to a PHPMyAdmin login page!
Using the PHPMyAdmin password I found in
mbrown's email, I was able to login and view the databases on the server:
Determined not to miss anything again, I took my time exploring the contents of the databases and taking notes and screenshots. The exploration ended with me obtaining several password hashes. The first set was from the
forum.mlf2_userdata, which were basically forum passwords and the email addresses associated with the user:
The next set of passwords were from the
mail.mailboxtables which contained passwords for each user's IMAP/POP3 account:
I ran each hash through Google and had no luck at all with the batch from the
forumdatabase. However, I was able to find the passwords for two of the accounts in the
The passwords belong to users
rhedley. I still had no SSH access, but I decided to give FTP another try. I wasn't able to login as
swillard, but I was able to as
rhedley. From there I was able to list all the home directories for each user on the server.
This user was able to view the contents of the
incomingdirectory, which contained the file
I was able to download this file, but as the
.encextension suggested, it was probably encrypted and would do me no good until I knew what password was used to encrypt it.
I started exploring the home directories on the server. My first priority was to see if I could find an SSH key that I could use to get a proper shell on the server. In
.sshdirectory, I found a file called
Examining this file showed that it was a private RSA key - possibly a copy of his
id_rsa. Only one way to find out! I changed the file's permissions to read-only, and used it to connect to the target as user
I now had a proper shell on the server. After spending some time looking around, I came upon an interesting shell script that I had no read access to:
/opt/backup.sh. Looking at the permissions, I noticed that it had an alternate form of access to it. Using
getfacl, I discovered that the group
ftpadminhad read access to this file.
A quick peek at
swillardboth belonged to the
swillardalso belonged to the
sudogroup, which may be handy later on in elevating to root privileges. Unfortunately I had no read access to any of the other user's home directories, except for
sraines, and there was nothing in there other than an emtpy
I wondered if I could SSH into the server as a different user, so from
mbrown's account, I attempted to SSH in as each user to see what would happen. As luck would have it, I managed to get a shell as
First thing I tried was
sudo -land provided the cracked password I found on Google
Austin-Willard. This did not work. However, this user was part of the
ftpadmingroup, which meant I could read the contents of
So a bit of a jackpot - the file contains the command and password used to encrypt the
backup_webhost_130111.tar.gz.encI downloaded earlier. Using the same command, I added the
-dflag for decryption and saved the output as
The decryption appeared to be successful. I extracted the contents of the archive and found that it was a backup of
/etc. This treasure trove of files included a readable
shadowfile containing each user's hashed password!
unshadow, I merged the contents of
shadowinto a file called
crack.me, which I could pass to
johnfor cracking. I removed non-user accounts and ended up with the following:
sraines:$6$4S0pqZzV$t91VbUY8ActvkS3717wllrv8ExZO/ZSHDIakHmPCvwzedKt2qDRh7509Zhk45QkKEMYPPwP7PInpp6WAJYwvk1:1000:1000:Sandy Raines,401,1429,:/home/sraines:/bin/bash mbrown:$6$DhcTFbl/$GcvUMLKvsybo4uXaS6Wx08rCdk6dPfYXASXzahAHlgy8A90PfwdoJXXyXZluw95aQeTGrjWF2zYPR0z2bX4p31:1001:1001:Mark Brown,404,2457,:/home/mbrown:/bin/bash rhedley:$6$PpzRSzPO$0MhuP.G1pCB3Wc1zAzFSTSnOnEeuJm5kbXUGmlAwH2Jz1bFJU/.ZPwsheyyt4hrtMvZ/k6wT38hXYZcWY2ELV/:1002:1002:Richard Hedley,407,3412,:/home/rhedley:/bin/bash
This backup appeared to have been taken before
sraineschanged her account to
swillard. However, if she didn't change her password, then I would be able to use it to run
swillardaccount. I fired up
john, set it to use the
crack.me, and got up to make a coffee and watch TV for a few hours.
It took about 3 hours, but finally,
sraines' password was cracked:
Fingers crossed, I typed
sudo -s, punched in the password, and got a root shell!
I checked the contents of
/rootto see if there was a flag in there. It contained a file called
secret.jpg. I copied this over to
/var/wwwand viewed the contents using my web browser.
Without any other information about the goal of this challenge, I assume this flag means I've completed it. I spent a bit of time checking for hidden messages in the JPG file but didn't find anything suspicious. Or I might have missed it. I don't know.
I would say this is one of the more enjoyable De-ICE challenges I've attempted. Many thanks to Hacking Dojo for releasing this to the public.