DE-Ice Series are vulnerable VMs aimed towards beginners. They can be found at VulnHub (obviously). Let’s get crackin’.
I’ve fired up my trusty netdiscover and found the IP.
I used zenmap to get open ports. It seems that something is wrong with the FTP server. Interesting, but let’s continue.
Since I didn’t have any usernames, bruteforcing SSH was out of the question. I navigated to port 80 and found the web page for No Security Corp’s Information Portal.
Here I found some usernames. I wrote them in a text file. Of course I put the sys admins first since they were the most likely to have an SSH account.
I fired up hydra to see if any user was dumb enough to have the same password as their username. Surprise, surprise. It was Bob Banter. An intern.
I SSH’d to the box and found something rather… unusual. It seems that something within the FTP was encrypted using the root password. My current user wasn’t in the sudoers…
…so I tried priv-esc exploits. None of them worked so there was only one option. Bruteforce the Sr. Sys Admin, Adam Adams.
Since we had the username this would speed up the process a lot. I fired up hydra, went to sleep, had some breakfast and checked out the password.
Now I could read the shadow file…
I copied the shadow file and it was easy cracking the root password via Johnny, a GUI for John the Ripper.
I downloaded the encrypted file and decrypted it. It was encrypted with the AES-128-CBC cipher, and since the passwd file did say something about the root password I assumed that was the key, and I was correct.
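Seen from the defender's side, the two hydra runs in this walkthrough (one guess per name across a username list, then a long run against a single account) leave different patterns in the SSH auth log. The following is an added example, not part of the original write-up: the log lines, usernames and addresses are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# OpenSSH sshd message formats for password authentication results.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")


def _line(ts, msg, ip="192.0.2.10"):
    # Helper that builds one constructed syslog line (documentation IP ranges).
    return f"Jan 10 {ts} box sshd[4242]: {msg} from {ip} port 50022 ssh2"


# Constructed sample: a username-list sweep, a login, an overnight run, a login.
SAMPLE_LOG = "\n".join(
    [_line("02:00:01", f"Failed password for invalid user {u}")
     for u in ("alice", "carol", "dave")]
    + [_line("02:00:02", "Accepted password for intern")]
    + [_line(f"02:10:{i:02d}", "Failed password for sysadmin") for i in range(6)]
    + [_line("07:30:00", "Accepted password for sysadmin")]
    # Unrelated single typo from another host: must not be flagged.
    + [_line("08:00:00", "Failed password for alice", ip="198.51.100.7")]
)


def classify(log, sweep_users=3, brute_attempts=5):
    """Return findings as tuples: (kind, source_ip, detail)."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    logins = []  # successful logins from an IP that already had failures
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            fails[m.group(2)][m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(2) in fails:
            logins.append(("login-after-failures", m.group(2), m.group(1)))
    findings = []
    for ip, users in fails.items():
        if len(users) >= sweep_users:  # many names tried from one source
            findings.append(("username-sweep", ip, tuple(sorted(users))))
        for user, count in users.items():
            if count >= brute_attempts:  # many guesses against one account
                findings.append(("single-account-bruteforce", ip, (user, count)))
    return findings + logins


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

The `login-after-failures` findings are the ones to triage first, since they mark a guess that worked.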
I hope you enjoyed 🙂