DE-Ice S1.100 – VulnHub #3

DE-Ice Series are vulnerable VMs aimed towards beginners. They can be found at VulnHub (obviously). Let’s get crackin’.
I’ve fired up my trusty netdiscover and found the IP.
I used zenmap to get open ports. It seems that something is wrong with the FTP server. Interesting, but let’s continue.
Since I didn’t have any usernames, bruteforcing SSH was out of the question. I navigated to port 80 and found a web page to No Security Corp’s Information Portal.

Here I found some usernames. I wrote them in a text file. Of course I put the sys admins first since they were the most likely to have an SSH account.

I fired up hydra to see if any users were dumb enough to have the same password as their username. Surprise, surprise. It was Bob Banter. An intern.
I SSH’d to the box and found something rather… unusual. It seems that something within the FTP was encrypted using the root password. My current user wasn’t in the sudoers…
…so I tried priv-esc exploits. None of them worked so there was only one option. Bruteforce the Sr. Sys Admin, Adam Adams.

Since we had the username this would speed up the process a lot. I fired up hydra, went to sleep, had some breakfast and checked out the password.
Now I could read the shadow file…
I copied the shadow file and it was easy cracking the root password via Johnny, a GUI for John the Ripper.
I downloaded the encrypted file and decrypted it. It was encrypted with the AES-128-CBC cipher and since the passwd file did say something about the root password I assumed that was the key, and I was correct.

I hope you enjoyed 🙂