Friday, 15 July 2016

De-ICE: S1.140

De-ICE are Penetration LiveCD images available from and provide scenarios where students can test their penetration testing skills and tools in a legal environment.

Scanning with aggressive mode all ports

21/tcp  open   ftp      ProFTPD 1.3.4a
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp  open   ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 38:82:58:d3:9c:0d:28:01:f0:77:11:0a:24:c7:28:84 (DSA)
|   2048 62:a6:24:6a:62:71:b6:5f:7f:67:2f:c2:fd:0a:2a:5e (RSA)
|_  256 2b:1d:91:ac:6b:2e:7a:fe:6e:aa:0d:55:cc:30:7c:de (ECDSA)
80/tcp  open   http     Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
|_http-title: Lazy Admin Corp.
443/tcp open   ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
|_http-title: Lazy Admin Corp.
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2016-07-13T09:13:52
|_Not valid after:  2026-07-11T09:13:52
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
465/tcp closed smtps
993/tcp open   ssl/imap Dovecot imapd

|_imap-capabilities: LOGIN-REFERRALS ENABLE AUTH=PLAIN Pre-login have ID IMAP4rev1 listed more capabilities post-login IDLE AUTH=LOGINA0001 OK SASL-IR LITERAL+
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
995/tcp open   ssl/pop3 Dovecot pop3d
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
Let's start from FTP, because it allows anonymous user. There is incoming directory which is empty.
Browsing web application we can see default web page

OK, we won't to display a source code, because it contains hints. Let's run Dirbuster.

Forum looks interesting. Let's see it deeper.

Excellent! Hmmm what do you think about Login Attacks? It is interesting for you? Beucase for me it is.

OK, we have to understand what it was going on. We can see that someone was trying enumerate usernames and/or brute force SSH. Hey, look at this
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
but unfortunately SSH in this case does not allow password authentication.
I have also found
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
This looks like a password. BINGO! I have logged in as mbrown using the password.

Very good! I was looking for some chance to upload some kind of backdoor, but without success.
I remember that DirBuster found also /webmail/ directory, so let's try to log in as mbrown.

BINGO! We are in. I have open one of two mail and it contains following very juicy information.

Wow! So nice! Now we are able to log in as root to phpmyadmin panel.

Nice! I was searching a lot 'where may I upload our PHP script' and I have found that /templates_c/ directory is writable.

Excellent! So, let's execute it

Awesome, we have got limited shell via Web Browser. But we can also obtain console limited shell using certain script.

Great! So, maybe we can log in as some user using known password. BINGO! We have achieved it! So let's try find something useful

Yeah! Let's download the key for our attacker machine and try log in SSH via key authorization.
Unfortunately without success... Hmmm I am a little bit confused.
So let's look at /home directory

I was trying decrypt the file but we need to know password. I have found /opt/ file - it may be interesting!

We cannot execute it, but we can see that there is a password for our encrypted file!