De-ICE is a set of penetration-testing LiveCD images available from http://forum.heorot.net; they provide scenarios where students can test their penetration-testing skills and tools in a legal environment.
Scanning all ports in aggressive mode gave the results below.
Let's start with FTP, because it allows an anonymous user. There is an incoming directory, which is empty.
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.4a
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 38:82:58:d3:9c:0d:28:01:f0:77:11:0a:24:c7:28:84 (DSA)
| 2048 62:a6:24:6a:62:71:b6:5f:7f:67:2f:c2:fd:0a:2a:5e (RSA)
|_ 256 2b:1d:91:ac:6b:2e:7a:fe:6e:aa:0d:55:cc:30:7c:de (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
|_http-title: Lazy Admin Corp.
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
|_http-title: Lazy Admin Corp.
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2016-07-13T09:13:52
|_Not valid after: 2026-07-11T09:13:52
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
465/tcp closed smtps
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS ENABLE AUTH=PLAIN Pre-login have ID IMAP4rev1 listed more capabilities post-login IDLE AUTH=LOGINA0001 OK SASL-IR LITERAL+
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) RESP-CODES PIPELINING CAPA TOP UIDL USER
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
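As an added defender-side example (not code from the page or from the De-ICE project), the following Python parses nmap service output of the form shown above into per-port records and runs a few triage checks a reviewer would want on such a scan: anonymous FTP enabled, a DSA host key still offered, and a TLS certificate lifetime far beyond what browsers accept. The sample input is an abridged copy of the scan above; the 398-day limit refers to the lifetime browsers accept for publicly trusted certificates, and the other thresholds are assumptions.

```python
import re
from datetime import datetime

# Sample input: an abridged copy of the nmap aggressive-scan output quoted on the page,
# embedded here so the script runs offline.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.4a
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 38:82:58:d3:9c:0d:28:01:f0:77:11:0a:24:c7:28:84 (DSA)
| 2048 62:a6:24:6a:62:71:b6:5f:7f:67:2f:c2:fd:0a:2a:5e (RSA)
|_ 256 2b:1d:91:ac:6b:2e:7a:fe:6e:aa:0d:55:cc:30:7c:de (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-title: Lazy Admin Corp.
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2016-07-13T09:13:52
|_Not valid after: 2026-07-11T09:13:52
465/tcp closed smtps
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
"""

# "21/tcp open ftp ProFTPD 1.3.4a" -> port, proto, state, service, rest of line
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CERT_RE = re.compile(r"Not valid (before|after): (\S+)")

def parse_nmap(text):
    """Turn nmap's normal output into a list of per-port dicts; NSE script
    lines (those starting with '|') are attached to the preceding port."""
    records = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip(), "scripts": []}
            records.append(current)
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").strip())
    return records

def cert_lifetime_days(record):
    """Validity period of the ssl-cert reported for this port, or None if absent."""
    dates = {}
    for s in record["scripts"]:
        m = CERT_RE.match(s)
        if m:
            dates[m.group(1)] = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%S")
    if "before" in dates and "after" in dates:
        return (dates["after"] - dates["before"]).days
    return None

def findings(records, max_cert_days=398):
    """Policy checks over open ports; returns (port, message) tuples."""
    out = []
    for r in records:
        if r["state"] != "open":
            continue
        if any(s.startswith("ftp-anon: Anonymous FTP login allowed") for s in r["scripts"]):
            out.append((r["port"], "anonymous FTP login enabled"))
        if any(s.endswith("(DSA)") for s in r["scripts"]):
            out.append((r["port"], "DSA host key offered (ssh-dss is disabled by default since OpenSSH 7.0)"))
        days = cert_lifetime_days(r)
        if days is not None and days > max_cert_days:
            out.append((r["port"], f"TLS certificate valid for {days} days, longer than the {max_cert_days}-day limit"))
    return out

if __name__ == "__main__":
    for port, msg in findings(parse_nmap(NMAP_OUTPUT)):
        print(f"{port}/tcp: {msg}")
```

The checks are deliberately simple string tests on the NSE lines; on real output the same parser feeds whatever policy the team cares about (banner versions against a known-EOL list, expected service set per host class, and so on).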
Browsing the web application, we can see the default web page.
OK, we want to display the source code, because it contains hints. Let's run DirBuster.
The forum looks interesting. Let's take a closer look at it.
Excellent! Hmmm, what do you think about Login Attacks? Is it interesting for you? Because for me it is.
OK, we have to understand what was going on. We can see that someone was trying to enumerate usernames and/or brute-force SSH. Hey, look at this:
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
But unfortunately SSH in this case does not allow password authentication.
I have also found:
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
This looks like a password. BINGO! I have logged in as mbrown using the password.
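The log review above (someone enumerating users, and a password typed into the username prompt so that it lands in an "Invalid user" line) is exactly what a detection rule should catch on the defender's side. The following Python is an added example, not part of the original post: it counts invalid-user attempts per source address, flags usernames that look like passwords so the line can be redacted and the credential rotated, and lists successful logins from a source that also produced brute-force noise. The log excerpt, hostname and addresses are constructed, and the heuristic thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not the page's log): a short username-enumeration run,
# one attempt where a password was typed into the username field, then a successful login.
AUTH_LOG = """\
Mar 7 11:15:30 testbox sshd[5760]: Invalid user admin from 10.0.0.23
Mar 7 11:15:30 testbox sshd[5760]: input_userauth_request: invalid user admin [preauth]
Mar 7 11:15:31 testbox sshd[5765]: Invalid user test from 10.0.0.23
Mar 7 11:15:31 testbox sshd[5768]: Invalid user oracle from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !Sampl3Secr3t#2016 from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !Sampl3Secr3t#2016 [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
Mar 7 11:20:01 testbox sshd[5801]: Invalid user backup from 192.0.2.44
"""

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")

def looks_like_password(name):
    """Heuristic with assumed thresholds: real usernames are short and mostly lowercase;
    a token of 8+ characters mixing at least three of {lower, upper, digit, punctuation}
    is more likely a password typed into the username prompt."""
    if len(name) < 8:
        return False
    classes = [
        any(c.islower() for c in name),
        any(c.isupper() for c in name),
        any(c.isdigit() for c in name),
        any(not c.isalnum() for c in name),
    ]
    return sum(classes) >= 3

def redact(line):
    """Replace the suspicious username in an 'Invalid user' line before the log is shared."""
    return INVALID_RE.sub(lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), line)

def analyse(log):
    """Single pass over sshd lines: attempts per source, likely-leaked credentials,
    and accepted logins."""
    attempts = Counter()
    leaked = []      # (source, original line) pairs that need redaction and a password reset
    accepted = []
    for line in log.splitlines():
        m = INVALID_RE.search(line)
        if m:
            user, src = m.groups()
            attempts[src] += 1
            if looks_like_password(user):
                leaked.append((src, line))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            method, user, src, port = m.groups()
            accepted.append({"user": user, "src": src, "method": method, "port": int(port)})
    return {"attempts": dict(attempts), "leaked": leaked, "accepted": accepted}

def brute_force_sources(result, threshold=3):
    """Sources with at least `threshold` invalid-user attempts (assumed threshold)."""
    return sorted(src for src, n in result["attempts"].items() if n >= threshold)

def successful_logins_after_attack(result):
    """Accepted logins from a source that also generated invalid-user noise: the case
    on this page, and the one an analyst should look at first."""
    noisy = set(result["attempts"])
    return [a for a in result["accepted"] if a["src"] in noisy]

if __name__ == "__main__":
    r = analyse(AUTH_LOG)
    print("brute-force sources:", brute_force_sources(r))
    for src, line in r["leaked"]:
        print("possible credential in log from", src, "->", redact(line))
    for a in successful_logins_after_attack(r):
        print("login after attack noise:", a)
```

On a production host the same three signals map to actions: rate-limit or block the noisy source, reset any account whose password shows up as an "Invalid user" name (and scrub the stored log), and review the session of any account that logged in from that source.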
Very good! I was looking for a chance to upload some kind of backdoor, but without success.
I remember that DirBuster also found a /webmail/ directory, so let's try to log in as mbrown.
BINGO! We are in. I have opened one of the two mails, and it contains the following very juicy information.
Wow! So nice! Now we are able to log in as root to the phpMyAdmin panel.
Nice! I was searching a lot for where I could upload our PHP script, and I have found that the /templates_c/ directory is writable.
Excellent! So, let's execute it.
Awesome, we have got a limited shell via the web browser. But we can also obtain a limited console shell using a certain script.
Great! So maybe we can log in as some user using the known password. BINGO! We have achieved it! So let's try to find something useful.
Yeah! Let's download the key to our attacker machine and try to log in to SSH via key authentication.
Unfortunately without success... Hmmm, I am a little bit confused.
So let's look at the /home directory.
I was trying to decrypt the file, but we need to know the password. I have found the /opt/backup.sh file - it may be interesting!
We cannot execute it, but we can see that there is a password for our encrypted file!
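Two of the findings in this walkthrough, a writable directory under the web root and a readable script with a hardcoded password, are cheap to catch in a routine host audit. The following Python is an added example (not code from the page or the De-ICE project): it walks a directory tree, reports world-writable directories, and reports lines that assign a password-like value in any readable file. The fixture tree it builds in a temporary directory is constructed, the placeholder password is not a real credential, and the secret-assignment pattern is an assumed heuristic.

```python
import os
import re
import stat
import tempfile

# Assumed heuristic: shell/PHP-style assignments such as PASSWORD='...', db_pass="..." or PWD=...
SECRET_RE = re.compile(r"(?i)\b\w*(pass(word|wd)?|pwd|secret)\s*=\s*['\"]?[^'\"\s]+")

def world_writable_dirs(root):
    """Return directories under root (as paths relative to root) that any user may write to."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def files_with_plaintext_secrets(root):
    """Return (relative path, line number) for every line that assigns a password-like value."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if SECRET_RE.search(line):
                            hits.append((os.path.relpath(path, root), lineno))
            except OSError:
                continue  # unreadable file: skip, the permission check above is separate
    return sorted(hits)

def build_sample_tree():
    """Constructed fixture: a web root with a mode-777 template cache directory and a
    readable backup script whose password is hardcoded (placeholder value only)."""
    root = tempfile.mkdtemp()
    for rel, mode in [("var", 0o755), ("var/www", 0o755),
                      ("var/www/templates_c", 0o777), ("opt", 0o755)]:
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the result does not depend on umask
    script = os.path.join(root, "opt", "backup.sh")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\n# constructed sample backup script\nPASSWORD='example-placeholder'\n")
    os.chmod(script, 0o644)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    print("world-writable directories:", world_writable_dirs(root))
    print("files with plaintext secrets:", files_with_plaintext_secrets(root))
```

Pointed at a real host (for example `/var/www` and `/opt`), the first check finds directories a web application could be tricked into writing into, and the second finds credentials that should move out of scripts into a file readable only by the account that needs it.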
TBU