De-ICE: S1.140
I've been doing a lot of hackthebox.eu boxes, so I've decided to take a small break from those and focus on other vulnerable boxes for a while. A colleague told me about these De-ICE boxes he did for labs during school, so I decided to check them out.
Recon
Since these are live CDs, the first thing I need to do is find the IP address of the live CD VM I'm running.
My home network is 192.168.50.0/24, so I started with a quick up/down nmap scan of my entire subnet to find the target VM:
nmap -T4 -oX /root/Desktop/ice/nmap.xml 192.168.50.0/24
I then converted the XML output to HTML to make it pretty:
xsltproc /root/Desktop/ice/nmap.xml -o /root/Desktop/ice/nmap.html
Found the target at 192.168.50.176.
So now let's rescan the open ports with the -A switch to fingerprint the OS and services.
Let's recap what we found:
- Port 21 ProFTPD 1.3.4a
- Port 22 OpenSSH 5.9p1
- Port 80 Apache 2.2.22
- Port 443 HTTPS
- Port 993 IMAPS
- Port 995 POP3S
- OS Linux 2.6.32
So we have an FTP server on port 21 with anonymous access, SSH on port 22, an Apache web server on ports 80 and 443, and the IMAP and POP3 mail services (over TLS) on 993 and 995 respectively.
Let's try browsing to ports 80 and 443 to see what is shown.
Port 80
Port 443
Lazy admin corp? I can definitely relate to that.
Let's run some enumeration on both ports and see if we can find anything more interesting.
Dirb found some interesting things on port 80:
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: /root/Desktop/ice/dirb80.txt
START_TIME: Wed Dec 4 10:39:04 2019
URL_BASE: http://192.168.50.176/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+ http://192.168.50.176/forum/index.php (CODE:200|SIZE:7348)
Let's see what is on /forum/index.php.
A forum (like the name suggests). Poking around in there, we find a couple of posts and some other pages:
- A login page
- Users
- A registration page
We'll revisit this forum to poke around more later.
Let's enumerate port 443 and see if we can find anything else.
I get this error using Dirb, so let's try DirBuster instead to brute-force the enumeration on 443.
Let's set it up to look for folders only at first; we can look at files later.
- Set the target IP and port
- Attach the word list to use
- Turn off file search
- Turn off recursive
- Start
DirBuster 1.0-RC1 - Report
Report produced on Wed Dec 04 11:50:29 EST 2019
--------------------------------
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/forum/
/forum/themes/
/forum/themes/default/
/forum/themes/default/images/
/forum/js/
/phpmyadmin/
/forum/themes/default/subtemplates/
Dirs found with a 302 response:
/webmail/
Dirs found with a 401 response:
/phpmyadmin/setup/
It found the same forum, plus phpMyAdmin and webmail, which redirects to
This is a lot of good info; let's move on to trying to root this box.
Let's get our hands dirty.
Exploit
Let's check around on the sites we have found to see if we can find some good info.
Remember, we already know the users on the forum thanks to the forum's built-in user disclosure.
Let's look at the forum.
The first post is about a new security policy they are implementing.
For our sakes let's hope the users aren't following these directions. :)
The "Login Attacks" post looks interesting.
It's a log of SSH connections with a bunch of failed attempts:
Mar 7 11:15:31 testbox sshd[5779]: Connection from 10.10.2.131 port 47581
Mar 7 11:15:31 testbox sshd[5763]: Failed password for invalid user marym from 10.10.2.131 port 46449 ssh2
Mar 7 11:15:31 testbox sshd[5760]: Failed password for invalid user patrickp from 10.10.2.131 port 46356 ssh2
Mar 7 11:15:31 testbox sshd[5767]: Failed password for invalid user longe from 10.10.2.131 port 46129 ssh2
Mar 7 11:15:31 testbox sshd[5763]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:31 testbox sshd[5781]: Set /proc/self/oom_score_adj to 0
Mar 7 11:15:31 testbox sshd[5760]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:31 testbox sshd[5782]: Set /proc/self/oom_score_adj to 0
Mar 7 11:15:31 testbox sshd[5782]: Connection from 10.10.2.131 port 47631
Mar 7 11:15:31 testbox sshd[5781]: Connection from 10.10.2.131 port 47630
Mar 7 11:15:31 testbox sshd[5767]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:31 testbox sshd[5783]: Set /proc/self/oom_score_adj to 0
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
Mar 7 11:15:32 testbox sshd[5772]: Connection closed by 10.0.0.23 [preauth]
Mar 7 11:15:32 testbox sshd[5772]: Set /proc/self/oom_score_adj to 0
Mar 7 11:15:31 testbox sshd[5783]: Connection from 10.10.2.131 port 47651
Mar 7 11:15:32 testbox sshd[5779]: Invalid user bbanter from 10.10.2.131
Mar 7 11:15:32 testbox sshd[5779]: input_userauth_request: invalid user bbanter [preauth]
Mar 7 11:15:32 testbox sshd[5779]: pam_unix(sshd:auth): check pass; user unknown
Mar 7 11:15:32 testbox sshd[5779]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.2.131
Mar 7 11:15:32 testbox sshd[5775]: Failed password for invalid user benedictb from 10.10.2.131 port 46963 ssh2
Mar 7 11:15:32 testbox sshd[5768]: Failed password for invalid user genniege from 10.10.2.131 port 46488 ssh2
Mar 7 11:15:32 testbox sshd[5775]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:32 testbox sshd[5768]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Connection from 10.0.0.23 port 35155
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
- We can see failed login attempts for valid user names; here we have a bad password for a user that actually exists, michaelp
- More bad passwords for legit user accounts
- Here we see something different: an invalid user with the user name !DFiuoTkbxtdk0!
- A bad login for a user that doesn't exist
- A completed session for user mbrown
I think mbrown might have accidentally typed his password into the user name field before making this successful connection.
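That pattern (a password-looking "Invalid user" name followed shortly by a successful login from the same source IP) is also easy to alert on from the server side. Here is an added example, not part of the original post, that does that correlation with sh and awk over a constructed excerpt in the same format as the quoted log:

```shell
#!/bin/sh
# Added example: flag "Invalid user" sshd events whose user name looks like a
# password and whose source IP later gets an accepted login. A hit means a
# credential has been written to the log in clear text and should be rotated.
# SAMPLE_LOG is a constructed excerpt in the same layout as the post's log.
SAMPLE_LOG='Mar 7 11:15:31 testbox sshd[5763]: Failed password for invalid user marym from 10.10.2.131 port 46449 ssh2
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5779]: Invalid user bbanter from 10.10.2.131
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2'

# Usage: find_leaked_usernames "$log_text"
# Prints one line per hit: "<suspect-user-name> <source-ip> <accepted-user>".
find_leaked_usernames() {
    printf '%s\n' "$1" | awk '
        # "Invalid user <name> from <ip>": remember names containing characters
        # no real account name would have (anything outside letters, digits, . _ -).
        /sshd\[[0-9]+\]: Invalid user / {
            name = $8; ip = $10
            if (name ~ /[^A-Za-z0-9._-]/) { suspect[ip] = name }
        }
        # "Accepted <method> for <user> from <ip>": a later successful login from a
        # source that just sent a password-looking user name is the tell.
        /sshd\[[0-9]+\]: Accepted / {
            ip = $11
            if (ip in suspect) { print suspect[ip], ip, $9; delete suspect[ip] }
        }'
}

find_leaked_usernames "$SAMPLE_LOG"
```

Run against the real auth log with `find_leaked_usernames "$(cat /var/log/auth.log)"`; the same logic drops into a SIEM rule as "Invalid user with non-alphanumeric name, then Accepted from same rhost".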
Let's see if we can authenticate anywhere with MBrown and !DFiuoTkbxtdk0!
Why yes, yes we can. We could log in to the forum using those creds.
What about that mail server we found? Or SSH?
SSH says no; we need a key to authenticate, not his password.
As for the webmail?
MBrown didn't work as a user name... but we found his email address on the forum earlier: mb@lazyadmin.corp
If we try that?
The world's cleanest inbox, just two emails.
Sally gently nudging Mark to stop reusing passwords.
LOL, thanks for being super lazy, Mark!
The other email contains the root password for their MySQL:
Username: root
Password: S4!y.dk)j/_d1pKtX1
Checking the sent folder we find this:
phpMyAdmin login info... we found that earlier (so much for not reusing passwords, Sandy).
Practice what you preach, Sandy!!
We find some hashes in the mail database in the mailbox table:
20f1275ce5e67be2c06476333b68f585
07255e7701a86ad1672765d15082f1a3
d768176c4486ce77787c73883406fe97
fa514a9f39391658b15d5db542029aa6
We got a couple of hits:
rh@lazyadmin.corp tum-ti-tum
sw@lazyadmin.corp Austin-Willard
Let's try those on the mail server and see if we can find any other interesting emails.
Nope, nothing new, but those cracked passwords did work.
What else can we log in to... what about that FTP?
I tried root, rh and sw with the passwords we have found so far, but they didn't work.
Then I remembered that in the failed SSH logs the user names were first initial plus last name.
Rhedley worked.
Poking around in here, we have an ftp folder with an incoming subfolder which contains an encrypted backup file,
as well as home folders for the other users on the system. I can browse the folders, but the contents seem empty.
Let's check for hidden folders... specifically a hidden folder that might have the SSH key we need to authenticate over SSH.
Look what we found under mbrown, in .ssh:
It's a 2048-bit RSA key. I wonder if we can use this to log in over SSH.
Let's try to SSH as mbrown now with this key.
At first I got an error about the key permissions being too open.
Ran
chmod 600 downloadkey
to give only myself read/write permissions on the key.
OK, we are in; we have user access.
I tried a bunch of stuff here: I poked around the file system and tried writing files to www to serve up a reverse shell. Not much going on...
I did remember that I had another username and password,
so I used su to switch to the rhedley account.
Under /opt I found a file named backup.sh.
Catting out the file, I see it's taking copies of a bunch of important system files and encrypting them into a backup file... like the one we found earlier under the FTP:
rhedley@webhost:/opt$ cat backup.sh
#!/bin/bash
## Backup Script
## by SRaines
## Lazy Admin Corp
TMPBACKUP="/tmp/backup";
NAME_PREFIX="backup";
NAME_DATE=$(date +%y%m%d);
NAME_HOST=$(/bin/hostname);
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;
[ ! -d ${TMPBACKUP} ] && mkdir -p ${TMPBACKUP}
tar cpf ${TMPBACKUP}/${FILENAME} /etc/fstab /etc/apache2 /etc/hosts /etc/motd /etc/ssh/sshd_config /etc/dovecot /etc/postfix /var/www /home /opt
gzip --best -f ${TMPBACKUP}/${FILENAME}
openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
mv ${TMPBACKUP}/${FILENAME}.gz.enc ./
rm -fr ${TMPBACKUP}
And it has the password used to encrypt it, hard-coded right in the script. I bet we can use that to decrypt the file we got earlier:
wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
We will use the same openssl command they used but add -d to decrypt the file instead of encrypting it. The -md md5 is needed because newer OpenSSL versions derive the key from the passphrase with SHA-256 by default, while the backup was made by an older version that used MD5:
openssl aes-256-cbc -d -md md5 -in backup_webhost_130111.tar.gz.enc -out backup.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
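The script above is the root cause of this box falling: the passphrase is hard-coded, the work happens in a fixed /tmp/backup path, the archive is dropped wherever the script was run from (it ended up in the FTP incoming folder), and the legacy MD5 key derivation is what forces -md md5 when decrypting. As an added example, not the box's backup.sh or anything from the original post, here is the same backup flow with those points fixed; the passphrase file and destination directory paths are assumptions:

```shell
#!/bin/sh
# Added example, not the box's backup.sh: same backup flow, weak points fixed.
# Assumptions: BACKUP_PASS_FILE is a root-owned, mode 0400 file holding the
# passphrase, and BACKUP_DEST is a root-only directory outside the FTP tree.
set -eu
umask 077                                            # everything we create is owner-only

PASS_FILE="${BACKUP_PASS_FILE:-/root/.backup_pass}"  # assumed path
DEST_DIR="${BACKUP_DEST:-/var/backups/encrypted}"    # assumed path

# Usage: run_backup <path>...    Prints the path of the encrypted archive.
run_backup() {
    tmp=$(mktemp -d)                                 # unpredictable temp dir, not /tmp/backup
    trap 'rm -rf "$tmp"' EXIT
    name="backup_$(uname -n)_$(date +%y%m%d).tar"
    tar cpf "$tmp/$name" "$@"
    gzip --best -f "$tmp/$name"
    mkdir -p "$DEST_DIR"
    # Passphrase from a file instead of "-pass pass:..." (visible in the script and in
    # ps); -pbkdf2/-iter replace the legacy MD5 EVP_BytesToKey derivation that needed
    # "-md md5" above; -salt makes identical inputs encrypt differently each run.
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$tmp/$name.gz" -out "$DEST_DIR/$name.gz.enc" -pass "file:$PASS_FILE"
    printf '%s\n' "$DEST_DIR/$name.gz.enc"
}

# Restore path with matching parameters.  Usage: restore_backup <archive.gz.enc> <out.tar.gz>
restore_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$PASS_FILE"
}

if [ $# -gt 0 ]; then run_backup "$@"; fi
```

The encrypted archive still contains /etc/shadow and every user's .ssh directory, so the destination directory's permissions matter as much as the cipher.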
Now we have the decrypted tar file to look through.
Looks like a backup of the /etc directory, which includes the passwd and shadow files.
First we use unshadow to combine the passwd and shadow files:
# unshadow passwd shadow > /root/Desktop/ice/unshadod.db
Now we can run that through john to crack the passwords:
# john ./unshadod.db
OMG, this takes forever.
Eventually I get a password:
Sraines: brillantissimo
I'm not sure here, but John also said mbrown's password was mbrown and rhedley's was rhedley... which we know it's not...
Let's SSH as mbrown again and try to su to sraines.
No sraines?... But, but it says...
I found this in the forum... her last name changed...
What if we try swillard?
Let's see what she can run... ALL? She can run ALL?
Yes, yes she can.
Let's get that hash.
OK, that's not what I expected. I expected a txt file with the flag...
Let's copy this over to /var/www to see what the picture is.
Just a picture of a cake... I guess that's our flag?