I am glad to have completed the De-ICE challenge, though I needed to look at a few references along the way, but hey, it was a good start.
Let's cut to the chase and get to work.
What is De-ICE?
The answer to that question is here. To download a copy of the live OS:
- Download (Mirror): http://download.vulnhub.com/deice/de-ice.net-2.100-1.0.iso
- Download (Torrent): http://download.vulnhub.com/deice/de-ice.net-2.100-1.0.iso.torrent
I have used Kali Linux for the purpose of this walkthrough. First of all I used the netdiscover command in Kali to discover the IP addresses of the De-ICE hosts.
The IPs discovered were 192.168.2.100 and 192.168.2.101.
I ran an nmap scan on both targets.
Since this is a walkthrough I am going to cut the "I did this, I did that" and just stick to the next step.
I visited the web app on port 80 of 192.168.2.100 and found this list of email IDs (shortlisted them, since the local part of each address could be a username for login).
I wrote a simple shell one-liner that extracts all the usernames from this page.
Here is the code:
# keep lines with an address, take the part after the "-", keep what is before the "@", drop duplicates
grep @ index2.html | cut -d "-" -f2 | cut -d "@" -f1 | sort -u > username.txt
This gave me a list of all the usernames I thought could be valid.
Then I tried many possibilities on 192.168.2.100 but did not get any good output.
However, 192.168.2.101 was interesting. I ran a nikto scan on it and found the following result.
It reports directory indexing on /~root/ and /root/, so I thought the username list could be used to enumerate user directories in the same way, like /~(username)/.
I quickly edited the username file, appended ~ before every name in the text file, and passed it as the payload list in Burp Intruder.
That paid off: I got a 200 response for a few usernames.
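The two enumeration steps above (pulling usernames out of the contact page, then probing /~user/ on the second host for 200 responses) can be done without Burp in plain POSIX shell. This is an added example, not code from the original post; the HTML snippet is constructed to match the "Name - user@domain" layout the grep/cut one-liner assumes, and the names and domain in it are made up. Only probe_userdirs touches the network, so the extraction and path-building parts run offline.

```shell
#!/bin/sh
# Added example (not from the original walkthrough). Reproduces the
# username-extraction pipeline and the /~user/ userdir probing step.

# CONSTRUCTED sample page: mimics the "Name - user@domain" layout that the
# post's grep/cut pipeline expects. The real page and names may differ.
SAMPLE_HTML='<ul>
<li>Philip Pirrip - pirrip@example.com</li>
<li>Abel Magwitch - magwitch@example.com</li>
<li>Miss Havisham - havisham@example.com</li>
<li>Duplicate entry - pirrip@example.com</li>
</ul>'

# Step 1: same idea as the post's one-liner (grep @ | cut -d- -f2 | cut -d@ -f1),
# plus whitespace trimming and de-duplication. Takes the page text as $1.
extract_usernames() {
    printf '%s\n' "$1" | grep '@' | cut -d '-' -f2 | cut -d '@' -f1 \
        | tr -d ' \t' | sort -u
}

# Step 2: prefix each username on stdin with ~ to form the Apache userdir path
# that nikto hinted at with /~root/.
userdir_paths() {
    while IFS= read -r u; do
        if [ -n "$u" ]; then
            printf '/~%s/\n' "$u"
        fi
    done
}

# Step 3: request each path on stdin against base URL $1 and print the ones
# that answer HTTP 200 (the same signal Burp Intruder showed). Needs network.
probe_userdirs() {
    base="$1"
    while IFS= read -r p; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$p")
        if [ "$code" = "200" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Usage against the lab host (assumed URL; not executed here):
#   extract_usernames "$(cat index2.html)" | userdir_paths | probe_userdirs http://192.168.2.101
```

Pipe the output of extract_usernames straight into userdir_paths and probe_userdirs to get the list of userdirs that actually exist; a 403 rather than 200 would still confirm the directory exists, so widen the check if the server is configured that way.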
Based on this it was time for another nikto scan to crawl and find things under these directories: /~havisham/, /~pirrip/ and /~magwitch/. So, cutting to the chase, here is the one for /~pirrip/.
A .ssh folder was detected by nikto. Bingo, that held the RSA private and public key used to SSH into the server.
After logging in with that key and browsing through pirrip's mail on the server, I figured out there was a password for pirrip.
0l1v3rTw1st. Nice password, eh?
I then used this password with sudo (sudo -l) to see what the user is allowed to run as root.
So we can see here vi, cat, tail and more. Here, however, cat did not allow me to view the shadow file, but vi does allow me to open it. (Note that any of these entries is a path to root: more, for instance, can run a shell with its ! command.)
You can now crack the password hashes or even swap in hashes you know, but here is the trick I learnt from other blogs: since vi was opened through sudo, vi itself is running as root, and so is anything it spawns. Check the command I entered instead of saving the file: vi's :!bash (or :shell) command starts a shell, and guess what just happened.
Woohoo, root it is.
We have successfully rooted the vulnerable OS.
I will be pasting the entire list of commands in a day or two. That's it for now; will upload a video soon as well!