Hack the De-Ice S1.130 (Boot2Root Challenge)

Hello and welcome readers to another CTF challenge, De-ICE S1.130. This is the third instalment in the De-ICE series of vulnerable machines. You can download De-ICE from the official VulnHub repository here.

The aim of this challenge is to get root and read the congratulatory flag.

Difficulty Level: Intermediate

A new penetration tester might not be able to solve this lab on raw skills alone, since it also involves debugging an algorithm, so I would rate the level of this lab as intermediate.

Steps involved:

  1. IP grabbing
  2. Port scanning
  3. Connecting to SMTP to validate users
  4. Python scripting to enumerate the SMTP users
  5. Brute-forcing SSH using the username we grabbed
  6. Creating a custom wordlist from the mail we read in csadmin's account to brute-force sdadmin
  7. Creating a custom wordlist from the mail we read in sdadmin's account to brute-force dbadmin
  8. Joining the part files found in all 3 accounts
  9. Cleaning up and debugging the algorithm using Java
  10. Running the program to create a password for sysadmin
  11. Switching to root using the su binary and nabbing the flag

Let’s get started then!

I found that the IP address of the lab was 192.168.1.20 and my Kali machine had the IP 192.168.1.108.


As usual, the first step was to scan for open ports using nmap. Nmap is the most popular tool for port scanning, but you can use other tools as well and they would work just as fine.


Without any delay, I moved on to the website since port 80 was open.

I didn’t find anything good here and neither did nikto tell me anything important.

So, I clicked the link below and it opened another web page.

There was nothing useful here either. But wait, we did find an email ID that could be related to a user on the server. So, I tried opening a netcat connection to the SMTP port.

Rcpt to: kali

I tried a custom domain here, since the server required a MAIL FROM before accepting RCPT TO.

Mail from: [email protected]

That did not work, and neither did some other combinations. Still, the connection wasn't being reset and the server let me keep checking users, so I could generate permutations of usernames, try each one and see which one was a valid user!

I made a Python script that would enumerate the users easily. Save this as smtp_enum.py.

Code:

(A huge shoutout to cyberry for this script. You can visit this website here)

Input to the script: the IP address of the victim.

We generated a list of usernames based on the permutations of the mail found: [email protected]

I created another script, user-mutator.py, that mutates the username, but only using at most 3 tokens from the options provided.

For example, if the username is cservicea, it treats c, service and a as 3 different tokens.

It will not generate a username such as csservicea (c-s-service-a).

Now, I ran this script and saved its output in a text file called userlist.txt.


Now, I'll run the enumeration script and append its output to a text file called matches.txt.

Mind you, this will append all the responses regardless of whether the user is valid or not. Hence, I'll use a grep filter to pick out the correct user.
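From the defender's side, the probing described above leaves a distinctive trace: one client accumulates many distinct "User unknown" rejects in a short burst. The following detection script is an added example, not the walkthrough's own code; the Postfix-style log lines are constructed sample data and the threshold of 5 is a tuning assumption.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd reject lines, modelled on the RCPT TO probing
# the walkthrough performs against the lab (sample data, not from the page).
# A valid recipient such as csadmin produces no reject line, so the signal is
# one client accumulating many distinct "User unknown" rejects in a short burst.
SAMPLE_LOG = """\
Jan 10 10:00:01 deice postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.108]: 550 5.1.1 <cservice@localhost>: Recipient address rejected: User unknown in local recipient table; from=<kali@example.com> to=<cservice@localhost> proto=SMTP helo=<kali>
Jan 10 10:00:01 deice postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.108]: 550 5.1.1 <cservicea@localhost>: Recipient address rejected: User unknown in local recipient table; from=<kali@example.com> to=<cservicea@localhost> proto=SMTP helo=<kali>
Jan 10 10:00:02 deice postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.108]: 550 5.1.1 <servicec@localhost>: Recipient address rejected: User unknown in local recipient table; from=<kali@example.com> to=<servicec@localhost> proto=SMTP helo=<kali>
Jan 10 10:00:02 deice postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.108]: 550 5.1.1 <acservice@localhost>: Recipient address rejected: User unknown in local recipient table; from=<kali@example.com> to=<acservice@localhost> proto=SMTP helo=<kali>
Jan 10 10:00:03 deice postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.108]: 550 5.1.1 <cadmin@localhost>: Recipient address rejected: User unknown in local recipient table; from=<kali@example.com> to=<cadmin@localhost> proto=SMTP helo=<kali>
Jan 10 10:05:00 deice postfix/smtpd[2130]: NOQUEUE: reject: RCPT from mail.example.org[10.0.0.5]: 550 5.1.1 <bob@localhost>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.org> to=<bob@localhost> proto=ESMTP helo=<mail.example.org>
"""

# Pull the client IP and the rejected local part out of a 550 "User unknown" reject.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 .*?User unknown.*? to=<(?P<rcpt>[^@>]+)"
)

def rejected_recipients_by_client(log_text):
    """Map each client IP to the set of distinct local parts it had rejected."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt"))
    return seen

def flag_enumeration(log_text, threshold=5):
    """Return {ip: sorted names} for clients at or above the distinct-reject threshold.

    The threshold is an assumption: a legitimate relay mistypes one or two
    addresses, while an enumeration script walks through a whole candidate list.
    """
    seen = rejected_recipients_by_client(log_text)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= threshold}

if __name__ == "__main__":
    for ip, names in flag_enumeration(SAMPLE_LOG).items():
        print(f"possible SMTP user enumeration from {ip}: {len(names)} unknown recipients tried: {', '.join(names)}")
```

Only the probing client crosses the threshold; the single mistyped address from the legitimate relay does not.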

It did the work! We found a user called csadmin. Now it's time to brute-force this account using the password list rockyou.txt.

A password was found!

Let's log into SSH using this username and password.

When I read the /etc/passwd file, I found a sysadmin user with elevated privileges. This could do the trick, but right now we need to focus on the shell we just got.

I went back to the home directory and found a folder called mailserv_downloads.

This had 2 messages or emails.

I read the first one first, using the cat command.

It looked like an important mail since it mentioned a sender, sdadmin. It also had details about sdadmin's son's birthday. If he kept his password simple, we could crack it using cupp, and that's what we did.

But before that I also examined the part file, and as expected, it had nothing useful on its own.

Let's make a custom dictionary using cupp now, filling in the details given in the mail.

The dictionary was saved in /home under the name paul.txt.

We copied it to the desktop and brute-forced SSH using hydra.

Voila! A password was found for sdadmin using the custom dictionary.

Let's log into SSH using these credentials.

It works! Let's look for another piece of information in the home directory now.

Of course there is another part file, part 3. This suggests that dbadmin might have the last missing piece. But before that we need to steal dbadmin's credentials.

Can this mail help?


This looked like a reply to the mail we read earlier. This mail also talked about a "databaser." Right hand to god, this could be dbadmin. Hence, we created another custom dictionary using cupp to brute-force dbadmin.

The name was fred.txt this time. We again brute-forced SSH using hydra.


A password was found!

Let's log into SSH using these credentials.

We finally found the last missing piece of the 3-part mail.

I copied all 3 parts into 3 separate text files on my local machine, named part1, part2 and part3.

I concatenated these 3 files into a single file, complete.txt.

But there were too many useless characters and lines.

This step took far more time than we can describe in the scope of this article, since I had to clean up extra spaces, tabs, characters and lines to make it readable. The first of the many steps can be described as:

So on and so forth went the editing until the text file was readable:


Hmm... This looked like an algorithm. The comments also cleared up some of the details needed to connect the dots.

Here is what we established:

  1. This is an algorithm that takes a username as input and creates a password (the first comment says so)
  2. We could use it to generate the password for sysadmin

Hence, there was a need to write a program implementing the algorithm. I tried C first, but it gave an error I could not resolve, so I went back to cyberry's blog (a huge shoutout to him again) and found his Java code.

Quite a genius he is!

Code:

The final dot:

“Pseudocode will be implemented with the root account and my account.”

My account seems like sysadmin talking.

Let us compile this Java code using javac.


Execute it using:

As stated, we input sysadmin as the username and it gave us a password. It gave a password for root as well, but that one didn't work.


Hence, we got into the sysadmin shell!

We tried su here and it prompted for a password.

Upon entering the generated password, we got root!!

Final steps:

Hence, the flag was nabbed! Hope you enjoyed this!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here
