De-Ice 1.120a Walkthrough


          Few days back my friend Chetan told to get hands on De Ice and Kioptrix series before taking PWK labs.The very next weekend I started with De-Ice http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso . As my bridge network was on 192.168.1.x series I thought of doing De-Ice 1.120a just by bridging the VM. One of the awesome URL that I found today was https://blog.g0tmi1k.com/2011/03/vulnerable-by-design/ .

Enumeration:

  • I started with nmap as usual to find all the open ports. I usually use version detection and aggressive scan in nmap.

  • Well this anonymous thing on port 21 ftp didn't helped me and took me no where. There was also mysql port open which was not much of a use. But running few mysql related metasploit module and bruteforce using rockyou.txt would be good.
  • I tried to access the server on port 80 and it gave me the following.  
  • It has a simple functionality of adding and viewing a product as shown below.
      

    SQL Injection:


    • Well looking at the URL, I couldn't stop myself from running SQLmap. The parameter 'id' was injection. I tried os shell and pwn with sql map but there was no permission for writing on the directories. I even tried to brute-force the writable directory but it didn't work. Moving on after some permutation and combination I used the below query to retrieve users and password hashes.
    • The command ended with --users --passwords.


    • Well using the username and password mentioned above I did ssh using ccoffee with the password ********.



    • Checking in the scripts folder I found '.sh' file which says

      •  Now here's the trick which took me a long time to figure out. User ccoffee can execute getlogs.sh file. So I renamed the original file as follows.
       Then...

             Finally....



    Comments

    1. Unknown6 August 2016 at 01:26

      Hi Hashim,

      are we allowed to use sqlmap in pwk labs??
      thanks a lot for all the blogs you have put up..they have been a great help always

      AH

      ReplyDelete
    2. palometazajkowski25 February 2022 at 05:49

      Slot machines by casino - World Casinos
      Slot machines 부들 이 벗방 are a form of casino 페이 백 먹튀 equipment used for 뱃365 gambling. in the casino section of 벳 365 한글 the video slot machines and other machines which 플레이 포커 was  Rating: 5 · ‎5 reviews

      ReplyDelete

    Post a Comment

    Popular posts from this blog

    MY OSCP REVIEW

    Image
    MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I...
    Read more

    Minishare 1.4.1 Bufferoverflow

    Image
    You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close...
    Read more