I’ve been running through a bunch of vulnerable VMs recently and wanted to document some of my progress so far. Here’s how I stepped through De-ICE S1.100, which you can get here from Vulnhub.
Ran nmap -sS -sV 192.168.50.101 --open --reason
Ran Nessus against 192.168.50.101
Looked up CVEs on PHP 5.1.x (but it led nowhere)
Looked at the webpage and put the names of the IT staff in a txt file
Grabbed the rockyou.txt file, ran Hydra and got the password for aadams
Logged in as aadams
Ran cat /etc/passwd and cat /etc/shadow, but it gave me permission denied on the shadow file, so I did sudo cat /etc/shadow, entered his password and got the results
I then tried running the hashes through some online hash checkers, but I couldn’t find one that worked, so I looked up some other options, and John the Ripper came up... of course! (duh). I then copied the hashes into a txt file called hashes.txt (but forgot root... oops!) and ran John with the rockyou wordlist
I then started looking around and found an ftp directory with a file named salary_dec2003.vsc.enc. I looked up what enc files were and how to open them (after trying some other stupid things) and found openssl, which was on the computer. I ran it with the example I found, but it didn’t work, so I looked at the help file, saw I could try other encryption types, tried the first one in the list and was able to open the file! It was crazy large though, so I then looked up how to view it better and learned of the less command.
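The Hydra run against aadams above is exactly the kind of activity that shows up in the target's sshd log. As an added example that is not from the original post, this Python script parses constructed auth.log-style lines (not a capture from the VM) and flags any source address with a burst of failed passwords, also reporting whether that source was accepted into an account afterwards, which is what a guessed password looks like; the syslog format, threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the style of a Debian/Ubuntu /var/log/auth.log; not a real capture.
SAMPLE_LOG = """\
Mar  4 10:15:01 deice sshd[2101]: Failed password for aadams from 192.168.50.50 port 40001 ssh2
Mar  4 10:15:02 deice sshd[2102]: Failed password for aadams from 192.168.50.50 port 40002 ssh2
Mar  4 10:15:02 deice sshd[2103]: Failed password for invalid user bbanter from 192.168.50.50 port 40003 ssh2
Mar  4 10:15:03 deice sshd[2104]: Failed password for aadams from 192.168.50.50 port 40004 ssh2
Mar  4 10:15:04 deice sshd[2105]: Failed password for aadams from 192.168.50.50 port 40005 ssh2
Mar  4 10:15:09 deice sshd[2106]: Accepted password for aadams from 192.168.50.50 port 40006 ssh2
Mar  4 10:20:00 deice sshd[2200]: Failed password for ccoffee from 192.168.50.7 port 51000 ssh2
Mar  4 11:30:00 deice sshd[2300]: Failed password for ccoffee from 192.168.50.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(lines, year=2024):
    """Yield (timestamp, result, user, src) for each sshd password event; syslog lines carry no year."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Mar  4")
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["src"]

def find_bruteforce(lines, threshold=5, window_s=60):
    """Map each source IP that produced >= threshold failures inside any window_s-second span
    to (peak failures in one window, accounts that source was accepted into afterwards)."""
    fails, accepted = defaultdict(list), defaultdict(set)
    for ts, result, user, src in sorted(parse(lines)):
        if result == "Failed":
            fails[src].append(ts)
        elif fails[src]:  # a success after failures from the same source: a guessed password
            accepted[src].add(user)
    alerts = {}
    for src, times in fails.items():
        peak = start = 0
        for end in range(len(times)):  # sliding window over the sorted failure timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = (peak, sorted(accepted[src]))
    return alerts
```

Running find_bruteforce(SAMPLE_LOG.splitlines()) flags only 192.168.50.50 (five failures in four seconds, then an accepted login as aadams); the two ccoffee failures an hour apart stay below the window.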