Stepping through De-ICE S1.100

I’ve been running through a bunch of vulnerable VM’s recently and wanted to document some of my progress so far.  Here’s how I stepped through De-ICE S1.100 which you can get here from Vulnhub.

Ran nmap -sS -sV –open –reason




Ran Nessus against




Looked up CVE’s on PHP 5.1.x (but lead no where)


Looked at webpage and put names of IT staff in a txt file



Grabbed the rockyou.txt file, ran Hydra and got the password for aadams



Logged in as aadams



Ran cat /etc/passwd and cat/etc/shadow but it gave me permission denied on shadow file, so I did sudo cat/etc/shadow and entered his password and got the results




I then tried running the hashes through some online hash checkers, but I couldn’t find one that worked, so I looked up some other options, and John the ripper came up.. of course! (duh).  I then copied the hashes into a txt file called hashes.txt (but forgot root…oops!) and ran John with the rockyou wordlist





I then started looking around and found an ftp directory with a file named salary_dec2003.vsc.enc.  I looked up what enc files were and how to open them (after trying some other stupid things) and found openssl, which was on the computer.  I ran it with the example I found, but it didn’t work.  so I looked at the help file, saw I could try other encryption types, tried the first one in the list and was able to open the file!  It was crazy large though, so I then looked up how view it better and learned of the less command.