Wednesday, April 18, 2012

De-ICE pentest discs 1.120a and 1.120b

The De-ICE pentest LiveCDs 1.120a and 1.120b were released quite a while ago.  I tried them out yesterday and managed to successfully work through both of them.

As a few people (e.g. g0tmi1k) have already put up excellent walkthroughs for them, I won't be doing so. Here, I will just mention a way to cut out part of the merry goose chase in 1.120b. This will allow you to skip the part on using cupp, but you would still need to repair and combine the Java file.

Basically, after you manage to get a non-root user account on the box, take a look at the kernel version. It is 2.6.16. This box is vulnerable to the Linux Kernel 'udp_sendmsg()' MSG_MORE Flag Local Privilege Escalation Vulnerability. As gcc is not installed on the box, statically compile the publicly available exploit on your attacking box. Then transfer the resulting executable onto the box and run it to get root. This should cut out the hassle of having to compromise the other two user accounts. Unfortunately, to achieve the goal of this pentest, you would still need to put the Java file together to get the password to decrypt the accounts file. g0tmi1k has already covered this last part in good detail.