W34KN3SS
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine w34kn3ss, from the VulnHub pentesting platform.
- w34kn3ss can be downloaded from here:
https://www.vulnhub.com/entry/1,270/
- Once the virtual machine downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Looking for IP with netdiscover, it is 192.168.1.43:
- Scanning with Nmap:
- Scanning deeper both ports 80 and 443, we find domain weakness.jth:
- Dirbusting the web server at port 80:
- Nothing interesting at folders /blog, /test and /uploads:
- Editing /etc/hosts by adding domain weakness.jth:
- Dirbusting weakness.jth we find /private:
- Going to http://weakness.jth it seems to be a rabbit hole, though there is a hint about a potential user n30:
- However http://weakness.jth/private provides interesting information:
3 - EXPLOITATION
- Downloading mykey.pub and moving to the working directory it seems to be an encrypted key for SSH:
- Reading notes.txt we learn that the key was generated by openssl 0.9.8c-1:
- Looking for exploits related to openssl 0.9.8c-1:
- We are dealing with vulnerability CVE-2008-0166: "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0166
- Copying and reading 5622.txt:
- Downloading and extracting 5622.tar.bz2:
- Now we can look for the SSH private key by passing the encrypted key as parameter to grep, finding it inside /rsa/2048:
- SSH-ing the target with the private key for user n30:
4 - READING 1st FLAG
- Looking inside n30's home folder:
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Two interesting hints:
a) there is a file .sudo_as_admin_successful
b) n30 belongs to group sudo
- Unfortunately we cannot access to n30's sudoer privileges because we don't have the password:
- Regarding the file code we notice that it's Python 2.7 byte-compiled:
- Transferring code to Kali:
- Installing uncompyle6:
-Trying to uncompile code if fails because there is no extension .pyc:
- Adding extension .pyc:
- Running code.pyc there is nothing of interest:
- Now uncompyle6 reverses code.pyc into readable Python source code:
-Focusing the attention on the column we have n30:dMASDNB!!#B!#!#33
- Finally we can try n30's sudoer privileges:
- We get a root shell:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: