Tuesday, March 1, 2022

w34kn3ss

W34KN3SS

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine w34kn3ss, from the VulnHub pentesting platform.

w34kn3ss can be downloaded from here:

https://www.vulnhub.com/entry/1,270/

- Once the virtual machine has been downloaded and imported into VirtualBox:

2 - ENUMERATION

- Looking for the target's IP with netdiscover, it is 192.168.1.43:

- Scanning with Nmap:

- Scanning ports 80 and 443 more deeply, we find the domain weakness.jth:

- Dirbusting the web server at port 80:

- Nothing interesting in the folders /blog, /test and /uploads:

- Editing /etc/hosts to add the domain weakness.jth:

- Dirbusting weakness.jth, we find /private:

- Browsing to http://weakness.jth, it seems to be a rabbit hole, though there is a hint about a potential user n30:

- However http://weakness.jth/private provides interesting information:

3 - EXPLOITATION

- Downloading mykey.pub and moving it to the working directory, it seems to be an SSH key:

- Reading notes.txt we learn that the key was generated by openssl 0.9.8c-1:

- Looking for exploits related to openssl 0.9.8c-1:

- We are dealing with vulnerability CVE-2008-0166: "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0166

- Copying and reading 5622.txt:

- Downloading and extracting 5622.tar.bz2:

- Now we can look for the matching SSH private key by passing the downloaded key as a parameter to grep, finding it inside /rsa/2048:
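
The defensive counterpart of the grep above is auditing a server's authorized_keys for keys that appear in a known-weak set, the way Debian's ssh-vulnkey did after CVE-2008-0166. The following is an added example, not code from the original post: it parses OpenSSH "ssh-rsa" lines, computes the OpenSSH SHA-256 fingerprint of each key blob, and flags any fingerprint found in a blacklist. The blacklist entry and the key lines it checks are constructed placeholders (a tiny modulus, not a real weak key), not the real Debian blacklist data.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4253)."""
    return struct.pack(">I", len(data)) + data
def _ssh_mpint(value: int) -> bytes:
    """Positive integer as an SSH mpint: a leading 0x00 is added if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)
def encode_rsa_pubkey(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64>' line from public exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()
def parse_rsa_pubkey(line: str) -> tuple[int, int, bytes]:
    """Return (e, n, raw_blob) for an 'ssh-rsa' line; raise ValueError for other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1])
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        fields.append(blob[offset + 4:offset + 4 + length])
        offset += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big"), blob
def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()

# Constructed stand-in for one blacklist entry (tiny modulus, NOT a real weak key).
KNOWN_WEAK_LINE = encode_rsa_pubkey(65537, 0xC0FFEE1234567890ABCDEF)
BLACKLIST = {fingerprint_sha256(parse_rsa_pubkey(KNOWN_WEAK_LINE)[2])}

def audit_authorized_keys(text: str, blacklist: set[str]) -> list[tuple[int, str, str]]:
    """Classify each key line as 'weak', 'ok' or 'skipped' (non-RSA, option-prefixed or malformed)."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no key
        try:
            fp = fingerprint_sha256(parse_rsa_pubkey(line)[2])
        except (ValueError, struct.error):
            report.append((lineno, "-", "skipped"))
            continue
        report.append((lineno, fp, "weak" if fp in blacklist else "ok"))
    return report
```

Any line reported as "weak" should be removed from authorized_keys and the key pair regenerated on a patched system.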

- SSH-ing into the target as user n30 with the private key:

4 - READING 1st FLAG

- Looking inside n30's home folder:

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- Two interesting hints:

    a) there is a file .sudo_as_admin_successful

    b) n30 belongs to group sudo

- Unfortunately we cannot use n30's sudo privileges because we don't have the password:

- Looking at the file code, we notice that it is Python 2.7 byte-compiled:

- Transferring code to Kali:

- Installing uncompyle6:

- Trying to decompile code, it fails because the file has no .pyc extension:

- Adding the .pyc extension:

- Running code.pyc, there is nothing of interest:

- Now uncompyle6 decompiles code.pyc into readable Python source code:

- Focusing on the column, we have the credentials n30:dMASDNB!!#B!#!#33

- Finally we can try n30's sudo privileges with the recovered password:

- We get a root shell:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt: