Vulnhub - W34KN3SS: 1
Introduction
The matrix is controlling this machine, neo is trying to escape from it and take back the control on it , your goal is to help neo to gain access as a “root” to this machine , through this machine you will need to perform a hard enumration on the target and understand what is the main idea of it , and exploit every possible “weakness” that you can found , also you will be facing some upnormal behaviours during exploiting this machine.
This machine was made for Jordan’s Top hacker 2018 CTF , we tried to make it simulate a real world attacks “as much as possible” in order to improve your penetration testing skills , also we but a little tricky techniques on it so you can learn more about some unique skills.
Difficulty: Intermediate , you need to think out of the box and collect all the puzzle pieces in order to get the job done.
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s W34KN3SS: 1 from vulnhub. It’s got a mild Matrix theme.
Ports
This box has SSH, HTTP and HTTPS on the standard ports (22, 80 and 443). A detail scan, or viewing the SSL certificate, gives some useful information:
Organization weakness.jth
Common Name weakness.jth
Email Address n30@weakness.jth
I add weakness.jth to /etc/hosts.
HTTP/HTTPS and hints
I enumerate the webservices with gobuster and turn up some things:
At https://192.168.1.106/test/ we get a meme with some text:
it’s all about keys :D
At http://weakness.jth/ we get a message from n30 - same user as in the email address on the SSL certificate.
At http://weakness.jth/private/ we find an SSH public key and a note, with the text:
this key was generated by openssl 0.9.8c-1
OpenSSL
This version of OpenSSL had a bug that reduced the available keyspace:
When creating a new OpenSSH key, there are only 32,767 possible outcomes for a given architecture, key size, and key type.
This means that we can try all possible keys to see if one works, hence the hint about needing lots of keys. I used the python exploit code from searchsploit:
root@kali:/opt/vulnhub/w34kn3ss# python 5720.py ./5622/rsa/2048/ 192.168.1.106 root 22 5
Which found a working key for our user n30:
Privesc
Our user n30 is a member of the sudo group and in his home directory is an interesting file called code. The file is a compiled python script:
If we run it, we get this:
Did someone say hardcoded login info?
Uncompyle
I copy the binary over to kali and try to run uncompyle6 on it; that’s failing for some reason. There is something going on with python versions but it’s not immediately clear what. Instead what I do is setup a python virtual environment, clone the uncompyle2 repo from GitHub into it and then decompile the file there so I’ve got no mix ups with versions. The sequence of commands was broadly this (taken from my bash history):
So what’s in out? Effectively it’s our credentials, with some other stuff that’s not important:
n30:dMASDNB!!#B!#!#33
Privesc
With our credentials and being a member of the sudo group it’s game over:
Goodbye, Mr Anderson.