[Vulnhub] - W34kn3ss Walkthrough

-
So it's been a long time since I published any walkthroughs and also vulnhub started publishing new machines from yesterday so I thought why not solve and write about them. The first machine I did is this one - W34kn3ss and below is my walkthrough for the same.

The target machine's IP address is 192.168.0.122 so I did a quick nmap scan on it.


In the above screenshot we can see some open ports like 22, 80 and 443. Nmap's default script scan on port 443 also revealed a domain name "weakness.jth" so I added this domain name on my /etc/hosts and checked the web service running on that domain. 



Nothing really interesting here except that ASCII art of a rabbit and text "n30". Maybe n30 is an username which maybe used later? So, I saved it in my notes and started bruting files/dirs with dirsearch.


Dirsearch revealed this interesting directory /private so I visited this dir on browser and found two files; mykey.pub and notes.txt.


mykey.pub was a SSH public key file and in notes.txt there was a note saying "this key was generated by openssl 0.9.8c-1". A quick google search on this openssl version revealed that it was vulnerable to "Debian OpenSSL Predictable PRNG" attack. In simpler words, we can get private SSH key with little help of public key. g0tmi1k has already generated a tons of private/public key pairs so I downloaded common SSH RSA keys from here and grep'ped the content of mykey.pub file in the list.



So our mykey.pub file matched the contents of 4161de56829de2fe64b9055711f531c1-2537.pub file from the list of keys. Private SSH key is also available for this public key so let's try SSH'ing into the box. But wait.. we don't have username to SSH. What about using that name we found earlier? n30 :)
Tbh when I was doing this box, I randomly typed n30, passed the private key and BAMMMM, we're in.


Checking the user's home directory, we can see a Python 2.7 byte compiled file named code. So, I just copied it to /var/www/weakness/ (I'm lazy and I know it :P) and downloaded on my local machine. I analyzed this file with uncompyle2 and got its raw python code.


 So what this code is, add the characters of password one by one to the variable inf and again, concatenate the variable with the output of time.ctime() function and generate a SHA256 hash. We can just comment few lines and print the inf variable to get the password. 


After running the code, we get output n30:dMASDNB!!#B!#!#33; n30 is the user and dMASDNB!!#B!#!#33 is the password. So let's check sudo privileges for the user n30 with sudo -l command. 


(ALL : ALL) ALL for user n30 which means user n30 can run all commands as root so why not sudo su - and get root? :D


That's how I successfully pwn3d this box :) 
Thank you for reading. Happy Hacking!

Comments

Post a Comment

Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

-
Image
Introduction After hacking into a private program for a while now, I found some nice bugs, mostly through recon and chaining one clue after another. In this blog post, I'll discuss the same as well as my approach to finding them. Since I've signed an NDA with them, all references to the project and company are redacted. For the sake of this blog, I am going to refer to the project as MeowCorp project and their primary domain as meowcorp.io.  Findings #1 /.git/config file to root shell After running regular subdomain enumeration tools, I picked up some interesting subdomains. One of them was api.scan.meowcorp.io. While performing content discovery on this subdomain, I found  git config file. Quickly I dumped the files from .git dir with GitTools  but it was all static CSS, JS files that were of no use. When I was about to close the terminal tab, I noticed that the git repo belonged to a personal GitHub profile.  The company has its own GitHub org profile but the reference to a p
Read more

Expanding the attack surface with Shodan's lesser known filter

-
Image
I have been using Shodan extensively for bug bounty hunting lately and I found some neat tricks to expand the attack surface of the given target. There are many blogs and tutorials on "Shodan Recon" and most of them talk about the same filters - ssl, ssl.cert.subject.cn, org, ip, hostname, etc. but I have not seen anyone talk about this filter - all. So, I won't talk much about the basics of shodan and directly jump to the topic.  Shodan's regular search bar (without any filter) is not consistent and when you search for a keyword, it only looks for the "keyword" in https://www.shodan.io/host/<ip> BUT shodan's raw data (https://www.shodan.io/host/<ip>/raw) contains much more information or what I like to call it as "references" about the target. To find those references and juicy hosts, this "all" filter is very handy. I have been using this filter a lot and it has found many hosts that no other filter could find. The usage
Read more

Dropping root shell in a Crypto Exchange for Fun (and Profit?)

-
Image
I have been using this Crypto Exchange - changenow.io for at least a year now. I didn't realize they also had a bug bounty program which was mentioned in their footer section. I was quite busy with my day job so I kept the details of the program in my todo.txt so I could check it out later. One night when I was having that itch of doing some bug bounties, I checked my todo.txt and decided to hunt bugs on changenow.io. I started by enumerating subdomains and probing for standard web ports (80/443). After obtaining a handful of URLs, I tried to visit them one by one and noticed a few of them were trying to redirect to another internal domain eth-btc.com A quick whois on eth-btc.com revealed that it also belonged to changenow.io (admin email - sysadmin@changenow.io) so I enumerated the subdomains of this domain too. One of the subdomain zbx.sup.eth-btc.com was running Zabbix instance. I didn't have login credentials and common creds also didn't work but there was "Sign i
Read more