[Vulnhub] - W34kn3ss Walkthrough

So it's been a long time since I published any walkthroughs and also vulnhub started publishing new machines from yesterday so I thought why not solve and write about them. The first machine I did is this one - W34kn3ss and below is my walkthrough for the same.

The target machine's IP address is so I did a quick nmap scan on it.

In the above screenshot we can see some open ports like 22, 80 and 443. Nmap's default script scan on port 443 also revealed a domain name "weakness.jth" so I added this domain name on my /etc/hosts and checked the web service running on that domain. 

Nothing really interesting here except that ASCII art of a rabbit and text "n30". Maybe n30 is an username which maybe used later? So, I saved it in my notes and started bruting files/dirs with dirsearch.

Dirsearch revealed this interesting directory /private so I visited this dir on browser and found two files; mykey.pub and notes.txt.

mykey.pub was a SSH public key file and in notes.txt there was a note saying "this key was generated by openssl 0.9.8c-1". A quick google search on this openssl version revealed that it was vulnerable to "Debian OpenSSL Predictable PRNG" attack. In simpler words, we can get private SSH key with little help of public key. g0tmi1k has already generated a tons of private/public key pairs so I downloaded common SSH RSA keys from here and grep'ped the content of mykey.pub file in the list.

So our mykey.pub file matched the contents of 4161de56829de2fe64b9055711f531c1-2537.pub file from the list of keys. Private SSH key is also available for this public key so let's try SSH'ing into the box. But wait.. we don't have username to SSH. What about using that name we found earlier? n30 :)
Tbh when I was doing this box, I randomly typed n30, passed the private key and BAMMMM, we're in.

Checking the user's home directory, we can see a Python 2.7 byte compiled file named code. So, I just copied it to /var/www/weakness/ (I'm lazy and I know it :P) and downloaded on my local machine. I analyzed this file with uncompyle2 and got its raw python code.

 So what this code is, add the characters of password one by one to the variable inf and again, concatenate the variable with the output of time.ctime() function and generate a SHA256 hash. We can just comment few lines and print the inf variable to get the password. 

After running the code, we get output n30:dMASDNB!!#B!#!#33; n30 is the user and dMASDNB!!#B!#!#33 is the password. So let's check sudo privileges for the user n30 with sudo -l command. 

(ALL : ALL) ALL for user n30 which means user n30 can run all commands as root so why not sudo su - and get root? :D

That's how I successfully pwn3d this box :) 
Thank you for reading. Happy Hacking!


Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

Expanding the attack surface with Shodan's lesser known filter

Dropping root shell in a Crypto Exchange for Fun (and Profit?)