Walkthrough of the "W34kn3ss: 1" machine

Here we discuss a step-by-step procedure to exploit the machine named "w34kn3ss".

After importing this machine into VirtualBox I ran it with a bridged network connection. The information about the machines is given below.

Attacker machine: I am using a Kali machine as the attacker; its IP address is 192.168.0.180.

Finding the IP of Target machine:

To find the target IP address from Kali we use the "netdiscover" command.

Command: sudo netdiscover

Use: sudo gives us superuser rights to run the command, and netdiscover is an active/passive address-gathering tool that lists the hosts found on the local network.

IP address of Target machine: 192.168.0.228

Exploring the open ports on the target machine:

For that I started a scan with Nmap, using the following command:

nmap -sS -sC 192.168.0.228

-sS: TCP SYN scan; by default Nmap checks the 1000 most commonly used ports on the server

-sC: scan with the default NSE scripts

So the Nmap scan shows that ports 22 (SSH), 80 (HTTP) and 443 (SSL) are open on this host. One more piece of information from this scan is that the server uses an SSL certificate with the organisation name weakness.jth. Now let's try to access port 80.

· When we open port 80 in the browser:

It shows a default Apache page and nothing else. Since a default page is present, we can easily tell an existing directory from a non-existing one by the response, so let's start brute-forcing directories using "dirb".

Enumerating the directories using Dirb

It is a command-line tool that comes preinstalled in Kali; we only have to give it a wordlist and it will look for directories on the web application.

After running dirb, it found some directories: uploads and test. Let's try to open them in the browser.

· test

· uploads

These directories seem to be empty.

Remember that Nmap found an SSL certificate with the organisation name weakness.jth. Let's try to resolve this domain to the machine's IP. In order to do so, I have to edit my /etc/hosts file so that weakness.jth resolves to the machine IP.

To open /etc/hosts in kali I used sudo mousepad /etc/hosts

The updated /etc/hosts looks like:

Now try to browse weakness.jth in Kali's browser. You can see that we are welcomed with a different page this time.

Now run dirb again on "weakness.jth" to find more hidden directories.

You can see that some more hidden directories were found: "/private" and some subfolders of it. Let's open them in the browser to check what they contain.

· mykey.pub: This contains a public SSH key. When I clicked on mykey.pub, it showed the key. Copy that key from the browser into a text file.

· notes.txt: Clicking on notes.txt showed a version disclosure of the SSL library, which is OpenSSL 0.98c-1.

So we used "searchsploit" in Kali to search for exploits for OpenSSL version 0.98.

It gave us 3 search results: one is written in Ruby and one in Python.

I used "5622.txt" with the -m option; -m mirrors (copies) the exploit to the local machine. As the screenshot below shows, the exploit is copied to my local "/home/kali/" directory.

This exploit helps us find the private key that corresponds to a public key generated with the weak OpenSSL PRNG. Now let's open 5622.txt.

We can download this folder directly from GitHub; inside it, /rsa/2048 contains a large set of private keys together with their corresponding public keys. Let's search for our key in this folder. The command I used is

grep -r -l "<publicly available key>" (with -r for a recursive search and -l to print only the names of the files that match the pattern)

You can see that we found the file "4161de56829de2fe64b9055711f531c1-2537.pub", which corresponds to our public key.
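The same weak-key corpus the grep above searches can be used the other way round, to audit a server's authorized_keys for keys that are known to be weak. The following is an added example, not code from the write-up; the key material and file contents are constructed, and it matches on the decoded key blob rather than on the raw text so that a changed comment or spacing cannot hide a hit:

```python
"""Audit authorized_keys against a corpus of known-weak OpenSSH public keys.
Added example, not from the write-up. Matching is on the decoded key blob, so
a different comment or spacing (which a plain grep misses) cannot hide a hit.
"""
import base64
import hashlib

def parse_pubkey(line):
    """Return (key_type, blob) for an OpenSSH public-key line, else None."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return parts[0], blob

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (unpadded base64 of the digest)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def index_weak_keys(key_lines):
    """Map fingerprint -> original line for every parsable weak key."""
    index = {}
    for line in key_lines:
        parsed = parse_pubkey(line)
        if parsed:
            index[fingerprint(parsed[1])] = line.strip()
    return index

def audit_authorized_keys(lines, weak_index):
    """Return [(line_no, fingerprint, weak_entry)] for entries in the corpus."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_pubkey(line)
        fp = fingerprint(parsed[1]) if parsed else None
        if fp in weak_index:
            hits.append((n, fp, weak_index[fp]))
    return hits

# Constructed sample data (not real keys): arbitrary bytes stand in for key
# material; the weak blob reappears in authorized_keys with another comment.
WEAK_BLOB = base64.b64encode(b"constructed-weak-key-material-0001").decode()
GOOD_BLOB = base64.b64encode(b"constructed-good-key-material-0002").decode()
WEAK_CORPUS = ["ssh-rsa " + WEAK_BLOB + " weak-corpus-entry.pub"]
AUTHORIZED_KEYS = ["# constructed authorized_keys", "ssh-rsa   " + WEAK_BLOB + "   n30@W34KN3SS",
                   "ssh-rsa " + GOOD_BLOB + " admin@example", "not a key line"]
```

On a real host, feed `index_weak_keys` the lines of every .pub file in the corpus and `audit_authorized_keys` the lines of each user's authorized_keys; any hit is a key to revoke.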

During our recon on "weakness.jth" we found an SSH public key and the version of the SSL library in use, which was vulnerable. When we visited weakness.jth earlier we were welcomed with an image of a rabbit with "n30" written on it, so we will try to connect via SSH with the user name "n30".

I will use ssh with the -i option because I already have an identity file.

Command: ssh -i 4161de56829de2fe64b9055711f531c1-2537 n30@<machine ip>

After running the above command, I got access as the user n30@W34KN3SS.

Exploring After Getting SSH

Let's list the files in the home directory.

· User.txt: Dumping its content with cat shows the first flag.

· Code: To find its file type I used the "file" command, which shows that this is Python 2.7 byte-compiled code. Let's download this file and then look into it.

Since the target runs a web server that we can reach at 192.168.0.228, let's copy the code file into /var/www/html/ so we can download it for further use.

After copying the file we can download it from the target machine to our local Kali machine.

After downloading, we try to decompile it. Any publicly available online Python decompiler will do for this purpose. Upon decompiling it we can see the content of the file.

After decompilation we see that the file assigns the password one character at a time and then converts the result into a SHA-256 hash. Let's copy each character and use the resulting string as the password. Now let's try to get superuser (root) access with it.
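Byte-compiling a script does not hide a secret assembled from literals: the literals survive in the .pyc as constants of the code object, which is why the password above could be read back. The following is an added example, not the write-up's decompiled file; its sample source and secret are constructed placeholders. It compiles and marshals source the way the interpreter does for the body of a .pyc, then walks the code object's constants recursively, a cheap audit for credentials shipped as bytecode:

```python
"""Show that byte-compiling Python does not hide hardcoded secrets.
Added example, not from the write-up. Source and secret are constructed.
"""
import marshal
import types

# Constructed stand-in for a script that assembles a secret from literals.
SAMPLE_SOURCE = '''
import hashlib
def build():
    secret = "PLACEHOLDER-"
    secret += "not-a-real-password"
    return hashlib.sha256(secret.encode()).hexdigest()
'''

def string_constants(code):
    """Recursively collect string constants from a code object and nested ones."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(string_constants(const))
    return found

def to_pyc_body(source, filename="<constructed>"):
    """Compile and marshal, as the interpreter does for the body of a .pyc."""
    return marshal.dumps(compile(source, filename, "exec"))

def audit_pyc_body(blob):
    """Load the marshalled code and report non-identifier string constants.

    Identifier-shaped strings (function names, attribute names that some
    versions keep in co_consts) are dropped to reduce noise; anything left
    is a literal worth a look.
    """
    code = marshal.loads(blob)
    return [s for s in string_constants(code) if s and not s.isidentifier()]
```

For a real .pyc, skip the file header (16 bytes on Python 3.7+, 12 on older 3.x, 8 on 2.7) and pass the remainder to `audit_pyc_body` under the same interpreter version that produced it.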

Username: n30

Password: dMASDNB!!#B!#!#33

We use the "sudo -i" command in the machine's shell.

You can see that by using the password we rooted the machine successfully.

We got our last flag.

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
