Here we discuss a step-by-step procedure to exploit the machine named “w34kn3ss”.
After importing this machine into VirtualBox I ran it with a bridged network connection. The information about the machine is given below.
Attacker machine: Here I am using a Kali machine as the attacker, and its IP address is 192.168.0.180.
Finding the IP of the target machine:
To find the target IP address from Kali we use the “netdiscover” command.
Command: sudo netdiscover
Use: sudo gives us superuser rights to run the command, and netdiscover is an active/passive address-gathering tool.
IP address of target machine: 192.168.0.228
Exploring the open ports on the target machine:
For that I started an Nmap scan using the following command: nmap -sS -sC 192.168.0.228
-sS: TCP SYN scan (by default Nmap checks the 1000 most commonly used ports on the server)
-sC: scan with the default scripts
So the Nmap scan shows that ports 22 (SSH), 80 (HTTP) and 443 (SSL) are open on this machine. The scan also shows that the server is using an SSL certificate with the organization name weakness.jth. Now let's try to access port 80.
· As we open port 80 in the browser, it shows a default Apache page and nothing else. Since a default page is present, we can easily tell an existing directory from a nonexistent one, so let's start brute-forcing directories using “dirb”.
Enumerating the directories using Dirb
It is a command-line tool which comes preinstalled in Kali; we only have to provide it a wordlist and it will look for directories on the web application.
After running dirb, it found some directories: uploads and tests. Let's try to open them in the browser.
These directories seem to be empty.
Remember that Nmap found an SSL certificate with the organization name weakness.jth. Let's try to resolve this domain to our machine's target IP. To do so, I have to edit my /etc/hosts file so that weakness.jth resolves to the machine IP.
To open /etc/hosts in Kali I used sudo mousepad /etc/hosts
The updated /etc/hosts looks like:
Now browse to weakness.jth in Kali's browser. You can see that we were welcomed with a different page this time.
Now run dirb again on “weakness.jth” to find more hidden directories.
You can see some more hidden directories were found: “/private” and some subfolders of private. Let's now open these directories in the browser to check what they contain.
· mykey.pub: This contains an SSH public key. When I clicked on mykey.pub, it showed the key. Copy that key from the browser into a text file.
· notes.txt: When I clicked on notes.txt, it showed a version disclosure of the SSL library, which is OpenSSL 0.98c-1.
So we used “searchsploit” in Kali to search for exploits for version 0.98 of OpenSSL.
It gave us 3 search results. One is written in Ruby and one is written in Python.
I used the “5622.txt” entry with the -m option. We use -m to mirror (copy) the exploit onto the local machine. As you can see in the screenshot below, the exploit is copied to my local “/home/kali/” directory.
This exploit entry helps us recover the private key that matches the public key. Now let's open 5622.txt.
We can download this folder directly from GitHub; if you open the folder and go to /rsa/2048, it contains a lot of private keys, each with its corresponding public key. Let's try to search for our key in this folder. The command I used is
grep -r -l “<publicly available key>”, where -r searches recursively and -l displays only the names of the files that match the given pattern.
You can see that we found a file named “4161de56829de2fe64b9055711f531c1-2537.pub” corresponding to our public key.
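As an added example (not code from the original write-up), the following Python reproduces the matching step above by comparing the base64 key blob of each .pub file rather than grepping raw text, and turns the same lookup into a check a defender can run over a server's authorized_keys file to find entries drawn from a known-weak key corpus. The key corpus, the authorized_keys contents and the file names are constructed stand-ins, not real keys; the fingerprint is OpenSSH's SHA256 style (base64 of the SHA-256 of the decoded blob).

```python
import base64
import hashlib
import shlex
from typing import Dict, List

# Key-type tokens that may precede the blob on an OpenSSH public-key line.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
                     "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed stand-in for the corpus the page greps through: file name -> .pub
# contents. These blobs are made up and are NOT real RSA keys.
WEAK_KEY_FILES: Dict[str, str] = {
    "aaaa1111-1234.pub": "ssh-rsa " + b64(b"constructed-weak-key-1") + " root@example",
    "bbbb2222-5678.pub": "ssh-rsa " + b64(b"constructed-weak-key-2") + " root@example",
}

# Constructed authorized_keys for a server under audit; line 3 reuses a blob
# from the weak corpus (and carries an options field), the others do not.
AUTHORIZED_KEYS = "\n".join([
    "# deploy keys (constructed sample)",
    "ssh-rsa " + b64(b"constructed-strong-key") + " alice@laptop",
    'command="/usr/local/bin/backup" ssh-rsa ' + b64(b"constructed-weak-key-2") + " backup@host",
    "ssh-ed25519 " + b64(b"constructed-ed25519-blob") + " bob@laptop",
])


def key_blob(line: str) -> str:
    """Return the base64 blob of a public-key line, or "" for blank/comment lines.
    shlex handles a quoted options field such as command="..." before the type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return ""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: treat as no key
        return ""
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            return tokens[i + 1]
    return ""


def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + b64(digest).rstrip("=")


def find_matching_files(pub_line: str, corpus: Dict[str, str]) -> List[str]:
    """The page's `grep -r -l <key>` step: names of corpus files holding this blob."""
    wanted = key_blob(pub_line)
    if not wanted:
        return []
    return sorted(name for name, text in corpus.items() if key_blob(text) == wanted)


def audit_authorized_keys(text: str, corpus: Dict[str, str]) -> List[dict]:
    """Defender's view: every authorized_keys entry whose blob is in the weak corpus."""
    index = {key_blob(t): name for name, t in corpus.items() if key_blob(t)}
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        blob = key_blob(line)
        if blob and blob in index:
            findings.append({"line": lineno,
                             "fingerprint": fingerprint(blob),
                             "weak_key_file": index[blob]})
    return findings


if __name__ == "__main__":
    sample = "ssh-rsa " + b64(b"constructed-weak-key-2") + " n30@sample"
    print("matches:", find_matching_files(sample, WEAK_KEY_FILES))
    for f in audit_authorized_keys(AUTHORIZED_KEYS, WEAK_KEY_FILES):
        print("weak key on line", f["line"], f["fingerprint"], "from", f["weak_key_file"])
```

Matching on the blob rather than the whole line is what makes the check usable on real authorized_keys files, where the comment and options fields differ from the corpus copy even when the key itself is identical.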
During our recon on “weakness.jth” we found SSH keys and the version of SSL in use, which was vulnerable. When we visited weakness.jth earlier we were welcomed with an image of a rabbit with “n30” written on it. So we will try to connect via SSH with the “n30” user name.
I will use ssh with the -i option because I already have an identity file.
Command: ssh -i 4161de56829de2fe64b9055711f531c1-2537 n30@<machine ip>
After running the above command, I got access as the user n30@W34KN3SS.
Exploring After Getting SSH
Let's list the files in the home directory.
· User.txt: When I dumped its content with cat, we saw the first flag there.
· Code: To find its file type I used the “file” command; it shows that this is Python 2.7 byte-compiled code. Let's download this file and then look into it.
Since the target has a web server running that we can reach via 192.168.0.228, let's copy the code file into /var/www/html/ so we can download it for further use. After copying the file we can download it from the target machine to our local Kali machine.
After downloading, we try to decompile it. We can use any available online Python decompiler for this purpose. Upon decompiling it we can see the content of the file.
The decompiled file assigns a string a character at a time and then converts it into a SHA-256 hash. Let's copy each character and use the resulting string as the password. Now let's try to get superuser (root) access using that password.
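To show why this step works, here is an added Python example (not the machine's own code file): a constructed script of the same shape assembles a secret from single characters and prints only its SHA-256 digest, yet the marshalled bytecode that a .pyc stores still carries the literal characters in co_consts, so the secret can be read back without a decompiler. The sample script, the function names and the recovery heuristics are my own assumptions.

```python
import contextlib
import hashlib
import io
import marshal
import types
from typing import List

# Constructed stand-in for the decompiled script: builds a secret one character
# at a time and only ever prints its SHA-256 digest.
SAMPLE_SOURCE = '''
import hashlib
secret = ""
for ch in ("c", "o", "n", "s", "t", "r", "u", "c", "t", "e", "d"):
    secret += ch
print(hashlib.sha256(secret.encode()).hexdigest())
'''


def compile_to_pyc_payload(source: str) -> bytes:
    """Compile and marshal the code object; a .pyc is a short header followed
    by exactly this marshalled data."""
    return marshal.dumps(compile(source, "<sample>", "exec"))


def run_and_capture(source: str) -> str:
    """Run the script as a user would and return what it prints (the digest)."""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(compile(source, "<sample>", "exec"), {"__name__": "__sample__"})
    return buf.getvalue().strip()


def string_constants(payload: bytes) -> List[str]:
    """Every string literal reachable from co_consts, recursing into nested
    code objects and into tuple/frozenset constants."""
    found: List[str] = []

    def walk(const):
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, (tuple, frozenset)):
            for item in const:
                walk(item)
        elif isinstance(const, types.CodeType):
            for item in const.co_consts:
                walk(item)

    walk(marshal.loads(payload))
    return found


def candidate_secrets(payload: bytes) -> List[str]:
    """Multi-character literals, plus the in-order join of any tuple made only
    of single characters (the page's 'copy each character' step)."""
    cands: List[str] = []

    def walk(code):
        for const in code.co_consts:
            if isinstance(const, str) and len(const) > 1:
                cands.append(const)
            elif (isinstance(const, tuple) and const
                  and all(isinstance(x, str) and len(x) == 1 for x in const)):
                cands.append("".join(const))
            elif isinstance(const, types.CodeType):
                walk(const)

    walk(marshal.loads(payload))
    return cands


def matches_digest(candidate: str, hexdigest: str) -> bool:
    """Confirm a recovered candidate against the digest the script prints."""
    return hashlib.sha256(candidate.encode()).hexdigest() == hexdigest


if __name__ == "__main__":
    payload = compile_to_pyc_payload(SAMPLE_SOURCE)
    printed = run_and_capture(SAMPLE_SOURCE)
    for cand in candidate_secrets(payload):
        print(cand, "->", "matches" if matches_digest(cand, printed) else "no")
```

The lesson for anyone shipping compiled Python is that hashing a literal at runtime protects nothing: the literal is still a constant in the code object, and marshal preserves it byte for byte.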
We use the “sudo -i” command in the machine's shell.
You can see that by using the password we rooted the machine successfully.
We got our last flag.