W34KN3SS

W34KN3SS Vulnhub Walkthrough

Enumeration

nmap -sC -sV -oA nmap/weakness 192.168.43.125
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-30 07:34 EST
Nmap scan report for weakness.jth (192.168.43.125)
Host is up (0.00018s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 de:89:a2:de:45:e7:d6:3d:ef:e9:bd:b4:b6:68:ca:6d (RSA)
|   256 1d:98:4a:db:a2:e0:cc:68:38:93:d0:52:2a:1a:aa:96 (ECDSA)
|_  256 3d:8a:6b:92:0d:ba:37:82:9e:c3:27:18:b6:01:cd:98 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hmmmm ??
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo
| Not valid before: 2018-05-05T11:12:54
|_Not valid after:  2019-05-05T11:12:54
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
MAC Address: 00:0C:29:F1:CD:FA (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.77 seconds

Let's put the IP into the browser. This is what we get:

So I ran Gobuster.

Gobuster

Going through the directories, I find nothing really interesting.

After that, I added an entry to /etc/hosts for the hostname weakness.jth, which we discovered during the nmap scan.

After that I went to the weakness.jth website.

Then I ran Gobuster again.

As we can see, there is a /private directory; after accessing it, we get a text file and a public key.

From Notes.txt, we can see there are some notes left behind.

After a quick Google search, we can find the vulnerability on Exploit-DB.

From the exploit, we can download a list of RSA keys from here.

Extract it. We follow the instructions from Exploit-DB.

I use grep to find the server's public key among the extracted files.
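As an added defender-side counterpart to that grep step (example code, not part of the walkthrough): a Python check that parses an OpenSSH public key line, computes its SHA256 fingerprint the way ssh-keygen -lf prints it, and looks the fingerprint up in a blocklist of known-weak keys. The sample key, its modulus and the blocklist are constructed here; a real blocklist would be built from the published weak-key set.

```python
import base64
import hashlib
import struct


def _string(b):                       # SSH wire "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b


def _mpint(x):                        # SSH "mpint": minimal big-endian, leading 0x00 if high bit set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def parse_openssh_pubkey(line):
    """Split one authorized_keys line into (key_type, wire_fields, comment)."""
    parts = line.split()
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) > 2 else ""
    fields, off = [], 0
    while off < len(blob):            # walk the length-prefixed fields of the blob
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if fields[0].decode() != key_type:
        raise ValueError("blob type does not match key type prefix")
    return key_type, fields, comment


def fingerprint(line):
    """SHA256 fingerprint of the raw key blob, formatted like ssh-keygen -lf."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rsa_modulus_bits(fields):         # fields for ssh-rsa: [b"ssh-rsa", e, n]
    return int.from_bytes(fields[2], "big").bit_length()


def is_weak(line, blocklist):
    """True if the key material is on the known-weak list; the comment is ignored."""
    return fingerprint(line) in blocklist


# Constructed sample: e = 65537 and a made-up 1024-bit modulus; NOT a real key.
_SAMPLE_BLOB = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 0xC0FFEE)
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode() + " n30@weakness"

# Constructed blocklist seeded with the sample key's fingerprint to simulate a hit.
KNOWN_WEAK = {fingerprint(SAMPLE_KEY)}

if __name__ == "__main__":
    ktype, f, comment = parse_openssh_pubkey(SAMPLE_KEY)
    print(ktype, rsa_modulus_bits(f), comment, "WEAK" if is_weak(SAMPLE_KEY, KNOWN_WEAK) else "ok")
```

Run over every line of an authorized_keys file to flag keys that should be rotated.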

We can get into the user n30 that we found on the first page we discovered.

We got into the user n30 and got the user flag.

We also see some code alongside a compiled Python file (.pyc).

I copy the code to /var/www/html and then download the file.

After decompiling the .pyc file using uncompyle6, we can get the content of the file.

By modifying the file, we can get a string which is the password for the n30 user.

Privilege Escalation

Logging back in as n30, we can run sudo -l and supply the password we got, and we will get this:

We can see it is the SUID vulnerability.

By typing sudo /bin/bash:

We got root! Navigate to /root to get root.txt.
