SynerG.exe
Kill Streak Master
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
400 XP
Today we are going to solve another CTF challenge “W34kn3ss 1”. Briefing about the lab, the matrix is controlling this machine, neo is trying to escape from it and take back the control on it, your goal is to help neo to gain access as a “root” to this machine, through this machine you will need to perform a hard enumeration on the target and understand what is the main idea of it, and exploit every possible “weakness” that you can found, also you will be facing some up normalbehaviorsduring exploiting this machine. You need to think out of the box and collect all the puzzle pieces in order to get the job done. This vulnerable can be downloaded from here.
Difficulty: Intermediate
Penetrating Methodologies
Walkthrough
Let’s start off with discovering the IP address of our Target Machine.
Then we’ll continue with our nmap command to find out the open ports and services. The nmap scan result gave us quite a bit of useful information which could be useful later on.
Since port 80 is open, we explored the Targets IP Address on the browser.
We didn’t found anything on the webpage, so we use dirb to enumerate the directories on the web server.
After spending a good time while enumerating through these directories, we finally found a useful directory that quite gave us hint to move forward. The picture is indicatingthat we require lots of keys in this Machine.
A thoughtcomesin our head of adding weakness.jth as a domain name inthe/etc/hosts file. We found the name weakness.jth in our nmap result under port 443.
Let’s just browse weakness.jth on the browser and the result gave a useful credential n30 that come in handy later on.
Let’s again use dirb to enumerate the directories on weakness.jth. You never know what clue it might give us.
As expected it gave us another useful directory as highlighted.
While browsing this directory on the browser it showed two files mykey.pub which is a public key and notes.txt. Let’s download them on our system.
When we opened notes.txt on the browser it gave us a clue about OpenSSL 0.98c-1 and that the public key we found was generated by it.
Then we look for it using searchsploit. The exploit we have used is highlighted, after that, we have copied the exploit 5622 in the /root directory and read the contents in it.
After reading all the contents of the file, it got cleared on how to use this tool. Since there isa GitHublink from where we have to download this tool and follow further instruction given.Basically, this tool will help us in cracking the public key.
When we read the contents of the public key found earlier, it came out to be base-64 encoded SSH public key.
After downloading the tool from theGitHublink. We have used that tool to decode the base-64 encoded public key and we got success in doing it. The decoded key is highlighted.
It’s time to log into SSH using the public key and the username as n30.
On enumerating the directories, we found two files code and user.txt. Let’s read the contents of user.txt.
When we checked the file type of code, it came out to be a python compiled file. Let’s copy it to /var/www/html by this we can download this file on our system.
We havedownloadedthe file on our system and moved it into code.pycbecause it’s a python compiled file and online python-decompiler only takes input in .pyc format. That way we can easily decompile this file.
Ondecompiling, the file using online python-decompiler gave us very useful credential i.e
It a little to figure out it.
Let’s check if n30 has security privileges. So when we did check it asked fora password, here we have given the password found earlier from decompiling.
Booyah!! We have got the root access. Time to read the contents of our final flag.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here
Difficulty: Intermediate
Penetrating Methodologies
- Machine discovery and scanning (netdiscover, nmap)
- Surfing HTTP service port (80)
- Directory enumeration using dirbuster
- Exploring directories on the browser.
- Adding domain name to /etc/hosts file.
- Exploring domain name onthe browser.
- Directory enumeration using dirbuster
- Exploring directories on the browser.
- Searchingexploitsusing searchsploit.
- Cracking base-64 encoded public key.
- Logging into SSH usingthe publickey.
- Using online python-decompiler.
- Getting root access.
- Snagging the Root flag.
Walkthrough
Let’s start off with discovering the IP address of our Target Machine.
Code:
netdiscoverThen we’ll continue with our nmap command to find out the open ports and services. The nmap scan result gave us quite a bit of useful information which could be useful later on.
Code:
nmap -p- -A 192.168.1.101Since port 80 is open, we explored the Targets IP Address on the browser.
We didn’t found anything on the webpage, so we use dirb to enumerate the directories on the web server.
Code:
dirb http://192.168.1.101/After spending a good time while enumerating through these directories, we finally found a useful directory that quite gave us hint to move forward. The picture is indicatingthat we require lots of keys in this Machine.
A thoughtcomesin our head of adding weakness.jth as a domain name inthe/etc/hosts file. We found the name weakness.jth in our nmap result under port 443.
Code:
nano /etc/hostsLet’s just browse weakness.jth on the browser and the result gave a useful credential n30 that come in handy later on.
Let’s again use dirb to enumerate the directories on weakness.jth. You never know what clue it might give us.
Code:
dirb http://weakness.jthAs expected it gave us another useful directory as highlighted.
While browsing this directory on the browser it showed two files mykey.pub which is a public key and notes.txt. Let’s download them on our system.
When we opened notes.txt on the browser it gave us a clue about OpenSSL 0.98c-1 and that the public key we found was generated by it.
Then we look for it using searchsploit. The exploit we have used is highlighted, after that, we have copied the exploit 5622 in the /root directory and read the contents in it.
Code:
searchsploit -m 5622
cat 5622.txtAfter reading all the contents of the file, it got cleared on how to use this tool. Since there isa GitHublink from where we have to download this tool and follow further instruction given.Basically, this tool will help us in cracking the public key.
When we read the contents of the public key found earlier, it came out to be base-64 encoded SSH public key.
Code:
cat mykey.pubAfter downloading the tool from theGitHublink. We have used that tool to decode the base-64 encoded public key and we got success in doing it. The decoded key is highlighted.
It’s time to log into SSH using the public key and the username as n30.
Code:
ssh -i 4161de56829de2fe64b9055711f531c1-2537 [email protected]On enumerating the directories, we found two files code and user.txt. Let’s read the contents of user.txt.
Code:
cat user.txtWhen we checked the file type of code, it came out to be a python compiled file. Let’s copy it to /var/www/html by this we can download this file on our system.
Code:
file code
cp code /var/www/htmlWe havedownloadedthe file on our system and moved it into code.pycbecause it’s a python compiled file and online python-decompiler only takes input in .pyc format. That way we can easily decompile this file.
Ondecompiling, the file using online python-decompiler gave us very useful credential i.e
Code:
Username- n30
Password- dMASDNB!!#B!#!#33It a little to figure out it.
Let’s check if n30 has security privileges. So when we did check it asked fora password, here we have given the password found earlier from decompiling.
Code:
sudo -lBooyah!! We have got the root access. Time to read the contents of our final flag.
Code:
sudo -i
ls
cat root.txtAuthor: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here