Step 1 command = netdiscover -r 192.168.1.0/24
Use this to find all the ip/hosts near you. Here the ip of target machine is 192.168.1.42
Step 2 Use command = nmap -A -sV -p- 192.168.1.42 for aggressive scan
Step 3 We can clearly see that 3 ports are open with some websites running on port 80 and 443. Moreover https service has ssl certificate under organization name weakness.jth. So let’s first open the port 80 service with command = http://192.168.1.42/ and https://192.168.1.42/
However, both the websites are the same and not much helpful nor the page source. So let’s check the ssl certificate which we saw in nmap scan. We see that the organization name is weakness.jth and one email is given too.
Now let’s try to resolve our IP to this domain. So let’s add the dns of website to /etc/hosts with command = “echo “192.168.1.42 weakness.jth” >> /etc/hosts”
Step 4 now let’s open this website on the browser with command = http://weakness.jth/. We see the following web page is opened. And there is a hint to follow the rabbit and some string is written i.e n30.
Now we are again stuck here wondering what we need to do further. So let’s start with doing dirb on all the websites we found using following commands
Now the dirb results of the first two commands show the same directories.
.1.42/uploads/ gives the same webpage which further directs us to the index page of the website.
But http://192.168.1.42/test/ give us a new hint that we will need lots of keys. Lets keep this hint for future use .Page source of this also does not give us any useful information.
Step 5 now lets see the dirb result of http://weajness.jth
We can see the various directories and webpages found in the dirb result. On checking the http://weakness.jth/private/ we found that it contains 2 files one is a pub file which is some sort of public key and other is a text file, notes.txt which tells us that the ssh key was generated openssl 0.9.8c-1. We find the same thing in http://weakness.jth/private/files.
Step 6 Now let’s open the mykey.pub file and see what is in it. We see that this is a base64 encoded. And we also know that the public key was generated by OpenSSL 0.98c-1.
Now let’s try to crack this base64 hash using command = echo “<hash>” | base64 -d. However this approach is wrong as we get a non-readable text.
So let’s search for any exploit in kali using tool searchsploit for this public key using command = searchsploit openssl 0.9.8c-1. It gave us 3 search results. One is written in ruby and one is written in python. we used the “5622.txt” with the –m option as we will need different tools to read python or ruby files. We use –m to create a mirror or copy exploits into a local machine.
Now let’s read this file. We see various steps which tell us what we have to do further.
We see a link to Gitlab in the first step which tells us to download the list from there. A tar file will be downloaded. We need to extract this file using command = tar -xf and go to folder /rsa/2048, it contains a lot of public keys. Let’s try to search for our key in this folder using command = grep –r –l “Public key”. –r is used for recursive search and -l is used to display only those file names from the whole which matches the given pattern.
Step 7 we got the public key which matches the encoded base64 text. Now lets login to SSH using the public key and the username as n30 which we found before using command = Ssh –i 4161de56829de2fe64b9055711f531c1–2537 [email protected]. -i is used for the identity file i.e public key
We got access. Now lets do command = ls and see the directories/files the user has. It is seen that the user has code and user.txt. On opening user.txt using command = cat user.txt, we get some encoded data which is our user flag. Now we have to find the root flag. But first let’s see what the code is. We tried to do cd and cat commands but we got some gibberish data. Then We used command = file code to see that code is a python 2.7 byte-compiled file.
Step 8 as the code file is python 2.7 byte-compiled. So we need to decompile it first to read it. We can use any online decompiler or kali for it. But we need that file on our system first because we cant access this file from the target system. So the next step is how can we get this file on our system. We know that target has a server running and we can access it via 192.168.1.42. So let’s copy the code file into /var/www/html/ which is the default root folder of the web server using command = cp code /var/www/html.
Now lets download this file on our kali using the command = wget http://192.168.1.42/code.
Before decompiling it with an online decompiler, rename this file with extension .pyc as the online python-decompiler only takes input in .pyc format using command = mv code code.pyc. We used https://www.lddgo.net/en/string/pyc-compile-decompile to decomplie the python code file.
So after decompilation we can see from the code that the file is assigning a char value to some characters and then converting that into a sha256 hash.after copying each character we found that the first 3 characters are the username we used. That means al the next character will form the password for this user which is as follows:
Step 9 Now let’s try to gain root access. Following commands are used for this purpose:
This CTF walkthrough created by Nishtha Kumari