W34kn3ss: 1

[ vulnhub  ctf  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/w34kn3ss-1,270/

Walkthrough

nmap

default 80, nothing

default 443, nothing

dirb on 80 reveals some folders; blog, uploads and test

test is the only one that has some info, we need keys

looking at cert of 443, we get a username n30 and a hostname

update hosts file

browsing to 80 with hostname we know we’re on the right path

dirb on hostname reveals a new directory, private

browsing to directory we have two files

first is a public key

second is a note stating the keys were created on an earlier version of OpenSSH

quick google and we find edb 5720 and brute forcing predictable keys

copy the exploit over and download/uncompress keys

running the exploit, after some time, we find a key
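
The defender-side check for the weakness this step relies on, as an added example that is not part of the original walkthrough: audit `authorized_keys` entries against a list of known-weak key fingerprints. The key lines and the blocklist below are constructed sample data, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # key types this sample audit looks for


def make_sample_line(seed: bytes, comment: str) -> str:
    """Build a well-formed ssh-rsa line from constructed bytes (not a real key)."""
    def field(data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + data  # SSH length-prefixed field
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def md5_fingerprint(line: str):
    """Hex MD5 of the key blob on one authorized_keys line, or None."""
    fields = line.split()
    for i, token in enumerate(fields[:-1]):
        if token not in KEY_TYPES:
            continue  # leading options field or other text
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # key type name not followed by a valid blob
        return hashlib.md5(blob).hexdigest()
    return None


def audit(authorized_keys: str, weak_fingerprints: set) -> list:
    """Return (line_number, fingerprint) for each entry on the weak-key list."""
    hits = []
    for number, line in enumerate(authorized_keys.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fingerprint = md5_fingerprint(line)
        if fingerprint in weak_fingerprints:
            hits.append((number, fingerprint))
    return hits


# Constructed input: one ordinary entry, one entry whose key is on the blocklist.
WEAK_LINE = make_sample_line(b"constructed-weak", "user-a@example")
GOOD_LINE = make_sample_line(b"constructed-good", "user-b@example")
SAMPLE_FILE = f'# constructed file\n{GOOD_LINE}\nno-pty,command="/bin/true" {WEAK_LINE}\n'
# Constructed blocklist; a real audit would load a published weak-key list instead.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_LINE)}

if __name__ == "__main__":
    print(audit(SAMPLE_FILE, WEAK_FINGERPRINTS))
```

Any entry the audit flags should be removed and the key pair regenerated on a patched system, since the private half can be recovered from the public key alone.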

get shell as n30

compiled Python code in the home dir states it has hardcoded creds

copy to web dir and download

using uncompyle2 we find the creds

with that it’s a quick sudo to root

Written on April 21, 2019