CTF-Writeups/VulnHub/Fart_Knocker.md
2021-01-17 07:28:32 +05:00

VulnHub-Fart Knocker

NMAP

Nmap scan report for Huhuhhhhhuhuhhh (192.168.43.108)
Host is up (0.00012s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:35:8B:64 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.30 seconds

PORT 80

On visiting the web page we find a link named Wooah. Clicking it prompts us to save or open a pcap file, which is a packet capture that Wireshark can analyze.

From the packets we can see that an IP was trying to connect to a sequence of ports: 7000, 8000, 9000, 800. This looks like a port knocking scenario: you connect to a number of closed ports in a specific order, and the server then opens an otherwise hidden port for you to connect to.
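The pattern spotted in Wireshark above (one source sending SYNs to several closed ports in quick succession, then getting an answer on a new port) can be picked out of a capture automatically. The following is an added example, not part of the original write-up; the packet records are constructed by hand to mirror what the capture showed, and the client addresses 192.168.43.50 and 192.168.43.77 are made up (only the target 192.168.43.108 comes from the scan).

```python
from collections import defaultdict

# Constructed records in the shape Wireshark's packet list shows:
# (time_s, src_ip, dst_ip, server_port, tcp_flags)
# server_port is always the port on the target side, so for a SYN/ACK
# sent by the target it is the target's source port.
# "S" = SYN only (connection attempt), "SA" = SYN/ACK (port was open).
SAMPLE_PACKETS = [
    (0.00, "192.168.43.50",  "192.168.43.108", 80,   "S"),
    (0.01, "192.168.43.108", "192.168.43.50",  80,   "SA"),
    (1.00, "192.168.43.50",  "192.168.43.108", 7000, "S"),   # knock 1
    (1.20, "192.168.43.50",  "192.168.43.108", 8000, "S"),   # knock 2
    (1.40, "192.168.43.50",  "192.168.43.108", 9000, "S"),   # knock 3
    (1.60, "192.168.43.50",  "192.168.43.108", 800,  "S"),   # knock 4
    (2.00, "192.168.43.50",  "192.168.43.108", 8888, "S"),
    (2.01, "192.168.43.108", "192.168.43.50",  8888, "SA"),  # hidden port answered
    (5.00, "192.168.43.77",  "192.168.43.108", 80,   "S"),   # unrelated client
]


def find_knock_sequences(packets, target, window=3.0, min_len=3):
    """Return {client_ip: [[port, ...], ...]} for every client whose
    unanswered SYNs to `target` form runs of at least `min_len` knocks,
    each knock arriving within `window` seconds of the previous one.
    A SYN counts as unanswered if the target never sent a SYN/ACK back
    to that client from the same port, i.e. the port was closed."""
    answered = {(dst, port) for _, src, dst, port, flags in packets
                if src == target and flags == "SA"}
    syns = defaultdict(list)
    for t, src, dst, port, flags in packets:
        if dst == target and flags == "S" and (src, port) not in answered:
            syns[src].append((t, port))
    found = {}
    for client, events in syns.items():
        events.sort()
        runs, run = [], [events[0]]
        for ev in events[1:]:
            if ev[0] - run[-1][0] <= window:   # still inside the knock window
                run.append(ev)
            else:
                runs.append(run)
                run = [ev]
        runs.append(run)
        seqs = [[port for _, port in r] for r in runs if len(r) >= min_len]
        if seqs:
            found[client] = seqs
    return found


if __name__ == "__main__":
    print(find_knock_sequences(SAMPLE_PACKETS, "192.168.43.108"))
```

The SYN to 8888 is excluded because the target answered it, so only the four knocks to closed ports remain as the candidate sequence.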

Port Knocking

We can either use a for loop or netcat to connect to each port in the sequence, but the knock command makes port knocking easier.

After port knocking, we run the nmap scan again immediately after the knock command.

We can see that port 8888 is open, but within seconds it closes again because of its timeout configuration, so run the knock command again and connect to this port using netcat or telnet.

Visiting the page we get

We again get a prompt to open or save a pcap file; let's do that and open it with Wireshark.

We can see these packets here, so let's follow the TCP stream of these packets.

Following it gives this message:

eins drei drei sieben

This is German and translates to 1 3 3 7, which is the next port knock sequence.

Connecting to that port gives us another page.

The heading gives us a hint that base

Looks like another port that needs to be knocked.

Connecting over SSH with any username shows the SSH banner, which contains a username and password.

But SSH kept closing when we logged in with the correct creds; by passing the command /bin/bash I was able to get onto the box.

I tried to stabilize the shell, but bash would not spawn in any way.

So, skipping shell stabilization, let's enumerate the box with linpeas; I used netcat to transfer the file.

It immediately pointed out that the box is running an older Linux kernel version, so we can look it up on exploit-db for any available exploit.

This is the most common Linux kernel exploit, which I have seen in a lot of vulnerable machines.

Make sure to convert it into DOS format, because that is usually the error that occurs when running the binary; transfer the file to the machine, compile it, then run it.