Monday 13 June 2016

Fart Knocker challenge

Hello all,
Scanning phase

Hmmm, quite simple. I used an nmap scan in aggressive mode across all ports. Apache 2.4.7 has no associated critical vulnerability, so we have to take the penetration test deeper.
The default web page

So, nothing special, but we can see "Hey Beavis". This part of the sentence may indicate that a Beavis user exists. We can also see a Wooah link. Clicking on the link opens the pcap1.pcap file, which we can open in Wireshark.
Analyzing the pcap file, I figured out that the packet flow indicates port knocking with the sequence 7000, 8000, 9000. After knocking, port 8888 should open. So let's try:
nmap -r -p7000,8000,9000 [IP]
We have to do this several times, and indeed the port opens.

Very good. I tried connecting to port 8888 using netcat and got:

It is probably some kind of path in the web application. We were right:

We can download the second pcap file by clicking on the heheh...hehh.. link.
I have examined the file and

There is a phrase: eins drei drei sieben, which means 1, 3, 3, 7. So let's try knocking these ports. Bingo! I got the following result:

The /iamcornholio/ path serves us:

The secrecy string looks like base64 encoding. Indeed, it is "Open up SSH: 8888 9999 7777 6666" encoded in base64.
So, let's run port knocking again:
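As an added example that is not part of the original post, the two analysis steps done by hand above (reading the knock sequence out of a pcap, and decoding the base64 instruction) written as a small Python script. The packet list is constructed, with made-up hosts and timings, in the shape of a Wireshark summary; the same pattern of a burst of unanswered SYNs followed by a completed handshake is what a defender would hunt for when reviewing traffic for knock sequences.

```python
import base64
import re
from collections import defaultdict

# Constructed sample, not taken from the post's pcaps: client-to-server TCP
# packets as read off a Wireshark summary, as (time, src, dst_port, flags).
# The three knocks are SYNs that never get a handshake; 8888 then opens.
PACKETS = [
    (0.00, "10.0.0.5", 7000, "S"),
    (0.02, "10.0.0.5", 8000, "S"),
    (0.04, "10.0.0.5", 9000, "S"),
    (0.90, "10.0.0.5", 8888, "S"),
    (0.91, "10.0.0.5", 8888, "A"),    # third step of the handshake: port is open
    (0.95, "10.0.0.5", 8888, "PA"),
    (5.00, "10.0.0.7", 80, "S"),      # unrelated single probe from another host
]

def find_knock_sequence(packets, window=2.0):
    """Return (src, knock_ports, opened_port) for the first host whose burst of
    unanswered SYNs is followed by a completed handshake, else None.
    A knock is a SYN to a port this host never completes a handshake with;
    a gap longer than `window` seconds starts a new candidate sequence."""
    by_src = defaultdict(list)
    for t, src, dport, flags in sorted(packets):
        by_src[src].append((t, dport, flags))
    for src, pkts in by_src.items():
        completed = {p for _, p, f in pkts if "A" in f}   # ports with an ACK
        knocks, last_t = [], None
        for t, port, flags in pkts:
            if flags == "S" and port not in completed:
                if last_t is not None and t - last_t > window:
                    knocks = []          # too slow to be one sequence
                knocks.append(port)
                last_t = t
            elif "A" in flags and knocks:
                return src, knocks, port  # first handshake after the knocks
    return None

def parse_knock_instruction(b64):
    """Decode a base64 'Open up <service>: p1 p2 ...' string into its parts."""
    text = base64.b64decode(b64, validate=True).decode("ascii").strip()
    m = re.fullmatch(r"Open up (\S+?):\s*((?:\d{1,5}\s*)+)", text)
    if m is None:
        raise ValueError(f"unrecognised instruction: {text!r}")
    ports = [int(p) for p in m.group(2).split()]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return m.group(1), ports
```

On the sample packets the function returns the host, the knock list [7000, 8000, 9000] and 8888 as the port that opened; the base64 string in the test below is the encoding of the plaintext the post quotes.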

Excellent! But nothing special without credentials, huh?

Great! We have also obtained credentials from the SSH banner. Let's try logging in with them:

Wow, surprise! We should try harder.

Very good! I displayed the OS version: Ubuntu 14.04. So I know that ofs is a very effective exploit for obtaining root privileges.
Game over!

Summary

So, this challenge actually teaches us port knocking. I think that knowledge of port knocking and basic pentesting skills is enough to solve the challenge.