Monday, 13 June 2016

Fart Knocker challenge

Hello all,
Scanning phase

Hmmm, quite simple. I used an aggressive nmap scan of all ports. Apache 2.4.7 has no associated critical vulnerability, so we have to dig deeper with the penetration test.
The default web page

So, nothing special, but we can see "Hey Beavis". This part of the sentence may indicate that a Beavis user exists. We can also see a Wooah link. I clicked on the link, which opened the pcap1.pcap file. We can open the file using Wireshark.
Analyzing the pcap file, I figured out that the packet flow indicates port knocking with the sequence 7000, 8000, 9000. After knocking we should get port 8888 open. So let's try:
nmap -r -p7000,8000,9000 [IP]
We had to do this several times, and indeed we got the port open:

Very good. I tried connecting to port 8888 using netcat and got:

It is probably some kind of path on the web application. We were right:

We can download the second pcap file by clicking on the heheh...hehh.. link.
I examined the file and:

There is a phrase: eins drei drei sieben, which means 1, 3, 3, 7. So let's try knocking these ports. Bingo! I got the following result:

The /iamcornholio/ path serves us:

The secret string looks like base64 encoding. Indeed, it is "Open up SSH: 8888 9999 7777 6666" encoded in base64.
So, let's run port knocking again:
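All three stages of this box (7000,8000,9000 opening 8888; 1,3,3,7; and 8888 9999 7777 6666 opening SSH) rely on the same mechanism, so here is a small added illustration of it, not code from the post or from the VM: a per-source knock state machine of the kind a knockd-style daemon keeps, fed from constructed iptables-style LOG lines. It shows why order matters (the reason for nmap's -r, which scans the listed ports sequentially instead of in random order) and what the knock pattern looks like to a defender reading firewall logs. The log lines, addresses and the restart-on-first-port rule are my assumptions; real knockd has its own timing and reset semantics.

```python
import re

# Constructed iptables LOG-style lines (not from the post). The first source
# knocks 7000, 8000, 9000 in order; the second hits the same ports out of order.
SAMPLE_LOG = """\
kernel: KNOCK IN=eth0 SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40001 DPT=7000 SYN
kernel: KNOCK IN=eth0 SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40002 DPT=8000 SYN
kernel: KNOCK IN=eth0 SRC=192.168.56.101 DST=192.168.56.102 PROTO=TCP SPT=40003 DPT=9000 SYN
kernel: KNOCK IN=eth0 SRC=192.168.56.103 DST=192.168.56.102 PROTO=TCP SPT=40004 DPT=9000 SYN
kernel: KNOCK IN=eth0 SRC=192.168.56.103 DST=192.168.56.102 PROTO=TCP SPT=40005 DPT=7000 SYN
kernel: KNOCK IN=eth0 SRC=192.168.56.103 DST=192.168.56.102 PROTO=TCP SPT=40006 DPT=8000 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_knocks(log_text):
    """Yield (source_ip, destination_port) for every LOG line that carries both."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dpt"))


class KnockTracker:
    """Per-source state machine: the full sequence, in order, opens the guarded port.

    Simplified model (assumption, not knockd's exact behaviour): a knock on the
    wrong port drops the source back to the start, except that a knock on the
    sequence's first port counts as a fresh attempt.
    """

    def __init__(self, sequence, guarded_port):
        self.sequence = list(sequence)
        self.guarded_port = guarded_port
        self.progress = {}      # src -> number of knocks matched so far
        self.allowed = set()    # sources for which guarded_port is open

    def observe(self, src, port):
        idx = self.progress.get(src, 0)
        if port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.allowed.add(src)   # sequence complete: open the port
                idx = 0
        else:
            idx = 1 if port == self.sequence[0] else 0
        self.progress[src] = idx
        return src in self.allowed

    def is_open(self, src):
        return src in self.allowed


def replay(sequence, guarded_port, knocks):
    """Feed (src, port) pairs through a fresh tracker and return it for inspection."""
    tracker = KnockTracker(sequence, guarded_port)
    for src, port in knocks:
        tracker.observe(src, port)
    return tracker


if __name__ == "__main__":
    t = replay([7000, 8000, 9000], 8888, parse_knocks(SAMPLE_LOG))
    print("192.168.56.101 opened 8888:", t.is_open("192.168.56.101"))  # True
    print("192.168.56.103 opened 8888:", t.is_open("192.168.56.103"))  # False, wrong order
```

From the defensive side, the same parser over real firewall logs is enough to flag a host that touches a closed-port sequence like this: three SYNs to three closed ports from one source within a few seconds, followed by a connection to a port that was closed a moment earlier, is a distinctive pattern.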

Excellent! But nothing special without credentials, huh?

Great! We have also obtained credentials from the SSH banner. Let's try logging in with these credentials:

Wow, surprise! We should try harder.
Very good! I displayed the OS version: Ubuntu 14.04. So I know that ofs is a very effective exploit to obtain root privileges.
Game over!


So, this challenge actually teaches us port knocking. I think that knowledge of port knocking and basic pentesting skills are enough to solve the challenge.