Scanning phase
Hmmm, quite simple. I used an nmap scan in aggressive mode on all ports. Apache 2.4.7 has no associated critical vulnerability, so we have to take the penetration test deeper.
The default web page
So, nothing special, but we can see "Hey Beavis". This part of the sentence may indicate that a Beavis user exists. We can also see a Wooah link. I clicked on the link and this opened the pcap1.pcap file. We can open the file using Wireshark.
Analyzing the pcap file, I figured out that the packet flow indicates port knocking with the sequence 7000, 8000, 9000. After knocking we should get port 8888 open. So let's try:
nmap -r -p7000,8000,9000 [IP]
We have to do this several times, and indeed we have got the port open.
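The defender's counterpart to the knock above is spotting the sequence in firewall logs. The following is an added example, not code from the original write-up: it parses iptables-style DROP lines (the sample lines are constructed, as are the 10.0.0.x addresses and timestamps), tracks each source's progress through a knock sequence, and reports sources that complete it in order within a short time window. The same function can be run with the 1,3,3,7 and 8888 9999 7777 6666 sequences that appear later in the walkthrough.

```python
"""Detect completed port-knocking sequences in iptables-style log lines.

Added example for this walkthrough, not part of the original post.
Log lines, addresses and timestamps below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "<ISO timestamp> ... SRC=<ip> ... DPT=<port>" (a typical LOG target line)
LOG_RE = re.compile(r"^(?P<ts>\S+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

# Constructed sample: 10.0.0.5 knocks 7000,8000,9000 in order;
# 10.0.0.7 hits the ports out of order; 10.0.0.9 is too slow.
SAMPLE_LOG = """\
2024-01-01T10:00:00 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=7000
2024-01-01T10:00:00 kernel: DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP DPT=7000
2024-01-01T10:00:01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=8000
2024-01-01T10:00:02 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=9000
2024-01-01T10:00:03 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP DPT=7000
2024-01-01T10:00:04 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP DPT=9000
2024-01-01T10:00:05 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP DPT=8000
2024-01-01T10:00:30 kernel: DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP DPT=8000
2024-01-01T10:00:31 kernel: DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP DPT=9000
""".splitlines()


def parse_line(line):
    """Return (timestamp, source_ip, dest_port) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), int(m.group("dpt"))


def find_knocks(lines, sequence, window_seconds=10):
    """Return [(src, completion_timestamp)] for every source that hits
    `sequence` in order, with the whole sequence inside `window_seconds`."""
    # src -> (index of next expected port, timestamp of the first knock)
    progress = defaultdict(lambda: (0, None))
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, start = progress[src]
        # Sequence took too long: forget the partial progress.
        if start is not None and ts - start > timedelta(seconds=window_seconds):
            idx, start = 0, None
        if dpt == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):
                hits.append((src, ts))
                idx, start = 0, None
        elif dpt == sequence[0]:
            # Wrong port, but it is the first knock port: start over from here.
            idx, start = 1, ts
        else:
            # Any other port breaks the sequence.
            idx, start = 0, None
        progress[src] = (idx, start)
    return hits


if __name__ == "__main__":
    for src, when in find_knocks(SAMPLE_LOG, [7000, 8000, 9000]):
        print(f"knock sequence completed by {src} at {when.isoformat()}")
```

Only 10.0.0.5 is reported: the out-of-order source and the source that exceeds the window are both discarded. In a real deployment the same logic would be fed from the firewall's LOG target or from knockd's own log, and the completing source compared against the hosts that are expected to open the knock-protected port.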
Very good. I tried connecting to port 8888 using netcat and got:
It is probably some kind of path in the web application. We were right.
We can download the second pcap file by clicking on the heheh...hehh.. link.
I have examined the file and:
There is a phrase: eins drei drei sieben, which means 1, 3, 3, 7. So let's try knocking on these ports. Bingo! I got the following result:
The /iamcornholio/ page serves us:
The secrecy string looks like base64 encoding. Indeed, it is "Open up SSH: 8888 9999 7777 6666" encoded in base64.
So, let's run port knocking again:
Excellent! But nothing special without credentials, huh?
Great! We have also obtained credentials from the SSH banner. Let's try logging in using these credentials.
Wow, surprise! We should try harder.
Very good! I displayed the OS version: Ubuntu 14.04. So I know that ofs is a very effective exploit for obtaining root privileges.
Game over!
Summary
So, this challenge actually teaches us port knocking. I think that knowledge of port knocking and basic pentesting skills are enough to solve the challenge.