VulnHub – TopHatSec – FartKnocker – Vulnerable Distribution

It’s been a little while since I posted, so I figured I would do a write-up of completing the TopHatSec – FartKnocker vulnerable distro (VulnHub) today.

This was a relatively easy challenge, but it was really fun, using some of my IR analyst skills to analyze pcaps and so on. I would rate this as a very easy/beginner-level challenge, but fun nonetheless.

(– SPOILER ALERT –)(– SPOILER ALERT –)(– SPOILER ALERT –)(– SPOILER ALERT –)(– SPOILER ALERT –)

— SETUP —

First, about my setup. I generally try to convert all these challenges over to qemu, so I can run them on my Linux virtual setup.

To do this, I ran the following commands:

1) Extract .ova file: tar xvf FartKnocker.ova

2) Convert .vmdk to qcow2:  qemu-img convert FartKnocker-disk1.vmdk -O qcow2 FartKnocker.qcow2

3) Import qcow2 image into virt-manager, and “start” image.

4) Profit. . .  (oh wait)

— Walkthrough —

I begin by scanning the machine using nmap (or zenmap):

SS-FK011

I can confirm that only port 80 is open right now. Also, a fair amount of deduction here, but this is going to be a port-knocking challenge, hence (part of) the name of the challenge.

Open up port 80 in the browser:

SS-FK012

I reviewed the HTML page, and all it contains is some text and a pcap file for download (pcap1.pcap).

Download that pcap, and open it up in Wireshark:

SS-FK016

Looking at the communication going on, I’m assuming that this machine is 192.168.56.101, and a client machine is 192.168.56.102.

So, I see the client machine attempting to connect over TCP ports 7000, 8000, and 9000. After the client attempts those 3 connections and gets rejected, it then connects to TCP port 8888 on the server (so the pcap says). We looked earlier and saw that that port wasn’t open. So, we’ll attempt to knock on those ports and see if that opens it up.

SS-FK017

It surely does, and we connect to TCP port 8888 to see what is going on.

SS-FK045

It simply states /burgerworld/, so I’m going to assume that is just a sub-directory off of the HTML page.

SS-FK015

And it is simply some more text and a download link for pcap2.pcap. I’ll go ahead and download that file and open it up in Wireshark.

SS-FK016

Looking at this packet capture in Wireshark, I see similar communication going on as in our first packet capture, with some small changes to the knocking. It appears that this knocking pattern is: TCP 21, UDP 22 (and maybe TCP 80). So once again, we complete this knocking pattern, and then port 8080 becomes available on the host.
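As an added example (my own code, not part of the original write-up or the challenge), here is a small Python script that pulls a knock sequence out of captured frames the way I did by eye in Wireshark for both pcaps: it keeps only the client's TCP SYNs and UDP datagrams aimed at the server, so what is left is the knock pattern followed by the port that finally opened. The frames are constructed inline to model the two captures rather than read from the real pcap files.

```python
import socket
import struct

def build_frame(src_ip, dst_ip, proto, sport, dport, flags=0x02):
    """Construct a minimal Ethernet/IPv4 frame carrying a TCP segment or UDP
    datagram. Constructed test data only: checksums are left as zero."""
    if proto == "tcp":
        # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        ip_proto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # sport, dport, length, csum
        ip_proto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4  # zeroed MACs, EtherType IPv4

def knock_sequence(frames, server_ip):
    """Return the ordered (proto, dst_port) list of connection attempts aimed at
    server_ip: TCP SYNs without ACK, plus every UDP datagram. Replies and
    established-connection traffic are dropped, leaving the knock pattern."""
    seq = []
    for f in frames:
        if f[12:14] != b"\x08\x00":  # EtherType is not IPv4
            continue
        ip = f[14:]
        ihl = (ip[0] & 0x0F) * 4
        if socket.inet_ntoa(ip[16:20]) != server_ip:
            continue
        l4 = ip[ihl:]
        dport = struct.unpack("!H", l4[2:4])[0]
        if ip[9] == 6:
            if l4[13] & 0x02 and not l4[13] & 0x10:  # SYN set, ACK clear
                seq.append(("tcp", dport))
        elif ip[9] == 17:
            seq.append(("udp", dport))
    return seq

SERVER, CLIENT = "192.168.56.101", "192.168.56.102"

# Constructed frames modelling the two captures from the walkthrough.
PCAP1 = [build_frame(CLIENT, SERVER, "tcp", 40000 + i, p)
         for i, p in enumerate((7000, 8000, 9000, 8888))]
PCAP1.append(build_frame(SERVER, CLIENT, "tcp", 8888, 40003, flags=0x12))  # SYN-ACK reply
PCAP2 = [build_frame(CLIENT, SERVER, "tcp", 40010, 21),
         build_frame(CLIENT, SERVER, "udp", 40011, 22),
         build_frame(CLIENT, SERVER, "tcp", 40012, 80),
         build_frame(CLIENT, SERVER, "tcp", 40013, 8080)]
```

The same filter run over a real capture (after stripping the pcap record headers) is a quick way to spot knock-style probing in traffic you are reviewing as an analyst.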

SS-FK018

SS-FK019

We then connect to port 8080, using the web browser, and we get the following:

SS-FK020

So, I did happen to take a year of German when I was in junior high, and I know eins drei drei sieben translates to “1337”. So, we are going to try knocking on some ports again.

SS-FK021

After doing this knocking, port 1337 became available on the machine, and once again, we connect via web browser:

SS-FK022

It points us towards the sub-directory /iamcornholio/.

SS-FK023

We get some more text, and a hash/encoded string below. Reading the text, “base” is mentioned, so I quickly assume base64 decoding will do the trick:

SS-FK024

And we do a little port knocking on 8888, 9999, 7777, and 6666 to see if that will open up SSH (TCP 22). And . . . it does. . .

SS-FK026

So, we’ll try connecting to the host via SSH:

SS-FK027

And we are given a username/password. Perfect. Once again, we’ll reconnect, this time using the given username/password:

SS-FK029

We connect, are given a message, and are disconnected. Well, this is no good; let’s see if we can fix that. We’ll look into the various login files to see what is disconnecting us.

SS-FK030

SS-FK031

And if you look carefully, you can see that we are getting logged out by the ‘exit’ command in .profile; I guess we’ll just have to fix that.

SS-FK032

I quickly commented out that line and then proceeded to log in. After a little browsing around, I found the only “un-hidden” file in the directory, nachos, and read it.

SS-FK034

Now off to collect information and see what we can find.

SS-FK035

SS-FK036

SS-FK037

SS-FK038

Found some interesting files lying around, like these in /var/www; they definitely appeared to be part of a challenge, but the developers decided not to go that route. We found the /spanishfly/ directory and a pcap, but it appears to be part of a challenge we’ve already completed.

SS-FK039

SS-FK040

This is the first part of this VulnHub/FartKnocker challenge I had some real difficulty with. We know we are after the password(s) for beavis/root, so it’s time to generate some password lists for these users. I go to their Wikipedia page and start adding various terms commonly associated with Beavis and Butt-head to a text file. After I collect all the details I find on the Wikipedia page, I use superkojiman‘s Python script (found here) to generate some potential passwords. Then I load up Hydra (THC-Hydra) to do some brute forcing.

SS-FK041

I successfully found Beavis’ password. I looked at various scripts in /home/beavis, but nothing seemed to be of real use or have a lot of value. Then I found the crown jewel.

SS-FK042

The user beavis has the ability to run sudo commands with no password prompting, so we’re essentially root at this point. There are hundreds of ways to get root from here, some very, very easy, others slightly more difficult. I chose the slightly more difficult path: I modified sshd_config, set root’s password, and just logged in as root to find the CTF flag.

SS-FK044

CTF Flag: SECRET = “LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK”