[Write-up]: Knock! Knock! Machine On TryHackMe

Hi there,
Hopefully everything is ok :) When I created my blog site, I promised myself to write one post a month. May's post is a walkthrough of the Knock Knock machine on TryHackMe. The aim of this machine is to teach you what port knocking is. I won't explain it myself; there is a good article here that lets you learn the basics in a few minutes.

Let’s start.

Nmap Scanning

As you know, we always start with an nmap scan.

nmap -sV -sC -T4 <your-machine-ip>

Just one port is open, which is http (80).

Nmap Result

When we go to the web site, there is a download link for a file with the pcap extension, which is a capture file created by Wireshark.

Web Site

Analyzing first pcap file

Analyzing the first pcap file with Wireshark:

  • Source IP: 192.168.56.102 and destination IP: 192.168.56.101, taken from the first ICMP packet.
    icmp packet

  • Let's filter the TCP packets and determine which ports the client knocks. Looking at the TCP packets, the client knocks ports 7000-8000-9000-7000-8000-9000 in sequence and then sends a request to port 8888.
    tcp packet

Now we can knock those ports with the knock script and get the secret message. /burgerworld/ is the secret directory.

$ ./knock <your-machine-ip> 7000 8000 9000 7000 8000 9000 && telnet <your-machine-ip> 8888

knock

Analyzing second pcap file

When we go to the secret directory, a download link for the second pcap file greets us.
Web site2

Let's examine the second pcap file. First I looked for knocked ports, but that didn't work. Then I noticed that two TCP packets have over 2000 bytes in total. The response packet contains readable ASCII characters, so I followed the TCP stream by right-clicking the packet. We can see an interesting message: CAN YOU UNDERSTAND MY MESSAGE? - eins drei drei seiben

Pcap2

"eins drei drei seiben" is German; it translates to 1337. Honestly, it took me more than two hours to get this secret message, and I also got help. We can use the following command to get the secret message.
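Both pcap steps above (spotting the knock sequence in the first capture, and pulling the readable text out of a TCP stream in the second) can be done without opening Wireshark. The following is an added example, not part of the original write-up or of the TryHackMe machine: a minimal libpcap parser that treats a client SYN that the server never answers with SYN/ACK as a knock, reports the knock order, and reassembles one direction of a stream. The capture bytes are constructed inline from the IPs and ports quoted in this post; the server payload is the message quoted above, embedded here only as sample data.

```python
import struct
from ipaddress import ip_address

SYN, ACK, PSH = 0x02, 0x10, 0x08


def _frame(src, dst, sport, dport, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left at zero, which is
    fine for offline parsing (this is constructed sample data, not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP record."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":      # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                       # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        src, dst = str(ip_address(ip[12:16])), str(ip_address(ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[doff:]


def knock_sequence(packets, client):
    """Ports the client sent bare SYNs to that the server never answered, in order.
    Ports that do get a SYN/ACK are real services, not knocks."""
    answered = {p[2] for p in packets if p[1] == client and (p[4] & (SYN | ACK)) == SYN | ACK}
    return [p[3] for p in packets
            if p[0] == client and (p[4] & (SYN | ACK)) == SYN and p[3] not in answered]


def stream_text(packets, src, dst, port):
    """Concatenate the payload of one direction of a conversation (Wireshark's
    'Follow TCP Stream', one side only) and decode it as ASCII."""
    return b"".join(p[5] for p in packets
                    if p[0] == src and p[1] == dst and p[2] == port).decode("ascii", "replace")


CLIENT, SERVER = "192.168.56.102", "192.168.56.101"   # addresses from the write-up


def sample_capture():
    """Constructed capture: six unanswered knocks, then a real connection to 8888."""
    frames = [_frame(CLIENT, SERVER, 40000 + i, port, SYN)
              for i, port in enumerate([7000, 8000, 9000, 7000, 8000, 9000])]
    frames += [
        _frame(CLIENT, SERVER, 40010, 8888, SYN),
        _frame(SERVER, CLIENT, 8888, 40010, SYN | ACK),
        _frame(CLIENT, SERVER, 40010, 8888, ACK),
        _frame(SERVER, CLIENT, 8888, 40010, PSH | ACK,
               b"CAN YOU UNDERSTAND MY MESSAGE? - eins drei drei seiben\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    pkts = list(parse_pcap(sample_capture()))
    print("knock sequence:", knock_sequence(pkts, CLIENT))
    print("server said:", stream_text(pkts, SERVER, CLIENT, 8888))
```

To run it against the machine's real captures, replace `sample_capture()` with `open("file.pcap", "rb").read()`; pcapng files (the newer Wireshark default) use a different container format and would need a different reader.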

$ ./knock <your-machine-ip> 1 3 3 7 && telnet <your-machine-ip> 1337

The second secret message is a directory:

Knocking2

When we go to the second secret directory, a Base64-encoded message greets us :) Decoded, the plain text is: Open up SSH: 8888 9999 7777 6666

webSite3

SSH Connection

We knock with the following command,

$ ./knock <your-machine-ip> 8888 9999 7777 6666 && ssh <your-machine-ip>

and get the ssh credentials.

ssh

We can log in with ssh. However, we don't get a shell directly. After a bit of searching, I found this solution and tried the following command to get a proper shell.

$ ssh butthead@<your-machine-ip> /bin/sh

Unfortunately, our shell doesn't have a tty. We can run the following command to get a tty shell. You can also find more information on shell spawning here.

/bin/sh -i

Privilege Escalation

For privilege escalation I examined the crontab, SUID files, the output of sudo -l, and uname -a (kernel version), and found an 'overlayfs' local privilege escalation matching the kernel version.

If we can compile and run the exploit, we get root access on the victim machine.

ssh

That’s all. See you next blog post. Take care :)