Hopefully, everything is ok :) When I created my blog site, I promised myself to write a post once a month. May's blog post is a walkthrough of the Knock Knock machine on TryHackMe. The aim of this machine is to teach you what port knocking is. I won't explain it here; there is a good article on it here, and you can learn the basics in a few minutes.
As you know, we always start with an nmap scan.
nmap -sV -sC -T4 <your-machine-ip>
Only one port is open: http (80).
When we go to the web site, there is a download link for a file with the pcap extension, a capture file created by Wireshark.
Analyzing the first pcap file with Wireshark:
Source IP: 192.168.56.102 and destination IP: 192.168.56.101, referring to the first ICMP packet.
Let's filter the TCP packets and determine which ports are knocked by the client. Looking at the TCP packets, the client knocks ports 7000, 8000, 9000, 7000, 8000, 9000 in sequence, then sends a request to port 8888.
We can knock those ports with the knock script and get the secret message. /burgerworld/ is the secret directory.
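The port-sequence extraction described above, as an added Python example that is not part of the original post: it builds a small constructed pcap using the post's two addresses and knock sequence, then parses it to recover, in capture order, every port the client sent a bare SYN to and which of those ports the server actually answered with a SYN-ACK.

```python
import struct
# Constructed sample: the knock sequence from the post, then the real connection
# to 8888.  Addresses are the ones named in the walkthrough.
CLIENT, SERVER = "192.168.56.102", "192.168.56.101"
KNOCKS = [7000, 8000, 9000, 7000, 8000, 9000]

def ipv4(addr):
    return bytes(int(o) for o in addr.split("."))

def tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                    # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipv4(src), ipv4(dst))
    return eth + ip + tcp

def build_pcap(frames):
    """Little-endian pcap: 24-byte global header (linktype 1 = Ethernet), then records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def syn_sequence(pcap, client):
    """Ports hit by every bare SYN from `client`, in capture order, plus the set of
    ports the server answered with SYN-ACK.  Knocks on closed ports only draw an RST."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off, knocks, opened = 24, [], set()
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # keep IPv4/TCP only
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]                        # skip IP options, if any
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags, src = tcp[13], ".".join(str(b) for b in ip[12:16])
        if src == client and flags & 0x12 == 0x02:           # SYN without ACK
            knocks.append(dport)
        elif src != client and flags & 0x12 == 0x12:         # SYN-ACK from server
            opened.add(sport)
    return knocks, opened

def sample_capture():
    frames = [tcp_frame(CLIENT, SERVER, 40000 + i, p, 0x02) for i, p in enumerate(KNOCKS)]
    frames.append(tcp_frame(CLIENT, SERVER, 40100, 8888, 0x02))   # real connection
    frames.append(tcp_frame(SERVER, CLIENT, 8888, 40100, 0x12))   # server's SYN-ACK
    return build_pcap(frames)
```

The same parser works on a real capture read with `open(path, "rb").read()`; the last port in the returned list that also appears in the opened set is the service the knock sequence unlocked.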
$ ./knock <your-machine-ip> 7000 8000 9000 7000 8000 9000 && telnet <your-machine-ip> 8888
When we go to the secret directory, a download link for the second pcap file greets us.
Let's examine the second pcap file. First, I looked at the knocked ports, but it didn't work. After that, I realized that two TCP packets have over 2000 bytes in total. The response packet has readable ASCII characters, and I followed the TCP stream by right-clicking the packet. We can see an interesting message: CAN YOU UNDERSTAND MY MESSAGE? - eins drei drei seiben
"eins drei drei seiben" is German. It translates to 1337. Honestly, it took me more than two hours to get the secret message. Also, I got help. We can use the following command to get the secret message.
$ ./knock <your-machine-ip> 1 3 3 7 && telnet <your-machine-ip> 1337
The second secret message is a directory:
When we go to the second secret directory, a Base64-encoded message greets us :) Decoded, the plain text is: Open up SSH: 8888 9999 7777 6666
We knock with the following command,
$ ./knock <your-machine-ip> 8888 9999 7777 6666 && ssh <your-machine-ip>
and get the SSH credentials.
We can log in with SSH. However, we cannot get a shell directly. After a bit of searching, I found this solution and tried the following command to get a shell properly.
$ ssh butthead@<your-machine-ip> /bin/sh
Unfortunately, our shell doesn't have a tty. We can run the following command to get a tty shell. You can also find more information on shell spawning.
I examined crontab, SUID files, sudo -l, and uname -a (kernel version) for privilege escalation on the system and found the 'overlayfs' local privilege escalation for that kernel version.
If we can compile and run the exploit, we will get root access on the victim machine.
That's all. See you in the next blog post. Take care :)