Thursday, 29 December 2016

Knock-Knock writeup


On the Vulnhub website we can find many virtual machines built to practise exploiting known bugs and using different tricks to penetrate systems and find security holes. Today I'm posting my solution for one of the machines I have liked most so far: Knock-Knock: 1.1

Description

[screenshot: the machine's description on Vulnhub]

Let's go!

First we identify the IP assigned to the virtual machine and perform a routine scan.
It seems we get no results, but the description gave us a clue: DHCP is not broken, and the name of the virtual machine suggests we have to play with ports. The first thing that comes to mind is "port knocking", so I start googling to refresh my memory.
    • Port Knocking
    • How to Use Port Knocking to Hide your SSH Daemon from Attackers
After a quick read, let's do a deeper scan, this time hitting
Perfect! Port 1337 is open; let's investigate it a little.
It gives us little information, no banner, but I find it curious to see three ports in the output. I'm going to hit them! The Spanish article on port knocking says: port knocking is a discreet method of opening ports; by default the firewall stays closed. It works by requiring connection attempts to a series of predefined closed ports. When the correct sequence of "knocks" (connection attempts) is received, the firewall then opens certain port(s). So I imagine that if we hit those three ports in the correct order, other ports will open to our IP and in theory we will see them with nmap. First we try them in the same order they appear, after closing telnet.
Ouch! No luck there. We will have to write a script that tries every possible order of knocks on those three ports, i.e. brute force it. We use the same tools as before: telnet and nmap.
Eureka!! Now the firewall shows us the ports open to our local IP address; let's see what is there..
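To make the mechanism concrete, here is an added example (not code from the original post or from the machine) of the server side: the matching logic a knock daemon runs to decide whether a series of connection attempts is the configured sequence. The port numbers, the time window and the knock traces are constructed for the example, since the post does not reproduce the machine's real sequence. It shows why order matters (a knock in the wrong position resets the match), why a sequence of only three distinct ports offers little protection (there are only six orderings, which is the weakness the post runs into), and the timeout between knocks that real knock daemons add.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed example of a knock daemon's matching logic (not the post's or
 * any real daemon's code). The server watches connection attempts to closed
 * ports and opens the firewall only after the full sequence arrives in order.
 */
typedef struct {
    const int *seq;   /* required knock sequence (ports, in order) */
    size_t len;       /* number of knocks in the sequence */
    size_t matched;   /* how many knocks have matched so far */
    long last_ts;     /* timestamp (seconds) of the previous knock */
    long window;      /* max seconds allowed between consecutive knocks */
} knock_state;

void knock_init(knock_state *s, const int *seq, size_t len, long window) {
    s->seq = seq;
    s->len = len;
    s->matched = 0;
    s->last_ts = 0;
    s->window = window;
}

/* Feed one knock. Returns true when this knock completes the sequence,
 * i.e. the moment the daemon would open the protected port for the client. */
bool knock_observe(knock_state *s, int port, long ts) {
    /* A partial match expires if the client pauses longer than the window. */
    if (s->matched > 0 && ts - s->last_ts > s->window)
        s->matched = 0;
    s->last_ts = ts;

    if (port == s->seq[s->matched]) {
        s->matched++;
    } else {
        /* Out-of-order knock: the match restarts. The stray knock may still
         * count as the first knock of a new attempt. */
        s->matched = (port == s->seq[0]) ? 1 : 0;
    }

    if (s->matched == s->len) {
        s->matched = 0;      /* sequence consumed; require a fresh one next time */
        return true;
    }
    return false;
}

/* Replay a trace of knocks sent `gap` seconds apart and report whether any
 * knock in the trace opened the door. */
bool knock_replay(const int *seq, size_t len, long window,
                  const int *knocks, size_t n, long gap) {
    knock_state s;
    bool opened = false;
    knock_init(&s, seq, len, window);
    for (size_t i = 0; i < n; i++) {
        if (knock_observe(&s, knocks[i], (long)i * gap))
            opened = true;
    }
    return opened;
}

/* Placeholder ports: the post does not reproduce the machine's sequence. */
const int knock_seq[]   = { 1111, 2222, 3333 };
const int knock_wrong[] = { 2222, 1111, 3333 };        /* right ports, wrong order */
const int knock_right[] = { 1111, 2222, 3333 };
const int knock_retry[] = { 3333, 1111, 2222, 3333 };  /* one stray knock, then correct */

int main(void) {
    printf("wrong order opens: %d\n", knock_replay(knock_seq, 3, 5, knock_wrong, 3, 1));     /* 0 */
    printf("right order opens: %d\n", knock_replay(knock_seq, 3, 5, knock_right, 3, 1));     /* 1 */
    printf("right order, too slow: %d\n", knock_replay(knock_seq, 3, 5, knock_right, 3, 10)); /* 0 */
    printf("stray knock, then right order: %d\n", knock_replay(knock_seq, 3, 5, knock_retry, 4, 1)); /* 1 */
    return 0;
}
```

The reset on an out-of-order knock is what makes the order part of the secret; the time window is what a daemon adds so that a slow scan of the same ports does not accidentally assemble the sequence.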
On the website we see:
[screenshot: Knock-Knock index page]
After looking at the source and finding nothing, I scanned for possible hidden directories and files with wfuzz, and also ran nikto, with no results either way. This led me to think there might be a bug in ssh; I looked at the version the banner returned and fought with that for a while too, and I tried brute force with easy ssh dictionaries and got nothing either.
Then I realized the only thing I had not looked at in depth was the image on the index page, so I downloaded it and...
[image: the picture from the index page, showing "Login Credentials"]
These "Login Credentials" should be for the other service we have running, ssh. After trying user abfnW with password sax2Cw9Ow (and vice versa), I only got "incorrect password". Then I thought they were encoded somehow. Since it was neither base64 nor md5, I went straight to Google, typed "simple ciphers", and the first article that appears, Wikipedia, gives us the answer. Our cipher is rot13, and we will use a small C program to decode it.
We copy the two words to a txt... and...
After trying them with no result, I look at "nosaJ" again, hmmm, "Jason"? I'm going to copy the password into the string again and pass it through rot13 again..
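The decoding step described above, as an added example that is not the post's own program: a rot13 decoder in C applied to the two strings read from the image, followed by the string reversal that turns "nosaJ" into "Jason". The two input strings come from the post; the outputs are simply what rot13 produces, and the post does not say which final value eventually worked.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not the post's own program): rot13 decoding of the
 * two strings the post extracted from the image, plus the string reversal
 * the post applies afterwards.
 */

/* Rotate one ASCII letter by 13 positions; digits and symbols pass through. */
static char rot13_char(char c) {
    if (c >= 'a' && c <= 'z')
        return (char)('a' + (c - 'a' + 13) % 26);
    if (c >= 'A' && c <= 'Z')
        return (char)('A' + (c - 'A' + 13) % 26);
    return c;
}

/* Write rot13(src) into dst; dst must hold strlen(src) + 1 bytes. Returns dst.
 * rot13 is its own inverse, so the same call both encodes and decodes. */
char *rot13(char *dst, const char *src) {
    size_t i;
    for (i = 0; src[i] != '\0'; i++)
        dst[i] = rot13_char(src[i]);
    dst[i] = '\0';
    return dst;
}

/* Reverse a string in place and return it. */
char *reverse(char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i];
        s[i] = s[n - 1 - i];
        s[n - 1 - i] = t;
    }
    return s;
}

/* rot13 followed by reversal, as the post does to get from "abfnW" to "Jason". */
char *rot13_reversed(char *dst, const char *src) {
    return reverse(rot13(dst, src));
}

/* Check helpers: does rot13(src), or rot13 then reverse, equal expected? */
int rot13_equals(const char *src, const char *expected) {
    char buf[128];
    if (strlen(src) >= sizeof buf)
        return 0;
    return strcmp(rot13(buf, src), expected) == 0;
}

int rot13_reversed_equals(const char *src, const char *expected) {
    char buf[128];
    if (strlen(src) >= sizeof buf)
        return 0;
    return strcmp(rot13_reversed(buf, src), expected) == 0;
}

int main(void) {
    /* The two strings read from the image in the post. */
    const char *user = "abfnW";
    const char *pass = "sax2Cw9Ow";
    char buf[128];

    printf("rot13(%s) = %s\n", user, rot13(buf, user));   /* nosaJ */
    printf("reversed   = %s\n", reverse(buf));            /* Jason */
    printf("rot13(%s) = %s\n", pass, rot13(buf, pass));   /* fnk2Pj9Bj */
    printf("reversed   = %s\n", reverse(buf));
    return 0;
}
```

Because rot13 is an involution, applying the same function twice returns the input, which is why the post can "pass it through rot13 again" without a separate decode routine.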
After a couple of tries (the user jason is lowercase and I still do not know why..) I get into the machine. I do an ls and see a file with setuid root but..
Oh wait, a "restricted bash"!! For the old-school among us these techniques ring a bell from old wargames, and it does no harm to review them, so we look at https://en.wikipedia.org/wiki/Restricted_shell and our beloved Wikipedia once again gives us the solution.
Later I discovered a cooler way to escape, which I did not know and learned thanks to this challenge.
Well, having reached this point, and after reviewing the machine in general without finding any strange file or other binary with setuid, it is clear that our challenge now centres on the binary "tfc", created by c0ne, who is thanked in the initial description.

To be continued…
