Vulnhub Fartknocker CTF Write Up

This post is a solution to the CTF Challenge which can be found here.

When we load the downloaded file into VirtualBox, we find a login screen.

An nmap scan shows that only port 80 is open. The scan result indicates that either the whole level is web-app based or there is PORT KNOCKING involved. If you are not familiar with port knocking, I can give you an analogy. Suppose three guys who share a hostel room are working on something secret and do not want others to know about it. They agree that whenever one of them knocks on the door, they knock twice, then three times, then once (knock-knock, knock-knock-knock, knock), so that those inside the room know it is their roommate and can open the door right away without worrying.

In the same way, to stop people attacking open ports, port knocking was introduced: it lets you set a sequence of ports which, when knocked (that is, connection attempts are made to them) in that exact order, opens some predefined port.

We point the web browser's URL bar at the IP and get a page with a link to a pcap file. Opening the file in Wireshark and analysing it reveals the sequence in which the ports must be knocked.

    7000
    8000
    9000
    7000
    8000
    9000
    8888
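
To make the mechanism concrete, here is a small knock-daemon state machine in Python (an added example, not code from the CTF or from this write-up): it tracks each source's progress through the two knock sequences in this post, resets on a wrong port or a long pause, and marks the target port open only once the full sequence has been seen. The "seconds src_ip dst_port" log format and the 10-second timeout are assumptions; the sequences and the ports they open (8888 and 22) follow the write-up.

```python
# Knock sequence -> port opened once it completes; sequences are those from the write-up.
KNOCK_RULES = {
    8888: [7000, 8000, 9000, 7000, 8000, 9000, 8888],
    22: [8888, 9999, 7777, 6666],
}
KNOCK_TIMEOUT = 10.0  # max seconds between two knocks (assumed value)

class KnockTracker:
    """Per-source progress through every rule, the way a knock daemon tracks it."""
    def __init__(self, rules=KNOCK_RULES, timeout=KNOCK_TIMEOUT):
        self.rules, self.timeout = rules, timeout
        self.progress = {}  # (src, target) -> (next index, time of last knock)
        self.opened = set()  # (src, target) pairs whose sequence completed

    def knock(self, t, src, port):
        """Record one connection attempt; return the set of opened (src, port)."""
        for target, seq in self.rules.items():
            idx, last = self.progress.get((src, target), (0, t))
            if t - last > self.timeout:
                idx = 0  # knocked too slowly: start the sequence over
            if port == seq[idx]:
                idx += 1  # next expected port: advance
            else:
                idx = 1 if port == seq[0] else 0  # any other port resets
            if idx == len(seq):
                self.opened.add((src, target))  # full sequence seen: open it
                idx = 0
            self.progress[(src, target)] = (idx, t)
        return self.opened

def replay(log_text, rules=KNOCK_RULES):
    """Feed constructed "seconds src_ip dst_port" lines through the tracker."""
    tracker = KnockTracker(rules)
    for line in log_text.splitlines():
        if line.strip():
            t, src, port = line.split()
            tracker.knock(float(t), src, int(port))
    return sorted(tracker.opened)

# Constructed sample log: 192.168.56.1 knocks the first pcap's sequence in order.
SAMPLE_LOG = """
0 192.168.56.1 7000
1 192.168.56.1 8000
2 192.168.56.1 9000
3 192.168.56.1 7000
4 192.168.56.1 8000
5 192.168.56.1 9000
6 192.168.56.1 8888
"""
```

Running replay(SAMPLE_LOG) yields [('192.168.56.1', 8888)]; knocking the same ports in the wrong order, or pausing longer than the timeout, leaves the opened set empty.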

After knocking the ports, an nmap scan reveals that port 8888 is open, and it points to

    /burgerworld/

When opened in the browser, it gives a link to a second pcap file. Analysing this capture file and following the TCP stream, we get a strange image and four words written in a language I do not know. I copy those words into Google Translate, which translates them to 1 3 3 7.

This is our new clue. Continuing the port-knocking tradition, we knock the ports in this order:

    1
    3
    3
    7
    1337

Another nmap scan points us to /iamcornholio/

We get a string that looks like base64. Decoding it gives us

    Open up SSH: 8888 9999 7777 6666

We again use netcat to knock the ports

    8888
    9999
    7777
    6666

and an nmap scan reveals that port 22 (SSH) is open.

When the command ssh 192.168.56.101 is run, it spits out:

The login credentials for the username butthead.

When we try the credentials butthead and nachosrule, we get the following output:

    ############################################
    # CONGRATS! YOU HAVE OPENED THE SSH SERVER #
    # USERNAME: butthead                       #
    # PASSWORD: nachosrule                     #
    ############################################

And we get logged out instantly.

We use SFTP through FileZilla to browse and view the files.

We find a file named nachos; opening it gives the following text:

    cat nachos
    Great job on getting this far.

    Can you login as beavis or root ?

Now we need a privilege escalation to get to the next clue. I remembered a post I read about privilege escalation on several versions of Ubuntu. I google again and find an exploit on Exploit-DB: https://www.exploit-db.com/exploits/37292/

I use FileZilla again to transfer the file.

Then I run the ssh command with gcc 37927.c appended as the remote command, so that the C program is compiled on the machine.

Then I connect via ssh again and use /bin/bash.

Then I run the compiled program using

    ./a.out (the default name for a compiled C program when no output file name is specified)

We get the following on our screen:

    ./a.out
    spawning threads
    mount #1
    mount #2
    child threads done
    /etc/ld.so.preload created
    creating shared library
    sh: 0: can't access tty; job control turned off

ROOT

Now we can run the command whoami to see the username.

It says ROOT, hooray, we got root.

Now we list the contents of the root directory using:

    ls /root/

and we see there is a file named SECRETZ.

We cat it and see the success message:

    cat /root/SECRETZ
    You have done a great job, if you can see this, please shoot me an email
    and let me know that you have beat this box!

    SECRET = "LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK"