
Fart Knocker

☕ 2 min read · ✍️ m0nk

This is a really fun box aimed at teaching port knocking. We port-knock the box three times to reach the ssh port, but the resulting shells aren't stable TTY shells and we have to find our way in. Finally we use the OverlayFS exploit (CVE-2015-1328) to gain root.

Initial Foothold

Host Discovery

Initially we are dropped into a network containing the vulnerable host, and we scan for our target on the network 192.168.43.0/24.

arp-scan

Confirming our results with Nmap

nmap-host-discovery

Host Scanning

Next we scan the host for open ports and find an HTTP server running on port 80.

nmap-allports

Opening this website in the browser, we discover a link to download a pcap file.

Web Pcap 1

Port Knocking

PCAP1

Opening this pcap file in Wireshark, we discover the port knocking sequence 7000, 8000, 9000. Knocking these ports opens port 8888.

8888 open

Connecting to this port with netcat, we are told about a hidden directory.

8888 path

Visiting this path on the website gives us a link to download another Pcap file.

path burgerworld

Opening this pcap in Wireshark, we find another hidden message in a TCP stream.

Pcap 2

Google Translate helps us decode this secret message.

Message Decoded

This message tells us to knock ports in the sequence 1 3 3 7, which opens port 1337. Connecting to port 1337 with netcat reveals another hidden directory.

Knock 1 3 3 7

Visiting this directory in the browser, we find the username Beavis and the ssh port-opening sequence in encrypted form, which I initially took for a password.

Path iamcornholio

Decoding this message, we get the final port knocking sequence: ssh port 22 opens when the ports are knocked in the order 8888 9999 7777 6666.

port 22 opened

SSH port opened
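To make clear what the three knocks above actually do on the server side, here is an added example (not code from the box or from the write-up) of a knockd-style matcher: per source address it advances on the next expected port, resets on a wrong port or an idle gap, and reports when a sequence completes. The sample SYN events are constructed to resemble what the first pcap shows; the source addresses are made up.

```python
from dataclasses import dataclass, field

# The three knock sequences recovered on the box, as given in the write-up.
KNOCK_SEQUENCES = {
    8888: [7000, 8000, 9000],
    1337: [1, 3, 3, 7],
    22:   [8888, 9999, 7777, 6666],
}

@dataclass
class KnockMatcher:
    """Tracks each source's progress through one knock sequence the way a
    knockd-style daemon does: a SYN to the next expected port advances, a SYN
    to any other port restarts, and an idle gap longer than `timeout` seconds
    restarts as well."""
    sequence: list
    timeout: float = 10.0
    progress: dict = field(default_factory=dict)   # src -> (next index, last ts)

    def observe(self, src: str, port: int, ts: float) -> bool:
        """Feed one SYN (source, destination port, timestamp). Returns True
        exactly when this SYN completes the sequence for `src`."""
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0                                  # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == self.sequence[0] else 0   # wrong port: restart
        if idx == len(self.sequence):
            self.progress.pop(src, None)             # sequence done, forget state
            return True
        self.progress[src] = (idx, ts)
        return False

def completed_knocks(events, sequence, timeout=10.0):
    """Run the matcher over (src, port, ts) events; return (src, ts) of each
    completed knock, i.e. the moments a daemon would open the guarded port."""
    matcher = KnockMatcher(sequence, timeout)
    return [(src, ts) for src, port, ts in events if matcher.observe(src, port, ts)]

# Constructed sample of SYNs in the spirit of the first pcap (not real capture data).
SAMPLE_EVENTS = [
    ("192.168.43.10", 7000, 0.0),
    ("192.168.43.10", 8000, 0.5),
    ("192.168.43.10", 9000, 1.0),   # correct order: this knock opens 8888
    ("192.168.43.99", 7000, 2.0),
    ("192.168.43.99", 9000, 2.5),   # out of order: progress is reset
    ("192.168.43.99", 8000, 3.0),
    ("192.168.43.99", 9000, 3.5),   # never completes without a fresh 7000 first
]
```

Running `completed_knocks(SAMPLE_EVENTS, KNOCK_SEQUENCES[8888])` reports only the first host, which is why a single stray connection attempt from the pcap does not count as a knock.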

SSH onto the Machine

While trying to ssh as the user Beavis, we find the actual ssh credentials.

SSH Credentials

USERNAME: butthead
PASSWORD: nachosrule

SSH Shell Closed

But our shell exits immediately after a successful login. To get around this, we pass /bin/bash as the command to ssh, so it runs /bin/bash directly instead of the login shell. This gives us a shell on the box.

SSH success

Escalation

Further enumeration of the box for low-hanging fruit or misconfigurations does not help, so we look for kernel exploits. But let's enumerate the host first.

Kernel info

Using searchsploit to find the desired exploit

Searchsploit info

We transfer the exploit 37292.c to the target using Python's built-in HTTP server.

python3 -m http.server

Exploit Downloaded

Compile the exploit on the target and run it against the system.

gcc 37292.c -o exploit -pthread
./exploit

Exploited

PWNED!


gr33nm0nk2802
WRITTEN BY
m0nk
An Infosec Researcher. Certifications - Certified Red Team Professional | HTB Prolabs - Dante, Rastalabs | Certified Appsec Practitioner | CEH (Practical)