Knock-knock
Tools:
- netdiscover
- Nmap
- Wfuzz
- Nikto
- Strings
Vulnerabilities:
Use netdiscover to detect target IP address
netdiscover -i eth0 -r 192.168.41.0/24
192.168.41.166 is the target.
Then run nmap to detect open ports and the services running on the target machine.
nmap -sV -v -O -A -T5 192.168.41.166 -p-
Only port 1337 is open. Based on nmap's output, I think this is port knocking.
Use netcat to check:
nc -nv 192.168.41.166 1337
We get a list that looks like port numbers. I try to knock them in that order, but it fails. Then I realize I should try all permutations of the order, so I write the script port_knock_all.py. Run it, then rerun nmap.
Use nikto:
nikto -h 192.168.41.166
Use wfuzz:
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.41.166/FUZZ 2>/dev/null
Nothing interesting shows up.
Check the page:
Nothing useful. Since it contains only one image, I download it and check the strings in it.
strings knockknock.jpg
Looks like we got abfnW/sax2Cw9Ow.
I try to use this to log in over SSH, but it fails.
I figure out it is a Caesar cipher and use a Caesar cipher decryption tool.
We get jason/jB9jP2knf.
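As an added example (not part of the original writeup), here is a small Python brute-forcer that does what the online Caesar tool does: it tries all 26 shifts, leaves digits and the '/' separator untouched (which is why the separator survives encryption), and can pick out the shift whose result contains a fragment you already expect, such as a username seen elsewhere on the box. The credential pair in the sample is constructed for the demo, not the one recovered from the image.

```python
import string

# Added example, not from the original writeup: brute-force every Caesar
# shift of a "user/password"-style string. Only ASCII letters are rotated;
# digits and punctuation such as '/' pass through unchanged.


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions (mod 26), preserving case.
    Non-letters are returned as-is."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(ciphertext: str) -> dict:
    """Map each candidate shift (0..25) to the plaintext obtained by undoing it."""
    return {s: caesar_shift(ciphertext, -s) for s in range(26)}


def find_shift(ciphertext: str, expected_fragment: str):
    """Return (shift, plaintext) for the first shift whose plaintext contains
    expected_fragment (e.g. a username you already know), or None."""
    for s, candidate in all_shifts(ciphertext).items():
        if expected_fragment in candidate:
            return s, candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a made-up credential pair encrypted with shift 9.
    secret = "jason/Example2Pass9"
    ct = caesar_shift(secret, 9)
    print("ciphertext:", ct)
    for s, pt in all_shifts(ct).items():
        print(f"shift {s:2d}: {pt}")
    print("match:", find_shift(ct, "jason"))
```

Running it prints all 26 candidates, so even without a known fragment the one readable line stands out; with a fragment, find_shift returns the shift directly.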
Got a shell.
Now find, starting at root (/), files that are SGID or SUID, not symbolic links, at most 3 directories deep; list them in detail and hide any errors (e.g. permission denied). -maxdepth is a global option and goes before the tests, and the two -perm tests are grouped so the -o does not swallow the rest of the expression:
find / -maxdepth 3 \( -perm -4000 -o -perm -2000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
We find the file /home/jason/tfc.
Run the file.
It looks like it needs an input file and an output file.
tfc will encrypt the input, and will also decrypt it if it is already encrypted. Now generate a large input file (Python 2 print syntax):
python -c "print 'A'*5000" >in.tfc
We get a segmentation fault.
First, I use checksec.sh to check whether any protections are enabled:
./checksec.sh --file tfc
No protections.
Since gdb is not available on the target, I download tfc to my Kali box.
The return address is 0x0675c916, not 0x41414141, so it should be the encrypted form of 0x41414141. I was able to figure out how many bytes to pass in to overwrite the return address (4124 bytes).
(To be continued…)