• netdiscover
  • Nmap
  • Wfuzz
  • Nikto
  • Strings


Use netdiscover to detect target IP address

netdiscover -i eth0 -r is the target.

Then run nmap to detect opening ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

only port 1337 is opening. Based on the nmap’s output. I think this is port knocking.

use netcat to check:

nc -nv 1337

get the list, looks like port number. I try to knock them, but failed. Then I realized that i should try all permutations, then I wrote script Run that, then rerun nmap

use nikto

nikto -h

use wfuzz

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

Nothing cool shows.

check the page

nothing useful. Since it is only one image, I will download it and check the string in it

strings knockknock.jpg

looks like we got abfnW/sax2Cw9Ow

try to use this login ssh, failed….

Figure out it is Caesar cipher and use Caesar cipher decryption tool

get jason/jB9jP2knf

got shell:

now find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied) find / -perm -g=s -o -perm -6000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

got a file /home/jason/tfc

run the file

looks like it need a input file and output file.

tfc will encrypt input and also decrpt input if its encryped. Now generate a large input file.

python -c "print 'A'*5000" >in.tfc

get segmentation fault error.

First, I use to check if there is any protection

./ --file tfc

No protection.

Since gdb is not available on the target, I download tfc to my kali

the address is 0x0675c916 not 0x41414141. so it should be encryption of 0x41414141. I was able to figure out how many bytes to pass in to overwrite the return address (4124 bytes).

(To be continue…)