Source: https://www.vulnhub.com/entry/tophatsec-fartknocker,115/
Today’s vulnhub challenge is Beavis and Butthead themed! This will be another mystery VM for me…basically no knowledge of skill level or exploits required on this one. I enjoyed another of TopHatSec’s VM challenges Freshly so am hoping this will be a good one as well. Anyway, let’s get underway.
I’m going to change up my initial nmap host discovery scan this time and include OS detection:
nmap 192.168.111.0/24 -O
It ends up taking about 2 minutes…so I’m still thinking just an initial nmap ping scan or netdiscover is a more effective way to discover hosts initially.
I followed that up with a service discovery scan. That added some additional information for the HTTP server on port 80.
nmap 192.168.111.100 -sV
I followed that up with a scan of all 65535 ports using the -p- parameter just to be safe. I’ve been burned missing services before because they were out of the standard scan range. While that runs in the background let’s check out the site in a browser.
The site contains a link to a PCAP to download. Let’s open it up in Wireshark.
Whew, it’s only 65 packets, so I don’t have to hunt through a sea of thousands of them. Reading from start to finish I try to follow what’s going on in the capture.
From start to finish there are ping requests coming from 192.168.56.102 to 192.168.56.101 along with successful replies back.
There are also two separate bursts of TCP SYNs sent from *.102 to ports 7000, 8000, and 9000, each answered with a RST/ACK. Apart from those, there’s also a single SYN (again answered with RST/ACK) sent to port 8888.
I try connecting to all 4 of the ports via netcat:
And we have our first hint. Let’s navigate to /burgerworld/ in our browser.
A new page, link, and new PCAP to take a look at again.
It starts similarly with repeated pings from 102 -> 101. But this time SYNs are sent to port 21 and 80. Then they are followed by a series of SYN/ACKs to destination 8080. I try netcat again thinking repeating the sequence found here will yield me a clue, but connections are refused on all but port 80 (as it is the webserver port). But then I see 2 of the port 8080 packets are quite a bit larger and I look closer at the packet data for both.
It becomes even more clear when you follow the TCP stream and piece everything together.
Ja, ich verstehe (yes, I understand). 1-3-3-7. Netcat was a no go for port 1337. SSH didn’t work. I tried Telnet hoping I could get some sort of banner grab but that didn’t work either. Finally, after trying several other combinations, I tried connecting to the port numbers separately and again with the full sequence and it worked!
I’m starting to wonder if I could scrape a Beavis & Butthead fan-page for word lists and bruteforce lots of juicy new directories…
The next page that comes up seems to be some sort of encoded text. My first guess is correct and pasting it into a base64 decoder I get the following output:
Open up SSH: 8888 9999 7777 6666
Well, let’s try the same method with SSH that we just used with netcat…
I wrote a script basically doing the same commands as above thinking I maybe wasn’t sending the sequence fast enough.
That didn’t work either, but then I had an aha moment and added the standard SSH port 22 at the end.
That worked! I got a username & password dialogue box upon the successful connection too. But now I have a new problem. When I connect with the butthead username my connection dies pretty much immediately.
Doing some googling leads me to this thread explaining why this might happen. Logging in with -v or even -vv doesn’t seem to help diagnose the problem, but one of the suggestions does help.
ssh butthead@192.168.111.100 -t /bin/bash --norc --noprofile
And I’m in! My current directory has a single file named ‘nachos’. Let’s cat it to the prompt.
In the /home/ directory there’s another folder for beavis. Let’s see if there’s anything interesting inside.
The 3 main files are:
I don’t have access to the .bash_history files at all. The html folder has an index.html and index2.html. The first is the same Beavis ASCII art with “eins-drei-drei-sieben”. The second just contains the text “test”.
Poking around some more I find a new folder I hadn’t discovered on the webpage by navigating to /var/www/html/spanishfly/
It has a new PCAP to take a look at.
This is basically outlining the 8888, 9999, 7777, 6666 sequence followed by a successful port 22 SSH connection we already went through. I’m guessing this was a supplementary hint in case we had gone down a different path.
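Reading the three captures by hand works at 65 packets, but the same pattern (a run of SYNs answered with RST/ACK, then one answered with SYN/ACK) is exactly what a script can pull out of a PCAP, whether you are analysing a challenge file or hunting for knock sequences against your own hosts. The following is an added example, not code from the original write-up or from TopHatSec: a minimal libpcap reader written with only the standard library that summarises, per source host, the order of ports probed and how each probe was answered, then flags runs of closed probes ending in an open port. The capture it runs on is constructed inline to mirror the sequence described above (8888, 9999, 7777, 6666, then 22) and is not the challenge’s own PCAP; the 192.168.56.x addresses and the minimum run length of 3 are assumptions.

```python
"""Summarise TCP probes in a pcap to surface port-knock sequences (added example)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap magic
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct an Ethernet/IPv4/TCP frame (constructed test data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header plus one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def parse_tcp(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, flags) for every IPv4/TCP packet in the pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]


def probe_summary(pcap_bytes):
    """Per source host, list (dst_port, answer) in capture order.

    answer is 'open' for a SYN/ACK reply, 'closed' for a RST reply, 'none' if unanswered.
    """
    probes = {}  # (src, sport, dport) -> index into that source's list
    result = {}
    for src, dst, sport, dport, flags in parse_tcp(pcap_bytes):
        if flags & SYN and not flags & ACK:           # a new connection attempt
            result.setdefault(src, []).append([dport, "none"])
            probes[(src, sport, dport)] = len(result[src]) - 1
        else:                                         # a reply: match it to the probe
            idx = probes.get((dst, dport, sport))
            if idx is None:
                continue
            if flags & RST:
                result[dst][idx][1] = "closed"
            elif flags & SYN and flags & ACK:
                result[dst][idx][1] = "open"
    return {src: [tuple(p) for p in lst] for src, lst in result.items()}


def knock_sequences(summary, min_len=3):
    """Return (src, knock_ports, opened_port) for runs of closed probes that end in an open port."""
    found = []
    for src, probes in summary.items():
        run = []
        for port, answer in probes:
            if answer == "closed":
                run.append(port)
                continue
            if answer == "open" and len(run) >= min_len:
                found.append((src, tuple(run), port))
            run = []
    return found


# Constructed capture: four knocks answered RST/ACK, then port 22 answered SYN/ACK.
CLIENT, SERVER = "192.168.56.102", "192.168.56.101"  # assumed addresses
_frames = []
for i, port in enumerate((8888, 9999, 7777, 6666)):
    _frames.append(build_frame(CLIENT, SERVER, 40000 + i, port, SYN))
    _frames.append(build_frame(SERVER, CLIENT, port, 40000 + i, RST | ACK))
_frames.append(build_frame(CLIENT, SERVER, 40010, 22, SYN))
_frames.append(build_frame(SERVER, CLIENT, 22, 40010, SYN | ACK))
SAMPLE_PCAP = build_pcap(_frames)

if __name__ == "__main__":
    summary = probe_summary(SAMPLE_PCAP)
    for src, probes in summary.items():
        print(src, "->", ", ".join(f"{p}:{a}" for p, a in probes))
    for src, knocks, opened in knock_sequences(summary):
        print(f"possible knock from {src}: {knocks} then {opened} opened")
```

To run it against a real file, replace SAMPLE_PCAP with the bytes read from disk; the reader only understands the classic libpcap format with Ethernet framing, so a pcapng export from Wireshark needs to be saved as pcap first. On a busy capture, raise min_len or filter on the source you care about, since an ordinary port scan also produces long runs of closed probes.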
Looking at /etc/passwd it indeed looks like the only other 2 possible IDs at this point are “root” and “beavis”. I look for services running under root (ps aux | grep root) but just find apache, port knocker, and SSH running.
No obvious clues that I can see so I check the OS version number to see if I can find some priv-esc opportunities with that.
At this point I feel a little cheap because the version/VM is circa 2015 so this wouldn’t have been quite as easy if I had done this challenge around the original release date. But the world is full of outdated installations…
A quick search on exploit-db and I found this contender. A quick scp from my Kali box, compile, and…
We have root! Now to look around the root directory for possible goodies.
Got it!