We covered the first part solution walkthrough of Cyberry Vulnhub lab where we demonstrated port knocking.
In the second part, we covered the second solution walkthrough of Cyberry Vulnhub lab where we demonstrated binary exploitation with GDB debugger & Metasploit framework.
Description
Instructions: The boot2root is a Debian virtual machine and has been fully tested using VMWare Workstation 12. The network interface of the virtual machine will take its IP settings from DHCP. Level: Beginner to Intermediate.
Cyberry are eagerly anticipating the release of their new “Berrypedia” website, a life-long project which offers knowledge and insight into all things Berry!
Challenge: The challenge is to get root. Rooting this box will require a wide variety of skills and techniques, and you may find that there is more than one way to achieve this.
Initial Reconnaissance & Web Server Exploration
I started by identifying the IP address of the vulnerable machine. An nmap scan revealed several open ports, including HTTP, SSH, and FTP. I then used nikto to scan the web server for potential vulnerabilities.
Conceptual nmap command: nmap -sV -p- <target_IP>
Conceptual nikto command: nikto -h http://<target_IP>
Examining the source code of the initial web page revealed some Base64 encoded text. Decoding this text provided some motivational text and a path to an image, which wasn’t immediately useful.
Conceptual echo command for decoding: echo "base64_string" | base64 -d
Discovering a Hidden Page & Image Analysis
I navigated to a specific hidden page on the web server. This page contained a PDF-like interface with several images. After inspecting them, one particular image stood out as a clue. Saving and rotating this image revealed a collage of singers.
Port Knocking Clue
The presenter revealed that the singers in the image were related to the song “I Hear You Knocking.” I searched for “I Hear You Knocking singers” on Google Images to confirm their identities and identify the release dates of their versions of the song. The identified singers were:
- Smiley Lewis
- Dave Edmunds
- Fats Domino
- Gale Storm
This information hinted at a “port knocking” sequence. The order for knocking was determined by a clockwise arrangement of the singers in the image, starting with Dave Edmunds. The release dates of the songs by these artists in that specific order formed the actual port knocking sequence.
Unveiling a New Port & Brainf*ck Language
After performing the port knocking sequence (which involves sending a series of SYN packets to the specific ports in the correct order; the exact knocking tool or command wasn’t shown, but a tool like knockd or a custom script would be used), a rescan with nmap revealed a new open HTTP port.
Conceptual nmap command after knocking: nmap -p- <target_IP>
Navigating to this new port displayed the exact same web page as before. However, inspecting the source code of this page revealed a letter “H” that linked to yet another page. This new page contained text written in “Brainf*ck” language. Using an online Brainf*ck decoder, I processed each line of the code. Decoding all the lines resulted in a wordlist.
Brute-Forcing FTP Credentials
The decoded Brainf*ck output also included a password hint: “password take off.” I then used the generated wordlist as a username list, and “take off” as the password, to brute-force the FTP server using Hydra.
Conceptual hydra command: hydra -L wordlist.txt -p "take off" ftp://<target_IP>
The brute-force attack was successful, revealing the FTP credentials: username “movie” and password “take off.”
FTP Access & Encrypted File
Logging into the FTP server with the discovered credentials, I listed the files. I found and downloaded a file named bash_history. This bash_history file revealed two important items: remainder.encrypt (an OpenSSL encrypted file) and a separate password list. The file command confirmed that remainder.encrypt was indeed an OpenSSL salted file.
Conceptual ftp commands:
ftp <target_IP>
user movie
pass take off
ls
get bash_history
Conceptual file command: file remainder.encrypt
Decrypting the OpenSSL File
I then used a Python script to decrypt the remainder.encrypt file. The script took the encrypted file and the downloaded password list as input and attempted to brute-force the decryption. The script generated many decrypted files, and I had to identify the correct one by looking for a file containing ASCII text. A command was used to filter the output and find the file with readable ASCII text.
Conceptual Python script usage: python decrypt_script.py remainder.encrypt password_list.txt
Conceptual grep command to find readable file: grep -a -l 'some_common_ascii_string' decrypted_files/*
(This would typically be run within the context of the script or after the script dumped output to files.)
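The two pieces of the decryption step worth understanding are why `file` recognised remainder.encrypt as "openssl salted" and why a wordlist attack on it is cheap: `openssl enc` writes a fixed 8-byte "Salted__" magic followed by an 8-byte salt, and derives the key and IV from the password with the legacy EVP_BytesToKey chain (one hash per guess). The following is an added example, not the walkthrough's decrypt_script.py; the sample file bytes, passwords and decrypted outputs are constructed, and the digest defaults to MD5 (OpenSSL before 1.1.0; later versions default to SHA-256 unless -md overrides it).

```python
import hashlib
import string

OPENSSL_MAGIC = b"Salted__"   # header that `file` reports as "openssl enc'd data with salted password"


def parse_openssl_salted(data: bytes):
    """Split `openssl enc` output into (salt, ciphertext); None if the magic is absent."""
    if len(data) < 16 or not data.startswith(OPENSSL_MAGIC):
        return None
    return data[8:16], data[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, digest: str = "md5"):
    """Legacy OpenSSL EVP_BytesToKey with count=1: D_i = H(D_{i-1} || password || salt).
    Assumed defaults match `openssl enc -aes-256-cbc` (32-byte key, 16-byte IV)."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


PRINTABLE = set(string.printable.encode("ascii"))


def is_readable_text(data: bytes, threshold: float = 0.95) -> bool:
    """Approximates the `file`/`grep -a` filter: nearly every byte is printable ASCII."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def pick_readable(candidates: dict) -> list:
    """Given {password: decrypted_bytes}, return passwords whose output reads as text.
    A wrong CBC key yields a padding error or random-looking bytes, never clean ASCII."""
    return [pw for pw, blob in candidates.items() if is_readable_text(blob)]


# Constructed sample data (not the challenge's real file, passwords or plaintext).
SAMPLE_SALT = bytes(range(8))
SAMPLE_FILE = OPENSSL_MAGIC + SAMPLE_SALT + b"\x9f\x1c\x00\xe2\x7b\x55\x10\xaa" * 2
SAMPLE_OUTPUTS = {
    "wrongguess": b"\x8a\x00\xf3\xc4\x11\x99\xfe\x02\x7d\xd0",
    "rightguess": b"user: <redacted>\npassword: <redacted>\n",
}
```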
Gaining Web Admin Access
The content of the correctly decrypted file revealed new login credentials: username “Mary” and a corresponding password. I used these credentials to log into the web application, successfully gaining admin access.
Video Walkthrough | Part One
Video Walkthrough | Part Two