Inspection of the web application revealed a pcap file link:
Pcap Analysis
Looking at the pcap file revealed the VM was likely using port knocking (bear in mind the VM’s network has changed).
What is Port Knocking?
Port Knocking is a *security by obscurity* technique: to expose a service port, you must first connect to a set of ports in a specific order. More information about [port knocking on wikipedia](https://en.wikipedia.org/wiki/Port_knocking).
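The pcap analysis above relies on spotting a knock pattern by eye in Wireshark. As an added example (not part of the original walkthrough), the script below reads a libpcap file with only the standard library and reports, per client/server pair, the ports that were SYN'd but never answered with a SYN-ACK (the knocks) followed by the ports that actually opened. The capture it parses is constructed inline; the hosts, ports and knock sequence are assumptions, not values taken from the VM's pcap.

```python
import struct
from collections import defaultdict
SYN, SYNACK, RST = 0x02, 0x12, 0x04

def _tcp_frame(src, dst, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with just the fields the parser reads."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def _pcap(frames):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture (hypothetical hosts): knocks on 1,3,3,7 each get RST, then 8080 opens.
C, S = "10.0.1.50", "10.0.1.113"
SAMPLE_PCAP = _pcap(
    [_tcp_frame(C, S, 40000 + i, p, SYN) for i, p in enumerate((1, 3, 3, 7))]
    + [_tcp_frame(S, C, p, 40000 + i, RST) for i, p in enumerate((1, 3, 3, 7))]
    + [_tcp_frame(C, S, 40010, 8080, SYN), _tcp_frame(S, C, 8080, 40010, SYNACK)]
)

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP packet in a pcap."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        fr = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if fr[12:14] != b"\x08\x00" or fr[23] != 6:  # IPv4 carrying TCP only
            continue
        ihl = (fr[14] & 0x0F) * 4
        src, dst = (".".join(map(str, fr[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack("!HH", fr[14 + ihl:18 + ihl])
        yield src, dst, sport, dport, fr[14 + ihl + 13]

def find_knocks(pcap):
    """Per (client, server): ports SYN'd but never SYN-ACK'd, then ports that opened."""
    syns, answered = defaultdict(list), defaultdict(set)
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if flags & SYNACK == SYN:          # client-side connection attempt
            syns[(src, dst)].append(dport)
        elif flags & SYNACK == SYNACK:     # server accepted: key by (client, server)
            answered[(dst, src)].add(sport)
    return {k: ([p for p in v if p not in answered[k]],
                [p for p in v if p in answered[k]]) for k, v in syns.items()}
```

Run against a real capture with `find_knocks(open("capture.pcap", "rb").read())`; a repeated pattern of unanswered SYNs to the same few ports right before a port opens is the signature a defender should look for in their own traffic.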
Quick bash loop script for the port knocking:
Successful port knocking combo:
http://10.0.1.113/burgerworld/, disclosed another pcap file:
Investigation of the pcap file in Wireshark revealed more knocking, followed by a connection over port 8080.
Following the TCP stream for port 8080 revealed the following:
The hint: eins drei drei sieben is German for 1 3 3 7.
The previous port knocking pattern worked again for ports 1 3 3 7:
http://10.0.1.113/iamcornholio/, disclosed a Base64 encoded string:
The string was decoded, revealing another port knocking sequence:
The previous port knocking technique was leveraged:
Logging in using the disclosed credentials worked, but the session closed almost immediately and displayed the following message:
The following command was executed, successfully spawning a shell on the target:
Local System Enumeration
The following hint was discovered:
Local Privilege Escalation
Enumeration of the system indicated it was likely vulnerable to CVE-2015-1328, a local privilege escalation using overlayfs mounts inside user namespaces that allows a local user to gain administrative privileges on the system.
Exploit process (CVE-2015-1328):
Root Flag
Conclusion
I enjoyed the VM, despite not being a fan of Beavis and Butt-Head. Looking at the pcap files for port knocking patterns was a new experience for me.