Pentestit.ru V.9 (Part 14) – Token SSH-Test – Final 14/14


So the Final Chapter arrived… 😀 I’m happy to say that this was an awesome experience, and I hope this was useful for someone else as well.
This Lab is coming to an end soon, and version v10 will start: a new era, new challenges, more to learn, more to share, more difficulties to cross.

So, let’s get down to business, shall we?

This was a painful one. I’m far, far away from Russia, so a -Pn -p0-65535 scan takes hours…
Anyway, I did it and waited… xD

d.nash@tl9-ssh:~$ nmap -Pn -p 0-65535 192.168.0.7

Starting Nmap 6.00 ( http://nmap.org ) at 2016-09-22 16:16 MSK
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan

Connect Scan Timing: About 1.17% done; ETC: 19:56 (3:37:17 remaining)

3h and 37 minutes? Wait all this time? It kept crashing while I waited, so I quit this challenge.

Then… one day, talking with another user, he told me the server had some bug, so I went to talk with an admin to request that it be fixed, and I’m happy to say that he did a great job, fixing it the same day. 🙂

So, after that was done, I retried the same old scan, and to my happiness and surprise:

d.nash@tl9-ssh:~$ nmap -Pn -p0-65535 192.168.0.7

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-12 21:49 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00065s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE
0/tcp    filtered unknown
1941/tcp filtered unknown
1970/tcp filtered unknown
2011/tcp filtered raid-cc

Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds

d.nash@tl9-ssh:~$

Really quick, see? 😉

So we got ports 0, 1941, 1970 and 2011 filtered. Strange, right? :-\
We tried to nc to port 0, and we got a different error than for the other ports.

d.nash@tl9-ssh:~$ nc 192.168.0.7 0
invalid port 0
d.nash@tl9-ssh:~$ nc 192.168.0.7 2011
(UNKNOWN) [192.168.0.7] 2011 (?) : Connection timed out
d.nash@tl9-ssh:~$

After a sneak peek at the write-up (yes, again :-\ – my knowledge is still very limited) I understood what port knocking is, and that it is what is implemented here.
So, I started to do some research about port knocking and how it is implemented, and got a good idea of how it works. I won’t explain it here, but you can learn about it at the following link: https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu

So, we started by trying the script from the write-up, but with one change: I connected to the ssh server (the one reached via ssh d.nash@192.168.101.8) and from there I ran the script:

d.nash@tl9-ssh:~$ for p in 2011 1941 1970; do nmap -Pn --max-retries 0 -p $p 192.168.0.7;done

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:39 MSK
Warning: 192.168.0.7 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.7
Host is up.
PORT     STATE    SERVICE
2011/tcp filtered raid-cc

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:39 MSK
Warning: 192.168.0.7 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.7
Host is up.
PORT     STATE    SERVICE
1941/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:39 MSK
Warning: 192.168.0.7 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.0.7
Host is up.
PORT     STATE    SERVICE
1970/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

As you can see, I ran this from inside the tl9-ssh host, and in another window inside the tl9-ssh host, after each sequence tryout, I ran the following:

d.nash@tl9-ssh:~$ nmap -Pn -p 22 192.168.0.7

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:40 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00038s latency).
PORT   STATE  SERVICE
22/tcp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

That is so we can check whether the port knock opened the ssh port 22.

Guess what, after all the tryouts, it didn’t open…
And this is where I found myself lost. I mean, why is it not working? This doesn’t make sense. And the admin told me that everything was working as it should o_0

So, I went once again to the write-up to read it closely. The write-up mentions a tunnel, and then the port knock is made via the tunnel, so I decided to try that.

After understanding how I can make a tunnel with multiple ports, I went all-in for this process, and this is what I’ve done:
Note: I won’t post the right sequence here 😉 You can get it, I know you can 😉

So we create our tunnel:

$ sudo ssh -L 1941:192.168.0.7:1941 -L 1970:192.168.0.7:1970 -L 2011:192.168.0.7:2011 d.nash@192.168.101.8

Now just leave it open, after entering the daypass “thing”.
Now, in another window, you run the script:

$ for p in 1970 2011 1941; do nmap -Pn --max-retries 0 -p $p 127.0.0.1;done

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-13 11:49 WAT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
PORT     STATE SERVICE
1970/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-13 11:49 WAT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00024s latency).
PORT     STATE SERVICE
2011/tcp open  raid-cc

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-13 11:49 WAT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00027s latency).
PORT     STATE SERVICE
1941/tcp open  unknown


Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

Notice the differences? Now it says those ports are open… hmmm, I wonder if this means anything. Maybe yes, maybe no.

In any case, after finding the correct sequence we get the port open:

d.nash@tl9-ssh:~$ nmap -Pn -p 22 192.168.0.7

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:49 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00030s latency).
PORT   STATE SERVICE
22/tcp open  ssh


Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

So, if the port is open we just need to connect there and get our token 😛

d.nash@tl9-ssh:~$ nmap -Pn -p 22 192.168.0.7

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-13 13:54 MSK
Nmap scan report for 192.168.0.7
Host is up (0.00037s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
d.nash@tl9-ssh:~$ ssh d.nash@192.168.0.7
Linux tl9-ssh-test 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64
Last login: Thu Oct 13 13:09:28 2016 from 172.16.0.2
d.nash@tl9-ssh-test:~$ ls
token.txt
d.nash@tl9-ssh-test:~$ cat token.txt 

**z**h**

Notice that after the sequence you need to be fast to check if the port is open and then connect, else it may close in the meantime.
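To make those timing constraints concrete, here is an added illustration (not the lab’s daemon configuration and not code from the write-up) of how a knockd-style daemon matches a knock sequence against connection attempts: the port order, the sequence window and the open duration are assumed values, and the log events are constructed.

```python
"""Knockd-style sequence matcher: an added illustration, not the lab's daemon."""
from collections import defaultdict

# Assumed configuration. The order below is made up (the write-up withholds
# the real one); the windows are assumptions, not the lab's settings.
KNOCK_SEQUENCE = (1941, 2011, 1970)   # constructed order, NOT the lab's
SEQ_TIMEOUT = 5.0                     # seconds allowed from first to last knock
OPEN_DURATION = 10.0                  # seconds port 22 stays open afterwards

# Constructed SYN log events: (epoch seconds, source IP, destination port).
EVENTS = [
    (100.0, "10.0.0.5", 1941), (101.0, "10.0.0.5", 2011), (102.0, "10.0.0.5", 1970),  # correct
    (200.0, "10.0.0.6", 1941), (201.0, "10.0.0.6", 1970), (202.0, "10.0.0.6", 2011),  # wrong order
    (300.0, "10.0.0.7", 1941), (308.0, "10.0.0.7", 2011), (309.0, "10.0.0.7", 1970),  # too slow
]


def match_knocks(events):
    """Return {src_ip: [(open_at, close_at), ...]} for every completed sequence.

    A knock to the wrong next port, or more than SEQ_TIMEOUT seconds since the
    first knock, discards that source's progress, as knockd does.
    """
    progress = {}              # src -> (index of next expected port, first-knock time)
    opened = defaultdict(list)
    for ts, src, port in sorted(events):
        idx, started = progress.get(src, (0, ts))
        if idx > 0 and ts - started > SEQ_TIMEOUT:
            idx = 0                                  # window expired: start over
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):
                opened[src].append((ts, ts + OPEN_DURATION))
                progress.pop(src, None)
                continue
            progress[src] = (idx, ts if idx == 1 else started)
        else:
            # wrong port: reset, but let a correct first knock start a new attempt
            progress[src] = (1, ts) if port == KNOCK_SEQUENCE[0] else (0, ts)
    return dict(opened)


def is_open(opened, src, ts):
    """True if src finished a knock whose open window still covers time ts."""
    return any(a <= ts <= b for a, b in opened.get(src, []))


if __name__ == "__main__":
    result = match_knocks(EVENTS)
    print(result)                                    # {'10.0.0.5': [(102.0, 112.0)]}
    print(is_open(result, "10.0.0.5", 105.0), is_open(result, "10.0.0.5", 120.0))
```

Only the first source opens the port, and a connection from it at 120 s is already refused again, which is the race the note above describes.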

And that is it… We got our Last and Final Token 😀 \o/

This was really a nice series of challenges, and an amazing LAB experience, and I would like to thank especially the Pentestit.ru team.

2 Comments

  • Anthony
    January 3, 2017

    Part 14? Where are the other parts? This was an excellent write-up and I’d love to read the rest.

    • admin
      January 6, 2017

      It’s the last part of Lab9.
      Version 10 is already out, you should work on that one.
