THM-Fowsniff CTF-Writeup

Mohamed Ali
5 min read, Sep 16, 2024


Hack this machine and get the flag. There are lots of hints along the way and it is perfect for beginners!

Find This Room: Fowsniff CTF

Start

Recon

Let's start by mapping the hostname to the target IP address.

mapping fowsniff.com to the target IP address

When any user or application on the system tries to access "fowsniff.com", it is directed to the IP address specified in the /etc/hosts file.

nmap

Let's use nmap for port scanning.

nmap fowsniff.com -sV -sC
# -sV - probe open ports to determine service/version info
# -sC - run the default nmap script set

nmap scan of fowsniff.com

From the nmap results we know that the operating system is Linux and that the open ports are:

  1. port 22 (ssh)
  2. port 80 (Apache server)
  3. port 110 (pop3)
  4. port 143 (imap)

Let's have a look at port 80 (web server).

Home page of the web server

It looks like the website is temporarily down due to an attack. Nothing interesting was found in the source code of the web pages, nor when enumerating files and directories with dirb.

But the home page does give us a clue: the official Twitter account, @fowsniffcorp, has been hacked.

Let's check the Twitter account.

fowsniffcorp twitter (x.com)

It looks like the hackers hijacked the Twitter account and leaked a password dump.

leaked password dumps

The leaked information contains usernames and hashed passwords. The hackers also stated that these are the users' email (POP3) passwords and that the hashes are MD5. That is all the information we need about the leak.

Using crackstation.net for unhashing the password hashes

CrackStation was used to look up the hashes, and almost all of the passwords were recovered. We use them to proceed further.

Exploitation

Let's try every gathered username and password combination against the POP3 mail server.

# POP3 commands:
USER username # Log in as "username"
PASS password # Substitute "password" with the actual password
LIST # List all messages and their sizes
RETR n # Retrieve the n-th message

pop3 login img1

After attempting POP3 logins with the known usernames and passwords, we found that the user seina has not changed her password since the hack, so we are able to log in to POP3 as seina.

pop3 login img2

While looking through seina's messages in POP3, we found a temporary SSH password for the machine ( S1ck3nBluff+secureshell ).

hydra

We are not sure which user this SSH password belongs to. Let's try it against the known users with hydra.

using hydra to bruteforce the ssh

Hydra found the user the SSH password from the mail belongs to: baksteen.

Let's try logging in to the system as baksteen via SSH.

ssh login as baksteen

SSH login as baksteen was successful.

Privilege Escalation

Let's start enumerating for a privilege escalation vector.

  1. Nothing interesting found in the cron jobs.
  2. User baksteen cannot use sudo.
  3. No useful SUID binaries found.

Interesting information found in .viminfo file

While checking the files in the user's home directory, we found a .viminfo file, which records recently edited file names and may therefore reveal sensitive paths. Let's check the permissions on each of those files.

checking permission for all interesting files

Of the interesting files listed there, only "/opt/cube/cube.sh" still exists, and user baksteen has read and write access to it.

viewing the content of /opt/cube/cube.sh

This script prints the Fowsniff Corp welcome banner.

Haven't we already seen this banner somewhere else? Yes: it was displayed when we logged in to the system via SSH.

But how does this help us?

When we log in via SSH, there are three possibilities for how this script is run:

  1. the script executes as the user who is connecting via SSH
  2. the script executes as another user, with or without elevated privileges
  3. the script executes as the root user

Let's find out by adding our own command to the script.

adding our command to the script

The command added above creates a file called testFile.txt, writes the id of the user executing the script into it, and makes the file readable by everyone.

Let's log in via SSH again.

checking the testFile.txt

After logging in via SSH, we find that testFile.txt has been created and its content shows it was written by the root user. So the script runs as root at login, and we can use it to escalate our privileges.
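From the defender's side, the weakness here is a script that root executes at login while an unprivileged user can modify it. The following audit is an added example, not part of the writeup: it reports login-time scripts writable by non-root users, strips the offending write bits, and re-checks. The temp file it builds is a constructed stand-in for a path such as /opt/cube/cube.sh.

```python
"""Audit root-executed login scripts for write access by unprivileged users."""
import os
import stat
import tempfile


def writable_by_unprivileged(path):
    """Return the reasons an unprivileged user could modify `path` ([] if none)."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("group-writable by non-root group %d" % st.st_gid)
    if st.st_uid != 0:
        reasons.append("owned by non-root uid %d" % st.st_uid)
    return reasons


def audit(paths):
    """Map each existing path in `paths` to its findings; clean files are omitted."""
    findings = {}
    for path in paths:
        if os.path.exists(path):
            reasons = writable_by_unprivileged(path)
            if reasons:
                findings[path] = reasons
    return findings


def harden(path):
    """Remediation: remove group/other write bits, then return the remaining findings."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return writable_by_unprivileged(path)


def demo():
    """Constructed sample: a banner script left world-writable, as in the writeup."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "cube.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho 'Welcome to Fowsniff Corp'\n")
        os.chmod(script, 0o777)  # the weak setting that made the escalation possible
        before = audit([script, os.path.join(tmp, "missing.sh")])
        after = harden(script)
        return before, after, script


if __name__ == "__main__":
    findings, remaining, path = demo()
    print("before:", findings)
    print("after hardening %s:" % path, remaining)
```

Ownership by a non-root user is reported but not changed by harden(), since that requires chown as root and is a deployment decision rather than a permission fix.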

Let's generate a reverse shell payload.

Reverse shell code via Reverse Shell Generator

The reverse shell payload was generated with Reverse Shell Generator. Let's append it to the script.

appending reverse shell code to the script

Let's start a listener with netcat (nc).

root access via reverse shell

With the netcat listener on port 1234, logging in via SSH once more triggers the script, and we receive a reverse shell connection as the root user.
