# Fowsniff CTF

![](/files/-McAiaMv6VkFQkJuuY6L)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**), which skips host discovery:

```
nmap -Pn 10.10.255.37
```

![](/files/-McAjaTtkgWM0PN7WSJ-)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: specifying ports 22,80,110,143
* **-oN nmap**: saving the output into a file called nmap

```
nmap -sV -sC -p 22,80,110,143 -oN nmap 10.10.255.37
```

![](/files/-McAjj3hANNIXXz8BSD9)

## Enumeration

Let's visit the website.

![](/files/-McAkBTfV5q72BB6oeY2)

Reading this, let's look at their Twitter page.

![](/files/-McAkQY16Z37VbOisu8g)

Looks like a bunch of passwords have been dumped. Let's go see them.

![](/files/-McAkbh6iYFQ_oavpmDz)

Let's save these in a file called `credentials.txt`.

![](/files/-McAksIbMDSXkapi3AzR)

The hashes are `md5`, so after cracking them we get the passwords. To extract only the hashes into a file, let's use this command (it keeps everything after the colon on each line):

```
sed -n 's/.*://p' credentials.txt > passwords.txt
```

Let's also put all the usernames in a file and call it `users.txt`.

![](/files/-McAmKiyxjM7OGGZ8WK-)

Now let's crack the passwords.

![](/files/-McAmVk9gqtZsBk7e8Bl)

We recovered most of them, so let's put these in the password list. Remove the 6th password and the 6th user from the user list so that the two lists stay aligned line for line.

![](/files/-McAn-s6q5f3H-1MuCAW)
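As an added example (not part of the original writeup), here is the dump-to-lists step in Python: it parses a constructed `user:md5hash` dump in the same layout as credentials.txt, matches the unsalted MD5 digests against a constructed wordlist, and drops any unrecovered entry from both lists so that users.txt and passwords.txt stay aligned. All sample values are constructed, not the CTF's.

```python
import hashlib

# Constructed sample dump in the same "user:md5hash" layout as credentials.txt.
# These are MD5 digests of constructed words, not the values from the CTF.
SAMPLE_DUMP = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:098f6bcd4621d373cade4e832627b4f6
carol:ffffffffffffffffffffffffffffffff
"""

# Constructed wordlist standing in for the cracking dictionary.
SAMPLE_WORDLIST = ["password", "test", "letmein"]


def parse_dump(text):
    """Split 'user:hash' lines (the sed one-liner does this for the hash half)."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        user, _, digest = line.partition(":")
        pairs.append((user, digest.strip().lower()))
    return pairs


def recover_passwords(pairs, wordlist):
    """Unsalted MD5 is a direct lookup: hash every wordlist entry once, then
    match each dumped digest. Returns (recovered pairs, users not recovered)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    recovered = [(u, table[h]) for u, h in pairs if h in table]
    missing = [u for u, h in pairs if h not in table]
    return recovered, missing


def aligned_lists(recovered):
    """Build users.txt / passwords.txt contents line for line. Dropping the
    unrecovered entries from both keeps line N of each file referring to
    the same account (the writeup's 'remove the 6th user and password')."""
    users = "\n".join(u for u, _ in recovered) + "\n"
    passwords = "\n".join(p for _, p in recovered) + "\n"
    return users, passwords


if __name__ == "__main__":
    found, missing = recover_passwords(parse_dump(SAMPLE_DUMP), SAMPLE_WORDLIST)
    users_txt, passwords_txt = aligned_lists(found)
    print(users_txt, passwords_txt, "not recovered:", missing)
```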

Now, before we start brute-forcing, let's look at the robots.txt page the nmap scan told us about.

![](/files/-McAnEsJxdZoI8ok-X9B)

## Exploitation

Looks like there is nothing there. Let's now brute force `pop3` running on port 110.

```
hydra -L users.txt -P passwords.txt pop3://10.10.255.37
```

![](/files/-McAoclyBtdhurGXF5fZ)

Looks like we found a valid username and password; now let's log in using netcat.

![](/files/-McAowrw1UFdfxpZxmSc)

Let's list the messages and read them.

![](/files/-McApE77C4vakw0w5tp4)

It's an email; reading through it, we have the temporary password for SSH. Now let's look at the second message.

![](/files/-McApVEZewFH2RlBZ_Nk)

Reading through this email we can see that the user baksteen said he will read the message later, which indicates that the temporary password should still be the one for their account. Now let's log in through SSH with the username `baksteen` and the password we just found.

![](/files/-McAq58lJ1IzJeM73sFU)

```
ssh baksteen@10.10.255.37
```

![](/files/-McAqKDdXe5QH14ZqkFf)

And we are logged in.

## Privilege Escalation

Let's look at the files in the current directory and also check which groups this user is part of.

![](/files/-McAuQLJqqngMiapgarp)

Now let's look for files that this group can run.

![](/files/-McAumVCMOWxc3XQLV6Q)

The `/opt/cube/cube.sh` file looks interesting; let's read it.

![](/files/-McAux7OiiuiEIiCIHno)

We can see that this file is run whenever a user logs into the machine, so let's edit it to add a reverse shell and then log in again so the file runs and gives us a shell.

After adding the reverse shell to the file using nano, let's start a netcat listener.

![](/files/-McAwTD15pTeOc9C46l3)

![](/files/-McAvefSXLIKsMzXRCjE)

Now, once we log in over SSH, we get a reverse shell.

![](/files/-McAwdxks4TAQnD_x3vs)

![](/files/-McAwhXDV7RSAOggcIqk)

We are root.
