# Fowsniff CTF

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAiVlCG-KwsbM_j0L8%2F-McAiaMv6VkFQkJuuY6L%2Fimage.png?alt=media\&token=a6cf8718-c308-47ae-a038-635de97c54ee)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.255.37
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAjaTtkgWM0PN7WSJ-%2Fimage.png?alt=media\&token=82bd6b99-62f4-4964-8846-19bee25d59ee)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: specify ports 22, 80, 110 and 143
* **-oN nmap**: save the output to a file called `nmap`

```
nmap -sV -sC -p 22,80,110,143 -oN nmap 10.10.255.37
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAjj3hANNIXXz8BSD9%2Fimage.png?alt=media\&token=676523d4-2e8d-49f6-a68a-68eeaf342bad)

## Enumeration

Let's visit the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAkBTfV5q72BB6oeY2%2Fimage.png?alt=media\&token=38216c19-7281-4ca4-bcc6-2e3e488c50b6)

Reading this, let's look at their Twitter page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAkQY16Z37VbOisu8g%2Fimage.png?alt=media\&token=14fd6be2-d65f-4184-97c2-5ec75f43e6a0)

Looks like a bunch of passwords have been dumped. Let's go see it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAkbh6iYFQ_oavpmDz%2Fimage.png?alt=media\&token=8b43595a-e87d-4ecf-b813-7d31b0461d3c)

Let's save these in a file called `credentials.txt`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAksIbMDSXkapi3AzR%2Fimage.png?alt=media\&token=34d6a274-4c04-4686-bc5b-d05bacdd292a)

The hashes are `md5`, so after cracking them we get the passwords. To extract only the hashes into a file, use this command:

```
sed -n 's/.*://p' credentials.txt > passwords.txt
```

Let's also put all the usernames in a file and call it `users.txt`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAmKiyxjM7OGGZ8WK-%2Fimage.png?alt=media\&token=638b07a1-0e80-42fe-af27-265cecef22e6)
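As an added example (not part of the original writeup), here is a small POSIX shell function that does the `sed` hash extraction and the username extraction in one pass, and additionally checks that each hash really is a 32-character hex MD5 digest before keeping it, so a malformed line in a dump cannot silently misalign `users.txt` and `passwords.txt`. The sample dump lines are constructed for the example, and the function and file names are my own.

```shell
#!/bin/sh
# Added example: split a "user@domain:md5hex" credential dump into a
# username list and a hash list, keeping only well-formed entries.
# Lines without a colon, or whose hash is not 32 hex characters,
# are counted and skipped so the two output files stay line-aligned.

split_credential_dump() {
    dump="$1"
    users_out="$2"
    hashes_out="$3"
    rejected=0
    : > "$users_out"
    : > "$hashes_out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *:*) ;;                                    # has a separator
            *) rejected=$((rejected + 1)); continue ;; # no separator: skip
        esac
        user="${line%%:*}"   # everything before the first ':'
        hash="${line##*:}"   # everything after the last ':' (what the sed above keeps)
        if printf '%s' "$hash" | grep -Eq '^[0-9a-fA-F]{32}$'; then
            printf '%s\n' "${user%%@*}" >> "$users_out"  # drop the @domain part
            printf '%s\n' "$hash" >> "$hashes_out"
        else
            rejected=$((rejected + 1))                   # not an MD5-shaped hash
        fi
    done < "$dump"
    echo "$rejected"   # number of lines that were skipped
}

# Constructed sample dump (fake users and fake digests, not the CTF's data).
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice@example.com:0123456789abcdef0123456789abcdef
bob@example.com:not-a-hash
this line has no separator
carol@example.com:ffffffffffffffffffffffffffffffff
EOF

users=$(mktemp)
hashes=$(mktemp)
skipped=$(split_credential_dump "$sample" "$users" "$hashes")
echo "skipped $skipped malformed line(s)"
echo "users:";  cat "$users"
echo "hashes:"; cat "$hashes"
rm -f "$sample" "$users" "$hashes"
```

On the constructed sample the function keeps `alice` and `carol` with their digests and reports two skipped lines; run it against the real `credentials.txt` by passing that path as the first argument.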

Now let's crack the hashes.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAmVk9gqtZsBk7e8Bl%2Fimage.png?alt=media\&token=ceb2489e-c00a-4a7f-b17e-c41d83073380)

We found most of them; let's put the cracked ones in the password list and remove the 6th password and the 6th user from the user list.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAn-s6q5f3H-1MuCAW%2Fimage.png?alt=media\&token=b08753f9-c27f-49cd-bc7a-150eaaee9cef)

Now, before we start brute-forcing, let's look at the robots.txt page the nmap scan told us about.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAnEsJxdZoI8ok-X9B%2Fimage.png?alt=media\&token=4f9a0fdc-76a9-448d-9747-26d0ac2079dd)

## Exploitation

Looks like there is nothing there. Let's now brute-force `pop3`, which is running on port 110:

```
hydra -L users.txt -P passwords.txt pop3://10.10.255.37
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAoclyBtdhurGXF5fZ%2Fimage.png?alt=media\&token=81e3c2f6-2411-40c4-9750-ecf2e854f3d7)

Looks like we found a valid username and password; now let's log in using netcat.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McAowrw1UFdfxpZxmSc%2Fimage.png?alt=media\&token=b810a4ed-0adc-4f6b-bb2d-6b4ea9ec98ab)

Let's list the messages and read them.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McApE77C4vakw0w5tp4%2Fimage.png?alt=media\&token=a93a0f34-40c2-4217-ad0e-5389b4d9b7a9)

It's an email; reading through it, we find a temporary SSH password. Now let's look at the second message.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McAj8m-twxKmWldyYmX%2F-McApVEZewFH2RlBZ_Nk%2Fimage.png?alt=media\&token=2dc774d5-779e-4262-b267-ae18cf6b72d2)

Reading through this email, we can see that the user baksteen said he would read the message later, which suggests the temporary password is still the one for that account. Now let's log in over SSH with the username `baksteen` and the password we just found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAq58lJ1IzJeM73sFU%2Fimage.png?alt=media\&token=00440fdb-1c57-4f64-bd10-f400d6d4967f)

```
ssh baksteen@10.10.255.37
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAqKDdXe5QH14ZqkFf%2Fimage.png?alt=media\&token=b2fc8bae-cfc7-4e90-bfa6-2f431658c2a8)

And we are logged in.

## Privilege Escalation

Let's look at the files in the current directory and also check which groups this user is part of.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAuQLJqqngMiapgarp%2Fimage.png?alt=media\&token=09293d8e-eba8-4ef3-919d-483efcca80cd)

Now let's look for files that this group can run.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAumVCMOWxc3XQLV6Q%2Fimage.png?alt=media\&token=6e01c90e-6254-45c2-969d-a9999f63eb0a)

The `/opt/cube/cube.sh` file looks interesting; let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAux7OiiuiEIiCIHno%2Fimage.png?alt=media\&token=53cfbc0d-9325-480a-99d7-e7ed74ac60f8)

We can see that this file is run whenever a user logs into the machine, so let's edit it to add a reverse shell, then log in again so the file executes and gives us a shell.

After adding the reverse shell to the file with nano, let's start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAwTD15pTeOc9C46l3%2Fimage.png?alt=media\&token=1a4ea53e-4427-4731-90db-384f683547c0)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAvefSXLIKsMzXRCjE%2Fimage.png?alt=media\&token=43bb8c9b-6eed-41e4-9d31-ed2587c1ae8f)

Now, once we log in over SSH again, we get a reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAwdxks4TAQnD_x3vs%2Fimage.png?alt=media\&token=fea0aff8-a017-4cca-92e5-586b62e7577c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McApse0PjghqqSxfPQp%2F-McAwhXDV7RSAOggcIqk%2Fimage.png?alt=media\&token=a96ecec5-5dc5-42d1-a0a8-e00549ef3b28)

We are root.
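The root cause of this escalation is a script that runs at every login but can be modified by a non-root group. As an added example (not part of the original writeup), here is a small POSIX shell audit that reports any login-time script whose group or "other" write bit is set. It checks the writeup's `/opt/cube/cube.sh` plus a few locations that are commonly sourced or executed at login (`/etc/profile`, `/etc/profile.d/*`, `/etc/update-motd.d/*`); that path list and the function names are my own assumptions, and the writeup does not say which login hook calls cube.sh. On a real system the fix is to make such scripts owned by root and writable only by root.

```shell
#!/bin/sh
# Added example: flag login-time scripts that users other than the owner
# can modify. A script that runs at login and is group- or world-writable
# lets anyone in that group run code as whoever logs in next (root included).

# Returns 0 if only the owner can write to the file, 1 if the group or
# "other" write bit is set, 2 if the path does not exist.
login_script_is_safe() {
    f="$1"
    [ -e "$f" ] || return 2
    # First 10 characters of `ls -l` output, e.g. -rwxrwxr-x (symlinks followed).
    perm=$(ls -ldL "$f" | cut -c1-10)
    case "$perm" in
        ?????w????) return 1 ;;   # group write bit (6th character)
        ????????w?) return 1 ;;   # other write bit (9th character)
    esac
    return 0
}

# Paths checked: the script from the writeup plus locations commonly
# sourced or executed at login (assumed list; adjust for your system).
audit_login_scripts() {
    for f in /opt/cube/cube.sh /etc/profile /etc/profile.d/* /etc/update-motd.d/*; do
        [ -e "$f" ] || continue   # unmatched globs stay literal; skip them
        if login_script_is_safe "$f"; then
            printf 'ok        %s\n' "$f"
        else
            printf 'WRITABLE  %s  %s\n' "$f" "$(ls -ldL "$f" | cut -c1-10)"
        fi
    done
}

audit_login_scripts
```

Any line reported as `WRITABLE` is a file that a non-owner can edit; on this box `/opt/cube/cube.sh` would show up that way, which is exactly the condition the escalation above relies on.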
