Fowsniff CTF

Reconnaissance

Initial nmap scan to find open ports, using -Pn ("treat all hosts as online") to skip host discovery, since the target may not answer ping:

nmap -Pn 10.10.255.37

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service and version detection

  • (-sC): Run the default set of nmap scripts

  • (-p): Scan only ports 22, 80, 110 and 143 (the ones the first scan found open)

  • (-oN nmap): Save normal-format output to a file called nmap

nmap -sV -sC -p 22,80,110,143 -oN nmap 10.10.255.37

Enumeration

Let's visit the website.

Reading the site, it points to the company's Twitter page; let's look there.

The Twitter feed says that a batch of credentials has been dumped. Let's go look at the dump.

Lets save these in a file called credentials.txt

The hashes are MD5 (32 hex characters each). MD5 is a one-way hash, so the passwords cannot be decoded from it, but unsalted MD5 of weak passwords cracks quickly against a wordlist. To pull only the hashes out of the file into their own list:

sed -n 's/.*://p' credentials.txt > passwords.txt

Let's also put all the usernames in a file called users.txt, in the same order.

Now let's crack the hashes.

We recovered most of them; put the plaintexts into the password list in the same order as the users. One hash did not crack, so remove that entry (the 6th line) from both passwords.txt and users.txt so the two lists stay aligned.
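The steps above (split the dump, crack the MD5 hashes, drop the uncracked entry from both lists) as one script. This is an added example, not part of the original write-up: the dump, the wordlist, the example.com usernames and the output directory are all constructed here, and the cracking is a plain md5sum loop standing in for whatever cracker or lookup site was used.

```shell
#!/bin/sh
# Added example (not from the original write-up): rebuild aligned user and
# password lists from a "user:md5hash" dump. Each hash is tried against a
# small wordlist with md5sum; entries that do not crack are dropped from
# BOTH lists so line N of users.txt still pairs with line N of passwords.txt.
# The dump and the wordlist below are constructed sample data.

command -v md5sum >/dev/null 2>&1 || { echo "md5sum is required" >&2; exit 1; }

DUMP_FILE=$(mktemp)
WORDLIST=$(mktemp)
OUT_DIR=$(mktemp -d)

# Constructed dump in the same "email:hash" shape as the leaked credentials.
cat > "$DUMP_FILE" <<'EOF'
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.com:e10adc3949ba59abbe56e057f20f883e
carol@example.com:ffffffffffffffffffffffffffffffff
EOF

# Constructed wordlist standing in for rockyou.txt or similar.
printf '%s\n' letmein password 123456 > "$WORDLIST"

# md5_word WORD: hex MD5 of WORD (printf, not echo, so no newline is hashed).
md5_word() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f1
}

# crack_dump DUMP WORDLIST: print "user:plaintext" for every entry whose
# hash matches a wordlist entry; report uncracked entries on stderr.
crack_dump() {
    dump=$1
    wordlist=$2
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        # A raw MD5 digest is exactly 32 hex characters; anything else is
        # not raw MD5 (e.g. a salted format) and needs a different approach.
        if [ "${#hash}" -ne 32 ]; then
            printf 'not a raw md5 hash, skipping: %s\n' "$user" >&2
            continue
        fi
        found=""
        while IFS= read -r word; do
            if [ "$(md5_word "$word")" = "$hash" ]; then
                found=$word
                break
            fi
        done < "$wordlist"
        if [ -n "$found" ]; then
            printf '%s:%s\n' "$user" "$found"
        else
            printf 'uncracked, dropping: %s\n' "$user" >&2
        fi
    done < "$dump"
}

# split_lists CRACKED OUTDIR: write users.txt and passwords.txt side by side.
# The password side uses s/^[^:]*:// rather than s/.*:// so that a password
# which itself contains a colon is kept whole.
split_lists() {
    cut -d: -f1 "$1" > "$2/users.txt"
    sed 's/^[^:]*://' "$1" > "$2/passwords.txt"
}

crack_dump "$DUMP_FILE" "$WORDLIST" > "$OUT_DIR/cracked.txt"
split_lists "$OUT_DIR/cracked.txt" "$OUT_DIR"
# Show the aligned pairs; these two files are what hydra -L/-P consume.
paste -d ' ' "$OUT_DIR/users.txt" "$OUT_DIR/passwords.txt"
```

Dropping an uncracked entry from both files at once is the point: hydra with -L and -P tries every user against every password, so a stray uncracked line does not break the attack, but it does waste attempts, and keeping the files aligned lets you spot which plaintext belonged to which account when one pair hits.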

Before we start brute-forcing, let's look at the robots.txt page that the nmap scan reported.

Exploitation

robots.txt has nothing useful. Let's brute-force the POP3 service on port 110 with the two lists.

hydra -L users.txt -P passwords.txt pop3://10.10.255.37

Hydra finds one valid username and password. Let's log in to the POP3 service with netcat: after the server's greeting, send USER with the name, then PASS with the password.

Then LIST shows the messages in the mailbox, and RETR followed by a message number prints each one.

The first message is an email containing a temporary SSH password. Now let's read the second message.

In it the user baksteen says he will read the message later, which suggests he has not yet changed the temporary password, so it should still be valid for his account. Let's log in over SSH as baksteen with that password.

ssh baksteen@10.10.255.37

And we are logged in.

Privilege Escalation

Let's look at the files in the current directory and also check which groups this user belongs to.

Now let's look for files owned by that group, and in particular ones the group can write to.

The /opt/cube/cube.sh file looks interesting; let's read it.

This script is run whenever a user logs into the machine (it is hooked into the login process and runs with root privileges), and our group can write to it. So let's add a reverse shell to it and then log in again, so that the login hook runs the modified script and hands us a shell.

After adding the reverse shell to the file with nano, start a netcat listener on the attacking machine.

Now, as soon as we log in over SSH again, the hook runs and the listener receives a reverse shell.

We are root.
