Fowsniff CTF

Last updated 3 years ago

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.255.37

Detailed nmap scan:

Command Breakdown:

  • (-sV): service version detection

  • (-sC): default nmap scripts

  • (-p): only scan ports 22,80,110,143

  • (-oN nmap): save the output to a file called nmap

nmap -sV -sC -p 22,80,110,143 -oN nmap 10.10.255.37

Enumeration

Let's visit the website.

Reading this, let's look at their Twitter page.

Looks like a bunch of passwords have been dumped. Let's go see them.

Let's save these in a file called credentials.txt.

The hashes are MD5, so cracking them gives the passwords. To extract only the hashes into a file, let's use this command:

sed -n 's/.*://p' credentials.txt > passwords.txt

Let's also put all the usernames in a file called users.txt.

Now let's crack the passwords.

We found most of them; let's put these in the password list. Let's remove the 6th password and the 6th user from the user list.

Now, before we start brute-forcing, let's look at the robots.txt page the nmap scan told us about.

Exploitation

Looks like there is nothing there. Let's now brute-force POP3 running on port 110.

hydra -L users.txt -P passwords.txt pop3://10.10.255.37

Looks like we found a username and password; now let's log in using netcat.

Let's list the files and read them.

It's an email; reading through it, we have the temporary password for SSH. Now let's look at the second file.

Reading through this email, we can see that the user baksteen said that he will read the message later, indicating that the temporary password should still be the one for their account. Now let's log in through SSH with the username baksteen and the password we just found.

ssh baksteen@10.10.255.37

And we are logged in.

Privilege Escalation

Let's look at the files in the current directory and also check which groups this user is part of.

Now let's look for files that this group can run.

The /opt/cube/cube.sh file looks interesting; let's read it.

We can see that this file is run whenever a user logs into the machine, so let's edit it to add a reverse shell, then log in to the machine again so the file runs and gives us a shell.

After adding the reverse shell to the file using nano, let's start a netcat listener.

Now, once we log in to SSH again, we get a reverse shell.

We are root.
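The root cause of this privilege escalation is a script that runs at every login but can be edited by an ordinary group member. The following hardening check is an added example, not part of the original writeup: it lists login-hook scripts that are group- or world-writable. The path list (including /opt/cube/cube.sh from this box) is an assumption to be adapted to the host being audited.

```shell
#!/bin/sh
# Added hardening check, not part of the original writeup: find scripts that
# execute at login but are writable by their group or by everyone. That is the
# misconfiguration exploited above, where /opt/cube/cube.sh (run on every
# login) could be edited by an unprivileged group member.
# The path list is an assumption; extend it with whatever your hosts source at login.

LOGIN_HOOKS="/etc/profile /etc/profile.d /etc/bash.bashrc /etc/update-motd.d /opt/cube/cube.sh"

# Prints mode, owner:group and path of every file under the given paths that is
# writable by group or others. Returns 0 when nothing is flagged, 1 otherwise.
audit_login_hooks() {
    hits=$(
        for hook in "$@"; do
            if [ -e "$hook" ]; then
                # -perm -g+w / -perm -o+w: group- or world-writable regular files
                find "$hook" -type f \( -perm -g+w -o -perm -o+w \) -exec ls -l {} \;
            fi
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone run: audit the default hook list on this host.
if audit_login_hooks $LOGIN_HOOKS; then
    echo "no group- or world-writable login hooks found"
else
    echo "review the files above: any member of the owning group controls what every login executes"
fi
```

The fix for a flagged file is to make it root-owned with mode 755 (or 644 if it is only sourced), and to keep user-editable scripts out of the login path entirely.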