TryHackMe: Fowsniff CTF Walkthrough

Introduction

Hello fellow hackers! Today we are going to take on another boot2root challenge known as Fowsniff. The credit for making this VM goes to “ben”, and as with every boot2root challenge our goal is to get root access to complete it.

You can access this machine from this url: https://tryhackme.com/room/ctf

After hitting the deploy button we have our IP address (before starting, check whether the IP is live by pinging it).

#Enum/Recon

Let’s start off by scanning our target IP address with nmap.

Command used: nmap -A -p- -T4 <machine IP>

The nmap output shows us that there are 4 ports open: 22 (SSH), 80 (HTTP), 110 (POP3), 143 (IMAP).

We find that port 80 is running HTTP, so we open the IP in our browser.

I didn’t find anything on the webpage. Dirb scan also didn’t reveal anything.


So I googled “fowsniff corp” and found a Pastebin link that contained usernames and (hashed) passwords.

I cracked the hashes with an online hash cracker to recover the passwords for the respective email addresses, but only 8 of the hashes were cracked and there are 9 usernames.

We connect to the POP3 service on the target server and log in using the credentials we retrieved. After logging in we list the messages and find that there are 2 of them.

I retrieved the first message and found that it contains the password to connect through SSH.

Command used: retr 1

I retrieved the second message, which hints that the username to use is baksteen.

Command used: retr 2

I use the credentials “baksteen:S1ck3nBluff+secureshell” to log in through SSH.

After getting the shell, I saw that I had logged in as a normal user. To get the root flag, we must be the root user on this machine. Let’s not wait any longer.
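The foothold above is a classic chain: a password read from a mailbox over POP3 is reused minutes later for SSH. From the defender's side that chain leaves a recognisable pattern in the mail and auth logs, so here is an added example (not part of the original walkthrough) that correlates a POP3 login with a subsequent SSH login for the same user from the same source IP. The log lines, IPs and the second username are constructed for the example; the line formats are simplified imitations of Dovecot pop3-login and OpenSSH sshd messages, not exact copies.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the room). The layout loosely
# follows Dovecot "pop3-login: Login:" and OpenSSH "Accepted password" lines.
SAMPLE_LOG = """\
2024-01-10 09:00:01 pop3-login: Login: user=<baksteen>, rip=10.10.14.7
2024-01-10 09:00:09 pop3-login: Login: user=<baksteen>, rip=10.10.14.7
2024-01-10 09:03:30 sshd: Accepted password for baksteen from 10.10.14.7 port 51022 ssh2
2024-01-10 11:15:00 pop3-login: Login: user=<alice>, rip=192.168.1.20
2024-01-10 18:40:00 sshd: Accepted password for alice from 192.168.1.21 port 40001 ssh2
"""

POP3_RE = re.compile(r"^(\S+ \S+) pop3-login: Login: user=<([^>]+)>, rip=(\S+)")
SSH_RE = re.compile(r"^(\S+ \S+) sshd: Accepted \w+ for (\S+) from (\S+) port")


def parse_events(text):
    """Return (timestamp, service, user, source_ip) tuples for recognised lines."""
    events = []
    for line in text.splitlines():
        m = POP3_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), "pop3", m.group(2), m.group(3)))
            continue
        m = SSH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), "ssh", m.group(2), m.group(3)))
    return events


def correlate_pop3_then_ssh(events, window=timedelta(minutes=30)):
    """Flag SSH logins preceded within `window` by a POP3 login for the same user
    from the same source IP. Alice's logins come from different IPs and hours
    apart, so they are not flagged; baksteen's sequence is."""
    pop3 = [e for e in events if e[1] == "pop3"]
    alerts = []
    for ts, svc, user, ip in events:
        if svc != "ssh":
            continue
        for pts, _, puser, pip in pop3:
            if puser == user and pip == ip and timedelta(0) <= ts - pts <= window:
                alerts.append((user, ip, ts.isoformat()))
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate_pop3_then_ssh(parse_events(SAMPLE_LOG)):
        print("POP3-then-SSH login for %s from %s at %s" % alert)
```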

#Priv Esc

From our low-privileged user shell we can enumerate the system further. Our user does not have any sudo privileges and we cannot access any of the other users’ home directories.

During our earlier enumeration I found that the machine is running an old version of Ubuntu, so I searched exploit-db for an exploit matching it.

I downloaded the exploit and compiled it with gcc.

gcc -o 44290 44298.c

After the compilation completed on my machine, I downloaded the compiled exploit into the user shell on the target via SSH.

After the exploit is downloaded, I give it execute permissions.

As you can see from the above screenshot, we are now the root user. Just by changing into root’s directory, we get the flag.

Thanks for reading, and I hope you enjoyed it too. As I always mention in every blog of mine, suggestions are always welcome and I am open for discussion.

Happy Hacking….

Published by MANJUNATH NAYAKA

A Cyber Security Enthusiast who is passionate about and fond of learning new stuff in the Cyber Security world. I was working as a Network and Security Operations Engineer, but then I found my passion for Cyber Security. I'm a newbie in blogging as well ;)
