Fowsniff CTF

Pavithra Santhosh
Jun 18, 2021


URL: https://tryhackme.com/room/ctf

Introduction

Hi Hackers,

In this article, we work through a boot2root challenge box. It is aimed at beginners.

Task 1: Hack into the FowSniff organisation.

  1. Deploy the machine. On the top right of this you will see a Deploy button. Click on this to deploy the machine into the cloud. Wait a minute for it to become live.
  2. Using nmap, scan this machine. What ports are open?

We start with enumeration: a SYN scan (-sS) with service version detection (-sV) and OS detection (-O) to check for open ports.

#nmap -sS -sV -O 10.10.134.90

[Screenshot: nmap scan]

3. Using the information from the open ports. Look around. What can you find?

Since port 80 is open, we check the web server.

[Screenshot: web server]

4. Using Google, can you find any public information about them?

I got this information about Fowsniff Corp after searching on Google.

In the comment section, I got the pastebin.

5. Can you decode these md5 hashes? You can even use sites like hashkiller to decode them.

6. Using the usernames and passwords you captured, can you use metasploit to brute force the pop3 login?

We will crack the MD5 hashes.

From the results, we learned that there is no password for the user stone.

[Screenshot: pastebin]

7. What was seina’s password to the email service?

Instead of brute forcing, we simply cracked the MD5 hash of the seina user to get the password.

[Screenshot: pastebin]
[Screenshot: password of seina]
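
The hashes in this step fall quickly because they are unsalted MD5: identical passwords give identical digests, and any digest of a common password can be found by lookup. As an added example (not part of the original write-up), this Python code audits a credential store for such entries and shows a salted PBKDF2 replacement; the users, passwords, wordlist, function names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed sample data: users, passwords and wordlist are invented here.
WORDLIST = ["letmein", "password1", "qwerty123", "summer2021"]
LEGACY_STORE = {  # user -> unsalted MD5 hex digest (the weak storage format)
    "alice": hashlib.md5(b"qwerty123").hexdigest(),
    "bob": hashlib.md5(b"qwerty123").hexdigest(),
    "carol": hashlib.md5(b"k7#Vq9!zL2pX-unlisted").hexdigest(),
}
MD5_HEX = re.compile(r"[0-9a-f]{32}")
PBKDF2_ROUNDS = 600_000  # assumption: tune to your hardware and policy


def audit_unsalted_md5(store, wordlist):
    """Return {user: password} for entries recoverable by plain lookup."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[digest] for user, digest in store.items()
            if MD5_HEX.fullmatch(digest) and digest in table}


def shared_digests(store):
    """Users whose digests collide, which unsalted hashing always leaks."""
    seen = {}
    for user, digest in store.items():
        seen.setdefault(digest, []).append(user)
    return sorted(users for users in seen.values() if len(users) > 1)


def hash_password(password, salt=None):
    """Hardened form: per-user random salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison against the stored salted digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    print("recoverable:", audit_unsalted_md5(LEGACY_STORE, WORDLIST))
    print("shared digests:", shared_digests(LEGACY_STORE))
    salt, digest = hash_password("qwerty123")
    print("salted verify:", verify_password("qwerty123", salt, digest))
```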

8. Can you connect to the pop3 service with her credentials? What email information can you gather?

We can log in to the POP3 server with seina's credentials using telnet or netcat.

Here, we are using netcat:

#nc 10.10.134.90 110

[Screenshot: nc]

We got 2 messages. We will retrieve them.

#retr 1

While retrieving the first message, we got the temporary password.

[Screenshot: retr 1]

While retrieving the second message, we got the user name “baksteen”.

#retr 2

[Screenshot: retr 2]

9. In the email, who sent it? Using the password from the previous question and the sender's username, connect to the machine using SSH.

We will log in over SSH with the credentials we observed to get the user flag.

10. Once connected, what groups does this user belong to? Are there any interesting files that can be run by that group?

11. Now you have found a file that can be edited by the group, can you edit it to include a reverse shell?

Instead of using a reverse shell, I downloaded an exploit; we will try to get a root shell using the exploit.

Once we have a user shell, we find the host name and kernel version of the machine:

#uname -a

Here, we got Linux 4.4.0-116-generic.

We will search the internet for information about this kernel version.

We found an exploit and will download it.

[Screenshot: exploit]

The downloaded exploit is C source (.c), so we compile it with gcc.

[Screenshot: compiling with gcc]

We will transfer the compiled exploit from Kali to the user shell.

Start a Python server in the directory containing the compiled exploit.

[Screenshot: python]

Then, in the user shell, fetch the exploit.

Once we have the exploit file, give it full permissions and execute it.

We got a root shell.

[Screenshot: root shell]

Change directory and cat the root flag.

Hope you enjoyed this blog. Happy Learning!!!


Written by Pavithra Santhosh

This is Pavithra Santhosh, an aspiring cyber security professional, currently part of the Red Team certification programme from Hacker U.
