Hello friends! Today we are going to take another boot2root challenge known as Fowsniff. The credit for making this vm machine goes to “berzerk0” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Flags: There is one flag (flag.txt).

Table of contents:

• Port scanning and IP discovery.
• Hitting on port 80
• Finding hashes on Pastebin
• Decoding hashes
• Brute force pop3 login
• Connecting to pop3
• Finding SSH username and password
• Finding privilege escalation vectors
• Exploiting Misconfiguration in system
• Getting root access.
• Reading the flags.

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.29

Our next step is to scan our target with nmap.

The NMAP output shows us that there are 4 ports open: 22(SSH), 80(HTTP), 110(POP3), 143(IMAP)

We find that port 80 is running http, so we open the IP in our browser.

We don’t find anything on webpage. Dirb scan and nikto also didn’t reveal anything, so we googled “fowsniff corp” and found a pastebin link that contained username and passwords. (You can find the link here)

We cracked the hashes use this site and find passwords to the respective email addresses. But only 8 hashes were cracked and there are 9 usernames.

So we create two wordlists one for username and one for passwords, we will use this to brute force pop3 login.

We use Metasploit-framework to brute force pop3 login. After running the brute forcing pop3 login we find the correct credentials to be “seina:scoobydoo2”.

 

We connect to pop3 service on the target server and login using the credentials we retrieved. After logging in we list the messages and find there are 2 messages.

We retrieved the 1^st message and find that it contains the password to connect through SSH.

We retrieved the second message and find a message that hints that use the username “baksteen”.

We use the credentials “baksteen:S1ck3nBluff+secureshell” to login through SSH.

After gaining access we enumerate the system, as user “baksteen” belongs to two different groups. We use try to find files that belong to “users” group and find a file called “cube.sh”.

We take a look at the content of the file and find it contains the message that comes once we login through SSH.

We open the file with vim, and add python reverse shell one liner in the file.

p

We try to run it and find it gives an error “python: command is not found”. We try to locate python and find it contains python3.

So we make changes to the exploit we change the python reverse shell one liner. We replace python with python3.

As when we login through SSH we get a banner similar to the one that “cube.sh” contains. So we check “/etc/update-motd.d/” directory to look for executables that might run this program and find that file “00-header” runs this shell script.

So now we exit the SSH and setup our listener using netcat, then we again connect through SSH. So that our reverse shell gets executed.

As soon as we successfully login, we get a reverse shell as root user on our netcat listener. We go to the root directory and find the file called “flag.txt”. We take a look at the content of the file and find the congratulatory message.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here