Fowsniff: 1 Vulnhub Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as Fowsniff. The credit for making this vm machine goes to “berzerk0” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Flags: There is one flag (flag.txt).

Table of contents:

  • Port scanning and IP discovery.
  • Hitting on port 80
  • Finding hashes on Pastebin
  • Decoding hashes
  • Brute force pop3 login
  • Connecting to pop3
  • Finding SSH username and password
  • Finding privilege escalation vectors
  • Exploiting Misconfiguration in system
  • Getting root access.
  • Reading the flags.

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.29

Our next step is to scan our target with nmap.

The NMAP output shows us that there are 4 ports open: 22(SSH), 80(HTTP), 110(POP3), 143(IMAP)

We find that port 80 is running http, so we open the IP in our browser.

We don’t find anything on webpage. Dirb scan and nikto also didn’t reveal anything, so we googled “fowsniff corp” and found a pastebin link that contained username and passwords. (You can find the link here)

We cracked the hashes use this site and find passwords to the respective email addresses. But only 8 hashes were cracked and there are 9 usernames.

So we create two wordlists one for username and one for passwords, we will use this to brute force pop3 login.

We use Metasploit-framework to brute force pop3 login. After running the brute forcing pop3 login we find the correct credentials to be “seina:scoobydoo2”.

 

We connect to pop3 service on the target server and login using the credentials we retrieved. After logging in we list the messages and find there are 2 messages.

We retrieved the 1st message and find that it contains the password to connect through SSH.