I've been playing around with VirtualBox, which has enabled me to load up servers that I was previously unable to get working in my 'go-to' hypervisor.  With a variety of servers to practice on, with varying degrees of difficulty, this has been beneficial if for no other reason than that it allows me to take 30-60 minutes, focus on an easier box, write it up, and then move on about my day.

In that amount of time, I can stay focused, with few interruptions, and follow the thread wherever it leads me.  I often find that harder boxes, requiring more time, seem much harder than they really are only because I lose my concentration, lose my place, and sometimes there are large gaps in time between where I left off and where I begin again.  So much so that I often scrap all of my notes and start from the beginning.

Bottom-line -- the more variety we get, the more well-rounded we'll become.

Enough said, let's talk about Fowsniff.  I wouldn't call this box hard; it was different, very clever, and it should end up on one of those 'must do' OSCP box lists.  What I really like is that we're given a clue, we're then required to use that clue to get the next clue, and then the next.

We kick off with an Nmap scan:

We take a look at the web port:

Firing up Nikto:

Not really finding anything, I turn to GoBuster:

After poking around, looking for that first foothold, even going so far as to start digging through JavaScript and examining exif data, I step back and think about the description.  It states:  "beginner level".  At that point, I circle back because I realize I'm missing something.

Back to the first page:

I don't know how many times I've said this before, but READ EVERYTHING.  It was right there the whole time and I let it slip by without giving it much thought.  Heading over to Twitter:

And that leads us to Pastebin:

Which is actually kind of amusing, because when I saw the Twitter hint, I was just thinking how fun it would be to create a server and do a fake Pastebin dump.  Turns out -- the author is one step ahead of me.

By now, I'm totally loving this exercise.

We check out what's been dumped:

MD5 hashes to crack and another hint:

Firing up Hashcat:

Lots of passwords, too many.  Let's take this over to Metasploit:

Slowly making its way through:

And we have a hit!

You could fire up a mail client; I'm going old school with Telnet:

And we get our next hint, an SSH password.

Retrieving the second message:
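The Telnet session above is just a POP3 conversation typed by hand.  As an added example (not code from the original post or the Fowsniff box), here is that USER/PASS/STAT/RETR exchange run against a canned in-memory server, with constructed credentials and mailbox contents, showing the +OK/-ERR status check on every reply and the dot-stuffed multi-line body that a client has to unstuff (RFC 1939).

```python
import io
# Added example, not code from the original post; credentials and mailbox are constructed.
USER, PASSWORD = "alice", "correct-horse"
MAILBOX = {  # message 1 carries a line starting with '.', which POP3 must byte-stuff
    1: "From: sysadmin\r\nSubject: welcome\r\n\r\nSSH password: PLACEHOLDER\r\n..not a terminator\r\n",
    2: "From: sysadmin\r\nSubject: reminder\r\n\r\nEveryone, change your password.\r\n",
}

def canned_server(state, cmd):  # scripted server: raw wire response for one command
    verb, _, arg = cmd.partition(" ")
    if verb == "USER":
        state["user"] = arg
        return "+OK\r\n"
    if verb == "PASS":
        ok = state.get("user") == USER and arg == PASSWORD
        return "+OK Logged in.\r\n" if ok else "-ERR [AUTH] Authentication failed.\r\n"
    if verb == "STAT":
        return f"+OK {len(MAILBOX)} {sum(len(m) for m in MAILBOX.values())}\r\n"
    if verb == "RETR" and arg.isdigit() and int(arg) in MAILBOX:
        body = MAILBOX[int(arg)]  # RFC 1939 section 3: prefix '.' lines with another '.'
        stuffed = "\r\n".join("." + ln if ln.startswith(".") else ln for ln in body.split("\r\n"))
        return f"+OK {len(body)} octets\r\n{stuffed}.\r\n"
    return "-ERR unknown command\r\n"

def read_multiline(reader):  # body ends at a lone '.'; a leading '..' is unstuffed to '.'
    lines = []
    while True:
        line = reader.readline()
        if not line:  # EOF before the terminator means a truncated response
            raise RuntimeError("connection closed before terminator")
        line = line.rstrip("\r\n")
        if line == ".":
            return "\r\n".join(lines)
        lines.append(line[1:] if line.startswith("..") else line)

def fetch_all(user, password):  # USER/PASS/STAT/RETR; returns {n: body}, or None if login fails
    state = {}
    def ask(cmd):  # send one command; return (ok, status line, reader for the rest)
        reader = io.StringIO(canned_server(state, cmd))
        line = reader.readline().rstrip("\r\n")
        return line.startswith("+OK"), line, reader
    for cmd in (f"USER {user}", f"PASS {password}"):
        if not ask(cmd)[0]:
            return None
    count = int(ask("STAT")[1].split()[1])  # STAT reply: "+OK <count> <octets>"
    return {n: read_multiline(ask(f"RETR {n}")[2]) for n in range(1, count + 1)}
```

Against a real server the same logic runs over a socket instead of `io.StringIO`, and the byte-stuffing step is the one that hand-rolled clients most often get wrong.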

I don't know which users have changed their password, so I'll put the users in one file and the password in another:

We'll let Metasploit do the heavy lifting again:

What's interesting is that Metasploit spawned a session.  I didn't know it would do that with this module.  Personally, I want to SSH in directly just in case the session is semi-wonky.

We SSH into the box:

Let's see what we're dealing with:

I literally just talked about this exploit yesterday:

Download, chmod, execute:

Loved this box.  So clever and what a great tool for teaching.  Huge props to the author(s)!

© 2020