I've been playing around with VirtualBox which has enabled me to load up servers that I was previously unable to get working in my 'go to' hypervisor.  With a variety of servers to practice on with varying degrees of difficulty, this has been beneficial if for no other reason than because it allows me to take 30-60 minutes, focus on an easier box, write it up, and then move on about my day.

In that amount of time, I can stay focused, with few interruptions, and follow the thread wherever it leads me.  I often find harder boxes, requiring more time, will seem much harder than reality only because I lose my concentration, lose my place, and sometimes there are large gaps in time between where I left off and where I begin again.  So much so that I often scrap all of my notes and start from the beginning.

Bottom-line -- the more variety we get, the more well-rounded we'll become. 

Enough said, let's talk about Fowsniff.  I wouldn't call this box hard, it was different, very clever, and this should end up on one of those 'must do' OSCP box lists.  What I really like is that we're given a clue, we're then required to use that clue to get the next clue, and then the next.

We kick off with an Nmap scan:





We take a look at the web port:




Firing up Nikto:




Not really finding anything, I turn to GoBuster:




After poking around, looking for that first foothold, even going so far as to start digging through JavaScript and examining exif data, I step back and I think about the description.  It states:  "beginner level".  At that point, I circle back because I realize I'm missing something. 

Back to the first page:




I don't know how many times I've said this before but READ EVERYTHING.  It was right there the whole time and I let it slip by without giving it much thought.  Heading over to Twitter:




And that leads us to Pastebin:




Which is actually kind of amusing because when I saw the Twitter hint, I was just thinking how fun it would be to create a server and do a fake Pastebin dump.  Turns out -- the author is one step ahead of me.

By now, I'm totally loving this exercise.  

We check out what's been dumped:




MD5 hashes to crack and another hint:




Firing up Hashcat:




Lots of passwords, too many.  Let's take this over to Metasploit:



Slowly making its way through:




And we have a hit!

You could fire up a mail client, I'm going old school with Telnet:




And we get our next hint, an SSH password. 

Retrieving the second message:




I don't know which user has changed their password or not so I'll take the users in one file and the password in another:




We'll let Metasploit do the heavy lifting again:




What's interesting is that Metasploit spawned a session.  I didn't know it would do that with this module.  Personally, I want to SSH in directly just in case the session is semi-wonky. 

We SSH into the box:




Let's see what we're dealing with:




I literally just talked about this exploit yesterday:




Download, chmod, execute:



Root!

Loved this box.  So clever and what a great tool for teaching.  Huge props to the author(s)!