TryHackMe WriteUp H4CKED

PwnLab.Me

Written by Yusuf Bilal Batır.

[EN] H4CKED TryHackMe WriteUp


Hello everyone, in this article we’ll be going through the “h4cked” room on TryHackMe. This room is designed for people who already know the fundamentals of Wireshark, privilege escalation and shells.

“Find out what happened by analysing a .pcap file and hack your way back into the machine.”



The machine consists of two tasks. First we are given a pcap file: a traffic capture of an attack carried out against a server. We’ll analyse how the attacker got into the system and what he did once inside.

Task 1: Oh no! We’ve been hacked!




Download the pcap file and open it in Wireshark.

1. The attacker is trying to log into a specific service. What service is this?



Wireshark shows a large number of connection attempts to port 21, which is the FTP port.

Answer: FTP

2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?


We find the answer by Googling the query “Van Hauser brute force”.



Answer: hydra

3. The attacker is trying to log on with a specific username. What is the username?


We click on any TCP packet, right-click and choose Follow → TCP Stream. This shows us the packets of that TCP connection. Apparently the attacker tried to log in with the username “Jenny” more than once.



Answer: jenny

4. What is the user’s password?


We can recover the password the attacker successfully logged in with from the packets. When a command is accepted and processed successfully, the server returns reply code 200, so by filtering the packets in Wireshark we can spot the successful login.

ftp.response.code == 200



We click on one of the matching packets, right-click and choose Follow → TCP Stream.



Answer: password123

5. What is the current FTP working directory after the attacker logged in?


The attacker ran the “pwd” command, which prints the current working directory of a shell.



Answer: /var/www/html

6. The attacker uploaded a backdoor. What is the backdoor’s filename?


We see that after establishing the FTP connection the attacker uploads a reverse shell named “shell.php”.



Answer: shell.php

7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?


We find the data uploaded to the system by using the “ftp-data” filter. The STOR command is issued once the data connection has been established, to upload a file to the server. We see that the attacker uploaded the “shell.php” file with the STOR command.



We right-click and choose Follow → TCP Stream.



We can see the contents of the file and the answer.

Answer: http://pentestmonkey.net/tools/php-reverse-shell

8. Which command did the attacker manually execute after getting a reverse shell?


When we examine “shell.php” we obtain the IP address and port number the shell connects back to.



By filtering on the IP address and port number obtained from the “shell.php” file we can easily find what we are looking for.

ip.dst_host == 192.168.0.147 && tcp.dstport == 80



Follow → TCP Stream



Answer: whoami

9. What is the computer’s hostname?




Answer: wir3

10. Which command did the attacker execute to spawn a new TTY shell?


We see that the attacker spawns a new TTY shell with the python3 -c 'import pty; pty.spawn("/bin/bash")' command.



Answer: $ python3 -c 'import pty; pty.spawn("/bin/bash")'

11. Which command was executed to gain a root shell?




Answer: sudo su

12. The attacker downloaded something from GitHub. What is the name of the GitHub project?




Answer: Reptile

13. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?


A rootkit is a type of virus that gives attackers full remote control by creating a backdoor. The Reptile project is a rootkit developed for exactly that purpose.

Answer: rootkit
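As an added example (not part of the original write-up), here is a small Python analyser that takes an FTP control-channel transcript like the one Follow → TCP Stream shows and pulls out the indicators Task 1 walks through: the failed logins that betray a brute force, the credentials that finally succeeded, the working directory from PWD and the file pushed with STOR. The transcript is constructed to resemble the room’s traffic, not copied from the pcap.

```python
# Added example, not code from the write-up: analyse an FTP control-channel
# transcript of the kind "Follow TCP Stream" shows, to recover what Task 1
# asks for. The transcript below is constructed to resemble the capture.
import re

SAMPLE_STREAM = """\
USER jenny
PASS letmein
530 Login incorrect.
USER jenny
PASS 123456
530 Login incorrect.
USER jenny
PASS qwerty
530 Login incorrect.
USER jenny
PASS password123
230 Login successful.
PWD
257 "/var/www/html" is the current directory
STOR shell.php
226 Transfer complete.
"""

def analyse_ftp_stream(text):
    """Walk the transcript line by line and summarise the session."""
    summary = {"attempts": [], "failed": 0, "logged_in": None,
               "cwd": None, "uploads": []}
    user = password = None
    for line in text.splitlines():
        if line.startswith("USER "):
            user = line[5:].strip()
        elif line.startswith("PASS "):
            password = line[5:].strip()
            summary["attempts"].append((user, password))
        elif line.startswith("530"):        # 530: login failed
            summary["failed"] += 1
        elif line.startswith("230"):        # 230: user logged in
            summary["logged_in"] = (user, password)
        elif line.startswith("257"):        # 257: PWD reply quotes the path
            match = re.search(r'"([^"]*)"', line)
            summary["cwd"] = match.group(1) if match else None
        elif line.startswith("STOR "):      # file pushed to the server
            summary["uploads"].append(line[5:].strip())
    return summary

def is_brute_force(summary, threshold=3):
    """Flag a session with at least `threshold` failed PASS attempts."""
    return summary["failed"] >= threshold
```

On a real capture you would feed it the text saved from Follow → TCP Stream; hydra spreads attempts over many connections, so count failures across streams rather than per stream.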



Task 2: Hack your way back into the machine


In the second task we are asked to read the flag.txt file and find the flag. Some hints are given that we can take advantage of: the attacker changed the username and password, the flag is in the /root/Reptile directory, and the pcap file can be used if needed.

Now we run an nmap scan. The scan shows that port 21 (FTP) and port 80 (HTTP) are open.



We know from the hint that the password was changed. Let’s find the new password by running the Hydra tool against the FTP port.



We find that the username is jenny and the password is 987654321. With this information we connect to the FTP server and download the shell.php file that the attacker had uploaded.



We open shell.php in the nano editor and enter the IP address that the TryHackMe platform gives us and the port we are going to listen on.



We upload the modified PHP file over FTP.



nc -lvp 666 → We start Netcat listening on the port number that we wrote into the PHP file.

10.10.6.158/shell.php
We trigger the shell file by entering the target machine’s IP address and the file’s location in the URL. Then we receive the reverse shell.



We follow the steps the attacker took. The attacker upgraded his shell after getting into the system; we do the same with the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Afterwards we log in as a normal user with the jenny username and password. Then with the sudo su command we reach root privileges.



We know from the hint that the flag file is in the /root/Reptile directory. We obtain the flag by going to that directory!



See you in further articles 🙂
 