TryHackMe WriteUp H4CKED

PwnLab.Me

Written by Çağrı Ali Ceylan.

Hello everyone, in this article we will be solving the h4cked room on the TryHackMe platform. This room is designed for beginners with basic knowledge of Wireshark, privilege escalation and shells.

Find out what happened by analysing a .pcap file and hack your way back into the machine.



The machine consists of two tasks. In the first task, it gives us a pcap file: a capture of the traffic between the attacker and the server while the system was being attacked. We will analyze how the attacker got into the system and what he did once inside.

Task 1: Oh no! We’ve been hacked!




We download the pcap file and open it with wireshark.

1. The attacker is trying to log into a specific service. What service is this?



Wireshark shows multiple connection attempts to port 21. Port 21 is FTP's port number.

Answer: FTP

2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

When we do a Google search on “Van Hauser brute force”, we find the answer.



Answer: hydra



3. The attacker is trying to log on with a specific username. What is the username?

We select any packet of a TCP connection, right-click it and click Follow->TCP Stream. This shows us the packets of that TCP connection reassembled as a stream. The attacker tried to log in with the username jenny many times.



Answer: jenny



4. What is the user’s password?

Once the attacker logs in successfully, we can recover the password he entered from the packets exchanged in both directions. If a command is accepted and processed successfully, the server returns a 200 response code. So we detect the successful login by filtering the packets in Wireshark:

ftp.response.code == 200



We select any of the packets found by the filter, right-click it and click Follow->TCP Stream.



Answer: password123

5. What is the current FTP working directory after the attacker logged in?

The attacker ran the "pwd" command. The pwd command prints the directory we are currently working in.

Answer: /var/www/html



6. The attacker uploaded a backdoor. What is the backdoor's filename?

We see that, after establishing the FTP connection, the attacker uploads a reverse shell file named "shell.php" to the system.

Answer: shell.php

7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

By applying the ftp-data filter, we access the data uploaded into the system. The STOR command is used when uploading files to the system after the data connection has been successfully established. We see that the attacker uploads a shell.php file to the system with the STOR command.



Right click and click Follow->TCP Stream. We see the contents of the file and the answer to the question.



Answer: http://pentestmonkey.net/tools/php-reverse-shell
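As an added example (not code from the original write-up), the analysis that questions 3 to 7 walk through by hand, repeated failed logins, the login that succeeded, the working directory and the STOR upload, done programmatically over a reconstructed FTP control stream. SAMPLE_STREAM is constructed to mirror the session above in the shape Wireshark's Follow->TCP Stream shows it.

```python
# Added example (not from the original write-up): detection logic over a
# reconstructed FTP control stream, in the shape Wireshark's Follow -> TCP Stream
# shows. SAMPLE_STREAM is constructed to mirror the session analysed above.
import re
from collections import Counter

SAMPLE_STREAM = """USER jenny
PASS 123456
530 Login incorrect.
USER jenny
PASS letmein
530 Login incorrect.
USER jenny
PASS password123
230 Login successful.
PWD
257 "/var/www/html" is the current directory
STOR shell.php
226 Transfer complete.
"""

def analyse_ftp_stream(stream, fail_threshold=2):
    """Flag brute-force attempts (>= fail_threshold 530 replies for one user),
    record which login succeeded (230), the working directory (257) and every
    file pushed with STOR."""
    findings = {"failed": Counter(), "compromised": [], "cwd": None, "uploads": []}
    user = password = None
    for line in stream.splitlines():
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg                 # judged by the server's next reply
        elif verb == "530":                # login failed
            findings["failed"][user] += 1
        elif verb == "230":                # login succeeded
            findings["compromised"].append((user, password))
        elif verb == "257":                # reply to PWD carries the directory
            m = re.search(r'"([^"]+)"', arg)
            findings["cwd"] = m.group(1) if m else None
        elif verb.upper() == "STOR":       # client uploaded a file
            findings["uploads"].append(arg)
    findings["brute_forced"] = sorted(
        u for u, n in findings["failed"].items() if n >= fail_threshold)
    return findings

if __name__ == "__main__":
    print(analyse_ftp_stream(SAMPLE_STREAM))
```

Feeding it the text saved from Follow->TCP Stream gives the same facts the screenshots show, and the fail_threshold lets a defender tune when repeated 530 replies count as a brute-force attempt.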

8. Which command did the attacker manually execute after getting a reverse shell?

When we examine the shell.php file, we can see the IP address and port number the reverse shell connects back to.





By filtering in Wireshark on the IP address and port we obtained from the shell.php file, we can find what we are looking for more easily:

ip.dst_host == 192.168.0.147 && tcp.dstport == 80



Right-click and click Follow->TCP Stream.



Answer: whoami

9. What is the computer’s hostname?

The hostname appears in the shell prompt of the same TCP stream.


Answer: wir3

10. Which command did the attacker execute to spawn a new TTY shell?

We see that the attacker runs the command python3 -c 'import pty; pty.spawn("/bin/bash")', which spawns a new TTY shell.



Answer: $ python3 -c 'import pty; pty.spawn("/bin/bash")'

11. Which command was executed to gain a root shell?



Answer: sudo su

12. The attacker downloaded something from GitHub. What is the name of the GitHub project?



Answer: Reptile

13. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

A rootkit is a type of malicious software that lets an attacker hide a backdoor on the system and keep remote, full control over it. The Reptile project is a rootkit developed for exactly this.

Answer: rootkit

Task 2: Hack your way back into the machine


In the second task, we are asked to read the flag.txt file and find the flag. Hints are given that the attacker changed the user's password, that the flag is in the /root/Reptile directory and that we can use the pcap file when necessary.

Now we start the machine and run an nmap scan. The Nmap scan shows that ports 21 (FTP) and 80 (HTTP) are open.



We have the hint that the password was changed. Let's run the Hydra tool against the FTP service and recover the new password.



We find the username "jenny" and the password "987654321". We connect to the FTP service with the credentials we obtained and download the attacker's shell.php file.



We open the downloaded shell.php file with the nano editor and replace the IP address with the VPN IP that the TryHackMe platform gives us, and the port with the one we will listen on.



We upload the modified shell.php file back to the FTP service.



nc -lvp 666 -> We start Netcat listening on the port we entered in the file.

10.10.6.158/shell.php -> We run the shell.php file on the web server by typing the target machine's IP and the file name into the browser's URL bar. We get a reverse shell.



We follow the same steps the attacker used. After getting in, the attacker had upgraded the shell to a TTY. We do the same with the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then we switch to the user jenny with the username and password we found, and after that we get root authority on the system with the sudo su command.





See you in our next article.