Written by Çağrı Ali Ceylan.
Hello everyone, in this article we will be solving the h4cked room on the TryHackMe platform. The room is designed for beginners with basic knowledge of Wireshark, privilege escalation and shells.
Find out what happened by analysing a .pcap file and hack your way back into the machine.
The room consists of two tasks. In the first task we are given a pcap file containing traffic captured on the server while it was being attacked. We will analyze how the attacker got into the system and what they did once inside.
Task 1: Oh no! We’ve been hacked!
We download the pcap file and open it in Wireshark.
1. The attacker is trying to log into a specific service. What service is this?
Wireshark shows multiple connection attempts to port 21, the well-known port for FTP.
Answer: FTP
2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
When we do a Google search on “Van Hauser brute force”, we find the answer.
Answer: hydra
3. The attacker is trying to log on with a specific username. What is the username?
We select any packet of the TCP connection, right-click it and choose Follow -> TCP Stream. This shows us every packet in that TCP connection. The attacker tried to log in with the username jenny many times.
Answer: jenny
4. What is the user’s password?
Once the attacker logs in successfully, we can read the password they entered from the client-to-server packets. If a command is accepted and processed successfully, the server returns a 200 response code, so we detect the successful login by filtering packets in Wireshark:
ftp.response.code == 200
We select any of the packets returned by the filter, right-click and choose Follow -> TCP Stream.
Answer: password123
5. What is the current FTP working directory after the attacker logged in?
The attacker ran the pwd command, which prints the current working directory.
Answer: /var/www/html
6. The attacker uploaded a backdoor. What is the backdoor’s filename?
We see that the attacker uploaded a reverse shell file named shell.php after establishing the FTP connection.
Answer: shell.php
7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
By applying the ftp-data filter, we reach the data the attacker uploaded to the system. The STOR command uploads a file once the data connection has been established; we see the attacker upload shell.php with it.
Right-click and choose Follow -> TCP Stream. The contents of the file give us the answer to the question.
Answer: http://pentestmonkey.net/tools/php-reverse-shell
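As an added illustration (not part of the original walkthrough), the following Python script reconstructs an FTP control-channel session from a constructed transcript and flags automatically what questions 1 to 7 find by hand: the burst of failed logins, the first successful login and its credentials, the working directory reported after PWD, and any file uploaded with STOR. FTP reports a completed login with response code 230 (RFC 959), so the script keys on that code rather than on 200.

```python
import re
from collections import Counter

# Constructed sample transcript (not the room's pcap). Each entry is
# (direction, line): "C" = client -> server, "S" = server -> client.
SAMPLE_STREAM = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "USER jenny"), ("C", "PASS 123456"), ("S", "530 Login incorrect."),
    ("C", "USER jenny"), ("C", "PASS letmein"), ("S", "530 Login incorrect."),
    ("C", "USER jenny"), ("C", "PASS qwerty"), ("S", "530 Login incorrect."),
    ("C", "USER jenny"), ("C", "PASS password123"), ("S", "230 Login successful."),
    ("C", "PWD"),
    ("S", '257 "/var/www/html" is the current directory'),
    ("C", "STOR shell.php"),
    ("S", "150 Ok to send data."),
    ("S", "226 Transfer complete."),
]


def analyse_ftp_session(stream, threshold=3):
    """Walk the control channel and summarise login attempts and uploads.

    A user with at least `threshold` failed PASS attempts is reported as
    a brute-force candidate (the hydra pattern seen in the room)."""
    summary = {"failed_logins": Counter(), "successful_login": None,
               "working_dir": None, "uploads": [], "brute_force": False}
    user = password = last_cmd = None
    for direction, line in stream:
        if direction == "C":
            parts = line.split(" ", 1)
            last_cmd = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else ""
            if last_cmd == "USER":
                user = arg
            elif last_cmd == "PASS":
                password = arg
            elif last_cmd == "STOR":        # file uploaded to the server
                summary["uploads"].append(arg)
            continue
        code = int(line[:3])                # server reply code
        if code == 530 and last_cmd == "PASS":
            summary["failed_logins"][user] += 1
        elif code == 230 and summary["successful_login"] is None:
            summary["successful_login"] = (user, password)
        elif code == 257:                   # reply to PWD: 257 "<path>" ...
            m = re.match(r'257 "([^"]*)"', line)
            if m:
                summary["working_dir"] = m.group(1)
    summary["brute_force"] = any(n >= threshold
                                 for n in summary["failed_logins"].values())
    return summary
```

In practice the transcript would come from the Follow -> TCP Stream output of the port 21 conversation, one line per message.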
8. Which command did the attacker manually execute after getting a reverse shell?
When we examine the shell.php file, we can see the IP address and port the shell connects back to.
Filtering on the IP address and port taken from shell.php in Wireshark makes the reverse shell traffic easy to find:
ip.dst_host == 192.168.0.147 && tcp.dstport == 80
Follow -> TCP Stream
Answer: whoami
9. What is the computer’s hostname?
Answer: wir3
10. Which command did the attacker execute to spawn a new TTY shell?
We see the attacker run python3 -c 'import pty; pty.spawn("/bin/bash")', which spawns a new TTY shell.
Answer: $ python3 -c 'import pty; pty.spawn("/bin/bash")'
11. Which command was executed to gain a root shell?
Answer: sudo su
12. The attacker downloaded something from GitHub. What is the name of the GitHub project?
Answer: Reptile
13. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
A rootkit is a type of malicious software that gives attackers a hidden backdoor with full remote control of the system. The Reptile project is a rootkit developed for exactly this purpose.
Answer: rootkit
Task 2: Hack your way back into the machine
In the second task, we are asked to read the flag.txt file and find the flag. The hints say that the attacker changed the user's password, that the flag is in the /root/Reptile directory and that we can use the pcap file when necessary.
Now we start the machine and run an nmap scan, which shows that ports 21 (FTP) and 80 (HTTP) are open.
We have the hint that the password was changed, so we run Hydra against the FTP service to recover the new password.
We find the username "jenny" and the password "987654321". We connect to the FTP service with these credentials and download the attacker's shell.php file.
We open the downloaded shell.php in the nano editor and set the IP address to our TryHackMe VPN address and the port to the one we will listen on.
We upload the modified shell.php back to the FTP service.
nc -lvp 666 -> We start Netcat listening on the port we entered.
10.10.6.158/shell.php -> We trigger shell.php on the web server by entering the target machine's IP in the URL, and we get a reverse shell.
We follow the same steps the attacker used. After getting in, the attacker upgraded the shell to a TTY; we do the same with the following command.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then we log in at user level with the jenny username and password, and obtain root on the system with the sudo su command.
See you in our next article.