h4cked — TryHackMe

0xsanz
5 min read · Mar 13, 2021

Find out what happened by analyzing a .pcap file and hack your way back into the machine. This is a beginner-friendly room and can be found here:

https://tryhackme.com/room/h4cked

The attacker is trying to log into a specific service. What service is this?

Open Wireshark, filter for FTP traffic, and notice that the service the attacker is trying to log in to is FTP. Now do the following to get the username and password asked about in later questions: select the first FTP packet, right-click, then Follow -> TCP Stream.


There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

Hydra

The attacker is trying to log on with a specific username. What is the username?

Answered above

What is the user’s password?

Answered above

What is the current FTP working directory after the attacker logged in?

Clear the filter which was applied earlier and go to packet number 401, which is just after the successful FTP login. This packet shows the current FTP working directory.

The attacker uploaded a backdoor. What is the backdoor’s filename?

Check packet no. 425 in Capture.pcapng.

The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

A well-known PHP reverse shell from Pentest Monkey. Check packet no. 431.

Which command did the attacker manually execute after getting a reverse shell?

Select packet no. 452, right-click, then Follow -> TCP Stream. This reveals what the attacker was doing on the target after getting the shell.

The same stream also reveals the computer’s hostname, the command the attacker executed to spawn a new TTY shell, and the command executed to gain a root shell.
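The FTP questions above are all answered by reading the reassembled control stream (Follow -> TCP Stream, saved as text) by hand. As an added example that is not part of the original write-up, and which uses constructed placeholder credentials, paths and filenames rather than the room's values, this Python script automates that read: it counts rejected logins to flag brute forcing, records the USER/PASS pair that succeeded, extracts the working directory from the PWD reply and lists uploaded files.

```python
import re

# Constructed sample of a reassembled FTP control stream; the usernames, passwords, paths and filenames are placeholders, not values from the room.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER alice
PASS password1
530 Login incorrect.
USER alice
PASS letmein
530 Login incorrect.
USER alice
PASS qwerty
530 Login incorrect.
USER alice
PASS hunter2
230 Login successful.
PWD
257 "/var/www/html" is the current directory
STOR shell.php
150 Ok to send data.
226 Transfer complete.
"""

def analyze_ftp_stream(stream: str, fail_threshold: int = 3) -> dict:
    """Summarise an FTP control stream: failed/successful logins, PWD, uploads.
    The last USER/PASS pair is remembered so a 530 or 230 reply can be tied to
    the credentials that produced it; brute forcing is flagged at fail_threshold."""
    result = {"failed_logins": 0, "successful_login": None,
              "working_directory": None, "uploads": [], "brute_force": False}
    user = password = None
    for line in stream.splitlines():
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            password = arg
        elif verb == "530":          # login rejected
            result["failed_logins"] += 1
        elif verb == "230":          # login accepted with the last USER/PASS seen
            result["successful_login"] = (user, password)
        elif verb == "257":          # PWD reply: path is quoted, literal quotes doubled
            m = re.match(r'"((?:[^"]|"")*)"', arg)
            if m:
                result["working_directory"] = m.group(1).replace('""', '"')
        elif verb == "STOR":         # client upload -> candidate backdoor
            result["uploads"].append(arg)
    result["brute_force"] = result["failed_logins"] >= fail_threshold
    return result
```

Run it on the text you export from Wireshark's Follow -> TCP Stream window (client and server lines interleaved, as shown) and the summary gives the login attempts, working directory and uploaded filename in one pass.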
