Knock Knock || HackTheBox | Sherlocks Answers

Nihir Zala
2 min read, Dec 25, 2023


HackTheBox Knock Knock (Sherlock)

I have already solved this lab, and here I show how I solved it and which method I used.

Which ports did the attacker find open during their enumeration phase?

21,22,3306,******** (PCAP Analysis — Port Scan)

What’s the UTC time when the attacker started their attack against the server?

21/03/2023 ****** (PCAP Analysis — Port Scan)

What’s the MITRE Technique ID of the technique the attacker used to get initial access?

T1110.**** (FTP — Brute Force)

What is the valid set of credentials used to get the initial foothold?

tony.Shephard:****! (FTP — Brute Force)

What is the malicious IP address utilized by the attacker for initial access?

3.109.209.** (PCAP Analysis — Port Scan)

What is the name of the file which contained some config data and credentials?

.****p (FTP - Session)

On which port was the critical service running?

244** (FTP — Session)

What’s the name of technique used to get to that critical service?

Port ******* (FTP — Session)

Which ports did the attacker have to interact with to reach the critical service?

29999,45087,***** (FTP — Session)
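The port-scan questions at the top and the port-knocking questions just above both come down to reading SYN/SYN-ACK/RST behaviour out of the capture: a scan is one client sending bare SYNs to many ports, an open port is one that answers SYN/ACK, and a knock is a short, ordered run of SYNs to closed ports followed by a successful connection to the service they unlock. The script below is an added example (not code from this write-up or from HackTheBox) that builds a small constructed pcap with exactly that pattern and then analyses it with nothing but the Python standard library. The attacker and victim addresses, the knock sequence 1111, 2222, 3333, the critical port 4444 and the timestamps are hypothetical placeholders chosen for the example, not the redacted values from the challenge.

```python
"""Port-scan and port-knock detection over a pcap with only the standard library.
Constructed example, not code from the write-up or HackTheBox: every IP, port and
timestamp here is a hypothetical placeholder, not a redacted challenge value."""
import socket
import struct
from collections import defaultdict

ATTACKER = "203.0.113.10"            # hypothetical scanner/knocker (TEST-NET-3)
VICTIM = "198.51.100.20"             # hypothetical target (TEST-NET-2)
KNOCK_SEQUENCE = (1111, 2222, 3333)  # hypothetical knock ports, in order
CRITICAL_PORT = 4444                 # hypothetical service unlocked by the knock
SYN, RST, ACK = 0x02, 0x04, 0x10


def build_tcp(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 + TCP frame carrying the given flags; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp          # zero MACs, ethertype IPv4

def write_pcap(pkts):
    """Serialise [(timestamp, frame), ...] as a little-endian pcap, linktype Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in pkts:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def iter_pcap(data):
    """Yield (timestamp, frame) from classic pcap bytes, honouring the magic's byte order."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield sec + usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def parse_tcp(frame):
    """(src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                     # skip Ethernet + IP options
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            sport, dport, frame[tcp + 13])

def find_port_scan(packets, threshold=10):
    """(src, dst) pairs where one client sent bare SYNs to >= threshold distinct ports."""
    touched = defaultdict(set)
    for _, (src, dst, _, dport, flags) in packets:
        if flags & SYN and not flags & ACK:
            touched[(src, dst)].add(dport)
    return {k: sorted(v) for k, v in touched.items() if len(v) >= threshold}

def find_open_ports(packets, host):
    """Ports on host that answered a SYN with SYN/ACK, i.e. what the scanner saw as open."""
    return sorted({sport for _, (src, _, sport, _, flags) in packets
                   if src == host and flags & SYN and flags & ACK})

def find_knock(packets, seq, critical_port, window=10.0):
    """Client that SYN'd seq in order within window seconds and then got a SYN/ACK from
    critical_port. Returns (client, last_knock_ts, open_ts) or None."""
    progress, completed = {}, {}   # client -> (next index, attempt start); client -> final knock ts
    for ts, (src, dst, sport, dport, flags) in packets:
        if flags & SYN and not flags & ACK:
            idx, start = progress.get(src, (0, ts))
            if ts - start > window:                       # too slow: sequence starts over
                idx, start = 0, ts
            if dport == seq[idx]:
                idx += 1
                if idx == len(seq):
                    completed[src], idx, start = ts, 0, ts
            progress[src] = (idx, start)
        elif flags & SYN and flags & ACK and sport == critical_port:
            if dst in completed and ts >= completed[dst]:
                return dst, completed[dst], ts
    return None

def build_capture():
    """Constructed traffic: a SYN scan, a knock on three closed ports, then the unlock."""
    pkts, t = [], 1679396400.0                            # 2023-03-21 10:20:00 UTC, made up
    for port in range(20, 41):                            # scan: only 21 and 22 answer open
        pkts.append((t, build_tcp(ATTACKER, VICTIM, 40000 + port, port, SYN)))
        reply = SYN | ACK if port in (21, 22) else RST | ACK
        pkts.append((t + 0.001, build_tcp(VICTIM, ATTACKER, port, 40000 + port, reply)))
        t += 0.01
    t += 60                                               # a minute later: the knock
    for i, port in enumerate(KNOCK_SEQUENCE):
        pkts.append((t, build_tcp(ATTACKER, VICTIM, 41000 + i, port, SYN)))
        pkts.append((t + 0.001, build_tcp(VICTIM, ATTACKER, port, 41000 + i, RST | ACK)))
        t += 1.0
    pkts.append((t, build_tcp(ATTACKER, VICTIM, 42000, CRITICAL_PORT, SYN)))
    pkts.append((t + 0.001, build_tcp(VICTIM, ATTACKER, CRITICAL_PORT, 42000, SYN | ACK)))
    return write_pcap(pkts)

def analyze(pcap_bytes, victim=VICTIM):
    """Run all three checks; pass open('capture.pcap', 'rb').read() for a real file."""
    packets = [(ts, p) for ts, f in iter_pcap(pcap_bytes) if (p := parse_tcp(f))]
    return {"scanners": find_port_scan(packets),
            "open_ports": find_open_ports(packets, victim),
            "knock": find_knock(packets, KNOCK_SEQUENCE, CRITICAL_PORT)}

if __name__ == "__main__":
    print(analyze(build_capture()))
```

For the real Sherlock capture, read the file from disk and call analyze() with the victim's address, substituting the knock sequence and critical port you recover from the capture for the placeholders. The same three checks map onto Wireshark display filters: tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates the bare SYNs of the scan and the knocks, and tcp.flags.syn == 1 && tcp.flags.ack == 1 the ports that were open. Two caveats: a knock is indistinguishable from a few failed connections except by order and timing, which is why find_knock keys on both rather than on the ports alone; and the reader above handles classic pcap only, so a pcapng capture (magic 0x0A0D0D0A) must be converted first, for example with editcap.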

What’s the UTC time when the interaction with the ports from the previous question ended?

21/03/2023 10:58:** (Critical FTP — Access)

What is the set of valid credentials for the critical service?

abdullah.yasin:***********************(Critical FTP - Login)

At what UTC time did the attacker get access to the critical server?

21/03/2023 **********(Critical FTP — Login)

What’s the AWS AccountID and Password for the developer “Abdullah”?

391629733297:yiobkod0986Y[adij@**** (Critical FTP - Files)

What’s the deadline for hiring developers for Forela?

30/08/***** (Critical FTP — Files)

When was the CEO of Forela scheduled to arrive in Pakistan?

08/03/**** (Critical FTP — Files)

The attacker was able to perform directory traversal and escape the chroot jail. This allowed the attacker to roam around the filesystem just like a normal user would. What’s the username of an account other than root that has /bin/bash set as its default shell?

cyberjunkie (Critical FTP — Files)

What’s the full path of the file which led to SSH access to the server by the attacker?

/opt/reminders/.****** (Critical FTP — Files / GitHub — Commits)

What’s the SSH password which attacker used to access the server and get full access?

YHUIhnollouhdnoamjndlyvbl398782**** (GitHub — Commits)

What’s the full URL from which the attacker downloaded the ransomware?

http://13.233.179.35/PKCampaign/Targets/Forela/***********.zip (Ransomware - Download)

What’s the name and version of the tool/utility the attacker used to download the ransomware?

Wget/**** (Ransomware - Download)

What’s the ransomware name?

GonnaCry (Ransomware — File Analysis)

Happy Hacking… :)

You can follow me on social media:

Twitter, LinkedIn, Instagram & GitHub.
