mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 13:20:18 +00:00
99 lines
3.5 KiB
Markdown
99 lines
3.5 KiB
Markdown
|
# TryHackMe- H4cked
|
||
|
|
||
|
## Oh no! We've been hacked!
|
||
|
|
||
|
Download the pacp file we are given , on opening the `.pcap` file we can see a lot of traffic
|
||
|
|
||
|
<img src="https://imgur.com/aL3glwA.png"/>
|
||
|
|
||
|
At the starting we can see that a number of times connection to port 21 is being made which is a port for `FTP`.
|
||
|
|
||
|
If we follow the tcp stream for port 21 we can see the username and the password the attacker is trying
|
||
|
|
||
|
<img src="https://imgur.com/Ixqqqaf.png"/>
|
||
|
|
||
|
Here username is `jenny` , changing the stream we will find the password is brute forced
|
||
|
|
||
|
<img src="https://imgur.com/b9xLb4n.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/628EZPw.png"/>
|
||
|
|
||
|
Here we can see that attacker uploaded a backdoor `shell.php` in `/var/www/html`
|
||
|
|
||
|
<img src="https://imgur.com/cRIF7tz.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/XovV9Mn.png"/>
|
||
|
|
||
|
Here we can see once the attacker gain access he stabilizes the shell , switches to user jenny and since that user can run any command as sudo he escalates to root and to gain persistance intalls `reptile` rootkit
|
||
|
|
||
|
|
||
|
## Tasks
|
||
|
|
||
|
|
||
|
1. The attacker is trying to log into a specific service. What service is this?
|
||
|
`FTP`
|
||
|
2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
|
||
|
`hydra`
|
||
|
3. The attacker is trying to log on with a specific username. What is the username?
|
||
|
`jenny`
|
||
|
4. What is the user's password?
|
||
|
`password123`
|
||
|
5. What is the current FTP working directory after the attacker logged in?
|
||
|
`/var/www/html`
|
||
|
6. The attacker uploaded a backdoor. What is the backdoor's filename?
|
||
|
`shell.php`
|
||
|
7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
|
||
|
`http://pentestmonkey.net/tools/php-reverse-shell`
|
||
|
8. Which command did the attacker manually execute after getting a reverse shell?
|
||
|
What is the computer's hostname?
|
||
|
`whoami`
|
||
|
|
||
|
9. Which command did the attacker execute to spawn a new TTY shell?
|
||
|
`python3 -c 'import pty;pty.spawn("/bin/bash")'`
|
||
|
10. Which command was executed to gain a root shell?
|
||
|
`sudo su `
|
||
|
11. The attacker downloaded something from GitHub. What is the name of the GitHub project?
|
||
|
`Reptile`
|
||
|
12. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
|
||
|
`rootkit`
|
||
|
13. What is the computer's hostname ?
|
||
|
`wir3`
|
||
|
|
||
|
## Rustscan
|
||
|
|
||
|
```bash
|
||
|
|
||
|
PORT STATE SERVICE REASON VERSION [25/685]
|
||
|
21/tcp open ftp syn-ack ttl 63 vsftpd 2.0.8 or later
|
||
|
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|
||
|
| http-methods:
|
||
|
|_ Supported Methods: GET POST OPTIONS HEAD
|
||
|
|_http-server-header: Apache/2.4.29 (Ubuntu)
|
||
|
|_http-title: Apache2 Ubuntu Default Page: It works
|
||
|
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
|
||
|
```
|
||
|
|
||
|
## Hydra
|
||
|
|
||
|
<img src="https://imgur.com/Bcm5NZD.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/O5HHz1b.png"/>
|
||
|
|
||
|
We got the password now let's login to ftp server
|
||
|
|
||
|
<img src="https://imgur.com/8P9RMfj.png"/>
|
||
|
|
||
|
Here after logging I uploaded a php interactive shell and gave permissions to execute
|
||
|
|
||
|
<img src="https://imgur.com/HrrIHz6.png"/>
|
||
|
|
||
|
Gain a shell through BSD netcat and stabilize it using python3
|
||
|
|
||
|
<img src="https://imgur.com/3LdPEb5.png"/>
|
||
|
|
||
|
Switch to user jenny with the password you brute forced
|
||
|
|
||
|
<img src="https://imgur.com/ABXPU2t.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/BuFXMed.png"/>
|