CTF-Writeups/TryHackMe/h4cked.md
2021-04-04 03:26:19 +05:00


TryHackMe - H4cked

Oh no! We've been hacked!

Download the pcap file we are given. On opening the .pcap file we can see a lot of traffic.

At the start we can see that a connection to port 21, the FTP port, is being made a number of times.

If we follow the TCP stream for port 21 we can see the username and the passwords the attacker is trying.

Here the username is jenny; moving through the streams we find that the password is being brute forced.

Here we can see that the attacker uploaded a backdoor, shell.php, to /var/www/html.

Here we can see that once the attacker gains access he stabilizes the shell, switches to user jenny and, since that user can run any command with sudo, escalates to root; to gain persistence he installs the Reptile rootkit.
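The defender's counterpart to the stream analysis above, added here as an example that is not part of the original writeup: a small Python parser that walks a reassembled FTP control-channel transcript (what "Follow TCP Stream" on port 21 shows) and flags the indicators seen in this capture: repeated 530 failures for one username followed by a 230 success, a STOR of a web-executable file, and a SITE CHMOD on it. The transcript is a constructed sample in the style of the capture, not the room's pcap.

```python
from collections import defaultdict

# Constructed FTP control-channel transcript (what "Follow TCP Stream" on port 21
# shows), in the style of the room's capture; not taken from the real pcap.
SAMPLE_STREAM = """\
220 Hello FTP World!
USER jenny
PASS 123456
530 Login incorrect.
USER jenny
PASS letmein
530 Login incorrect.
USER jenny
PASS qwerty
530 Login incorrect.
USER jenny
PASS password123
230 Login successful.
PWD
257 "/var/www/html" is the current directory
STOR shell.php
226 Transfer complete.
SITE CHMOD 777 shell.php
200 SITE CHMOD command ok.
"""

SUSPICIOUS_EXT = (".php", ".phtml", ".jsp", ".aspx", ".sh", ".py")

def analyse_ftp_stream(stream, fail_threshold=3):
    """Return brute-force, compromise, upload and chmod indicators from a transcript."""
    failed = defaultdict(int)          # 530 replies seen per username
    findings = {"compromised": [], "uploads": [], "chmod": []}
    user = None
    for line in stream.splitlines():
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "530":            # failed login for the pending USER
            failed[user] += 1
        elif verb == "230" and failed.get(user, 0) >= fail_threshold:
            findings["compromised"].append(user)   # success after many failures
        elif verb == "STOR" and arg.lower().endswith(SUSPICIOUS_EXT):
            findings["uploads"].append((user, arg))
        elif verb == "SITE" and arg.upper().startswith("CHMOD"):
            findings["chmod"].append((user, arg))  # made the upload executable
    findings["brute_force"] = [u for u, n in failed.items() if n >= fail_threshold]
    return findings
```

Running it over the sample reports jenny as both brute-forced and compromised, plus the shell.php upload and the chmod that made it executable.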

Tasks

  1. The attacker is trying to log into a specific service. What service is this? FTP

  2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool? hydra

  3. The attacker is trying to log on with a specific username. What is the username? jenny

  4. What is the user's password? password123

  5. What is the current FTP working directory after the attacker logged in? /var/www/html

  6. The attacker uploaded a backdoor. What is the backdoor's filename? shell.php

  7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL? http://pentestmonkey.net/tools/php-reverse-shell

  8. Which command did the attacker manually execute after getting a reverse shell? What is the computer's hostname? whoami

  9. Which command did the attacker execute to spawn a new TTY shell? python3 -c 'import pty;pty.spawn("/bin/bash")'

  10. Which command was executed to gain a root shell? sudo su

  11. The attacker downloaded something from GitHub. What is the name of the GitHub project? Reptile

  12. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called? rootkit

  13. What is the computer's hostname? wir3

Rustscan


PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 2.0.8 or later
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Hydra

We got the password; now let's log in to the FTP server.

Here, after logging in, I uploaded a PHP interactive shell and gave it execute permissions.

Gain a shell through BSD netcat and stabilize it using python3.

Switch to user jenny with the password you brute forced.