TryHackMe | h4cked Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “h4cked” room on TryHackMe together. In some sections, I’ll share brief background on the subject. Don’t forget: you must always do your own research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
- Traffic Analysis using Wireshark
- Reconnaissance using Nmap
- Brute Force Attack using Hydra
- Reverse Shell
- Privilege Escalation
Task 1
Subject : Oh no! We’ve been hacked!
It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.
Before we begin, I think it’s important that we understand what Wireshark is.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
First of all, a few Wireshark settings will make the analysis easier for us.
To open the relevant file, select the “Open” option from the “File” menu.
To add columns in Wireshark, use the Column Preferences menu. Right-click on any of the column headers, then select “Column Preferences…”.
And then click the “+” button to add a column.
Set the “Title” and “Type” values as shown in the image below to display the Source Port and Destination Port information in columns.
Answer the questions below
Q1: The attacker is trying to log into a specific service. What service is this?
A1: FTP
When we look at the traffic in general, we can see that there is traffic to port 21. Port 21 is commonly associated with FTP.
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol.
Q2: There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
A2: hydra
Hydra is a parallelized login cracker which supports numerous protocols to attack.
Q3: The attacker is trying to log on with a specific username. What is the username?
A3: jenny
When we examine the requests in the Info column, we can see that there is brute-force traffic for the user “jenny”.
Q4: What is the user’s password?
A4: password123
When we look at the responses to the related requests, there is a response called “Login successful”.
To filter to a particular stream, select a TCP, UDP, DCCP, TLS, HTTP, HTTP/2, QUIC or SIP packet in the packet list of the stream/connection you are interested in and then select the menu item Analyze → Follow → TCP Stream. Wireshark will set an appropriate display filter and display a dialog box with the data from the stream laid out.
Unfortunately, Jenny has a very simple password…
Q5: What is the current FTP working directory after the attacker logged in?
A5: /var/www/html
We can search for the “pwd” command to detect the working directory.
The pwd (print working directory) command writes to standard output the full path name of your current directory (from the root directory).
Q6: The attacker uploaded a backdoor. What is the backdoor’s filename?
A6: shell.php
Noting important details such as a filename, a file extension, or a command speeds up the analysis process.
We can see that the attacker is using a backdoor named “shell.php” in this stage.
A client issues the STOR command after successfully establishing a data connection when it wishes to upload a copy of a local file to the server.
Q7: The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
A7: http://pentestmonkey.net/tools/php-reverse-shell
We can see that the transfer process was successful after we discovered the backdoor.
Correct choice my friend! PentestMonkey is really good.
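To show how the answers to Q1 through Q7 fall out of the FTP control channel automatically, here is an added example (my own code, not part of the room or the original article) that reconstructs a brute-force-then-upload timeline from a Follow TCP Stream style transcript. The transcript is constructed for this example; only the username, the final password, the working directory and the uploaded filename match the answers above, and the “C:”/“S:” prefixes and the brute-force threshold are assumptions of this script.

```python
"""Reconstruct an FTP brute-force and upload timeline from a transcript.

Added example, not from the room's pcap. Lines prefixed "C:" are client ->
server, "S:" are server -> client, in the order Wireshark's Follow TCP Stream
shows them. The transcript below is constructed.
"""
import re
from collections import Counter

SAMPLE_STREAM = """\
S: 220 Hello FTP World!
C: USER jenny
S: 331 Please specify the password.
C: PASS letmein
S: 530 Login incorrect.
C: USER jenny
S: 331 Please specify the password.
C: PASS qwerty
S: 530 Login incorrect.
C: USER jenny
S: 331 Please specify the password.
C: PASS 123456
S: 530 Login incorrect.
C: USER jenny
S: 331 Please specify the password.
C: PASS iloveyou
S: 530 Login incorrect.
C: USER jenny
S: 331 Please specify the password.
C: PASS jenny2020
S: 530 Login incorrect.
C: USER jenny
S: 331 Please specify the password.
C: PASS password123
S: 230 Login successful.
C: PWD
S: 257 "/var/www/html" is the current directory
C: TYPE I
S: 200 Switching to Binary mode.
C: PASV
S: 227 Entering Passive Mode (10,10,177,32,118,106).
C: STOR shell.php
S: 150 Ok to send data.
S: 226 Transfer complete.
C: SITE CHMOD 777 shell.php
S: 200 SITE CHMOD command ok.
"""

# Assumed thresholds and extension list for this example (tune per environment).
BRUTE_FORCE_THRESHOLD = 3
SUSPICIOUS_UPLOAD_EXT = {".php", ".phtml", ".jsp", ".aspx", ".sh", ".py"}


def analyse_ftp_stream(stream: str) -> dict:
    """Walk the control channel and pair each client command with its reply."""
    failed = Counter()       # failed PASS attempts per username
    successes = []           # (username, password) pairs that received a 230
    uploads = []             # filenames sent with STOR
    cwd = None               # directory reported by the 257 reply to PWD
    current_user = None
    pending_password = None
    last_cmd = None          # (verb, argument) awaiting a server reply

    for raw in stream.splitlines():
        if not raw.strip():
            continue
        side, _, text = raw.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            last_cmd = (verb, arg)
            if verb == "USER":
                current_user = arg
            elif verb == "PASS":
                pending_password = arg
            elif verb == "STOR":
                uploads.append(arg)
        elif side == "S":
            code = text[:3]
            if not code.isdigit() or last_cmd is None:
                continue
            if last_cmd[0] == "PASS":
                if code == "530":
                    failed[current_user] += 1
                elif code == "230":
                    successes.append((current_user, pending_password))
                last_cmd = None  # reply consumed
            elif last_cmd[0] == "PWD" and code == "257":
                m = re.search(r'"([^"]*)"', text)
                cwd = m.group(1) if m else None
                last_cmd = None

    flagged = [f for f in uploads
               if any(f.lower().endswith(e) for e in SUSPICIOUS_UPLOAD_EXT)]
    return {
        "failed_logins": dict(failed),
        "successful_logins": successes,
        "working_directory": cwd,
        "uploads": uploads,
        "suspicious_uploads": flagged,
        "brute_force_suspected": any(n >= BRUTE_FORCE_THRESHOLD for n in failed.values()),
    }


if __name__ == "__main__":
    for key, value in analyse_ftp_stream(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

The same logic works on a transcript exported from Wireshark (Follow → TCP Stream → Save as) once the two directions are prefixed; a burst of 530 replies to PASS for one username followed by a 230 and a STOR of a script file is exactly the pattern an FTP server log alert should key on.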
Q8: Which command did the attacker manually execute after getting a reverse shell?
A8: whoami
As shown in the images below, we can examine what the attacker did after gaining access to the device.
As its name suggests, the whoami command prints the user name of the effective user ID. In other words, it displays the name of the currently logged-in user.
Q9: What is the computer’s hostname?
A9: wir3
Q10: Which command did the attacker execute to spawn a new TTY shell?
A10: python3 -c 'import pty; pty.spawn("/bin/bash")'
For more information on the TTY Shell:
https://steflan-security.com/linux-tty-shell-cheat-sheet
https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/full-ttys
Q11: Which command was executed to gain a root shell?
A11: sudo su
Things will only get worse from there, because the attacker will perform the operations with the privileges of the root user.
Q12: The attacker downloaded something from GitHub. What is the name of the GitHub project?
A12: Reptile
Reptile is a Linux kernel mode rootkit with detection evasion, persistence, and a backdoor.
Q13: The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
A13: Rootkit
Rootkit malware is a collection of software designed to give malicious actors control of a computer network or application.
Congratulations! From the beginning to the end, we worked together to determine what actions the attacker took. I’m looking forward to the next stage because we will apply the same operations by imitating the attacker’s method. Now it’s our turn! 👊🏻
Task 2
Subject : Hack your way back into the machine
The attacker has changed the user’s password! Can you replicate the attacker’s steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!
Deploy the machine
Step 1: You need an OpenVPN configuration file to connect via VPN to the machines in TryHackMe.
Step 2: Use the openvpn command to start your VPN connection.
Step 3: Can you see the IP address of the machine?
Step 4: You can check your connection.
Answer the questions below
Q1: Read the flag.txt file inside the Reptile directory
A1: ********************************
Firstly, we need to run an nmap scan to find out which ports are open and which services are running on them.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -A -T4 -Pn -p- 10.10.177.32
-A : Enable OS detection, version detection, script scanning and traceroute.
-T4 : Set timing template (higher is faster).
-Pn : Treat all hosts as online — skip host discovery.
-p- : You can specify “-p-” to scan ports from 1 through 65535.
I’m sorry, Jenny. We have to do this…
hydra -l jenny -P /usr/share/wordlists/rockyou.txt 10.10.177.32 ftp
-l : Login with LOGIN name.
-P : Load several passwords from FILE.
[machine IP] : The IP address of the target machine.
ftp / protocol : Sets the protocol.
Yes, we are inside!
Let’s use the get command to transfer the file we’ll use for the backdoor to our own device.
We need to change the IP address and port in the downloaded file to our own listener’s IP address and port.
If you have connected via VPN, you have to use the IP address of the tun0 (VPN) interface. You can find it with the ifconfig command.
We can use the put command to transfer the backdoor we created from our device to the target system.
put : To copy a single file, use the put command.
mput : To copy multiple files at once, use the mput command. (A little additional information… 😉)
Don’t forget to start the netcat listener before the transfer!
Netcat or nc is a utility tool that uses TCP and UDP connections to read and write in a network.
nc -lvnp 4444
-l is used to tell netcat that this will be a listener.
-v is used to request a verbose output.
-n tells netcat not to resolve host names or use DNS.
-p indicates that the port specification will follow.
TTY Shell : python3 -c 'import pty; pty.spawn("/bin/bash")'
Let’s check if we have any permissions to execute specific commands as sudo.
sudo -l : The -l (list) option prints out the commands allowed (and forbidden) for the user on the current host.
It appears that we have all of the necessary permissions. Let’s get this done!
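The reason “sudo su” hands the attacker root in Task 1 is an over-broad sudoers grant, and the check above is the same one an administrator should run for every account. As an added example (my own code, not from the room or the article), here is a small audit that parses the output of sudo -l and flags grants that amount to a root shell or skip the password prompt. The sample output is constructed: the user and host names echo the room, but the entries themselves are invented for illustration.

```python
"""Audit `sudo -l` output for grants equivalent to a root shell.

Added example; the sample output is constructed and does not come from the
room. Feed it the text of `sudo -l -U <user>` (as an administrator) or the
user's own `sudo -l`.
"""
import re

# Constructed output for a hypothetical account on a host named wir3.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jenny on wir3:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User jenny may run the following commands on wir3:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
"""

# One grant line: "(runas_user [: runas_group]) [TAG: ...] command"
GRANT_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_sudo_l(output: str) -> list:
    """Return one dict per grant listed after the 'may run' header."""
    grants = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True      # Defaults block is over; grants follow
            continue
        if not in_commands or not line.strip():
            continue
        m = GRANT_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        runas_user = m.group("runas").split(":")[0].strip()
        cmd = m.group("cmd")
        issues = []
        if cmd == "ALL":
            issues.append("unrestricted command grant; 'sudo su' yields a root shell")
        if "NOPASSWD" in tags:
            issues.append("no password required")
        grants.append({"runas": runas_user, "tags": tags,
                       "command": cmd, "issues": issues})
    return grants


def root_shell_possible(grants: list) -> bool:
    """True if any grant lets the user run arbitrary commands as root."""
    return any(g["command"] == "ALL" and g["runas"] in ("ALL", "root")
               for g in grants)


if __name__ == "__main__":
    found = parse_sudo_l(SAMPLE_SUDO_L)
    for g in found:
        print(f"({g['runas']}) {' '.join(g['tags'])} {g['command']}: "
              f"{'; '.join(g['issues']) or 'ok'}")
    print("root shell possible:", root_shell_possible(found))
```

Running this over the sample reports the systemctl entry as password-less and the “(ALL : ALL) ALL” entry as an unrestricted grant; the fix on the defending side is to replace the wildcard with the specific commands the account actually needs.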
Congratulations! You found the flag, and my friend, you were exactly like an attacker! 👌🏻
Thank you for your time. See you soon! Until then, happy hacking ❤
Resources:
https://en.wikipedia.org/wiki/Wireshark
https://www.kali.org/tools/hydra
https://www.techtarget.com/searchnetworking/definition/File-Transfer-Protocol-FTP
https://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowStreamSection.html
https://www.ibm.com/docs/en/aix/7.1?topic=p-pwd-command
https://support.solarwinds.com/SuccessCenter/s/article/STOR-FTP-command?language=en_US
https://linuxize.com/post/whoami-command-in-linux
https://wazuh.com/blog/using-wazuh-rootcheck-to-detect-reptile-rootkit
https://www.crowdstrike.com/cybersecurity-101/malware/rootkits
https://nmap.org/book/man-briefoptions.html
https://docs.oracle.com/cd/E19455-01/805-7229/remotehowtoaccess-60496/index.html
https://www.geeksforgeeks.org/introduction-to-netcat
https://www.geeksforgeeks.org/sudo-command-in-linux-with-examples