H4cked
🔗 H4cked
Task 1 - Starting
Description/Note: Find out what happened by analysing a .pcap file and hack your way back into the machine
Task 2 - Reconnaissance
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
In the task 2, we don't need to deploy machine, but we need to analyze pcap file to explore activities and answer at questions.
Source IP that sent SYN is 192.168.0.147
then, it's Attacker IP, while destination/victim IP is: 192.168.0.115.
2.1 - The attacker is trying to log into a specific service. What service is this?
Following first message, we can find that attacker brute force FTP port.
FTP
2.2 - There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
Hydra
2.3 - The attacker is trying to log on with a specific username. What is the username?
Looking FTP request we can find it:
jenny
2.4 - What is the user's password?
Following TCP stream we found that correct psw is:
password123
2.5 - What is the current FTP working directory after the attacker logged in?
/var/www/html
2.6 - The attacker uploaded a backdoor. What is the backdoor's filename?
shell.php
2.7 - The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
2.8 - Which command did the attacker manually execute after getting a reverse shell?
whoami
2.9 - What is the computer's hostname?
wir3
2.10 - Which command did the attacker execute to spawn a new TTY shell?
python3 -c 'import pty; pty.spawn("/bin/bash")'
2.11 - Which command was executed to gain a root shell?
sudo su
2.12 - The attacker downloaded something from GitHub. What is the name of the GitHub project?
Reptile
2.13 - The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
rootkit
Task 3 - Hack your way back into the machine
Deploy the machine.
The attacker has changed the user's password! Can you replicate the attacker's steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!
🎯 Target IP: 10.10.123.131
3.1 - Run Hydra (or any similar tool) on the FTP service. The attacker might not have chosen a complex password. You might get lucky if you use a common word list.
We can use hydra with wordlist to find psw for 'jenny' user:
987654321
3.2 - Change the necessary values inside the web shell and upload it to the webserver
We can download php web shell on pentester monkey website: https://pentestmonkey.net/tools/web-shells/php-reverse-shell
and custom it with our local IP:
After that, we can connect with FTP credentials and put in our custom php reverse shell.
3.3 - Create a listener on the designated port on your attacker machine. Execute the web shell by visiting the .php file on the targeted web server.
Now, we need to listen on the port setted on reverse shell, and access to machine.
As you can see, this shell is not stable. So, we can use the traditional Python script to make it more stable.
3.4 - Become root!
We know that www-data user haven't root privileges. But we also know that Jenny has root privileges on the machine. So, let us change the user to Jenny and become root.
3.5 - Read the flag.txt file inside the Reptile directory
We just say that flag is in path /root/Reptile, then we quickly go them.
Last updated