h4cked TryHackMe writeup

Find out what happened by analysing a .pcap file and hack your way back into the machine

Hello Guys welcome back to Ayush Bagde aka Overide and in this writeup we’re gonna see the recently launched machine h4cked. Let’s Start.

TASK 1: Oh no! We’ve been hacked!

Firstly download the Task files. After Downloading open it with WireShark.

I attached the screenshot now let’s answer the following questions

#1 It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.

Answer: No answer Needed

#2 The attacker is trying to log into a specific service. What service is this?

Answer: FTP

#3 There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

Answer: Hydra

Note: If you’ve used hydra before you will know this answer.

#4 The attacker is trying to log on with a specific username. What is the username?

Answer: jenny

#5 What is the user’s password?

Answer: password123

Note: Scroll down a little bit to see the answer

#6 What is the current FTP working directory after the attacker logged in?

Answer: /var/www/html

Note: You can see the answer in two ways first is to right click on Login successful then follow the TCP stream.

Second is to directly scroll down a little bit to see the directory

#7 The attacker uploaded a backdoor. What is the backdoor’s filename?

Just right click the login successful event then Follow -> TCP Stream or jsut press Ctrl + Alt + Shift + T

Answer: shell.php

#8 The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

Note: Found the FTP-DATA Protocol. Just press Ctrl + Shift + Alt + T to follow the TCP stream.

Answer: http://pentestmonkey.net/tools/php-reverse-shell

#9 Which command did the attacker manually execute after getting a reverse shell?

Answer: whoami

Note: If you’re experienced hacker or even a noob in hacking everyone knows first command is always to type whoami. Or else you can follow the stream to TCP sequence

As you can see the First command is whoami.

#10 What is the computer’s hostname?

Answer: wir3

Note: Just the above screenshot and the first line.

#11 Which command did the attacker execute to spawn a new TTY shell?

Answer: python3 -c ‘import pty; pty.spawn(“/bin/bash”)’

Note: Just see the TCP stream we followed all the answers is there only.

#12 Which command was executed to gain a root shell?

Answer: sudo su

#13 The attacker downloaded something from GitHub. What is the name of the GitHub project?

Answer: Reptile

#14 The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

Answer: rootkit

Note: I got it from the hint. That it is rootkit or else you can research using browser and you’ll find it.

TASK 2: Hack your way back into the machine.

Deploy the machine.

#1 The attacker has changed the user’s password! Can you replicate the attacker’s steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!

Answer: No answer Needed

Now I don’t think so we need to do any kind of formalities like nmap, Gobuster, subdomains crawler. We can see from the .pcap file we got in Task 1 that FTP is open and HTTP is open. Now we don’t know the password because password is changed by the hacker. I thought to run the hydra here as it is possible that it might not set up a complex password. Let’s Do hydra. Now we know the username so the command will be.

$ hydra -l jenny -P /home/overide/rockyou.txt

I run the hydra using the wordlist rockyou.txt. I waited till it got completed.

#2 Run Hydra (or any similar tool) on the FTP service. The attacker might not have chosen a complex password. You might get lucky if you use a common word list.

Answer: No answer Needed

Now the next thing is to upload the shell for that if you remember it was php shell uploaded. We’ll do the same but with some changes. This is the link of the php reverse shell. I have the file downloaded now let’s quickly change some things. We have to change IP address to Tryhackme vpn IP and Port can be random its upto you.

#3 Change the necessary values inside the web shell and upload it to the webserver

Answer: No answer Needed

I changed the IP and kept the port default. Save this file now. At this point still my hydra was not finished so i waited until it get finished. Once it get’s finished I got the password. Huray!! After waiting so long.

password: 987654321

Now we have found the password lets login to FTP

We’re logged in now let’s upload our shell.

Now we’ve successfully uploaded our shell. Now the important thing let’s start our netcat listener.

Let’s now execute the shell by visiting the IP address as we know http was also open.

We got the shell. Let’s make it stable

$ python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

#4 Create a listener on the designated port on your attacker machine. Execute the web shell by visiting the .php file on the targeted web server.

Answer: No Answer Needed

Now we’re currently www-data let’s switch it to jenny.

Now let’s type sudo -l to see what we can run to switch to root user without password.

As you can see we can run anything. So we’all know to change your access from super user to root user we use sudo su. Let’s run it here.

We’re now root user. How I know? see the symbol before typing sudo su it was $ sign after is #. # represents that you’re root user.

#5 Become root!

Answer: No answer Needed

Let’s visit the Reptile directory and read the Flag.txt

#6 Read the flag.txt file inside the Reptile directory.

Answer: ebcefd66ca4b559d17b440b6e67fd0fd

Connect to me on:

LinkedIn: https://www.linkedin.com/in/ayush-bagde-49660219a/

TryHackMe: https://tryhackme.com/p/Overide

Discord: https://discord.gg/5FzevEjqGj

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store