This is an easy room on TryHackMe, consisting of an analysis of a simple attack and using the attackers’ own methods to break back into the machine.
You won’t find any flags here, or in any of my posts. If you already know what to do and are using this for easy answers, then you need to find more difficult boxes.
For those who are stuck and need help, I hope this is about the right mixture of pointing you in the right direction while holding back enough to make you do the work. Remember that Google is indeed your friend, but while there are easy answers out there… you aren’t learning much.
We begin with a .pcap file. This is a packet capture file, commonly captured with a tool such as Wireshark or Tshark.
Syntax to capture this traffic in tshark would be as follows:
sudo tshark -i eth0 -w /filename.pcap -F pcap
This runs tshark as root (sudo), capturing on the interface eth0. The -w option writes the capture to a file called filename.pcap (here placed at the root of the filesystem), and -F pcap sets the output format to classic pcap rather than tshark’s default of pcapng.
However, we have been given a file from a previous capture, so let’s download that and open it with Wireshark (the graphical alternative to tshark).
Going into this blindly, scroll through the file and try to see what you can spot in the first 200 packets or so. Around packet 50 you can see a service being used; scrolling further, you can see a wordlist attack being carried out against that service.
From those first 200 packets and a simple Google search you can find the answers to the first three questions on TryHackMe.
Now… depending on how much work you like creating for yourself, you can filter in Wireshark in multiple different ways. I’m going to go with the display filter:
tcp.port == 21 || tcp.port == 20
This gives you a view of not only the FTP and FTP-DATA traffic, but also the TCP segments to those port numbers that established the connections (the handshake, ACKs and teardown). TCP sits one layer below FTP in the TCP/IP model, at the transport layer, and gives us slightly more information about the connection being made. Luckily for us, we don’t need to do much digging on the connection itself, only on the application-layer service, File Transfer Protocol.
To further filter these results we can instead use the display filter:
ftp || ftp-data
This removes the bare TCP traffic and leaves us only with the communications between the FTP server and client (ftp matches the control channel on port 21, ftp-data the data channel).
So now we can answer questions 4-7 from the information in those FTP and FTP-DATA packets.
This is where the FTP traffic stops being useful: we have identified the user account and the password the attacker used to gain access. But the attacker has uploaded a backdoor…
There are a few ways of going about this. You can go through the .pcap and look for interesting traffic, if you look closely. Immediately after the attacker does an HTTP GET on shell.php, we have a whole bunch of traffic between the attacker’s port 53734 and our port 80 (HTTP). Some of these packets are particularly large and carry the PSH, ACK flags. Not all of this is cause for concern, but let’s have a further look by following the TCP stream of this traffic (right-click a packet, Follow, TCP Stream).
Due to the way this type of shell works, we can see the commands run by the attacker and the output returned by the server. Use the information gathered from the TCP stream to answer questions 7-12.
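The two Wireshark steps used above, filtering on tcp.port == 21 and following a TCP stream, are reproduced here in code as an added example; it is not part of the original post and does not use the room’s capture file. It builds a small, constructed pcap (RFC 5737 documentation addresses 192.0.2.10 and 192.0.2.20, the made-up user alice, a made-up wordlist and the file name shell.php are all assumptions) with the standard library only, parses it back, isolates the FTP control channel, rebuilds the stream the way Follow TCP Stream does, and then reports what a defender would want from it: how many logins failed, which pair finally succeeded, what was uploaded with STOR, and whether an uploaded file was afterwards requested over HTTP, which is the pattern that points at a web shell.

```python
"""Added example, stdlib only: repeat the Wireshark steps above on a constructed capture."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ATTACKER, SERVER = "192.0.2.10", "192.0.2.20"  # constructed RFC 5737 documentation addresses

def build_frame(src_ip, sport, dst_ip, dport, seq, flags, payload):
    """Ethernet/IPv4/TCP bytes for one segment (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Little-endian classic pcap container, linktype 1 (Ethernet): what tshark -F pcap writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """One dict per TCP segment: endpoints, seq, flags and payload (other frames skipped)."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off, pkts = 24, []
    while off < len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:  # not IPv4, or not TCP
            continue
        tcp = frame[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq, _, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
        pkts.append({"src": ".".join(map(str, ip[12:16])), "sport": sport,
                     "dst": ".".join(map(str, ip[16:20])), "dport": dport,
                     "seq": seq, "flags": flags, "payload": tcp[(doff >> 4) * 4:]})
    return pkts

def tcp_port(pkts, port):
    """Equivalent of the display filter tcp.port == <port>."""
    return [p for p in pkts if port in (p["sport"], p["dport"])]

def follow_stream(pkts):
    """Follow TCP Stream: payload chunks in capture order, tagged with the sender; a retransmission (same sender, same seq) appears once."""
    seen, chunks = set(), []
    for p in pkts:
        key = (p["src"], p["sport"], p["seq"])
        if p["payload"] and key not in seen:
            seen.add(key)
            chunks.append(((p["src"], p["sport"]), p["payload"].decode("latin-1")))
    return chunks

def analyse(pcap_bytes):
    """Count failed FTP logins, note the successful pair and any STOR upload, then check for an HTTP request of the uploaded file."""
    pkts = read_pcap(pcap_bytes)
    report = {"failed_logins": 0, "credentials": None, "uploaded": [], "fetched_uploads": []}
    creds = {}
    for (_, port), text in follow_stream(tcp_port(pkts, 21)):
        for line in text.splitlines():
            verb, _, arg = line.partition(" ")
            if port != 21 and verb in ("USER", "PASS"):    # client -> server commands
                creds[verb] = arg
            elif port != 21 and verb == "STOR":
                report["uploaded"].append(arg)
            elif port == 21 and verb == "530":             # server replies
                report["failed_logins"] += 1
            elif port == 21 and verb == "230":
                report["credentials"] = (creds.get("USER"), creds.get("PASS"))
    for (_, port), text in follow_stream(tcp_port(pkts, 80)):
        request = text.split("\r\n")[0].split()          # the HTTP request line
        if port != 80 and len(request) >= 2:
            path = request[1].split("?")[0].lstrip("/")
            if path in report["uploaded"]:
                report["fetched_uploads"].append(path)
    return report

def sample_capture():
    """Constructed traffic in the room's pattern (simplified: a real server would require USER again after each 530)."""
    exchange = [
        (ATTACKER, 40211, SERVER, 21, b"USER alice\r\n"),
        (ATTACKER, 40211, SERVER, 21, b"PASS password\r\n"),
        (SERVER, 21, ATTACKER, 40211, b"530 Login incorrect.\r\n"),
        (ATTACKER, 40211, SERVER, 21, b"PASS 123456\r\n"),
        (SERVER, 21, ATTACKER, 40211, b"530 Login incorrect.\r\n"),
        (ATTACKER, 40211, SERVER, 21, b"PASS letmein\r\n"),
        (SERVER, 21, ATTACKER, 40211, b"230 Login successful.\r\n"),
        (ATTACKER, 40211, SERVER, 21, b"STOR shell.php\r\n"),
        (ATTACKER, 53734, SERVER, 80, b"GET /shell.php HTTP/1.1\r\nHost: 192.0.2.20\r\n\r\n"),
        (SERVER, 80, ATTACKER, 53734, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]
    seq, frames = defaultdict(lambda: 1000), []
    for src, sport, dst, dport, payload in exchange:
        frames.append(build_frame(src, sport, dst, dport, seq[(src, sport)], 0x18, payload))  # PSH|ACK
        seq[(src, sport)] += len(payload)
    frames.insert(6, frames[5])  # a retransmitted "PASS letmein" segment
    return build_pcap(frames)
```

Running analyse(sample_capture()) reports two failed logins, the credentials alice/letmein, one upload and one fetch of shell.php. The same read_pcap/tcp_port/follow_stream chain can be pointed at a real classic-format pcap; the one deliberate limitation is that it reads only the classic format, so a pcapng file (tshark’s default when -F pcap is omitted) must be converted first.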
Finally, for question 13, if you need to, Google the GitHub project and it should tell you what it is.
I’m going to leave out the second task; if you have followed the steps, then you can use the same tools against the server to break back in.
But I will not leave you in the dark, and will give you the missing pieces of information… use the tool netcat to spawn a listener (socat if you’re feeling fruity). To upload the file there are a few methods that can be used, depending on the target system and your preference. The ways this can take place are plentiful, but you can use FTP commands to place the file on the target system in this scenario. To gain root, it’s much simpler than you may think; ensure you read the TCP stream thoroughly… the rest you need is all there in the information we gathered about the attacker’s actions.