H4cked
Let's download the file they have given. The answer to the first question is FTP: looking at the protocols in the pcapng file, FTP is the service that has been receiving a lot of requests. We can also see someone trying different passwords to log in to FTP.
The very popular tool used for brute forcing is called hydra.
We can find the username of the person trying to log in by following the stream of any of the packets. The user is jenny.
Looking at this packet, we can see that the password password123 allowed her to log in, which means it is the correct password.
Going further down in the packets, we can find the packets that log the commands used after the user logged in.
The current FTP working directory the user is in is /var/www/html.
The backdoor the attacker uploaded is called shell.php
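The triage done by hand above (spotting the brute force, the successful login, the working directory and the upload) can be scripted over the reassembled FTP control channel. This is an added example, not part of the original writeup; the stream below is constructed, with `>` marking client lines and `<` marking server lines, which is my own labelling rather than Wireshark's output format.

```python
import re
from collections import Counter

# Constructed sample of an FTP control channel, shaped like a reassembled
# TCP stream; ">" = client line, "<" = server line. Not captured from the room.
STREAM = """\
< 220 (vsFTPd 3.0.3)
> USER jenny
< 331 Please specify the password.
> PASS 123456
< 530 Login incorrect.
> USER jenny
< 331 Please specify the password.
> PASS qwerty
< 530 Login incorrect.
> USER jenny
< 331 Please specify the password.
> PASS password123
< 230 Login successful.
> PWD
< 257 "/var/www/html" is the current directory
> STOR shell.php
< 150 Ok to send data.
< 226 Transfer complete.
"""

def analyse_ftp_stream(text, fail_threshold=2):
    """Summarise failed logins per user, successful logins, cwd and uploads."""
    failures = Counter()
    successes = []
    uploads = []
    cwd = None
    user = password = None
    for line in text.splitlines():
        direction, _, payload = line.partition(" ")
        if direction == ">":                      # client command
            verb, _, arg = payload.partition(" ")
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                password = arg
            elif verb == "STOR":                  # file pushed to the server
                uploads.append(arg)
        else:                                     # server reply, 3-digit code
            code = payload[:3]
            if code == "530":                     # login failed for last USER
                failures[user] += 1
            elif code == "230":                   # login succeeded
                successes.append((user, password))
            elif code == "257":                   # PWD reply carries the cwd
                m = re.match(r'257 "([^"]*)"', payload)
                cwd = m.group(1) if m else cwd
    suspects = [u for u, n in failures.items() if n >= fail_threshold]
    return {"brute_forced_users": suspects, "failures": dict(failures),
            "logins": successes, "cwd": cwd, "uploads": uploads}
```

On a real capture, export the FTP control stream from the pcap first (for example via Follow TCP Stream) and tag each line with its direction before feeding it in.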
For the next question, let's go to the ftp-data packets.
The backdoor was downloaded from a specific URL, which can be found in the file.
Going further through the packets, we find the packets containing the commands executed after the reverse shell was received.
The command the attacker manually executed after getting the reverse shell is whoami
We can see the computer host name in the image above.
The command the attacker used to spawn a new TTY shell is
Looking at the screenshot above, we can see that after executing the sudo su command, the user has escalated privileges to root.
The attacker downloaded something from GitHub, as seen in the image.
The name of the GitHub project is Reptile
A backdoor that is stealthy and can be very hard to detect is called a Rootkit
Let's run hydra to find the password of the user jenny so that we can retrieve the shell.php file from the FTP server, change the IP to ours, and upload it back to get a reverse shell when we navigate to the page.
We found the password; let's now log in to FTP.
We are logged in; let's list the directory and retrieve the shell.php file.
Back on our machine, let's modify the IP to our IP and then upload the file back to the FTP server.
Now let's upload the file. On the FTP server, use the put command.
Now let's start a netcat listener on the port specified in the file and navigate to the web page where the file is.
Once you navigate to the page, you should get a reverse shell.
Let's stabilize the shell.
Let's now switch users to jenny with the password we found earlier.
Let's now run sudo -l to see what jenny can run as another user.
Looks like she can run all commands, so let's switch users to root.
We are now root.