H4cked
Task 1: Oh no! We've been hacked!
Lets download the file they have given. The answer to the first question is FTP as looking at the protocols in the pcapng file, FTP is the service that has been getting a lot of Requests. We can also see someone using different password trying to login to FTP
The very popular tool which is used to brute force is called hydra
.
We can find the username of the person trying to login by looking at the stream of any packet,
The user is jenny
Looking at this packet, we can see that the password password123
allowed her to login which means that it is the right password.
Going further down in the packets, we can find the packets with logs about the commands used after the user logged in.
The current FTP working directory the user is in is /var/www/html
.
The backdoor the attacker uploaded is called shell.php
For the next question lets go to the ftp-data
packets
The backdoor was downloaded from a specific URL, this can be found in the file.
Going further through the packets, we find the packets that have the commands that we executed after receiving the reverse shell
The command the attacker manually executed after getting the reverse shell is whoami
We can see the computer host name in the image above.
The command the attacker used to spawn a new TTY shell is
Looking at the screenshot above, we can see that after executing the sudo su command, the user has privileged escalated to root.
The attacker downloaded something from GitHub, this is seen in the image.
The name of the GitHub project is Reptile
A backdoor that is stealthy and can be very hard to detect is called a Rootkit
Task 2: Hack your way back into the machine
Lets run hydra to find the password of the user jenny so that we can retrieve the shell.php
file on the ftp server and change the IP to ours and then upload it back to get a reverse shell when we navigate to the page.
We found the password, lets now login to FTP
We are logged in, lets list and retrieve the shell.php
file
Back on our machine, lets modify the IP to our IP and then upload the file back to the ftp server.
Now lets upload the file. On the ftp server use the command put.
Now lets start a netcat listener on the port you mentioned in the file and navigate to the web page where the file is.
Once you navigate to the page, you should get a reverse shell.
Lets stabilize the shell.
Lets now switch users to Jenny
with the password we found earlier
Lets now run sudo -l
to see what Jenny can run as another user.
Looks like she can run all commands, so lets switch users to root
We are now root.
Last updated