h4cked
Task 1: Oh no! We've been hacked!
It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.
We can open the PCAP file in Wireshark after downloading it.
No answer needed
The attacker is trying to log into a specific service. What service is this?
If we scroll a bit we can see the following packets. We can use `Follow > TCP Stream`. This does look like a login attempt.
Answer
There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
Answer
The attacker is trying to log on with a specific username. What is the username?
We saw in the TCP stream that the username was `jenny`.
Answer
What is the user's password?
If we change the stream to 7, we can find the correct password.
Answer
What is the current FTP working directory after the attacker logged in?
We can find the current working directory on setting the stream to 16.
Answer
The attacker uploaded a backdoor. What is the backdoor's filename?
We can find the answer in the same stream.
Answer
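The questions above (service, username, password, working directory, backdoor filename) are all answered by reading the FTP control channel that `Follow > TCP Stream` reconstructs. The following script, added here as an example and not part of the room or this write-up, parses that kind of transcript and extracts the same facts automatically, then flags the two things a defender cares about: a run of failed logins against one account, and an upload with a server-side script extension. The transcript is constructed: `jenny` and `shell.php` come from the write-up, while the tried passwords, the banner and the directory `/var/www/html` are placeholders.

```python
"""Summarise a reconstructed FTP control-channel stream.

Added example for this write-up, not code from the room or its author.
It parses the text Wireshark's Follow > TCP Stream shows for an FTP
session and pulls out login attempts, the account that authenticated,
the working directory and any uploaded files. The transcript below is
constructed: 'jenny' and 'shell.php' appear in the write-up; the
passwords, the banner and the directory are placeholders.
"""
from collections import Counter
import re

# Constructed sample: one control-channel message per line, client commands
# and server replies interleaved the way Follow > TCP Stream shows them.
SAMPLE_STREAM = """\
220 (placeholder FTP banner)
USER jenny
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS password
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS letmein
530 Login incorrect.
USER jenny
331 Please specify the password.
PASS CONSTRUCTED_CORRECT_PASSWORD
230 Login successful.
PWD
257 "/var/www/html" is the current directory
TYPE I
200 Switching to Binary mode.
STOR shell.php
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")        # server reply: code + text
CMD_RE = re.compile(r"^([A-Z]{3,4})(?: (.*))?$")  # client command + optional arg

# Extensions a web server would execute if the file lands in its docroot.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx", ".cgi")


def parse_ftp_stream(text):
    """Return a summary of the session: attempts, failures, success, cwd, uploads."""
    summary = {
        "attempts": [],           # (username, password) pairs in the order tried
        "failed": Counter(),      # 530 replies per username
        "successful_user": None,  # username that received a 230 reply
        "cwd": None,              # directory reported by the 257 reply to PWD
        "uploads": [],            # arguments of STOR commands
    }
    user = None
    for line in text.splitlines():
        line = line.rstrip()
        cmd = CMD_RE.match(line)
        if cmd:
            verb, arg = cmd.group(1), cmd.group(2)
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                summary["attempts"].append((user, arg))
            elif verb == "STOR":
                summary["uploads"].append(arg)
            continue
        reply = REPLY_RE.match(line)
        if not reply:
            continue
        code, msg = reply.group(1), reply.group(2)
        if code == "530":
            summary["failed"][user] += 1
        elif code == "230":
            summary["successful_user"] = user
        elif code == "257":
            quoted = re.search(r'"(.*?)"', msg)
            if quoted:
                summary["cwd"] = quoted.group(1)
    return summary


def is_bruteforce(summary, max_failures=3):
    """True when any single account accumulated max_failures or more 530 replies."""
    return any(n >= max_failures for n in summary["failed"].values())


def suspicious_uploads(summary):
    """Uploaded file names that carry a server-side script extension."""
    return [f for f in summary["uploads"] if f.lower().endswith(SCRIPT_EXTENSIONS)]


if __name__ == "__main__":
    s = parse_ftp_stream(SAMPLE_STREAM)
    print("attempts:", len(s["attempts"]), "failed:", dict(s["failed"]))
    print("logged in as:", s["successful_user"], "cwd:", s["cwd"])
    print("brute force:", is_bruteforce(s), "script uploads:", suspicious_uploads(s))
```

On a real capture, save the followed stream with Wireshark's "Save as" in the stream window and feed the file to `parse_ftp_stream`; the thresholds and the extension list are the knobs to tune for your environment.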
The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
In order to answer this question we have to filter the packets using the following filter:
On inspecting the second packet, we can find the URL.
Answer
Which command did the attacker manually execute after getting a reverse shell?
Let's navigate to stream 20.
Answer
What is the computer's hostname?
In the same stream, we can find the computer's host name.
Answer
Which command did the attacker execute to spawn a new TTY shell?
The answer is in the same stream.
Answer
Which command was executed to gain a root shell?
Again in the same stream, we can find the answer.
Answer
The attacker downloaded something from GitHub. What is the name of the GitHub project?
We can find the git clone that the attacker used.
Answer
The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
This type of backdoor is called a Rootkit.
Answer
Task 2: Hack your way back into the machine
The attacker has changed the user's password! Can you replicate the attacker's steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary. Good luck!
No answer needed
Run Hydra (or any similar tool) on the FTP service. The attacker might not have chosen a complex password. You might get lucky if you use a common word list.
Let's first scan the target using `nmap`.
As we can see there are three open ports:

| Port | Service |
|---|---|
| 21 | ftp |
| 80 | http |
We know that the user `jenny` changed the password. Let's brute force it using `hydra`.
No answer needed
Change the necessary values inside the web shell and upload it to the webserver
Let's log in through FTP using `jenny` as the username and `987654321` as the password.
Let's look around to find something important.
We can download these files using the `get` command.
We have to modify the shell a bit.
We set the IP address to our `tun0` interface and the port to any port we like. Let's upload the modified `shell.php` using the `put` command.
We have successfully uploaded our `shell.php` file to the FTP server.
No answer needed
Create a listener on the designated port on your attacker machine. Execute the web shell by visiting the .php file on the targeted web server.
Let's start listening for connections using `nc`.
Now we have to download the shell through our browser.
Let's check our listener.
Let's stabilize the shell and switch user to `jenny`.
Let's check what `sudo` commands `jenny` can execute.
We have permissions to switch user to `root`.
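The chain just walked through (a web-server account switching to `jenny`, then `jenny` using `sudo` to become `root`) leaves a clear trail in the host's authentication log, and that trail is what a defender would alert on. The script below, added here as an example rather than anything from the room, scans `auth.log`-style lines for two patterns: an interactive `su` that originates from a service account such as `www-data`, and a `sudo` invocation whose target is `root` and whose command is itself a shell. The log lines are constructed: `jenny` and `www-data` come from the write-up, while the hostname `example-host`, the timestamps, the `admin` user and the PIDs are placeholders, and the line formats follow Debian-style syslog output, which you should adjust for your own distribution.

```python
"""Flag shell-yielding su/sudo events in auth.log-style lines.

Added example for this write-up, not part of the room's material. The
sample lines are constructed: 'jenny' and 'www-data' are from the
write-up; the hostname, timestamps, PIDs and the 'admin' account are
placeholders. Line formats are Debian-style syslog and are an assumption.
"""
import re

SAMPLE_AUTH_LOG = """\
Jul 12 09:55:00 example-host sshd[1234]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Jul 12 10:00:41 example-host su[2201]: (to jenny) www-data on pts/0
Jul 12 10:00:41 example-host su[2201]: pam_unix(su:session): session opened for user jenny by (uid=33)
Jul 12 10:01:02 example-host sudo:    jenny : TTY=pts/0 ; PWD=/home/jenny ; USER=root ; COMMAND=/bin/su
Jul 12 10:01:02 example-host sudo: pam_unix(sudo:session): session opened for user root by jenny(uid=1000)
Jul 12 10:05:00 example-host sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
"""

# "su[pid]: (to TARGET) ORIGIN on TTY" -- the interactive-su audit line.
SU_RE = re.compile(r"su(?:\[\d+\])?: \(to (\S+)\) (\S+) on (\S+)")
# "sudo:    USER : ... USER=TARGET ; COMMAND=..." -- the sudo audit line.
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

# Accounts that should never be the origin of an interactive su.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "ftp", "nobody"}
# Commands that hand the caller an interactive shell as the target user.
SHELL_COMMANDS = {"/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash", "/bin/dash",
                  "/usr/bin/bash", "/usr/bin/sh"}


def analyse_auth_log(text):
    """Return a list of findings, one dict per suspicious su/sudo event."""
    findings = []
    for line in text.splitlines():
        su = SU_RE.search(line)
        if su:
            target, origin, tty = su.groups()
            if origin in SERVICE_ACCOUNTS:
                findings.append({"kind": "su_from_service_account",
                                 "user": origin, "target": target, "tty": tty})
            continue
        sudo = SUDO_RE.search(line)
        if sudo:
            user, target, command = sudo.groups()
            binary = command.split()[0]
            if target == "root" and binary in SHELL_COMMANDS:
                findings.append({"kind": "sudo_root_shell",
                                 "user": user, "target": target, "command": command})
    return findings


if __name__ == "__main__":
    for finding in analyse_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

The `admin` line is deliberately included as a control: a `sudo` to `root` that runs a package manager matches the regex but not the shell list, so it produces no finding. Tightening `SHELL_COMMANDS` or `SERVICE_ACCOUNTS` is where most of the tuning happens in practice.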
No answer needed
Become root!
No answer needed
Read the flag.txt file inside the Reptile directory
Let's read the flag.txt file inside the Reptile directory.
Answer