{THM}H4cked
Last updated
Hai hello, this room has two parts: part 1 is to investigate the incident that happened, and part 2 is to take over the account.
It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.
Download the file. I open it with Wireshark. My first step is to see whether any objects can be exported.
After checking all these objects, I can conclude that the attack happened over the FTP port, and a payload was uploaded.
Let's check the timeline of the attack.
It shows the attacker trying to brute-force the password using the username jenny.
A few streams later, I notice a successful login. That means the attacker managed to get the password for this user.
Next I check what the attacker did on this machine.
OHHNOO, a shell was uploaded via the FTP port, and a listener on the attacker's IP and port successfully received the connection.
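The pattern seen in the capture, many failed FTP logins for one user followed by a success and then a file upload, is exactly what a defender wants to alert on. The script below is an added example for this writeup, not code from the room or the original post: it walks a text rendering of an FTP control channel (the kind of lines you see in Wireshark's Follow TCP Stream or in an FTP server log), counts 530 failures per source and user, and flags sessions where the guessing paid off (a 230 reply) and what was stored afterwards. The `src direction message` line format and the 203.0.113.x source addresses are constructed for the example and are not from the pcap.

```python
"""Flag FTP password guessing that ended in a successful login (added example)."""
import re
from collections import defaultdict

# Constructed sample, not from the room's pcap. Format (an assumption):
# "<src_ip> <C|S>-> <ftp line>", C-> is the client, S-> is the server reply.
SAMPLE_LOG = """\
203.0.113.10 C-> USER jenny
203.0.113.10 C-> PASS password1
203.0.113.10 S-> 530 Login incorrect.
203.0.113.10 C-> USER jenny
203.0.113.10 C-> PASS 123456
203.0.113.10 S-> 530 Login incorrect.
203.0.113.10 C-> USER jenny
203.0.113.10 C-> PASS letmein
203.0.113.10 S-> 530 Login incorrect.
203.0.113.10 C-> USER jenny
203.0.113.10 C-> PASS qwerty
203.0.113.10 S-> 530 Login incorrect.
203.0.113.10 C-> USER jenny
203.0.113.10 C-> PASS REDACTED
203.0.113.10 S-> 230 Login successful.
203.0.113.10 C-> STOR shell.php
198.51.100.7 C-> USER anonymous
198.51.100.7 S-> 530 Login incorrect.
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<dir>[CS])-> (?P<msg>.*)$")


def analyze_ftp(log_text, threshold=3):
    """Return one finding per (src, user) that failed >= threshold times and then logged in.

    Each finding carries the failure count and the names of files STORed after
    the successful login, which is the "payload uploaded" part of the incident.
    """
    pending_user = {}  # src -> most recent USER seen (FTP logs in as USER then PASS)
    stats = defaultdict(lambda: {"failures": 0, "success": False, "uploads": []})

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not in the expected shape
        src, direction, msg = m.group("src", "dir", "msg")

        if direction == "C":
            if msg.startswith("USER "):
                pending_user[src] = msg.split(None, 1)[1]
            elif msg.startswith("STOR ") and src in pending_user:
                key = (src, pending_user[src])
                if stats[key]["success"]:
                    stats[key]["uploads"].append(msg.split(None, 1)[1])
        else:
            user = pending_user.get(src)
            if user is None:
                continue  # server reply before any USER; nothing to attribute it to
            key = (src, user)
            if msg.startswith("530"):
                stats[key]["failures"] += 1
            elif msg.startswith("230"):
                stats[key]["success"] = True

    findings = []
    for (src, user), s in stats.items():
        if s["failures"] >= threshold and s["success"]:
            findings.append({"src": src, "user": user, **s})
    return findings


if __name__ == "__main__":
    for f in analyze_ftp(SAMPLE_LOG):
        print(f"{f['src']} brute-forced '{f['user']}' ({f['failures']} failures), "
              f"then uploaded: {', '.join(f['uploads']) or 'nothing'}")
```

The threshold is deliberately low here because the sample is short; on a real server log you would also want a time window, since a legitimate user mistyping a password twice should not trip the same alert as a wordlist run.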
The attacker also checked for a way to escalate to root, and it succeeded!!
After becoming root, the attacker pulled the Reptile repository from GitHub. This payload is known as a rootkit, which lets the attacker log in without being noticed by the user.
As we know, this attack happened over the FTP port. But the password has already been changed. HURM!!
But don't worry, we will use the same step as the attacker to get the password. HYDRA, yes, we brute-force it back.
We got the password; it was not too hard to guess. Let's log in with the given password.
So we got in just like that, but how can we get the flag??
The answer is that we need to get our payload to connect to a listener. Same steps as the attacker.
HEHEHE.
Let's upload the same payload, but modified with our machine's IP and listening port.
Once that's successful, let's start our listener and then open it.
Now we're in. We know the user and credentials, so let's change them.
After finishing with the user, let's check the sudo permissions for privilege escalation.
SODANGEROUSSSS!!! It allows everything without a password.
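A sudoers rule that grants `NOPASSWD: ALL` is the misconfiguration the writeup is pointing at, and it is cheap to audit for. The script below is an added example, not part of the original post or of the room: it parses sudoers-style text, separates tags such as `NOPASSWD:` from the command list, and rates each rule. The sample sudoers content is constructed to mirror what the writeup describes (one user allowed everything without a password) and does not come from the target machine; alias expansion and `#include` handling are left out, which is a simplification you would remove before using this on a real `/etc/sudoers` and `/etc/sudoers.d`.

```python
"""Rate sudoers rules by how much they hand over, with NOPASSWD: ALL on top (added example)."""
import re

# Constructed sample, not the target's real sudoers. The 'jenny' line models
# "it allows everything without a password"; 'backup' is a scoped NOPASSWD rule
# for contrast.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jenny   ALL=(ALL) NOPASSWD: ALL      # the dangerous one
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
# Tags sudoers allows in front of a command (the ones relevant here are NOPASSWD/PASSWD).
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Yield one dict per user-specification line: user, runas, commands, nopasswd."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (also drops #include, by design)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False
        commands = []
        # Simplification: a NOPASSWD tag anywhere in the rule is treated as applying
        # to the whole rule; real sudo applies tags to the commands that follow them.
        for chunk in m.group("spec").split(","):
            cmd_tokens = []
            for tok in chunk.split():
                if TAG_RE.match(tok):
                    if tok == "NOPASSWD:":
                        nopasswd = True
                    elif tok == "PASSWD:":
                        nopasswd = False
                else:
                    cmd_tokens.append(tok)
            if cmd_tokens:
                commands.append(" ".join(cmd_tokens))
        yield {
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "commands": commands,
            "nopasswd": nopasswd,
        }


def rate_rule(rule):
    """critical: any command, no password (sudo su straight to root, as in the writeup)."""
    if "ALL" in rule["commands"] and rule["nopasswd"]:
        return "critical"
    if rule["nopasswd"]:
        return "medium"   # passwordless, but limited to named binaries
    if "ALL" in rule["commands"]:
        return "info"     # full sudo, but a password is still required
    return "low"


def audit_sudoers(text):
    """Return every rule with its severity attached, worst first."""
    order = {"critical": 0, "medium": 1, "info": 2, "low": 3}
    rated = [{**r, "severity": rate_rule(r)} for r in parse_sudoers(text)]
    return sorted(rated, key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for r in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{r['severity']:>8}  {r['user']:<8} runas={r['runas']:<8} "
              f"nopasswd={r['nopasswd']}  {', '.join(r['commands'])}")
```

The fix for the critical finding is the obvious one: scope the rule to the specific commands the account actually needs, and drop `NOPASSWD` unless there is an operational reason for it.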
sudo su
Just like that, we're in as root. Next, find our objective and the flag.
Thanks for reading.