
TryHackMe: Juicy Details Writeup

This room is about reading and understanding log files from web, SSH and FTP services: an Apache-style access.log, vsftpd.log and auth.log.


Task 1. Reconnaissance

What tools did the attacker use? (Order by the occurrence in the log)

Explore the file access.log. We see the following, in order:

  • nmap
  • hydra
  • sqlmap
  • curl
  • feroxbuster

Check the User-Agent field at the end of each line: these tools identify themselves by default. Hydra's requests end in (Hydra), and sqlmap's user-agent contains (http://sqlmap.org).

What endpoint was vulnerable to a brute-force attack?

In access.log, filter for the requests with the Hydra user-agent and note the path they all hit:

/rest/user/login

What endpoint was vulnerable to SQL injection?

Similarly, filter for requests with the sqlmap user-agent and note the path:

/rest/products/search

What parameter was used for the SQL injection?

Any single sqlmap request shows the parameter: the requested path is /rest/products/search?q=..., with the payload URL-encoded in the value.

The parameter is thus q.

What endpoint did the attacker try to use to retrieve files? (Include the /)

We are looking for file retrieval. It appears at the very end of access.log, after both the Hydra and sqlmap activity.

/ftp

Task 2. Stolen data

What section of the website did the attacker use to scrape user email addresses?

We are looking for something user-related. The score board? No. Looking a bit earlier, we see product reviews, which carry the reviewer's email address. They are requested as /rest/product/x/reviews, where x is the product ID.

Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)

Yes, it was; that is how they were able to log in. We are looking at the Hydra requests, since that is what was used for the brute force.

Hydra stops once it has found a valid password, so is the answer the last Hydra line? No. Hydra runs with a default of 16 threads, so requests already in flight from the other threads land in the log after the successful one. The answer is therefore one of the last 16 or so attempts.

Every failed attempt returns the same status and the same response size. The successful attempt stands out: a 200 response with an anomalous (larger) size. That line carries the timestamp we want.
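The checks above (tools by first appearance, the endpoints each tool hit, the injected parameter, and the one Hydra attempt whose status and size differ from the rest) are easy to automate. The script below is an added example, not part of the original writeup or the room, and it runs on a constructed access.log fragment in combined log format rather than the room's real file: the IPs, timestamps, sizes and exact user-agent strings are illustrative, and the markers used to recognise nmap, curl and feroxbuster are assumptions about those tools' default user-agents.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined format (not the room's real log;
# IPs, timestamps and sizes are illustrative). Hydra's and sqlmap's markers are the
# ones noted in the writeup; the others are assumed default user-agents.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 1924 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.10 - - [11/Apr/2021:09:15:31 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:15:31 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:15:32 +0000] "POST /rest/user/login HTTP/1.0" 200 831 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:15:32 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:20:05 +0000] "GET /rest/products/search?q=1%27%20UNION%20SELECT%20id,email,password%20FROM%20Users-- HTTP/1.1" 200 5120 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
192.0.2.10 - - [11/Apr/2021:09:25:40 +0000] "GET /rest/products/1/reviews HTTP/1.1" 200 412 "-" "curl/7.74.0"
192.0.2.10 - - [11/Apr/2021:09:30:12 +0000] "GET /ftp HTTP/1.1" 200 2104 "-" "feroxbuster/2.2.1"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substring that identifies each tool in its default User-Agent (assumed for
# nmap, curl and feroxbuster; Hydra and sqlmap are quoted in the writeup).
TOOL_MARKERS = {
    "nmap": "Nmap Scripting Engine",
    "hydra": "(Hydra)",
    "sqlmap": "sqlmap.org",
    "curl": "curl/",
    "feroxbuster": "feroxbuster",
}

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["size"] = 0 if e["size"] == "-" else int(e["size"])
            entries.append(e)
    return entries

def tool_for(ua):
    """Name of the tool behind a User-Agent string, or None if unrecognised."""
    for tool, marker in TOOL_MARKERS.items():
        if marker in ua:
            return tool
    return None

def tools_in_order(entries):
    """Tools by first appearance in the log (Task 1, question 1)."""
    seen = OrderedDict()
    for e in entries:
        t = tool_for(e["ua"])
        if t and t not in seen:
            seen[t] = e["ts"]
    return list(seen)

def endpoints_for_tool(entries, tool):
    """Distinct paths (query string stripped) requested by one tool, in order."""
    paths = OrderedDict()
    for e in entries:
        if tool_for(e["ua"]) == tool:
            paths.setdefault(urlsplit(e["path"]).path, None)
    return list(paths)

def injected_params(entries):
    """Query parameters carried by sqlmap requests, keyed by endpoint."""
    params = {}
    for e in entries:
        if tool_for(e["ua"]) == "sqlmap":
            u = urlsplit(e["path"])
            for name in parse_qs(u.query, keep_blank_values=True):
                params.setdefault(u.path, set()).add(name)
    return params

def successful_logins(entries, endpoint="/rest/user/login"):
    """Timestamps of Hydra attempts that look successful: status 200 and a response
    size unlike the most common (failure) size on the endpoint. The whole burst is
    scanned, not just the last line, because Hydra's threads keep logging after a hit."""
    attempts = [e for e in entries
                if tool_for(e["ua"]) == "hydra" and urlsplit(e["path"]).path == endpoint]
    if not attempts:
        return []
    sizes = [e["size"] for e in attempts]
    failure_size = max(set(sizes), key=sizes.count)  # the mode is the failed-login size
    return [e["ts"] for e in attempts if e["status"] == 200 and e["size"] != failure_size]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("tools:", tools_in_order(entries))
    print("hydra endpoints:", endpoints_for_tool(entries, "hydra"))
    print("sqlmap params:", injected_params(entries))
    print("successful logins:", successful_logins(entries))
```

To run it against the room's file, replace SAMPLE_LOG with the contents of access.log. The size-based check in successful_logins is the same reasoning as above, just made explicit: failures share one size, so the outlier with a 200 is the hit.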

What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

Look at the last UNION SELECT payloads in the sqlmap requests (URL-decode them if needed). They select id, email, password, ... FROM the Users table. The id column is not part of the answer; the user information retrieved is the rest.

What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)

The endpoint from the previous task was /ftp, so the attacker was going after FTP, which is what this question is about.

Checking vsftpd.log, the last two lines show the two files being retrieved.

What service and account name were used to retrieve files from the previous question? (service, username)

vsftpd.log shows the files were fetched over the anonymous FTP login, so the answer is ftp as the service and anonymous as the account.

What service and username were used to gain shell access to the server? (service, username)

Take a wild guess at the username. It is in auth.log: find the sshd line that records an accepted login at Apr 11 09:41:32. The service is ssh and the username is on that line.

That covers all three log files. Job done!
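The FTP and SSH questions above come down to two more log formats. The script below is an added example, not part of the original writeup or the room: it parses a constructed vsftpd.log fragment (vsftpd's default non-xferlog layout) and a constructed auth.log fragment (standard sshd syslog wording), and pulls out the FTP account and transferred files and the accepted SSH login with its timestamp. The file names, the hostname juicy, the user alice and all IPs and PIDs are invented placeholders, not the room's answers.

```python
import re

# Constructed sample lines (not the room's files). The vsftpd lines follow vsftpd's
# default log layout; the auth.log lines follow sshd's usual syslog messages.
# Host name, user, file names, PIDs and IPs are placeholders.
VSFTPD_LOG = """\
Sun Apr 11 09:35:10 2021 [pid 2201] CONNECT: Client "192.0.2.10"
Sun Apr 11 09:35:11 2021 [pid 2200] [anonymous] OK LOGIN: Client "192.0.2.10", anon password "?"
Sun Apr 11 09:35:40 2021 [pid 2202] [anonymous] FAIL DOWNLOAD: Client "192.0.2.10", "/private/secret.txt", 0.00Kbyte/sec
Sun Apr 11 09:36:02 2021 [pid 2202] [anonymous] OK DOWNLOAD: Client "192.0.2.10", "/backup-one.bak", 1843 bytes, 12.01Kbyte/sec
Sun Apr 11 09:36:09 2021 [pid 2202] [anonymous] OK DOWNLOAD: Client "192.0.2.10", "/backup-two.md", 512 bytes, 4.60Kbyte/sec
"""

AUTH_LOG = """\
Apr 11 09:40:58 juicy sshd[3101]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Apr 11 09:41:07 juicy sshd[3103]: Failed password for alice from 192.0.2.10 port 51010 ssh2
Apr 11 09:41:32 juicy sshd[3105]: Accepted password for alice from 192.0.2.10 port 51020 ssh2
Apr 11 09:41:32 juicy sshd[3105]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# vsftpd: "<day> <mon> <d> <time> <year> [pid N] [user] OK|FAIL ACTION: Client "ip", "file", ..."
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<result>OK|FAIL) (?P<action>LOGIN|DOWNLOAD|UPLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<file>[^"]+)")?'
)

# sshd: "<mon> <d> <time> <host> sshd[N]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
SSH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) '
    r'(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)

def ftp_transfers(text):
    """(account, OK|FAIL, file) for every FTP transfer attempt, in log order."""
    out = []
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if m and m["action"] in ("DOWNLOAD", "UPLOAD"):
            out.append((m["user"], m["result"], m["file"]))
    return out

def ftp_accounts(text):
    """Accounts that logged in successfully over FTP (answers 'service, username')."""
    matches = (FTP_RE.match(line) for line in text.splitlines())
    return sorted({m["user"] for m in matches
                   if m and m["action"] == "LOGIN" and m["result"] == "OK"})

def ssh_logins(text, accepted_only=True):
    """(timestamp, user, ip) for sshd authentication results; accepted ones by default."""
    out = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m and (m["result"] == "Accepted" or not accepted_only):
            out.append((m["ts"], m["user"], m["ip"]))
    return out

if __name__ == "__main__":
    print("ftp accounts:", ftp_accounts(VSFTPD_LOG))
    print("ftp transfers:", ftp_transfers(VSFTPD_LOG))
    print("ssh accepted:", ssh_logins(AUTH_LOG))
```

Failed downloads are kept in ftp_transfers on purpose: the question asks what the attacker tried to download, and a FAIL DOWNLOAD line is still an attempt. Swap the constructed strings for the real vsftpd.log and auth.log to get the room's answers.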
