TryHackMe- Juicy Details Room

64bitCoder — Sat, 14 Aug 2021 08:46:57 +0000

Hi Everyone.This is my first post on dev.to . This post is dedicated to the attack enumeration and analysis of the Easy room "Juciy Details" on Tryhackme. You can solve this room for free @ https://tryhackme.com/room/juicydetails.

Special Thanks to @kkaosninja for making me aware of this amazing platform.

In this room we are provided with a .zip file which contains 3 .log files. We have to study and enumerate these in order to analyze the attack.

Coming to the Tasks which we are asked to solve.

Task1: The solution for this task is already mentioned in the description of the task.

Task2:
Q1) What tools did the attacker use? (Order by the occurrence in the log)

Solution: On studying the access.log file,we observe:

Line2) ::ffff:192.168.10.5 - - [11/Apr/2021:09:08:34 +0000] "POST / HTTP/1.1" 200 1924 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

Tool 1: Nmap

Line208) ::ffff:192.168.10.5 - - [11/Apr/2021:09:16:27 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"

Tool 2: Hydra

Line550) ::ffff:192.168.10.5 - - [11/Apr/2021:09:29:14 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"

Tool 3: Sqlmap

Line631) ::ffff:192.168.10.5 - - [11/Apr/2021:09:32:51 +0000] "GET /rest/products/search?q=qwert%27))%20UNION%20SELECT%20id,%20email,%20password,%20%274%27,%20%275%27,%20%276%27,%20%277%27,%20%278%27,%20%279%27%20FROM%20Users-- HTTP/1.1" 200 3742 "-" "curl/7.74.0"

Tool 4: curl

Line632) ::ffff:192.168.10.5 - - [11/Apr/2021:09:34:33 +0000] "GET /a54372a1404141fe8842ae5c029a00e3 HTTP/1.1" 200 1924 "-" "feroxbuster/2.2.1"

Tool 5: Feroxbuster

(Make sure you write the tools in the correct order and in the mentioned pattern in the answer box. )

Q2) What endpoint was vulnerable to a brute-force attack?
Solution:

Line208) ::ffff:192.168.10.5 - - [11/Apr/2021:09:16:27 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"

In the above snippet we see that the attacker has discovered a login path where he starts a brute-force attack using Hydra.
This path is the vulnerable endpoint.

Q3)What endpoint was vulnerable to SQL injection?
Solution:
Line550) ::ffff:192.168.10.5 - - [11/Apr/2021:09:29:14 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"

The attacker used this vulnerable endpoint to perform a sql injection attack.

Q4) What parameter was used for the SQL injection?
Solution: q

Q5)What endpoint did the attacker try to use to retrieve files? (Include the /)

Solution:
Line640) ::ffff:192.168.10.5 - - [11/Apr/2021:09:34:33 +0000] "GET /ftp HTTP/1.1" 200 4852 "-" "feroxbuster/2.2.1"

After discovering the '/ftp' directory by feroxbuster,the attacker used this path to retrieve files.

This is it for Task 2. Lets move to Task 3.

Task 3
Q1) What section of the website did the attacker use to scrape user email addresses?
Solution) GET /rest/products/13/reviews HTTP/1.1
This is the place where customers usually comment.

Q2) Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)
Solution:
Line495) ::ffff:192.168.10.5 - - [11/Apr/2021:09:16:32 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"

This is the snippet which shows the successful login attempt by hydra.
So, Yes this method was effective as the attacker was successful in logging.

Q3) What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
Solution:
Line631) ::ffff:192.168.10.5 - - [11/Apr/2021:09:32:51 +0000] "GET /rest/products/search?q=qwert%27))%20UNION%20SELECT%20id,%20email,%20password,%20%274%27,%20%275%27,%20%276%27,%20%277%27,%20%278%27,%20%279%27%20FROM%20Users-- HTTP/1.1" 200 3742 "-" "curl/7.74.0"

Observing the above snippet of access.log file, we see that the attacker was able to successfully get the email and password .

Q4) What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)
Solution:
Line37) Sun Apr 11 09:35:45 2021 [pid 8154] [ftp] OK DOWNLOAD: Client "::ffff:192.168.10.5", "/**www-data.bak**", 2602 bytes, 544.81Kbyte/sec
Line38) Sun Apr 11 09:36:08 2021 [pid 8154] [ftp] OK DOWNLOAD: Client "::ffff:192.168.10.5", "/**coupons_2013.md.bak**", 131 bytes, 3.01Kbyte/sec

These are the two files (in bold) which were retrieved by the attacker.

Q5) What service and account name were used to retrieve files from the previous question? (service, username)
Solution:

For this we have to look into the vsftpd.log file.
Line8) Sun Apr 11 08:15:58 2021 [pid 6526] [ftp] OK LOGIN: Client "::ffff:127.0.0.1", anon password "?"
The attacker used ftp service with an anonymous login.

Q6) What service and username were used to gain shell access to the server? (service, username)
Solution:

Moving to auth.log,

Line1) Apr 11 09:38:29 thunt sshd[8162]: Failed password for www-data from 192.168.10.5 port 40066 ssh2

This clearly shows that the attacker was trying to gain a shell by using ssh with a username www-data .

Thats All for this room. Congratulations on completing the room.
See you all in the next post.
Join Me on TryHackMe: https://tryhackme.com/p/64bitCoder
Love-Peace-Hack <3

DEV Community: 64bitCoder

TryHackMe- Juicy Details Room