Juicy Details
Date: 21, June, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
Reconnaissance
What tools did the attacker use?
Answer: nmap, hydra, sqlmap, curl, feroxbuster
Steps to Reproduce:
grep -v Firefox access.log | more
What endpoint was vulnerable to a brute-force attack?
Answer: /rest/user/login
Steps to Reproduce:
grep Hydra access.log
What endpoint was vulnerable to SQL injection?
Answer: /rest/products/search
Steps to Reproduce:
grep sqlmap access.log
What parameter was used for the SQL injection?
Answer: q
What endpoint did the attacker try to use to retrieve files? (Include the /)
Answer: /ftp
Steps to Reproduce:
grep feroxbuster access.log
cat vsftpd.logls
FTP is commonly used for file retrievals.
Stolen Data
What section of the website did the attacker use to scrape user email addresses?
Answer: Product Reviews
Steps to Reproduce:
In the access.log we can find many request with different ids to the Product review:
GET /rest/products/6/reviews HTTP/1.1" 200 170 "http://192.168.10.4/
Was their brute-force attack successful? If so, what is the timestamp of the successful login?
Answer: Yay, 11/Apr/2021:09:16:31 +0000
Steps to Reproduce:
What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
Answer: email, password
Steps to Reproduce:
Check the last few lines of the result:
grep -i select access.log | grep 200
What files did they try to download from the vulnerable endpoint?
Answer: www-data.bak, coupons_2013.md.bak
Steps to Reproduce:
What service and account name were used to retrieve files from the previous question?
Answer: ftp, anonymous
Steps to Reproduce: Check
vsftpd.log
file
What service and username were used to gain shell access to the server?
Answer: ssh, www-data
Steps to Reproduce:
Last updated