TryHackMe — Juicy Details Writeup

Karam Chatra
4 min read · Mar 28, 2023
A popular juice shop has been breached! Analyze the logs to see what had happened…

For this challenge, I recommend that you get familiar with:

A good room to complete prior to this challenge is “HTTP in detail”.

Reconnaissance

What tools did the attacker use?

When taking a look at the access.log file, we can manually identify the tools the attacker used, which are:

nmap,hydra,sqlmap,curl,feroxbuster

To get an idea of what each of these tools is used for, check out these resources:

What endpoint was vulnerable to a brute-force attack?

Again, manually searching for Hydra attempts yields many GET and POST requests to /rest/user/login.

/rest/user/login

What endpoint was vulnerable to SQL injection?

You can see the SQL injection strings that sqlmap passes in the search query.

/rest/products/search

What parameter was used for the SQL injection?

Taking a look at the /rest/products/search URL, the search parameter is “q”.

::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/search?q=1&QKqc=7074%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"

What endpoint did the attacker try to use to retrieve files? (Include the /)

The attacker is trying to get two files from /ftp. As you can see in the logs, the request returns 403/Forbidden.

This part is important later on.

Stolen Data

What section of the website did the attacker use to scrape user email addresses?

product reviews

Was their brute-force attack successful? If so, what is the timestamp of the successful login?

Look for the Hydra login attempt that returns status 200.

Yay,11/Apr/2021:09:16:31 +0000
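As an added example (not part of the original writeup), here is a short Python script that automates the manual access.log triage done in the reconnaissance questions and the brute-force question above: it parses combined-log-format lines, identifies tools from their User-Agent strings, finds the endpoint each tool hit most, flags query parameters whose decoded value carries SQL injection markers, and returns the timestamp of the first 200 Hydra received on the login endpoint. The sample log lines and the User-Agent substrings are constructed for illustration, not copied from the room's file.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the room's access.log format (not the room's real file).
SAMPLE_LOG = """\
::ffff:192.168.10.5 - - [11/Apr/2021:09:11:02 +0000] "GET / HTTP/1.1" 200 - "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:29 +0000] "POST /rest/user/login HTTP/1.0" 401 - "-" "Mozilla/4.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.0" 200 - "-" "Mozilla/4.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/search?q=1%27%20AND%201%3D1%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:34:40 +0000] "GET /ftp HTTP/1.1" 403 - "-" "curl/7.74.0"
::ffff:192.168.10.5 - - [11/Apr/2021:09:40:10 +0000] "GET /assets/ HTTP/1.1" 200 - "-" "feroxbuster/2.2.1"
"""
# Combined log format: client - - [timestamp] "METHOD target proto" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TOOL_SIGNATURES = ("nmap", "hydra", "sqlmap", "curl", "feroxbuster")  # substrings of known User-Agents
SQLI_MARKERS = ("'", " and ", " or ", "union", "select", "--", "#")     # crude; tune to limit false positives

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["path"] = urlsplit(e["target"]).path
        e["tool"] = next((t for t in TOOL_SIGNATURES if t in e["ua"].lower()), None)
        entries.append(e)
    return entries

def tools_used(entries):
    """Distinct attack tools seen in User-Agent headers."""
    return sorted({e["tool"] for e in entries if e["tool"]})

def busiest_path(entries, tool):
    """Path a tool hit most often, e.g. hydra -> the brute-forced login endpoint."""
    c = Counter(e["path"] for e in entries if e["tool"] == tool)
    return c.most_common(1)[0][0] if c else None

def injected_params(entries):
    """(path, parameter) pairs whose URL-decoded value carries SQL injection markers."""
    found = set()
    for e in entries:
        for name, values in parse_qs(urlsplit(e["target"]).query).items():
            if any(mk in v.lower() for v in values for mk in SQLI_MARKERS):
                found.add((e["path"], name))
    return sorted(found)

def first_success(entries, tool, path):
    """Timestamp of the first 200 a tool got on a path: the successful brute-force login."""
    return next((e["ts"] for e in entries if e["tool"] == tool and e["path"] == path and e["status"] == 200), None)
```

Run it against the real access.log by replacing SAMPLE_LOG with the file's contents; the User-Agent match is the weak point, since a tool can spoof its agent, so treat the tool list as a starting point rather than a complete inventory.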

What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

For this question, you will need to look at the SQL injections, and try to interpret what attributes are requested from the SQL tables.

User’s emails

And user’s passwords

What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)

Looking at the vsftpd.log file, we see two OK DOWNLOAD events for two files.

www-data.bak,coupons_2013.md.bak

What service and account name were used to retrieve files from the previous question?

The attacker exploited CVE-1999-0497. If you would like to research this vulnerability, it is quite common in CTFs that you might stumble upon in the future.

ftp,anonymous

What service and username were used to gain shell access to the server?

After many failed login attempts in the file auth.log, the attacker successfully logged in as the user “www-data” using ssh.

Karam Chatra

Information Technology Student @ Middlesex University Dubai | Active participant @ TryHackMe, overthewire.org & picoCTF