h4cked | TryHackMe Walkthrough

Task 1: Oh no! We've been hacked!
It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened?
Download the .pcap file and use Wireshark to view it.
- The attacker is trying to log into a specific service. What service is this?
Ans: ftp
To analyze the PCAP in detail, I used Statistics → Protocol Hierarchy.
FTP accounts for a large share of the packets, which indicates where most of the activity is.

Let's filter to FTP traffic only:

- There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
Ans: Hydra
- The attacker is trying to log on with a specific username. What is the username?
Ans: jenny

- What is the user's password?
Ans: password123
By filtering FTP traffic, identifying the successful login response and then following the corresponding TCP stream, we can see the password that gave access to the jenny account.

Right-click the packet → Follow → TCP Stream

After logging in, the attacker checked the current working directory, which is /var/www/html.
This confirms that the FTP directory is the web root, meaning files uploaded here are served by the web server, so an uploaded reverse shell can be triggered simply by requesting it.
The attacker then uploaded shell.php and gave the file full permissions.
- What is the current FTP working directory after the attacker logged in?
Ans: /var/www/html
- The attacker uploaded a backdoor. What is the backdoor's filename?
Ans: shell.php
- The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?
Ans: http://pentestmonkey.net/tools/php-reverse-shell
To view the contents of shell.php, inspect FTP-DATA packets.
Under Line-based text data, the actual PHP payload is visible, including:
- the remote URL from which the backdoor script was downloaded
- the attacker's IP address and listening port for the reverse shell
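The checks done by hand above (spotting repeated failed logins, the credential that finally worked, the working directory and the STOR of the backdoor) can be scripted once the FTP control channel has been exported from Follow TCP Stream. This is an added example, not part of the original walkthrough, and the transcript it parses is constructed sample data, not the room's pcap:

```python
import re
# Constructed FTP control-channel conversation as "Follow TCP Stream" shows it
# (client commands, 3-digit server replies); sample data, not the room's pcap.
SAMPLE_STREAM = """\
USER jenny
PASS 123456
530 Login incorrect.
USER jenny
PASS qwerty
530 Login incorrect.
USER jenny
PASS letmein
530 Login incorrect.
USER jenny
PASS password123
230 Login successful.
PWD
257 "/var/www/html" is the current directory
STOR shell.php
150 Ok to send data.
226 Transfer complete.
"""
REPLY = re.compile(r"^(\d{3})[ -](.*)$")
def analyse_ftp_stream(text, fail_threshold=3):
    # Pair each command with its replies; summarise logins, cwd and uploads.
    result = {"failed": 0, "brute_force": False, "success": None, "cwd": None, "uploads": []}
    user = password = stor_name = pending = None
    for line in text.splitlines():
        m = REPLY.match(line)
        if not m:                          # client command: remember it
            verb, _, arg = line.partition(" ")
            pending = verb.upper()
            if pending == "USER":
                user = arg
            elif pending == "PASS":
                password = arg
            elif pending == "STOR":
                stor_name = arg
            continue
        code, msg = m.groups()             # server reply to the last command
        if pending == "PASS" and code == "530":
            result["failed"] += 1
        elif pending == "PASS" and code == "230":
            result["success"] = (user, password)
        elif pending == "PWD" and code == "257":
            result["cwd"] = msg.split('"')[1]
        elif pending == "STOR" and code == "226":   # 150 is interim, 226 is done
            result["uploads"].append(stor_name)
    result["brute_force"] = result["failed"] >= fail_threshold
    return result
```

A run of 530 replies followed by a single 230 from the same source is the signature of a successful dictionary attack, and any STOR into the web root is worth an alert on its own.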

The attacker then executed the file by requesting it on the website:

- Which command did the attacker manually execute after getting a reverse shell?
Ans: whoami
Since HTTP traffic is unencrypted, filtering HTTP packets and following the TCP stream reveals cleartext commands executed by the attacker after gaining the reverse shell.

- What is the computer's hostname?
Ans: winr3

- Which command did the attacker execute to spawn a new TTY shell?
Ans: python3 -c 'import pty; pty.spawn("/bin/bash")'
This command is commonly used to upgrade a basic reverse shell into a fully interactive TTY shell.
- Which command was executed to gain a root shell?
Ans: sudo su
- The attacker downloaded something from GitHub. What is the name of the GitHub project?
Ans: Reptile

- The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?
Ans: Rootkit
Reptile is a Linux kernel-mode rootkit; it is hard to detect because it runs inside the kernel and can hide processes, files, and network activity from userland tools.
Task 2: Hack your way back into the machine
The attacker has changed the user's password! Can you replicate the attacker's steps and read the flag.txt? The flag is located in the /root/Reptile directory. Remember, you can always look back at the .pcap file if necessary.
Good luck!
Run Hydra (or any similar tool) on the FTP service. The attacker might not have chosen a complex password. You might get lucky if you use a common word list.

Change the necessary values inside the web shell and upload it to the web server.
- Updated attacker IP and listening port in the payload


Uploaded php-reverse-shell.php via FTP to /var/www/html

Create a listener on the designated port on your attacker machine.
nc -lvnp <port>
Execute the web shell by visiting the .php file on the targeted web server.
- Accessed the PHP file via the web browser

- Obtained a reverse shell

“I followed the same steps as the attacker by upgrading the shell, switching to the user jenny, checking sudo permissions using sudo -l, and finally escalating privileges to root using sudo su.”

Read the flag.txt file inside the Reptile directory.
Ans: ebcefd66ca4b559d17b440b6e67fd0fd
“I hope you enjoyed this room—happy hacking!”