Date: 21 June 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
- Answer: nmap, hydra, sqlmap, curl, feroxbuster
- Steps to Reproduce:
grep -v Firefox access.log | more
- Answer: /rest/user/login
- Steps to Reproduce:
grep Hydra access.log
- Answer: /rest/products/search
- Steps to Reproduce:
grep sqlmap access.log
- Answer: q
- Answer: /ftp
- Steps to Reproduce:
grep feroxbuster access.log
cat vsftpd.log
- FTP is commonly used for file retrievals.
- Answer: Product Reviews
- Steps to Reproduce:
- In access.log we can find many requests with different ids to the product reviews endpoint:
GET /rest/products/6/reviews HTTP/1.1" 200 170 "http://192.168.10.4/
- Answer: Yay, 11/Apr/2021:09:16:31 +0000
- Steps to Reproduce:
$ grep Hydra access.log | grep 200
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.0" 200 831 "-" "Mozilla/5.0 (Hydra)"
What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
- Answer: email, password
- Steps to Reproduce:
- Check the last few lines of the result:
grep -i select access.log | grep 200
- Answer: www-data.bak, coupons_2013.md.bak
- Steps to Reproduce:
$ grep download vsftpd.log -i
Sun Apr 11 09:35:45 2021 [pid 8154] [ftp] OK DOWNLOAD: Client "::ffff:192.168.10.5", "/www-data.bak", 2602 bytes, 544.81Kbyte/sec
Sun Apr 11 09:36:08 2021 [pid 8154] [ftp] OK DOWNLOAD: Client "::ffff:192.168.10.5", "/coupons_2013.md.bak", 131 bytes, 3.01Kbyte/sec
- Answer: ftp, anonymous
- Steps to Reproduce: Check the vsftpd.log file.
- Answer: ssh, www-data
- Steps to Reproduce:
grep accepted -i auth.log
Apr 11 09:41:19 thunt sshd[8260]: Accepted password for www-data from 192.168.10.5 port 40112 ssh2
Apr 11 09:41:32 thunt sshd[8494]: Accepted password for www-data from 192.168.10.5 port 40114 ssh2
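As an added example (not part of the original writeup), the individual greps above can be merged into one attacker timeline: the script parses the three log formats shown on this page (access.log, vsftpd.log, auth.log), strips the ::ffff: IPv4-mapped prefix, and orders every event from 192.168.10.5. The sample lines are constructed in the same formats as the room's logs, and it assumes vsftpd/auth.log timestamps are UTC and that the auth.log year (omitted by syslog) is 2021.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the same formats as the room's access.log,
# vsftpd.log and auth.log (not the room's actual files).
ACCESS_LOG = """\
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:30 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.0" 200 831 "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:20:02 +0000] "GET /rest/products/search?q=%27%20UNION%20SELECT HTTP/1.1" 200 512 "-" "sqlmap/1.5"
::ffff:192.168.10.4 - - [11/Apr/2021:09:21:00 +0000] "GET /rest/products/6/reviews HTTP/1.1" 200 170 "-" "Mozilla/5.0 Firefox/87.0"
"""
VSFTPD_LOG = 'Sun Apr 11 09:35:45 2021 [pid 8154] [ftp] OK DOWNLOAD: Client "::ffff:192.168.10.5", "/www-data.bak", 2602 bytes, 544.81Kbyte/sec\n'
AUTH_LOG = "Apr 11 09:41:19 thunt sshd[8260]: Accepted password for www-data from 192.168.10.5 port 40112 ssh2\n"

# One regex per log format: client IP, timestamp, and the fields worth reporting.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
FTP_RE = re.compile(r'^(\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[\w+\] (OK \w+): Client "([^"]+)", "([^"]+)"')
SSH_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (Accepted \w+) for (\S+) from (\S+) port')
UTC = timezone.utc

def norm_ip(ip):
    # The web and FTP logs record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    return ip[7:] if ip.startswith("::ffff:") else ip

def build_timeline(access, vsftpd, auth, attacker_ip, year=2021):
    """Return a UTC-sorted list of (time, source, summary) for attacker_ip.
    Assumption: vsftpd and auth.log are UTC; auth.log lines carry no year."""
    events = []
    for line in access.splitlines():
        m = ACCESS_RE.match(line)
        if m and norm_ip(m[1]) == attacker_ip:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            # Drop the query string so the endpoint is reported without payload data.
            events.append((ts, "web", f"{m[6]} {m[3]} {m[4].split('?')[0]} -> {m[5]}"))
    for line in vsftpd.splitlines():
        m = FTP_RE.match(line)
        if m and norm_ip(m[3]) == attacker_ip:
            ts = datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y").replace(tzinfo=UTC)
            events.append((ts, "ftp", f"{m[2]} {m[4]}"))
    for line in auth.splitlines():
        m = SSH_RE.match(line)
        if m and m[4] == attacker_ip:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)
            events.append((ts, "ssh", f"{m[2]} for {m[3]}"))
    return sorted(events)

if __name__ == "__main__":
    for ts, src, summary in build_timeline(ACCESS_LOG, VSFTPD_LOG, AUTH_LOG, "192.168.10.5"):
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), src.ljust(3), summary)
```

Run against the real files (read them instead of the constructed strings) to see the brute force, SQL injection, FTP download and SSH login in one ordered view.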