Juicy Details Room on TryHackMe: Complete Walkthrough and Guide

LINK - https://tryhackme.com/room/juicydetails
For this challenge we are given files to download, so let’s download them first.

Now we are asked to answer the questions based on the log files we downloaded.
Ques 1) What tools did the attacker use? (Order by the occurrence in the log) Hint given: Look at access.log. User-Agent headers are helpful.
So let’s inspect the access.log file line by line and look at the User-Agent header of each request to see which tools the attacker used.




As you can see, we found all the tools in order of occurrence: nmap,hydra,sqlmap,curl,feroxbuster
Ques 2) What endpoint was vulnerable to a brute-force attack?
As we saw in access.log above, Hydra was used, so let’s find the endpoint it was brute-forcing.

We can see the endpoint was /rest/user/login
Ques 3) What endpoint was vulnerable to SQL injection?
In Ques 1 we saw that the attacker used the sqlmap tool to send SQL payloads, i.e. a SQL injection attack, so let’s see which endpoint it targeted.

As we can see, it was /rest/products/search
Ques 4) What parameter was used for the SQL injection?
In the previous question we could already see the parameter used, which is q
Ques 5) What endpoint did the attacker try to use to retrieve files? (Include the /)
Now let’s search the access.log to find which endpoint the attacker used to retrieve files.

Obviously it is /ftp, which is used to retrieve the files.
Ques 6) What section of the website did the attacker use to scrape user email addresses? Hint: Where can customers usually comment on a shopping website?
I immediately thought of reviews, so let’s search for the term review to see what kind of review is there.

As we guessed, it is product reviews, which is the answer to this question.
Ques 7) Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)
To see whether the brute force was successful, we have to look at the Hydra requests in the log and find which one resulted in a 200 status code.

We found it: Yay, 11/Apr/2021:09:16:31 +0000
Ques 8) What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
Let’s check the sqlmap requests in the access.log file.

We found it: email, password
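Everything from Ques 1 to Ques 8 comes out of the same access.log, so rather than scanning it by eye the checks can be scripted. The Python below is an added example and not part of the room or this write-up; it runs over a few constructed access.log lines in Apache combined format (documentation IP 192.0.2.10, made-up sizes, and an assumed set of User-Agent fingerprints for each tool) and pulls out the tool order, the brute-forced endpoint together with the first successful login after the failures, and the query parameter that carried SQL injection payloads.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format: one regex, one dict per request.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings that identify a tool in its default User-Agent (assumed fingerprints).
TOOL_SIGNATURES = {
    "nmap": "nmap",
    "hydra": "hydra",
    "sqlmap": "sqlmap",
    "curl": "curl/",
    "feroxbuster": "feroxbuster",
}

# Tokens that commonly show up in SQL injection probes sent through a query string.
SQLI_TOKENS = re.compile(r"'|--|\bunion\b|\bselect\b|\b(?:or|and)\b\s+\d+\s*=\s*\d+", re.I)

# Constructed sample, not the room's real access.log (last line is deliberately malformed).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [11/Apr/2021:09:01:02 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.10 - - [11/Apr/2021:09:15:50 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:15:51 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:15:52 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.0" 200 831 "-" "Mozilla/5.0 (Hydra)"
192.0.2.10 - - [11/Apr/2021:09:20:05 +0000] "GET /rest/products/search?q=apple%27%20AND%201%3D1-- HTTP/1.1" 200 512 "-" "sqlmap/1.5.4#stable (http://sqlmap.org)"
192.0.2.10 - - [11/Apr/2021:09:25:40 +0000] "GET /ftp HTTP/1.1" 200 2048 "-" "curl/7.74.0"
192.0.2.10 - - [11/Apr/2021:09:30:11 +0000] "GET /admin HTTP/1.1" 404 150 "-" "feroxbuster/2.2.1"
this line is not a valid log entry
"""


def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def tools_in_order(entries):
    """Tools named in User-Agent headers, ordered by first occurrence (Ques 1)."""
    seen = []
    for e in entries:
        ua = e["ua"].lower()
        for tool, sig in TOOL_SIGNATURES.items():
            if sig in ua and tool not in seen:
                seen.append(tool)
    return seen


def brute_force_target(entries, threshold=3):
    """(path, client_ip, failures) for the endpoint with the most failed POSTs from
    one client, or None if nothing reaches `threshold` (Ques 2).
    A real log needs a far higher threshold than this toy sample."""
    failures = Counter(
        (e["path"], e["ip"]) for e in entries
        if e["method"] == "POST" and e["status"] in ("401", "403")
    )
    if not failures:
        return None
    (path, ip), count = failures.most_common(1)[0]
    return (path, ip, count) if count >= threshold else None


def first_success_after_failures(entries, path, ip):
    """Timestamp of the first 200 to `path` from `ip` that follows a failure (Ques 7)."""
    seen_failure = False
    for e in entries:
        if e["path"] != path or e["ip"] != ip or e["method"] != "POST":
            continue
        if e["status"] in ("401", "403"):
            seen_failure = True
        elif e["status"] == "200" and seen_failure:
            return e["ts"]
    return None


def sqli_candidates(entries):
    """(endpoint, parameter) pairs that sqlmap sent or whose value carries SQL
    metacharacters (Ques 3 and 4)."""
    found = []
    for e in entries:
        url = urlsplit(e["path"])
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            suspicious = "sqlmap" in e["ua"].lower() or any(SQLI_TOKENS.search(v) for v in values)
            if suspicious and (url.path, name) not in found:
                found.append((url.path, name))
    return found


if __name__ == "__main__":
    entries = parse_log(SAMPLE_ACCESS_LOG)
    print("tools:", tools_in_order(entries))
    target = brute_force_target(entries)
    print("brute-forced:", target)
    if target:
        print("first success:", first_success_after_failures(entries, target[0], target[1]))
    print("sqli:", sqli_candidates(entries))
```

Two caveats worth keeping in mind when reusing this on a real log: tools can set any User-Agent they like, so the fingerprint table only catches attackers who did not bother to change the default, and a single 200 after a run of 401s is only strong evidence of a successful brute force when the same client and endpoint are involved, which is why `first_success_after_failures` keys on both.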
Ques 9) What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, Ques 5)
Let’s check the FTP service logs in the vsftpd.log file, since this question is about files.

Here we go, we found the file names: coupons_2013. md.bak, www-data.bak (Please don’t copy the names exactly as given here; type them yourself as shown in the image, or just trim the space in the given answer. I added a space after 2013. because otherwise it was being turned into a link.)
Ques 10) What service and account name were used to retrieve files from the previous question? (service, username)
Again it’s about files, so we look at the vsftpd.log file once more to find the username; the service is obviously ftp.

Yep, we found it, it is anonymous, so the answer would be ftp,anonymous
Ques 11) What service and username were used to gain shell access to the server? (service, username)
Since it’s about authentication, let’s check the auth.log file to find the service and username.

Well, we found that the service and username were ssh, www-data
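Ques 9 to 11 move from the web server log to vsftpd.log and auth.log, which have their own line formats. The Python below is an added example, not code from the room or this write-up; it parses a few constructed vsftpd.log and auth.log lines (documentation IP 192.0.2.10, made-up PIDs and the invented hostname srv01) and pulls out which files were downloaded and by which FTP account, how many SSH password failures preceded the accepted login, and which service/account pairs retrieved files and gained a shell.

```python
import re
from collections import Counter

# vsftpd.log transfer and login lines; CONNECT lines carry no [user] field and are skipped.
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<result>OK|FAIL) (?P<action>\w+): Client "(?P<client>[^"]+)"(?:, "(?P<file>[^"]+)")?'
)

# auth.log lines written by sshd for an authentication result.
SSH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)

# Constructed samples, not the room's real logs.
SAMPLE_VSFTPD_LOG = """\
Sun Apr 11 09:26:04 2021 [pid 1337] CONNECT: Client "::ffff:192.0.2.10"
Sun Apr 11 09:26:05 2021 [pid 1336] [anonymous] OK LOGIN: Client "::ffff:192.0.2.10"
Sun Apr 11 09:26:12 2021 [pid 1338] [anonymous] OK DOWNLOAD: Client "::ffff:192.0.2.10", "/coupons_2013.md.bak", 1200 bytes, 3.21Kbyte/sec
Sun Apr 11 09:26:20 2021 [pid 1338] [anonymous] OK DOWNLOAD: Client "::ffff:192.0.2.10", "/www-data.bak", 2400 bytes, 6.41Kbyte/sec
Sun Apr 11 09:26:25 2021 [pid 1338] [anonymous] FAIL DOWNLOAD: Client "::ffff:192.0.2.10", "/secret.txt", 0.00Kbyte/sec
"""

SAMPLE_AUTH_LOG = """\
Apr 11 09:28:01 srv01 sshd[2001]: Failed password for www-data from 192.0.2.10 port 41212 ssh2
Apr 11 09:28:03 srv01 sshd[2001]: Failed password for www-data from 192.0.2.10 port 41212 ssh2
Apr 11 09:29:11 srv01 sshd[2003]: Accepted password for www-data from 192.0.2.10 port 41220 ssh2
Apr 11 09:29:11 srv01 sshd[2003]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
"""


def ftp_downloads(text):
    """(username, path) for every successful download, in log order (Ques 9)."""
    return [
        (m["user"], m["file"])
        for m in map(FTP_RE.match, text.splitlines())
        if m and m["action"] == "DOWNLOAD" and m["result"] == "OK"
    ]


def ssh_failed_attempts(text):
    """Counter of (user, ip) for failed SSH authentications; many failures followed by
    an Accepted line for the same user is the password-guessing pattern to look for."""
    return Counter(
        (m["user"], m["ip"])
        for m in map(SSH_RE.match, text.splitlines())
        if m and m["result"] == "Failed"
    )


def ssh_logins(text):
    """(timestamp, user, ip) for every accepted SSH authentication (Ques 11)."""
    return [
        (m["ts"], m["user"], m["ip"])
        for m in map(SSH_RE.match, text.splitlines())
        if m and m["result"] == "Accepted"
    ]


def access_summary(ftp_text, auth_text):
    """Service/account pairs that retrieved files and that gained a shell (Ques 10 and 11)."""
    downloads = ftp_downloads(ftp_text)
    logins = ssh_logins(auth_text)
    return {
        "files_retrieved": [path for _, path in downloads],
        "retrieval_accounts": sorted({("ftp", user) for user, _ in downloads}),
        "shell_accounts": sorted({("ssh", user) for _, user, _ in logins}),
    }


if __name__ == "__main__":
    print("ssh failures:", dict(ssh_failed_attempts(SAMPLE_AUTH_LOG)))
    print(access_summary(SAMPLE_VSFTPD_LOG, SAMPLE_AUTH_LOG))
```

The two regexes are deliberately strict: a line that does not match is dropped rather than half-parsed, so a tampered or truncated entry shows up as missing output instead of a wrong answer. Anonymous FTP downloads of `.bak` files and an SSH login as a service account like www-data are both findings a defender would want alerted on, not just answered.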
WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com
THANK YOU FOR READING!!




