# Juicy Details Room on TryHackMe: Complete Walkthrough and Guide

---

**LINK -** [https://tryhackme.com/room/juicydetails](https://tryhackme.com/room/juicydetails)

---

So for this challenge we have given Download Files So let’s download those

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759318437197/d3c71dcb-29be-48da-b381-eb6240dd93bf.png align="center")

Now We are asked to answer the question based on the logs files we got so

**Ques 1) What tools did the attacker use? (Order by the occurrence in the log)?** Given Hint: Look at access.log. User-Agent headers are helpful

So let’s inspect the **access.log** file to see the lines of tool attacker used line by line

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759318962604/8b4bec63-489b-4483-8a04-ae223befbbbf.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759318979427/8dd8b19d-880e-424e-860b-f427c3160761.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759318988754/cf774673-d217-4f91-816c-f9f07ef15be2.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759319001169/245ac806-94ff-4974-b681-ade5bbe5b3d3.png align="center")

So as you can see we found all the tools used by occurrences which is **<mark>nmap,hydra,sqlmap,curl,feroxbuster</mark>**

**Ques 2) What endpoint was vulnerable to a brute-force attack?**

So as we saw above in **access.log** that Hydra is used so let’s see the endpoint in which it was brute forcing

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759319207065/e8e75797-bd80-4c31-a3d5-ab20b2dd242e.png align="center")

So we can see the endpoint was **<mark>/rest/user/login</mark>**

**Ques 3) What endpoint was vulnerable to SQL injection?**

Now in the 1st Ques we saw that it is using sqlmap tool to inject sql payloads thus performing sql injecting attack so let’s see what endpoint was it

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759319370916/69541434-463e-4a35-b979-429137ecd887.png align="center")

So as we can see it was **<mark>/rest/products/search</mark>**

**Ques 4) What parameter was used for the SQL injection?**

So in the above ques we can actually see the parameter used which is **<mark>q</mark>**

**Ques 5) What endpoint did the attacker try to use to retrieve files? (Include the /) ?**

So now let’s see the access.log to find what endpoint does the attacker use to retrieve the files

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759319611631/2281a625-2dca-4327-9ede-8d0fb6d6451f.png align="center")

As obvious it is **<mark>/ftp</mark>** which is used to retrieve the files

**Ques 6) What section of the website did the attacker use to scrape user email addresses? Hint:** Where can customers usually comment on a shopping website?

So I thought about reviews obviously now search up the term review to see what king of review is there

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759319767474/d3c99a61-491c-4675-871e-fac659daee93.png align="center")

As we guessed it is **<mark>product reviews</mark>** which is the answer of this question

**Ques 7) Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)**

To see the brute force got successful or not we have to see the logs of hydra tool that which one result in 200 status code

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759321667800/d08c4328-925f-4fcc-be6e-9df63f1a7f42.png align="center")

We found it which was **<mark>Yay, 11/Apr/2021:09:16:31 +0000</mark>**

**Ques 8) What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?**

Let’s check the sqlmap results in the access.log file

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759321797592/a05850fa-6e8e-4ddb-b133-1a8c9bf8f757.png align="center")

We found it which was **<mark>email, password</mark>**

**Ques 9) What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, Ques 5)**

Lets check the FTP service logs in **vsftpd.log** file as its about files

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759321966605/580f83f2-e672-45cf-80b4-ab18e940cc6d.png align="center")

Here we go we found the files name which is **<mark>coupons_2013. md.bak, www-data.bak </mark> *(Please don’t copy the name exactly as given in this ques so type it yourself as given in image or just trim the space in the given answer because it was referring to link that’s why i added space after 2013. )***

**Ques 10) What service and account name were used to retrieve files from the previous question? (service, username)**

Again its about files so we will look the vsftpd.log file again to find the username since service would be obviously ftp

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759322087598/ee60c809-b6ba-4815-b818-b5f1aba04a86.png align="center")

Yep we found it , it is anonymous so the answer would be **<mark>ftp,anonymous</mark>**

**Ques 11) What service and username were used to gain shell access to the server? (service, username)**

Now since its about authentication so let’s check **auth.log** file to find the service and username

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759322291946/5d0d7a5a-1ac9-4907-b697-4162e01ece88.png align="center")

Well, we came to know that the service and username was **<mark>ssh, www-data</mark>**

# **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759322383315/b87e2209-5182-4f9a-ab3e-10dc77f73e92.png align="center")

For Any Query Or Problem Either Leave A Comment Or Contact At [**reapsec.com**](http://reapsec.com/)

THANK YOU FOR READING!!
