In this walkthrough, we will be going through the Juicy Details room from TryHackMe. In this room, a popular juice shop has been breached and we have to analyze the logs in order to figure out what techniques and tools the attacker used, what endpoints were vulnerable, and what sensitive data was accessed and stolen from the environment. So, let’s get started without any delay.
Table of Contents
Task 1 – Introduction
Task 2 – Reconnaissance
Reconnaissance
Analyze the provided log files.
Look carefully at:
- What tools the attacker used
- What endpoints the attacker tried to exploit
- What endpoints were vulnerable
Question 1 – What tools did the attacker use? (Order by the occurrence in the log)
nmap, hydra, sqlmap, curl, feroxbuster
Question 2 – What endpoint was vulnerable to a brute-force attack?
/rest/user/login
Question 3 – What endpoint was vulnerable to SQL injection?
/rest/products/search?q=
Question 4 – What parameter was used for the SQL injection?
q
Question 5 – What endpoint did the attacker try to use to retrieve files? (Include the /)
/ftp
Task 3 – Stolen data
Stolen data
Analyze the provided log files.
Look carefully at:
- The attacker’s movement on the website
- Response codes
- Abnormal query strings
Question 1 – What section of the website did the attacker use to scrape user email addresses?
product reviews
Question 2 – Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)
11/Apr/2021:09:16:32 +0000
Question 3 – What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
email, password
Question 4 – What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)
coupons_2013.md.bak, www-data.bak
Question 5 – What service and account name were used to retrieve files from the previous question? (service, username)
- Look into the vsftpd.log file.
ftp, anonymous
Question 6 – What service and username were used to gain shell access to the server? (service, username)
- Look into the auth.log file.
ssh, www-data
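As an added example (not part of the original write-up or of the room's material), the following Python script runs the checks Task 2 and Task 3 ask for over a few constructed access.log lines in Apache combined format: it lists tool User-Agents in order of first sighting, finds the first successful login after a run of 401s on the login endpoint, and flags query parameters whose value carries SQL metacharacters. The IP address, timestamps and request lines are constructed samples, not taken from the room's log.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit
# Apache "combined" format, which is what the room's access.log uses.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Fragments of the default User-Agent each tool sends; checked case-insensitively.
TOOL_SIGS = ["nmap", "hydra", "sqlmap", "curl", "feroxbuster"]
SQLI_MARKERS = ("'", '"', "--", " union ", " select ", "1=1")
# Constructed sample lines (not the room's real log); the login timestamps mirror the Task 3 answer.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2021:09:10:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [11/Apr/2021:09:16:30 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:16:32 +0000] "POST /rest/user/login HTTP/1.1" 200 840 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:20:05 +0000] "GET /rest/products/search?q=apple%27%29-- HTTP/1.1" 500 300 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
10.0.0.5 - - [11/Apr/2021:09:25:40 +0000] "GET /ftp/coupons_2013.md.bak HTTP/1.1" 403 100 "-" "curl/7.74.0"
10.0.0.5 - - [11/Apr/2021:09:30:11 +0000] "GET /ftp HTTP/1.1" 200 900 "-" "feroxbuster/2.2.1"
"""

def parse_log(text):
    # One dict per line in combined format; lines that do not match are skipped.
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def tools_in_order(entries):
    """Tool names ordered by first appearance in the User-Agent field (Task 2, Q1)."""
    seen = []
    for e in entries:
        seen += [t for t in TOOL_SIGS if t in e["ua"].lower() and t not in seen]
    return seen

def brute_force_success(entries, endpoint, min_failures=2):
    """Timestamp of the first 200 on endpoint after >= min_failures 401s from one IP (Task 3, Q2)."""
    failures = defaultdict(int)
    for e in (x for x in entries if urlsplit(x["url"]).path == endpoint):
        if e["status"] == "401":
            failures[e["ip"]] += 1
        elif e["status"] == "200" and failures[e["ip"]] >= min_failures:
            return e["ts"]
    return None

def sqli_params(entries):
    """(path, parameter) pairs whose decoded value carries SQL metacharacters (Task 2, Q3-Q4)."""
    hits = set()
    for e in entries:
        parts = urlsplit(e["url"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if any(marker in f" {value.lower()} " for marker in SQLI_MARKERS):
                hits.add((parts.path, name))
    return hits
```

Run the three functions over `parse_log(SAMPLE_LOG)`, or point `parse_log` at the room's real access.log to reproduce the Task 2 and Task 3 answers.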
So that was “Juicy Details” for you. We first looked into the access.log file and found the tools the attacker used during the attack, then the endpoint and parameter used to exploit the SQL injection. Next, we looked into how the attacker scraped user email addresses for the brute-force attack. Further, we looked into the data extracted through the SQL injection attack and the service used to retrieve the files. At last, we looked into the service that granted the attacker shell access and completed the room. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.