Tryhackme - Juicy Details

In this walkthrough, we will go through the Juicy Details room from Tryhackme. In this room, a popular juice shop has been breached, and we have to analyze its logs to figure out which techniques and tools the attacker used, which endpoints were vulnerable, and what sensitive data was accessed and stolen from the environment. So, let’s get started without any delay.

Task 1 – Introduction

Task 2 – Reconnaissance

Reconnaissance

Analyze the provided log files.

Look carefully at:

  • What tools the attacker used
  • What endpoints the attacker tried to exploit
  • What endpoints were vulnerable

Question 1 – What tools did the attacker use? (Order by the occurrence in the log)

Nmap

Hydra

sqlmap

curl

feroxbuster

Question 2 – What endpoint was vulnerable to a brute-force attack?

Question 3 – What endpoint was vulnerable to SQL injection?

Question 4 – What parameter was used for the SQL injection?

Question 5 – What endpoint did the attacker try to use to retrieve files? (Include the /)

Task 3 – Stolen data

Stolen data

Analyze the provided log files.

Look carefully at:

  • The attacker’s movement on the website
  • Response codes
  • Abnormal query strings

Question 1 – What section of the website did the attacker use to scrape user email addresses?

User email addresses

Question 2 – Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)

Brute force attack

Question 3 – What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

SQL Injection attack

Question 4 – What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)

www-data.bak

Question 5 – What service and account name were used to retrieve files from the previous question? (service, username)

  • Look into the vsftpd.log file.

vsftpd.log file

Question 6 – What service and username were used to gain shell access to the server? (service, username)

  • Look into the auth.log file.

cat auth.log
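
The checks that Task 2 and Task 3 ask for on access.log (tools ordered by first occurrence, the endpoint that was brute-forced and the timestamp of the first login that succeeded after the failures, the parameter carrying SQL metacharacters, requests for backup-style files, and the attacker's chronological movement) can be scripted instead of read by eye. The script below is an added example written for this walkthrough; it is not the room's own log data nor a script from the author. The log lines, IP addresses, paths such as /example/login and timestamps are constructed sample data (the User-Agent strings are modelled on each tool's default, but treat them as sample values too). The vsftpd.log and auth.log questions are not covered here.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache/nginx "combined" format. IPs, paths and
# timestamps are invented; User-Agents are modelled on each tool's default.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [11/Apr/2021:08:59:30 +0000] "GET /example/products HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0"
203.0.113.5 - - [11/Apr/2021:09:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.5 - - [11/Apr/2021:09:01:10 +0000] "GET /example/reviews HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0"
203.0.113.5 - - [11/Apr/2021:09:02:00 +0000] "POST /example/login HTTP/1.1" 401 26 "-" "Mozilla/4.0 (Hydra)"
203.0.113.5 - - [11/Apr/2021:09:02:01 +0000] "POST /example/login HTTP/1.1" 401 26 "-" "Mozilla/4.0 (Hydra)"
203.0.113.5 - - [11/Apr/2021:09:02:02 +0000] "POST /example/login HTTP/1.1" 401 26 "-" "Mozilla/4.0 (Hydra)"
203.0.113.5 - - [11/Apr/2021:09:02:03 +0000] "POST /example/login HTTP/1.1" 200 300 "-" "Mozilla/4.0 (Hydra)"
203.0.113.5 - - [11/Apr/2021:09:05:00 +0000] "GET /example/search?q=1%27%20OR%201%3D1-- HTTP/1.1" 500 120 "-" "sqlmap/1.5 (http://sqlmap.org)"
203.0.113.5 - - [11/Apr/2021:09:06:00 +0000] "GET /example/files/report.bak HTTP/1.1" 403 0 "-" "curl/7.74.0"
203.0.113.5 - - [11/Apr/2021:09:07:00 +0000] "GET /admin HTTP/1.1" 404 0 "-" "feroxbuster/2.2.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify a tool from its default User-Agent (matched case-insensitively).
TOOL_SIGNATURES = [("Nmap", "nmap"), ("Hydra", "hydra"), ("sqlmap", "sqlmap"),
                   ("curl", "curl/"), ("feroxbuster", "feroxbuster")]

# SQL metacharacters and keywords that rarely appear in legitimate query values.
SQLI_RE = re.compile(r"""('|"|--|/\*|\bor\b\s+\d+\s*=\s*\d+|\bunion\b|\bselect\b|\bsleep\s*\()""", re.I)
SENSITIVE_EXT = (".bak", ".sql", ".log", ".db", ".zip", ".tar", ".gz")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        url = urlsplit(e["target"])
        e["path"], e["query"] = url.path, url.query
        entries.append(e)
    return entries


def tools_in_order(entries):
    """Tool names in order of first appearance in the log (Task 2, Q1)."""
    seen = []
    for e in entries:
        ua = e["ua"].lower()
        for name, sig in TOOL_SIGNATURES:
            if sig in ua and name not in seen:
                seen.append(name)
    return seen


def brute_force_endpoints(entries, min_failures=3):
    """Per (ip, method, path): number of 401/403 responses and the timestamp of the
    first 200 that follows at least min_failures failures (Task 2 Q2, Task 3 Q2)."""
    failures = defaultdict(int)
    first_success = {}
    for e in entries:
        key = (e["ip"], e["method"], e["path"])
        if e["status"] in (401, 403):
            failures[key] += 1
        elif e["status"] == 200 and failures.get(key, 0) >= min_failures:
            first_success.setdefault(key, e["ts"])
    return {k: {"failures": n, "first_success": first_success.get(k)}
            for k, n in failures.items() if n >= min_failures}


def sqli_candidates(entries):
    """(path, parameter, decoded value) for query parameters that look like SQL injection (Task 2, Q3-Q4)."""
    return [(e["path"], name, value)
            for e in entries
            for name, value in parse_qsl(e["query"], keep_blank_values=True)
            if SQLI_RE.search(value)]


def file_retrieval_attempts(entries):
    """Requests for backup/dump-style files and their response codes (Task 2 Q5, Task 3 Q4)."""
    return [(e["path"], e["status"]) for e in entries
            if e["path"].lower().endswith(SENSITIVE_EXT)]


def movement(entries, ip):
    """Chronological (timestamp, method, path, status) trail for one client IP (Task 3)."""
    return [(e["ts"], e["method"], e["path"], e["status"]) for e in entries if e["ip"] == ip]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_ACCESS_LOG)
    print("tools:", tools_in_order(entries))
    print("brute force:", brute_force_endpoints(entries))
    print("sqli:", sqli_candidates(entries))
    print("files:", file_retrieval_attempts(entries))
    for step in movement(entries, "203.0.113.5"):
        print("  ", *step)
```

On the real room logs, replace SAMPLE_ACCESS_LOG with the file contents and lower or raise min_failures to match the volume of 401s you see; the brute-force check deliberately keys on the client IP as well as the endpoint, so a single user mistyping a password does not trip it, and the SQL-injection check works on the decoded parameter value, which is why percent-encoded payloads are still caught.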

So that was “Juicy Details” for you. We first looked into the access.log file and found the tools the attacker used during the attack, then the endpoint and parameter used to exploit the SQL injection. Next, we looked into how the attacker scraped the user email addresses for the brute-force attack. Further, we looked into the data extracted using the SQL injection attack and the service used to retrieve the files. At last, we looked into the service that granted the attacker shell access and completed the room. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.
