+1 (512) 588 6950

Juicy Details — TryHackMe Writeup

Home/Juicy Details — TryHackMe Wr...
Juicy Details — TryHackMe Writeup

Task 2:

  1. What tools did the attacker use? (Order by the occurrence in the log)
cat access.log| awk -F " " '{print $12,$13,$14}' 
Ans: nmap, hydra, sqlmap, curl, feroxbuster

2. What endpoint was vulnerable to a brute-force attack?

Ans: /rest/user/login

3. What endpoint was vulnerable to SQL injection?

Ans: /rest/products/search

4. What parameter was used for the SQL injection?

Ans: q

5. What endpoint did the attacker try to use to retrieve files? (Include the /)

cat access.log | grep “feroxbuster” | awk -F “/” ‘{print $4}’
Ans: ftp

Task 3:

  1. What section of the website did the attacker use to scrape user email addresses?
Hint: Where can customers usually comment on a shopping website?
Ans: product review

2. Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)

cat access.log | grep “Hydra”
Ans: Yay, 11/Apr/2021:09:16:31 +0000

3. What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

Using the information gathered from the previous task we get to know that the attacker’s endpoint was /rest/products/search. So Analyze the log file, we found that the attacker gathered information on the users email and password.

Ans: email,password

4. What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)

Using the information gathered from the previous question the attacker successfully downloaded backup files (.bk) form the server.

The files are and www-data.bak


5. What service and account name were used to retrieve files from the previous question? (service, username)

Using data obtained from vsftpd.log the attacker used FTP and anonymous to retrieve the backup files.

Ans: ftp,anonymous

6. What service and username were used to gain shell access to the server? (service, username)

After multiple attempts, the attacker gained access to the server using ssh and www-data for the username

Ams: ssh,www-data

Leave a Reply