Room Banner

Cyber Scotland 2021

Follow along tutorials for Scottish Cyberweek Demos

easy

45 min

Room progress ( 0% )

To access material, start machines and answer questions login.

Task 1 Cyber Scotland Week


Welcome to the SBRC Cyber Scotland Week TryHackMe Challenge!

If you've ever wondered how a hacker actually hacks things then you've come to the right place. Using this website you will be able to access a virtual computer and complete 2 hacking challenges where you'll get to employ the tools and techniques used by real hackers to attack real websites. That's right - you'll be hacking for real and hopefully will get a feel for just how easy it is to take advantage of poor cybersecurity practices.

It goes without saying that nothing you learn here should ever be used in real life against a target which you do not have permission to attack.

For the purposes of this exercise we have set up an fake website for you to hack. In order to get everything running properly you will need to carefully follow the steps outlined in Task 2. After that you are free to tackle Tasks 3 and 4 in any order you like!

Answer the questions below
Let's get started!

TryHackMe

TryHackMe is a cybersecurity training company which allows you to deploy vulnerable machines in the cloud. There are a huge range of "rooms" (pages on the site which contain teaching content and/or a challenge) already on the site; however, it is also possible to create private content for a specific use, which is what we've built for you here!

Deployable Machines

One of the biggest strengths of TryHackMe is the ability to upload and deploy vulnerable machines in the cloud. Notice the green "Deploy" button at the top of this task:
Image depicting the deploy button

When this is clicked, it starts up your very own copy of the vulnerable machine attached to the task -- this will take just a short time to start up fully (allow up to five minutes). A box will appear at the top of the page giving you details about this machine:
Machine details are shown at the top of the page

This target is unique to you (it will have a different IP address), and will expire after an hour -- or two, if you hold a subscription to the site. Make sure to click the "Add 1 hour" button if the timer gets close to zero!

We will be using the machine attached to this task throughout the rest of this room, so press the "Deploy" button now.

The AttackBox

TryHackMe provides an in-browser machine which can be used by people who don't have a dedicated hacking setup. To activate this, click the "Start AttackBox" button at the top of the screen:
AttackBox button

This will split your browser window in half. On the left you will be able to see the room. On the right you will have a connection into a hacking environment which you can use to follow through the content on this page. Once again this will take a minute or two to initialise:

AttackBox Window

Users without a subscription to the site only get access to this once for an hour a day, so use your time wisely!

Due to how the AttackBox is accessed in the web browser, if you are copying and pasting things to and from the AttackBox then you need to use the shared clipboard. This is accessed using the arrow at the left of the attackbox window:

You can then click the clipboard icon to access the shared clipboard:

Anything that gets pasted into this box appears in the AttackBox clipboard and can then be pasted into the AttackBox using Ctrl + Shift + V if you're using the terminal, or Ctrl + V elsewhere.

Similarly, anything in the AttackBox clipboard (like a flag, for example), will appear in this window for you to copy out into the clipboard.

If you already have a local hacking environment available (e.g. a Kali virtual machine), you can connect to the TryHackMe network using an OpenVPN Connection pack.

This Room

The machine that you deployed will be used in both of the tasks in this room. First we will look at setting up phishing attacks, then we will hack Wordpress -- the content management system that props up over a third of the internet[1].

Before we can do that though, we need to configure the AttackBox to allow us to access the target website. The inner workings of this don't matter hugely -- all you need to do is follow the instructions below.

  1. Wait until the AttackBox has fully loaded and there is an IP in the box at the top of the screen. Once these are both loaded, open a terminal in the AttackBox by clicking on the terminal Icon at the top of the screen:
    AttackBox Terminal button

  2. A terminal will then open. Type the following command into the command line and press enter:echo "MACHINE_IP repairshop.sbrc" >> /etc/hosts
    Note:     Only execute this command if it contains an IP address     (four numbers separated by dots). If "MACHINE_IP" is present in the command then this indicates that the target box has not fully loaded yet.

  3. Next, type this command and press enter:
    echo "127.0.0.1 fonts.googleapis.com" >> /etc/hosts

Your terminal should now look something like this (with a different IP address in the first command):
Terminal Inputs

The AttackBox should now be set up to access the target!

[1] https://w3techs.com/technologies/details/cm-wordpress

Answer the questions below
Make sure that you have deployed both the machine attached to this task and the AttackBox.

Follow the instructions above to configure the AttackBox to access the target.

Now that you understand the basics of TryHackMe it's time for us to do some hacking of our own. This task will demonstrate how attackers can impersonate legitimate services in order to steal customers' personal information.  Often hackers will create fake emails pretending to be a bank or online retailer asking users to click on a link and log into their account. The link will lead to a website that looks just like the genuine one but it's actually a fake, owned by the hacker and used to simply trick the victim into giving up their user credentials.

In this task we'll show you how easy it is to clone a website and create your own spoofed version using a tool called the Social Engineering Toolkit.


<blockquote class="imgur-embed-pub" lang="en" data-id="ItbicB0"><a href="https://imgur.com/ItbicB0">View post on imgur.com</a></blockquote><script async src="//s.imgur.com/min/embed.js" charset="utf-8"></script>

This is a text-based application that can be used to launch a variety of cyberattacks, from the aforementioned website spoofing, Wifi attacks, spear phishing and quite a lot more besides. Understanding how cyberattacks are mounted can make them a lot easier to spot before you fall for them and we hope that the following exercises will give a glimpse of cybersecurity from a hacker's perspective.

Make sure that you have run through all the steps in Task 2 before proceeding.

Answer the questions below

First of all open up a Terminal window by either double-clicking on the Terminal icon on the desktop or single clicking the icon on the top menu bar.


https://imgur.com/jFE3wNy

Terminal is a powerful tool that you can use to give instructions to the AttackBox computer and can be used to run applications. To find out the name of the account you're using type whoami into the terminal and press the ENTER key on your keyboard. Write out the response in the answer field below.

If you like you can experiment with the terminal for a while by trying out some of the commands from this howtogeek article. Once you're ready move on to the next step where we'll look at cloning a website.

Let's check out the website that we're going to be cloning. Type firefox into the Terminal window and press the ENTER key. After a few seconds a Firefox web browser should launch. If you're not familiar with Firefox don't worry! It's just another web browser like Google Chrome or Microsoft Edge or Safari etc. We can use it to browse the internet.

First of all we need to choose a website to clone, for this demonstration we'll use a specially created demonstration site but the Social Engineering Toolkit can be used for virtually any website. Navigate tohttp://repairshop.sbrc to see the website that we'll be attacking.


Now we need to launch the Social Engineering Toolkit. Close the Firefox browser and go back to the Terminal window. For this to work you will need to copy and paste the following command into the Terminal window:

sed -i 's/WEB_PORT=80/WEB_PORT=100/g' /etc/setoolkit/set.config


Once you've done that we can launch the Social Engineering Toolkit. In the Terminal window type setoolkit and press the ENTER key.

The application will take a few seconds to load and you will see this text with a number of options.


https://imgur.com/t411qFG

You can select an option by typing in the number next to it and hitting the ENTER key. So for instance if we wanted to conduct a 'Social-Engineering Attack' (where we create a spoof email in order to impersonate someone else) we would type '1' into the Terminal and hit ENTER.

If you like, you can take a moment to navigate through some of the options. You can always return to the main menu by typing '99' and hitting the ENTER key. If you accidentally exit out of the Social Engineering Toolkit application just type setoolkit back into Terminal to relaunch it.

Question; What is the first option under the 'Penetration Testing (Fast Track)' menu?

We're now ready to clone a website. Navigate back to the main menu by typing  in '99'. The main menu looks like this:

We want to mount a Social Engineering attack so select option 1.


The next menu will show a number of different kinds of attack that you may wish to look at later. For now though select option 2 as we'll be attacking a website.


For this particular attack we just want to steal the usernames and passwords (credentials) of unsuspecting victims so select option 3 on this menu.


The Social Engineering Toolkit actually comes preloaded with a number of fake pages for things like Google, Facebook and Twitter etc. You can use one of these by choosing the first option. We're going to use option 2 though as it allows us to clone a site of our choosing.


Now we have to enter the IP address of the server that we'll be hosting our cloned website on. To keep things simple we're just going to host it locally. Type 127.0.0.1 when prompted.


Almost there! Now comes the interesting part - we need to choose a website to clone. Most wordpress sites like repairshop.sbrc have an adminstrator login page. You can find the repairshop one in Firefox by going to http://repairshop.sbrc/wp-login.php


Jump back to the Terminal and type http://repairshop.sbrc/wp-login.php  when asked what URL you would like to clone.

The final thing we need to do is check if we've successfully cloned the website. Launch Firefox and in the URL bar type 127.0.0.1:100 We should see a login page that's identical to the real thing - with one important caveat: We now get to see whatever credentials are typed in.

Try it out! Type in a random username and password and click the 'Log In' button.


Now hop back over to the Terminal window with the Social Engineering Toolkit running. We should see the credentials we've just entered.

If you jump back over to Firefox you'll notice that the webpage has reloaded, but now it's back to the real repairshop.sbrc page. This is particularly useful as an unsuspecting victim will just assume they typed in their credentials incorrectly and hopefully won't realise that they initially typed their password into a spoofed site. 

So what did we just do?

To summerize we cloned someone else's website and hosted it on our own server. A real attacker would then need to trick someone into visiting their cloned website instead of the real one. This would normally be achieved with a phishing email. You may have noticed that the Social Engineering toolkit actually provides this functionality as well.


We could very easily create an email using the repairshop logo; sending it out to their customers with a disguised link that will take them back to our websites. Hiding links is easy - think that this will take you to the bbc? www.bbc.co.uk Click it and find out!

So how can we protect ourselves? Well the obvious clue with our cloned website was the URL - we had to navigate to http://127.0.01. This is the achilles heel of all spoofed sites, although it's not always so obvious. Hackers will use URLs that are visually similar to the real thing in order to fool victims. For instance if they wanted to clone the login page for 'google.com' they might register a site called 'göögle.com' in order to fool a visitor. There's a number of tricks that can be used, like using zeros in place of 'O's (g00le.com vs google.com) and so on. Hacker's don't just use emails either. Here's an example of the same thing using a text message, where the attacker was pretending to be the Royal Mail:


In this case the attacker was using the uppercase 'I' instaed of a lowercase 'l' in 'royaImaiI'.

The only surefire way to make sure the website that we've been linked to is safe is to inspect the URL carefully, which can be difficult. A better idea is not to rely on links that have been sent to you but instead navigate to the site independently. So if you get an email from a service provider saying to login, access the site through a google search instead.

Wordpress is an easy-to-use Content Management System (CMS) which has been used to build a vast number of websites world-wide. Unfortunately, it can be relatively easy to hack if out of date or configured incorrectly.

There are three main things which can lead to the compromise of a Wordpress site:

  • Human Error: There is a common saying in hacker circles:- "The weakest link is the human link". This is very often the case. For example, if a site administrator happens to have a weak password then the site can easily be compromised. This includes things which adhere to password requirements but are easy to guess, such as their child's name followed by date of birth; despite the password being technically difficult to crack, the personally identifiable information makes it easy to generate a custom password list to attack the site with.
    Equally, humans are often vulnerable to social engineering attacks. A charismatic hacker phoning around may be able to obtain credentials to access a site without undue difficulty if staff are not aware of the dangers.
  • Vulnerabilities in Wordpress: Vulnerabilities in the Wordpress core software are rare, but are often very dangerous. If the site has not been updated in a while then the chance of finding a vulnerability in the core software are high.
  • Wordpress Plugins: One of the things that makes Wordpress so easy to work with is the plugin-based system employed by the software. Plugins can be used to add a lot of functionality to the Wordpress core -- everything from email forms, to online shops, to simple photo galleries. The problem with plugins is that they greatly increase the attack surface available to an attacker. The Wordpress core software is very well-known, and thus is frequently targetted by ethical bug bounty hunters; meaning that vulnerabilities are quickly found and patched. Plugins, on the other hand, are usually not nearly as well audited -- especially are there are millions of them available. As such, it's common to find vulnerabilities in (especially less common) plugins; some of which can be very serious indeed.
    As with the Wordpress core software, outdated plugins are much more likely to be vulnerable.

Ultimately, an attacker usually only needs one thing to be wrong for them to get their hook into the site. An attacker with administrative access to a Wordpress website can cause chaos. As a worst case scenario they can use the access to gain access to the server (and anything else hosted on it); this is usually a very easy task with the default configuration of Wordpress as the system's features lend themselves well to executing arbitrary code. An attacker could also use their access to deface the site, host malicious files on the server, or perform a wide range of other less than savoury actions -- limited only by their imagination.

So, how can you protect against these attacks?

  • Make sure that all passwords are randomly generated and stored in a password manager, or carefully chosen pass phrases. A good way to choose passwords is by taking an old copy of a book, choosing a random sentence, and marking it (e.g. with a highlighter). This sentence then serves as a passphrase which will be nearly impossible to crack.
  • Keep your Wordpress installation (and all themes/plugins) up to date. Don't miss any patches!
  • Check any plugins you install for vulnerabilities using a site such as Exploit-DB before installing them. Also think twice before installing lesser-known plugins which don't have many installations.
  • Protect your site with software such as a fail2ban which will detect bruteforce attempts and block the IP address of the attacker. This will not stop a skilled hacker, but it does make life more difficult for them.

With the theory out of the way, it's time to hack a site!

Answer the questions below

Open up the web browser in your AttackBox and navigate to:
http://repairshop.sbrc

You should see the front page for "Theo's Computer Repair Shop":
Website home page

Take a look around the site. In the footer at the bottom of the page you will find confirmation this site is running on Wordpress:
Website Footer

If this wasn't here then we would often be able to identify that the site is using Wordpress through one of the common pages used by Wordpress. For example, if the site has a page called /wp-login.php then it's almost certainly going to be using Wordpress.

A hacker will usually spend a fair deal of time just looking around the site and getting to grips with the functionality available. For example, they may try to see if there are protections around the login page, or scrape useful information such as email addresses, names, and phone numbers.

Switch to the "Contact" page. What is the phone number given for the company?

When enumerating Wordpress, hackers will often use a tool called wpscan. This tool enumerates a variety of things on a Wordpress site, including users, plugins, version numbers, themes, and many more. If the hacker has downloaded a token to access the (free) wpscan API then they are also able to see if any part of the site has components with known vulnerabilities, completely automatically. Wpscan also provides us with the ability to easily bruteforce credentials, which is a handy feature when there are no protective measures on the login page.

Let's perform a simple enumeration of the target site.

In a terminal on the AttackBox, type this command and press enter:
wpscan --url http://repairshop.sbrc --no-update -e u

This performs basic enumeration against the target, as well as specifically enumerating users.

When the results are returned, you can see that there is one user on the website: "theo"
User Enumeration results

We have a username -- now let's get a password!

This is an IT company, so we'd hope that Theo's password is not in any default password lists. Instead, we will use a tool called cewl to scan the site for possible passwords and save them to a file:
cewl http://repairshop.sbrc > wordlist

In the real world we would usually perform "mutations" on this list to add things like common numbers and symbols on at the end, and otherwise customise the list for the target. This is a complicated process, so in the interests of keeping this simple, we will assume that the password policy is lax and the list that we've just created will be enough to bruteforce the password.

Let's try this now:
wpscan --url http://repairshop.sbrc -U theo -P wordlist

This will once again run a scan against the site, but it will also attempt to bruteforce Theo's password using the list that we generated.

You should find that a password is found!
Password cracked!

What is Theo's password?

Now that we have credentials, we can do basically anything that we want to this site.

First, let's login. Head to http://repairshop.sbrc/wp-login.php in your AttackBox web browser and login using the credentials that you found.

The page that loads is the administrative interface for Wordpress.

What kind of hack wouldn't be complete without some mindless defacement?

Hover over the "Pages" button in the left hand menu then click "All Pages":
Wordpress Dashboard

Next, click the "Edit" button for the home page:
Page Edit button

You can now do whatever you want with the home page (remember that this is a lab environment with no bearing on real life). Deface it however you like. Maybe delete all the text? Go nuts!

We're hackers here -- we have to fit in with the stereotype and leave a calling card!

Add a message somewhere on the home page that says:
Hacked By YOUR-USERNAME-HERE

Hacked By You!

Note: the wording here is very important. Make sure to get "Hacked By" into the page somewhere!

Once you've added the message, make sure to click the blue "Update" button at the top right of the screen.

Time to claim your prize!

Navigate to MACHINE_IP:9999 in your AttackBox web browser.

If you successfully added the "Hacked By" message into the home page then there should be a flag displayed on the page which loads.

What is this flag?

Created by

User avatar
CptRaddigan
User avatar
MuirlandOracle

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room

4,015

Created

1650 days ago

Ready to learn Cyber Security? Create your free account today!

TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.

Already have an account? Log in

We use cookies to ensure you get the best user experience. For more information contact us.

Read more