Room Banner

Initial Access Pot

Investigate the first, Linux part of the Honeynet Collapse!

hard

User avatar

60 min

42

User avatar
User avatar
User avatar
Room progress ( 0% )

To access material, start machines and answer questions login.

Task 1Introduction

Meet DeceptiTech

DeceptiTech is a fast-growing cyber security company specializing in honeypot development and deception technologies. At the heart of their success are DeceptiPots - lightweight, powerful, and configurable honeypots that you can install on any OS and capture every malicious action!

The internal DeceptiTech network is organized around a traditional on-premises Active Directory domain with approximately 50 active users. The product platform, however, is isolated and hosted entirely in the AWS cloud:

A diagram of the DeceptiTech network

Initial Access Pot

One ordinary morning, DeceptiTech's entire network collapsed. Within minutes, all critical on-premises systems were locked down and encrypted. The IT department hurried to restore backups, while the security team rushed to their SIEM - only to find the backups corrupted and all SIEM data wiped clean.

This room is about the first attack stage (#1 on the network diagram). As a part of an external DFIR unit, can you help DeceptiTech to perform a full-scope investigation and explain how the attack started?

Answer the questions below

Let's go!

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting both your AttackBox (if you're not using your VPN) and Target Machines, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.
Attacker machineMachine info
Status:Off
Target machineMachine info
Status:Off
Target Machine card placeholder

Initial Access Pot

We sell hundreds of DeceptiPots to the world every month, but we don't even use them in our network. Show me the value of our product, test it well, and schedule the demo. Deadline - next Monday!

This is the task Emily Ross received from the company CEO. As a newly hired junior IT personnel at DeceptiTech, Emily didn't really know what to do but still decided to prepare for the demo: Configure DeceptiPot to replicate a corporate WordPress blog, deploy the machine in the corporate DMZ, expose it to the Internet, and see what it captures over the weekend. Little did she know, threat actors around the globe enjoyed testing the DeceptiPot, too! Can you find out how the attack on DeceptiTech started?

Friday, Day 1

The threat originates from the Internet and targets the "deceptipot-demo" Linux server.

Credentials

  • IP Address: MACHINE_IP
  • Connection: via SSH
  • Username: ubuntu
  • Password: Secure!

Tips and Tools

  • The system is running WordPress on port 80.
  • Auditd is configured with non-standard audit rules.
  • Emily did not properly configure the DeceptiPot.
Answer the questions below

Which web page did the attacker attempt to brute force?

What is the absolute path to the backdoored PHP file?

Which file path allowed the attacker to escalate to root?

Which IP was port-scanned after the privilege escalation?

What is the MD5 hash of the malware persisting on the host?

Can you access the DeceptiPot in recovery mode?

Ready to learn Cyber Security? Create your free account today!

TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.

Already have an account? Log in

We use cookies to ensure you get the best user experience. For more information contact us.

Read more