Overpass 2 is rated as an easy machine on TryHackMe and belongs to the Offensive Pentesting series.
Room: Overpass 2 - Hacked
Description: Overpass has been hacked! Can you analyze the attacker’s actions and hack back in?
Task 1 - Forensics - Analyse the PCAP
Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late-night shift while looking at shibes, and managed to capture packets as the attack happened.
Can you work out how the attacker got in, and hack your way back into Overpass’ production server?
md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc
We are given an overpass2.pcapng file to examine in Wireshark.
Open Wireshark and load the downloaded capture so we can analyze the network traffic and investigate the packets.
Task 1.1 - What was the URL of the page they used to upload a reverse shell?
There are only a few HTTP packets, so let’s analyze them first. The following display filter shows HTTP requests and TLS Client Hellos while hiding SSDP noise on UDP port 1900:
(http.request or tls.handshake.type == 1) and !(udp.port eq 1900)
Follow > HTTP Stream
It’s a GET request to a file uploading form.
If you take a look at the POST request, you’ll find the path the attacker used to upload the payload in order to gain access to the system.
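The same check can be automated instead of done by eye. The script below is an added example for this write-up, not code from the room: it splits a followed HTTP stream into requests and flags any multipart POST whose uploaded file name has a server-side script extension. SAMPLE_STREAM is a constructed stand-in for what “Follow > HTTP Stream” shows; the upload path, form field, file names and PHP body are placeholders, not the room’s values.

```python
"""Spot a server-side script uploaded through a web form in a followed HTTP stream.

Added example for this write-up, not code from the room. SAMPLE_STREAM is a
constructed stand-in for what 'Follow > HTTP Stream' shows; the upload path,
form field, file names and PHP body are placeholders, not the room's values.
"""
import re

SAMPLE_STREAM = (
    "GET /example/ HTTP/1.1\r\n"
    "Host: overpass.example\r\n"
    "\r\n"
    "POST /example/upload.php HTTP/1.1\r\n"
    "Host: overpass.example\r\n"
    "Content-Type: multipart/form-data; boundary=----boundary\r\n"
    "\r\n"
    "------boundary\r\n"
    'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
    "Content-Type: application/x-php\r\n"
    "\r\n"
    "<?php /* placeholder body */ ?>\r\n"
    "------boundary--\r\n"
    "POST /example/upload.php HTTP/1.1\r\n"
    "Host: overpass.example\r\n"
    "Content-Type: multipart/form-data; boundary=----boundary\r\n"
    "\r\n"
    "------boundary\r\n"
    'Content-Disposition: form-data; name="fileToUpload"; filename="photo.jpg"\r\n'
    "Content-Type: image/jpeg\r\n"
    "\r\n"
    "(binary omitted)\r\n"
    "------boundary--\r\n"
)

# One request line per HTTP request; `$` in MULTILINE mode matches before the '\n'.
REQUEST_LINE = re.compile(
    r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/1\.[01]\r?$", re.M
)
FILENAME = re.compile(r'filename="([^"]*)"')
# Extensions a typical Apache/PHP host executes instead of serving as data.
SCRIPT_EXTS = (".php", ".php3", ".php5", ".phtml", ".phar", ".jsp", ".asp", ".aspx")


def split_requests(stream):
    """Split a followed client-side stream into (method, path, rest) per request."""
    marks = list(REQUEST_LINE.finditer(stream))
    out = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(stream)
        out.append((m.group(1), m.group(2), stream[m.end():end]))
    return out


def find_script_uploads(stream):
    """Return (path, filename) for each multipart POST that carries a script file."""
    hits = []
    for method, path, rest in split_requests(stream):
        headers, _, body = rest.partition("\r\n\r\n")
        if method != "POST" or "multipart/form-data" not in headers:
            continue
        for name in FILENAME.findall(body):
            if name.lower().endswith(SCRIPT_EXTS):
                hits.append((path, name))
    return hits


if __name__ == "__main__":
    for path, name in find_script_uploads(SAMPLE_STREAM):
        print(f"script upload to {path}: {name}")
```

Run it against a stream exported from Wireshark (Follow > HTTP Stream, then save the client-to-server direction as raw text) and every upload of a `.php`-style file is listed with the endpoint that accepted it; only the first POST in the sample is flagged, the JPEG upload is not.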
Task 1.2 - What payload did the attacker use to gain access?
The attacker used a PHP one-liner reverse shell to gain access.
Task 1.3 - What password did the attacker use to privesc?
After the attacker gained low-privilege access to the machine, the unencrypted traffic shows everything the attacker did.
We know the reverse shell listener was on port 4242, so let’s filter on that port to see the flow of the reverse shell session.
tcp.port == 4242
Follow > TCP Stream
In that stream we find the password the attacker used.
Task 1.4 - How did the attacker establish persistence?
Following the same stream, the attacker was able to elevate to the user “James” and then ran sudo -l to find which commands that user can run as root. This allowed the attacker to read the /etc/shadow file and obtain the users’ password hashes.
Further down, the attacker cloned a GitHub repo named “SSH backdoor”, which answers this question.
Task 1.5 - Using the fasttrack wordlist, how many of the system passwords were crackable?
Now that we have a few user hashes, let’s crack them with the fasttrack wordlist.
john --wordlist=fasttrack.txt hash.txt
Task 2 - Research - Analyse the code
Now that you’ve found the code for the backdoor, it’s time to analyse it. To analyze the code we’re going to download that GitHub repo.
Task 2.1 - What’s the default hash for the backdoor?
Looking at main.go, we can find the default hash for the backdoor.
Task 2.2 - What is the hardcoded salt for the backdoor?
Continuing through the file, we find the hardcoded salt near the bottom.
Task 2.3 - What is the hash the attacker used? - go back to the PCAP for this!
Go back to the same TCP stream, the one in which the attacker ran ssh-keygen.
Task 2.4 - Crack the hash using rockyou and a cracking tool of your choice. What is the password?
Now that we know which hash we’re cracking, let’s use Hashcat or John to crack it. Because the hash is salted, online cracking sites won’t work.
hashcat -m <HASH_TYPE> -a 0 -o <outfile> <HASH:SALT> <wordlist>
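To make the HASH:SALT shape of that command concrete, and to show why a salt that is hardcoded in the source (Task 2.2) does not protect the hash from the wordlist attack used here and in Task 1.5, here is an added example for this write-up. It is not the backdoor’s code: the hashing scheme (SHA-512 over password followed by salt, hex encoded) is an assumption made for illustration, and the salt and wordlist are constructed placeholders.

```python
"""Salted-hash wordlist check in the HASH:SALT shape the hashcat line above uses.

Added example for this write-up, not the backdoor's code. The scheme
hex(sha512(password || salt)) is an assumption for illustration; SALT and
WORDLIST are constructed placeholders, not the room's values.
"""
import hashlib

SALT = "placeholder-salt"                                                   # constructed
WORDLIST = ["password", "letmein", "qwerty", "correcthorse", "secret123"]   # constructed


def salted_sha512(password, salt):
    """Assumed scheme: hex(sha512(password || salt))."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def hashcat_line(digest_hex, salt):
    """Join hash and salt the way the HASH:SALT argument above expects."""
    return f"{digest_hex}:{salt}"


def parse_hashcat_line(line):
    """Inverse of hashcat_line: split on the last colon so a salt may itself contain ':'."""
    digest_hex, _, salt = line.rpartition(":")
    return digest_hex, salt


def wordlist_match(line, words):
    """Return the first word whose salted hash equals the digest in `line`, else None.

    A hardcoded salt is known to anyone who reads the source, so it adds no
    work per guess: each candidate costs one SHA-512, which is why the hash
    falls to a wordlist even though it is "salted".
    """
    digest_hex, salt = parse_hashcat_line(line)
    for word in words:
        if salted_sha512(word.strip(), salt) == digest_hex:
            return word
    return None


def salt_changes_digest(password, salt_a, salt_b):
    """Same password, different salts, different digests: a table precomputed for
    one salt says nothing about another. That is what a random per-user salt buys
    (and a fixed, published salt gives up)."""
    return salted_sha512(password, salt_a) != salted_sha512(password, salt_b)


if __name__ == "__main__":
    line = hashcat_line(salted_sha512("secret123", SALT), SALT)
    print(line)
    print("matched:", wordlist_match(line, WORDLIST))
```

The /etc/shadow entries from Task 1.5 are in the standard crypt format that john reads directly, so they need no reformatting; the backdoor’s hash is the case where you build the HASH:SALT line yourself from the values recovered in Tasks 2.2 and 2.3.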
Task 3 - Attack - Get back in!
Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.
There are flags on the box that Overpass can’t afford to lose by formatting the server!
During this step, we identify the target to see which services are listening behind the IP address. An nmap service scan shows:
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
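The scan itself already contains the persistence clue: a second sshd on 2222 whose banner says Debian-built OpenSSH 8.2 on an Ubuntu host running OpenSSH 7.6. The script below is an added example for this write-up (not part of the room) that parses the scan output above, re-wrapped one nmap row per line, and flags exactly those two signals, so the same check can be run over any nmap listing during an incident.

```python
"""Parse an nmap service listing and flag an SSH daemon that does not belong to the host.

Added example for this write-up, not part of the room. NMAP_TEXT is the scan
output shown on this page, re-wrapped one line per nmap row.
"""
import re

NMAP_TEXT = """\
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
"""

# "port/proto  state  service  version..." rows; NSE script lines start with '|' and are skipped.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
DISTRO_TOKENS = ("Ubuntu", "Debian", "FreeBSD", "CentOS", "Red Hat")


def parse_ports(text):
    """Return one dict per port row: port, proto, state, service, version."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                         "service": m.group(4), "version": m.group(5).strip()})
    return rows


def distro_of(version):
    """Pick the distribution name out of a version banner, or None if there is none."""
    for token in DISTRO_TOKENS:
        if token in version:
            return token
    return None


def ssh_anomalies(rows, expected_port=22):
    """Flag SSH services that do not look like the host's own sshd.

    Two independent signals: a listener on a port other than the expected one,
    and a banner whose platform differs from the expected-port sshd. A second
    daemon built for another distribution is a separately installed binary,
    which is how an SSH backdoor shows up in a service scan.
    """
    ssh_rows = [r for r in rows if r["service"] == "ssh"]
    baseline = next((r for r in ssh_rows if r["port"] == expected_port), None)
    findings = []
    for r in ssh_rows:
        if r["port"] == expected_port:
            continue
        findings.append((r["port"], "ssh on non-standard port"))
        if baseline and distro_of(r["version"]) != distro_of(baseline["version"]):
            findings.append((r["port"], "platform differs from port %d sshd" % expected_port))
    return findings


if __name__ == "__main__":
    for port, reason in ssh_anomalies(parse_ports(NMAP_TEXT)):
        print(f"{port}/tcp: {reason}")
```

Feed it the normal (-oN) output of a scan and it reports both findings for port 2222 here; a clean host with a single sshd on port 22 produces no output.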
Task 3.1 - The attacker defaced the website. What message did they leave as a heading?
Navigate to the webpage to find out what the message is.
Task 3.2 - Using the information you’ve found previously, hack your way back in!
Now that we have a few passwords, let’s try them to log in as “James” over SSH on port 2222, because that is where the backdoor was set up.
Task 3.3 - What is the user flag?
Navigate to the home directory and you’ll find user.txt.
Task 3.4 - What is the root flag?
In the TCP stream the attacker was able to escalate to root through sudo -l, but that isn’t working here. So let’s take a closer look at the directory.
There’s a binary file owned by root and executable by James. We can use this SUID binary to escalate to root with the help of GTFOBins.
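A root-owned SUID binary sitting in a user’s home directory is exactly what a post-incident audit should catch. The script below is an added example for this write-up, not part of the room: it compares setuid-root files against a baseline of the ones a stock install is expected to have and lists the rest, home-directory hits first. The SAMPLE listing and BASELINE are constructed, and the suspicious path is a placeholder, not the name of the binary on the box.

```python
"""Audit setuid-root binaries against a baseline of expected ones.

Added example for this write-up, not part of the room. SAMPLE and BASELINE are
constructed; "/home/james/.placeholder_suid" is a placeholder, not the real binary.
"""
import os
import stat

# Setuid-root programs a stock install is expected to carry (constructed; adjust per distro).
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/chsh",
            "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/mount", "/bin/umount", "/bin/ping"}

# Constructed listing in the shape collect_setuid() returns: (path, uid, st_mode).
SAMPLE = [
    ("/usr/bin/sudo", 0, 0o104755),
    ("/usr/bin/passwd", 0, 0o104755),
    ("/home/james/.placeholder_suid", 0, 0o104755),   # root-owned, setuid, in a user's home
    ("/home/james/user.txt", 1000, 0o100644),          # ordinary file
    ("/usr/local/bin/tool", 1000, 0o104755),           # setuid, but not root-owned
]


def is_setuid_root(uid, mode):
    """Regular file, setuid bit set, owned by uid 0: the combination that grants root."""
    return uid == 0 and bool(mode & stat.S_ISUID) and stat.S_ISREG(mode)


def audit(entries, baseline=BASELINE):
    """Return setuid-root files not in the baseline, anything under /home listed first."""
    unexpected = [p for p, uid, mode in entries
                  if is_setuid_root(uid, mode) and p not in baseline]
    return sorted(unexpected, key=lambda p: (not p.startswith("/home/"), p))


def collect_setuid(roots=("/",)):
    """Walk the filesystem with lstat (symlinks are not followed) and return
    (path, uid, st_mode) for every file with the setuid bit, for audit() to consume."""
    out = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue            # unreadable or vanished entry; skip it
                if st.st_mode & stat.S_ISUID:
                    out.append((path, st.st_uid, st.st_mode))
    return out


if __name__ == "__main__":
    for path in audit(collect_setuid()):
        print("unexpected setuid-root binary:", path)
```

Run as root on the recovered box it walks the whole filesystem; the baseline should be taken from a known-good image of the same distribution rather than from the compromised host, since the attacker’s binary would otherwise end up in it.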