Overpass 2 is rated as an easy machine on TryHackMe and belongs to the Offensive Pentesting series.
Room: Overpass 2 - Hacked
Description: Overpass has been hacked! Can you analyze the attacker’s actions and hack back in?
Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late-night shift while looking at shibes, and managed to capture packets as the attack happened.
Can you work out how the attacker got in, and hack your way back into Overpass’ production server?
md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc
We are given an overpass2.pcapng file to look at using Wireshark.
Open Wireshark and load the downloaded PCAP file to analyze the captured traffic and investigate the packets.
There are a few HTTP packets; let’s analyze them first using the following display filter.
(http.request or tls.handshake.type == 1) and !(udp.port eq 1900)
Follow > HTTP Stream
It’s a GET request to a file upload form.
If you take a look at the POST request, you’ll find the path the attacker used to upload the payload and gain access to the system.
The attacker used a PHP one-liner reverse shell to gain access.
After the attacker gained low-privilege access to the machine, we can see from the unencrypted HTTP traffic what the attacker did.
We know the reverse shell listened on port 4242, so let’s filter on that port to see the flow of the reverse-shell traffic.
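As an added defender-side example (not code from the room or from this write-up), here is a small Python checker that flags the upload-then-execute pattern seen above in Apache access-log lines: a client POSTs to the upload form and then requests a .php file from the upload directory. The log lines, the client IP and the paths /development/upload.php and /development/uploads/ are constructed sample values, not the room’s real ones, and the check generalizes to any client that follows that sequence.

```python
import re

# Constructed sample Apache combined-log lines (not taken from the room's PCAP).
# The IP and the upload paths are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2020:20:10:01 +0000] "GET /development/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jul/2020:20:10:07 +0000] "POST /development/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jul/2020:20:10:12 +0000] "GET /development/uploads/payload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2020:20:11:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

# Parses the client IP, timestamp, method, path and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_upload_then_execute(log_text, upload_endpoint, upload_dir):
    """Return (ip, path) pairs for clients that POSTed to the upload form and
    afterwards requested a .php file from the upload directory, which is the
    sequence a web-shell or reverse-shell drop via an upload form produces."""
    posted = set()   # clients that have hit the upload endpoint with POST
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and path == upload_endpoint:
            posted.add(ip)
        elif (method == "GET" and ip in posted
              and path.startswith(upload_dir) and path.endswith(".php")):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in find_upload_then_execute(SAMPLE_LOG, "/development/upload.php", "/development/uploads/"):
        print(f"ALERT: {ip} uploaded and then executed {path}")
```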
tcp.port == 4242
Follow > TCP Stream
And we find the password.
Following the same stream, the attacker elevated to the user “James” and then ran sudo -l to find which commands that user can run as root. This allowed the attacker to read the /etc/shadow file and obtain the users’ password hashes.
Further down, the attacker cloned a GitHub repo named “SSH backdoor”, which answers this question.
As we found a few user hashes, let’s crack them using the fasttrack wordlist.
john --wordlist=fasttrack.txt hash.txt
Now that you’ve found the code for the backdoor, it’s time to analyse it. To analyze the code, we’ll clone that GitHub repo.
By looking at main.go we can find the default hash for the backdoor.
Continuing through the file, we find the hardcoded salt at the bottom.
Going back to the same TCP stream where the attacker ran ssh-keygen, we can see the hash the attacker actually used.
Now that we know which hash we’re cracking, let’s use Hashcat or John; because the hash is salted, online cracking sites won’t work.
hashcat -m <HASH_TYPE> -a 0 -o <outfile> <HASH:SALT> <wordlist>
Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.
There are flags on the box that Overpass can’t afford to lose by formatting the server!
In this step, we scan the target to see what services are behind the IP address.
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
Navigate to the web page to find out what the message is.
Now that we have a few passwords, let’s try logging in as “James” over SSH on port 2222, since the backdoor was set up there.
Navigate to the home directory and you’ll find user.txt.
In the TCP stream the attacker escalated to root through sudo -l, but that doesn’t work here. So let’s take a closer look at the home directory.
There’s a binary owned by root with the SUID bit set that is executable by James. We can use this SUID binary to escalate to root, following GTFOBins.