Overpass 2 - Hacked Walkthrough - Offensive Pentesting

Overpass 2 rated as an easy machine on TryHackMe, and it belongs to the Offensive Pentesting series.

Room Overpass 2 - Hacked
Target OS Linux
Difficulty Easy
Description Overpass has been hacked! Can you analyze the attacker’s actions and hack back in?
Maker NinjaJc01

Task 1 - Forensics - Analyse the PCAP

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late-night shift while looking at shibes, and managed to capture packets as the attack happened.

Can you work out how the attacker got in, and hack your way back into Overpass’ production server?

md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc

We are given an overpass2.pcapng file to look at using Wireshark

wireshark overpass2.pcapng

Open Wireshark and load the PCAP file which we downloaded to analyze network traffic and investigate packets of data.

Task 1.1 - What was the URL of the page they used to upload a reverse shell?

There are few HTTP packets let’s analyze them first.

(http.request or tls.handshake.type == 1) and !(udp.port eq 1900)

Follow > HTTP Stream

It’s a GET request to a file uploading form.

If you take a look at the POST method request. You’ll found the path which the attacker used to upload the payload in order to gain access to the system.

Task 1.2 - What payload did the attacker use to gain access?

The attacker used PHP one-liner reverse shell to gain access.

Task 1.3 - What password did the attacker use to privesc?

After the attacker has gained low-privilege access to the machine we can see the unencrypted HTTP traffic and what the attacker has done.

We know the reverse shell listened on port 4242 so let’s filter that and we can see the flow of reverse shell traffic.

tcp.port == 4242

Follow > TCP Stream

And we found the password.

Task 1.4 - How did the attacker establish persistence?

Following the same stream, the attacker was able to elevate to user “James” then used sudo -l to find which commands it can run as root. This allowed the attacker to read /etc/shadow file to find passwords for users.

Below the attacker cloned a github repo named “SSH backdoor” which answered this question.

Task 1.5 - Using the fasttrack wordlist, how many of the system passwords were crackable?

As we found few hashes for users let’s crack them using fasttrack wordlist.

john --wordlist=fasttrack.txt hash.txt

Task 2 - Research - Analyse the code

Now that you’ve found the code for the backdoor, it’s time to analyse it. To analyze the code we’re gonna download that github repo.

Task 2.1 - What’s the default hash for the backdoor?

By looking at the main.go we can find the default hash for the backdoor.


Task 2.2 - What is the hardcoded salt for the backdoor?

Continuing through the file we’ll find the hardcoded salt at the bottom.

Task 2.3 - What is the hash the attacker used? - go back to the PCAP for this!

Going back to the same TCP stream where attacker generated ssh-keygen.


Task 2.4 - Crack the hash using rockyou and a cracking tool of your choice. What is the password?

Now we know which hash we’re cracking let’s use Hashcat or John to crack it, as it is salted it won’t work on online cracking sites.

hashcat -m <HASH_TYPE> -a 0 -o <outfile> <HASH:SALT> <wordlist>

Task 3 - Attack - Get back in!

Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.

There are flags on the box that Overpass can’t afford to lose by formatting the server!

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)

Task 3.1 - The attacker defaced the website. What message did they leave as a heading?

Navigate to the webpage to find out whats the message.

Task 3.2 - Using the information you’ve found previously, hack your way back in!

Now that we have few passwords let’s try them to login via “James” on ssh port 2222 because the backdoor was set up there.

Task 3.3 - What is the user flag?

Navigate to the home directory and you’ll find user.txt.


Task 3.4 - What is the root flag?

In TCP stream the attacker was able to escalate to root user through sudo -l but this isn’t working here. So if we take a good look at the directory.

ls -lah

There’s a binary file owned by root and executable by James. We can exploit this SUID binary to escalate to root using GTFOBINs.


1 Like