Overpass 2 - Hacked Walkthrough - Offensive Pentesting

CTF Walkthroughs
, , ,
1

Overpass 2 rated as an easy machine on TryHackMe, and it belongs to the Offensive Pentesting series.

Room Overpass 2 - Hacked
Target OS Linux
Difficulty Easy
Description Overpass has been hacked! Can you analyze the attacker’s actions and hack back in?
Maker NinjaJc01

Task 1 - Forensics - Analyse the PCAP

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late-night shift while looking at shibes, and managed to capture packets as the attack happened.

Can you work out how the attacker got in, and hack your way back into Overpass’ production server?

md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc

We are given an overpass2.pcapng file to look at using Wireshark

image
image893×116 30.8 KB

wireshark overpass2.pcapng

Open Wireshark and load the PCAP file which we downloaded to analyze network traffic and investigate packets of data.

image
image1718×1019 262 KB

Task 1.1 - What was the URL of the page they used to upload a reverse shell?

There are few HTTP packets let’s analyze them first.

(http.request or tls.handshake.type == 1) and !(udp.port eq 1900)

image
image1246×278 73.1 KB

Follow > HTTP Stream

It’s a GET request to a file uploading form.

image
image730×413 56.7 KB

If you take a look at the POST method request. You’ll found the path which the attacker used to upload the payload in order to gain access to the system.

image
image898×706 93 KB

Task 1.2 - What payload did the attacker use to gain access?

The attacker used PHP one-liner reverse shell to gain access.

image
image890×154 13.7 KB

Task 1.3 - What password did the attacker use to privesc?

After the attacker has gained low-privilege access to the machine we can see the unencrypted HTTP traffic and what the attacker has done.

We know the reverse shell listened on port 4242 so let’s filter that and we can see the flow of reverse shell traffic.

tcp.port == 4242

image
image1552×70 13.7 KB

Follow > TCP Stream

TCP Stream
TCP Stream1109×866 119 KB

And we found the password.

Task 1.4 - How did the attacker establish persistence?

Following the same stream, the attacker was able to elevate to user “James” then used sudo -l to find which commands it can run as root. This allowed the attacker to read /etc/shadow file to find passwords for users.

How did the attacker establish persistence
How did the attacker establish persistence1136×830 109 KB

Below the attacker cloned a github repo named “SSH backdoor” which answered this question.

image
image722×109 18.6 KB

Task 1.5 - Using the fasttrack wordlist, how many of the system passwords were crackable?

As we found few hashes for users let’s crack them using fasttrack wordlist.

john --wordlist=fasttrack.txt hash.txt

Task 2 - Research - Analyse the code

Now that you’ve found the code for the backdoor, it’s time to analyse it. To analyze the code we’re gonna download that github repo.

image
image1166×250 67.9 KB

Task 2.1 - What’s the default hash for the backdoor?

By looking at the main.go we can find the default hash for the backdoor.

image

Task 2.2 - What is the hardcoded salt for the backdoor?

Continuing through the file we’ll find the hardcoded salt at the bottom.

image
image771×77 12 KB

Task 2.3 - What is the hash the attacker used? - go back to the PCAP for this!

Going back to the same TCP stream where attacker generated ssh-keygen.

image

Task 2.4 - Crack the hash using rockyou and a cracking tool of your choice. What is the password?

Now we know which hash we’re cracking let’s use Hashcat or John to crack it, as it is salted it won’t work on online cracking sites.

hashcat -m <HASH_TYPE> -a 0 -o <outfile> <HASH:SALT> <wordlist>

image
image1728×541 99.1 KB

Task 3 - Attack - Get back in!

Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.

There are flags on the box that Overpass can’t afford to lose by formatting the server!

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

image
image1060×490 96.4 KB 

22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)

Task 3.1 - The attacker defaced the website. What message did they leave as a heading?

Navigate to the webpage to find out whats the message.

image
image963×939 112 KB

Task 3.2 - Using the information you’ve found previously, hack your way back in!

Now that we have few passwords let’s try them to login via “James” on ssh port 2222 because the backdoor was set up there.

image
image1057×601 130 KB

Task 3.3 - What is the user flag?

Navigate to the home directory and you’ll find user.txt.

image

Task 3.4 - What is the root flag?

In TCP stream the attacker was able to escalate to root user through sudo -l but this isn’t working here. So if we take a good look at the directory.

ls -lah

image
image706×405 75.9 KB

There’s a binary file owned by root and executable by James. We can exploit this SUID binary to escalate to root using GTFOBINs.

image
image1398×135 21.6 KB

image

1 Like