Post

TryHackMe - OverPass2


Description

Hello l33ts, I hope you are doing well. We are doing OverPass 2 - Hacked from TryHackMe, it’s a medium machine where we are given a pcap file to analyze that contains packets captured during an attack, let’s download the file and open it with wireshark.

Forensics - PCAP Analysis

When we open the pcap file with wireshark, we see a GET request for /development page.

dev

The attacker used this page to upload a php reverse shell.

up

We need to follow the tcp stream of the POST request packet to see more information, we can do that by right clicking the POST packet > follow > tcp stream

payload

With that, we can see what payload the attacker has used to get a reverse shell.

Looking trought the packets, we see that a new tcp connection is being established right after the attacker has uploaded the php payload.

syn

Let’s follow the tcp stream of the 29th packet.

shell

We can see what the attacker has executed after gaining a shell, we see that he changed user to james using james’s password. Scrolling down, we see that the attacker cloned a repository from github.

backdoor

we can also see hashes of deferent users.

hashes

Research - Code Analysis

Let’s navigate to the ssh-backdoor repository on github https://github.com/NinjaJc01/ssh-backdoor

Click main.go to see the source code.

code

We can see the default hash for the backdoor.

If you scroll down to the bottom of the file we can see the hardcoded salt for the backdoor.

salt

Returning to the pcap file where the attacker got into the machine, we can see the hash he used for the backdoor.

back

Using hash-identifier, we see that the hash is sha512

We can now copy that hash and add the salt we found earlier to it and try to crack it. the final string will look like this.

str

I will be using hashcat to crack the password, but we need to find the mode to use for sha512 hash.

mode

The mode we’ll use is 1710, the final command will look like this : hashcat -m 1710 hash.txt /usr/share/wordlists/rockyou.txt

Attack - Get back in!

Visiting the webpage, we see that the attacker has changed the face of the website.

page

Let’s now try to get if we look at one of the packets of the pcap file, we can see that the attacker started SSH backdoor on port 2222.

port

We are provided with a hint that tells us that the backdoor only checks the password, so we can only specify the host and the port, provide the password we cracked and get in.

ssh

We are in, let’s see if we can get root.

root

We moved to james home directory and see that the attacker made a copy of bash owned by root and gave it suid permission, we are able to execute it as root and get root privileges.


Thank you for taking the time to read my writeup, I hope you have learned something with this, if you have any questions or comments, please feel free to reach out to me. See you in the next hack :) .

This post is licensed under CC BY 4.0 by the author.