TryHackMe - Overpass 2
The second part of Overpass brings a mixture of network packet capture analysis, some code review and the usual step of gaining access on the machine and escalating the privileges in order to get root.
[Task 1] Forensics - Analyse the PCAP
The first part of this challenge focuses on finding information in a PCAP file. I downloaded the file and opened it with Wireshark, in order to find out the necessary stuff to answer the questions.
1. What was the URL of the page they used to upload a reverse shell?
Since we were being told that a web page is involved, the first thing I did was to apply a filter in Wireshark, more specific, http. The next step was to see the request sent to that specific page. The way I did it was to select the first packet, right click on it, then go to “Follow” and then choose “TCP Stream”. A new window appeared, with the content of the request that was sent, window where we can see the URL required.
2. What payload did the attacker use to gain access?
We know from the previous question that a reverse shell was uploaded. So it should be a file and we should be looking for a POST request. Using the same window where we found the URL, we just go to Stream 1 (for the previous question it was Stream 0) and we find there the whole content we need.
Another way to find this file (upload.php) would be to export the objects from the PCAP. To do this, in the main window of Wireshark, where the network capture is opened, go to File -> Export Objects ->HTTP. From there, select the multipart/form-data from packet 14 and you will save locally the php file with the reverse shell used. Then, you just open it and get the content.
3. What password did the attacker use to privesc?
Continuing to advance through the streams in the window we opened in Wireshark, at Stream 3 we get the password required for this question.
4. How did the attacker establish persistence?
In the same stream as above, if we scroll down more, we see that the attacker cloned a repository from github and so we get the answer for this question.
5. Using the fasttrack wordlist, how many of the system passwords were crackable?
Still in the same stream, before cloning the repository but after logging in, the attacker exposed the /etc/shadow file, revealing the information there. We can see that there are several users and their hashed passwords.
For the next step, I saved them in a local file and tried to crack them with John The Ripper. However, I didn’t have the fasttrack.txt file on my Kali Machine so I had to download it from the internet. As far as I understood, it is missing on some versions or above a specific version. If you don’t have it, get it first.
From the screenshot above we can see that some of the passwords found were cracked.
[Task 2] Research - Analyse the code
For the second part of this challenge, we will focus on some code review. Using the answer from Task 1, Question 4, I also cloned the github repository and started to analyze the code.
1. What’s the default hash for the backdoor?
After downloading the files from github, I had a look and verified the code for main.go file. Inside, I found the default hash for the backdoor.
2. What’s the hardcoded salt for the backdoor?
In the same file, at the end, there is a function called passwordHandler, there you can find the hardcoded salt for the backdoor.
3. What was the hash that the attacker used? - go back to the PCAP for this!
As suggested, I returned to the Wireshark capture and, again, in Stream 3, at the end, we find the answer for this question.
4. Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
I used hashcat for this one but I wasted some time here. This happened because, even though I identified the correct mode, I haven’t properly created the hash file. We know that is a salted hash but I didn’t pay attention and failed several attempts just because I wasn’t adding the salt. The format is $pass:$salt and the hashcat mode is 1710. Below you have the command I used, where salted_hash is the file with the hash.
hashcat --force -m 1710 -a 0 salted_hash rockyou.txt
[Task 3] Attack - Get back in!
The last part of this challenge is the one where we must get back in. I deployed the machine and accessed the website.
1. The attacker defaced the website. What message did they leave a heading?
When I accessed the website, I checked the source code (the heading was covered by an image and I couldn’t see it) and got it from there.
Another option to get this, even though it’s quite redundant, is to go to Wireshark, scroll through streams like we did in the first part and check the request made in Stream 8. There, you can find the same source code like above.
2. Using the information you’ve found previously, hack your way back in!
Well, I knew that in the first part I found a password (there was also an user), when I checked the Wireshark Stream where the attacked gained access to the machine. I tried to ssh via the standard port 22 and use that password but didn’t work. I got connection refused. Then I performed a scan with nmap.
We can see that there is another ssh service running on port 2222. Initially I tried with the same password and also with the user:password pairs that I cracked in the first part but it didn’t work. Then I used the first user and the cracked password from the last question in the second part and I was able to get in.
3. What’s the user flag?
For this question, I just had to go to the home folder of the user, the user.txt file was there and I read the content and got the flag.
4. What’s the root flag?
I checked the groups where this user is a member and I found that it is part of the lxd one. I tried to exploit this but it didn’t work. Anyway, the answer was closer than I thought. In the home directory, I listed also the hidden files and I saw a very interesting file, .suid_bash, which had root for both owner and group, executable by everybody and was also a SUID and GUID file. I ran it and got a shell, but when I checked, I still wasn’t root. Then I tried with -p flag and boom, I was root. From this point, getting the root flag was simple, I just had to read the content from /root/root.txt.
Thanks for reading and I hope you liked this walkthrough!