Overpass 2 Hacked - TryHackMe


The link for this lab is located here: https://tryhackme.com/room/overpass2hacked


Overpass has been hacked! Can you work out how the attacker got in, and hack your way back into Overpass' production server? You will use Wireshark to reconstruct the intrusion and then hack your way back in.



Full Walkthrough

Opening the provided packet capture in Wireshark and filtering on the HTTP requests, we can see that a GET request was sent first for the /development page. The attackers then used a POST request to upload a file called upload.php. Finally, they navigated to /development/upload.php to trigger the shell.


Looking into the POST request that carried upload.php, we can see the full contents of the uploaded file: a reverse netcat shell found here.

Next, following the TCP stream of the reverse shell connection that was opened after the payload was executed, we can see the full list of commands the attacker ran. In this case, they ran the sudo -l command and entered the following password:

Looking through more commands, we can see that the attacker used git clone to download an SSH backdoor from GitHub.


The attacker was also able to read the /etc/shadow file and obtain the password hashes. Copying the contents of the file from the same stream to our Kali machine, we can try cracking them using the fasttrack wordlist. This returns 4 cracked passwords for us.


Again, looking through the captured command session, we can see that the attacker had to provide a hash when starting the backdoor. Navigating to the backdoor repository they downloaded, there is a default hash visible in the source code.


Further up in the same source code there is also a salt.


Looking at the hash the attacker actually passed to the backdoor, we can see that it is different from the default, so they set their own password.

We can try cracking this by first combining the attacker’s hash with the salt found in the source code:


Once combined into a single hash:salt line, we can use Hashcat to run it against a password list and hopefully crack it.


After a while, Hashcat comes back with a password.
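As an added example (not the author's code and not the backdoor project's own source), the script below reproduces the password check described above in Python, assuming the backdoor hashes SHA-512(password + salt), which is the layout Hashcat's sha512($pass.$salt) mode (-m 1710) expects. The salt, target password and wordlist are constructed for the demo, not the room's values; the point is to confirm the hash:salt layout on a small list before committing a long Hashcat run.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed sample values for the demonstration (not the room's salt or hash).
SAMPLE_SALT = "constructed-salt-do-not-reuse"
SAMPLE_WORDLIST = ["password", "letmein", "spring2020", "correcthorse", "qwerty"]


def backdoor_hash(password: str, salt: str) -> str:
    """Reproduce the backdoor's check: hex(SHA-512(password + salt)).

    Assumption: the salt is appended to the password before hashing, which is
    exactly what Hashcat's -m 1710 (sha512($pass.$salt)) mode computes.
    """
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest()


def to_hashcat_line(digest_hex: str, salt: str) -> str:
    """Combine the captured hash with the source-code salt into a hash:salt line."""
    return f"{digest_hex}:{salt}"


def parse_hashcat_line(line: str) -> Tuple[str, str]:
    """Split a hash:salt line back into its parts, validating the digest length."""
    digest_hex, _, salt = line.strip().partition(":")
    digest_hex = digest_hex.lower()
    if len(digest_hex) != 128 or any(c not in "0123456789abcdef" for c in digest_hex):
        raise ValueError("expected a 128-hex-character SHA-512 digest before ':'")
    return digest_hex, salt


def check_wordlist(digest_hex: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the candidate that reproduces digest_hex under the scheme, or None.

    Comparing against the lower-cased target makes the check case-insensitive
    on the hex digest, as Hashcat is.
    """
    target = digest_hex.lower()
    for candidate in wordlist:
        if backdoor_hash(candidate, salt) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Simulate the attacker replacing the default hash with one for their own password.
    attacker_hash = backdoor_hash("correcthorse", SAMPLE_SALT)
    line = to_hashcat_line(attacker_hash, SAMPLE_SALT)
    print("hashcat -m 1710 input:", line)
    print("recovered:", check_wordlist(*parse_hashcat_line(line), SAMPLE_WORDLIST))
```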


Now that we know the password, we can try SSH’ing into the machine on port 2222 as the user james.


Listing the files in the /home/james directory, there is a file called .suid_bash which looks interesting: it is a copy of bash with the SUID bit set and owned by root, so it runs with root privileges.


Running this binary with the "-p" parameter (bash otherwise drops an effective UID that does not match the real UID) gives us back a shell that is running as the root user.


Finally, we can grab both the user and root flags.
