Overpass 2 Hacked - TryHackMe
The link for this lab is located here: https://tryhackme.com/room/overpass2hacked
Overpass has been hacked! Can you work out how the attacker got in, and hack your way back into Overpass' production server? You will use Wireshark and hack your way back in
Full Walkthrough
Downloading the packet capture and opening it in Wireshark, we can filter on HTTP and see the attacker's sequence of requests: first a GET request for the /development page, then a POST request to /development/upload.php that uploaded a PHP file, and finally a GET request for the uploaded file, which executed the shell.
Looking into the body of the POST request, we can see the full reverse shell code that was inside the uploaded file: a netcat reverse shell calling back to the attacker's machine.
Next, following the TCP stream of the reverse shell connection (the traffic after the payload was executed), we can see every command the attacker typed. Because the shell runs over an unencrypted TCP connection, the password is visible in cleartext: the attacker ran sudo -l and entered the following password:
Looking through more of the commands in the stream, we can see that the attacker used git clone to download an SSH backdoor from GitHub.
The attacker also dumped the contents of /etc/shadow to obtain the password hashes. Since the same stream is readable to us, we can copy those hashes to our Kali machine and try cracking them with the fasttrack wordlist. This returns 4 cracked passwords.
Again, looking through the command stream, we can see that the attacker had to provide a hash on the command line when starting the backdoor. Navigating to the backdoor repository they cloned, there is a default hash visible in the source code.
There is also a hard-coded salt further up in the same source file.
Comparing the hash the attacker passed to the backdoor with the default one in the source, we can see that it is different, so the attacker set their own password rather than using the default.
The salt, however, is the same one from the source, so we can try cracking the attacker's password by first combining the attacker's hash with that salt in hashcat's hash:salt format:
Once combined, we can run Hashcat against it with a wordlist and hopefully crack it.
After a while, Hashcat comes back with a password
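The following is an added example, not part of the original walkthrough or the backdoor's own code. It reproduces the cracking step offline: the backdoor hashes a password by appending the salt and taking SHA-512 (hashcat mode 1710, sha512($pass.$salt)), and the hash:salt line built here is the input format that mode expects. The salt, the wordlist and the target hash below are constructed for the demo; in the real exercise the salt comes from the cloned source and the hash from the command line in the packet capture.

```python
import hashlib
from typing import Iterable, Optional


def backdoor_hash(password: str, salt: str) -> str:
    """Hash a password the way the backdoor does: hex(SHA-512(password + salt)).

    Check this against the hashPassword function in the cloned source before
    relying on it; if the source concatenates in the other order, hashcat's
    mode would be 1720 (sha512($salt.$pass)) instead of 1710.
    """
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest()


def hashcat_line(hash_hex: str, salt: str) -> str:
    """Build the hash:salt line that hashcat -m 1710 expects in its hash file."""
    return f"{hash_hex}:{salt}"


def crack(hash_hex: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose salted hash matches."""
    target = hash_hex.lower()
    for candidate in wordlist:
        word = candidate.rstrip("\r\n")
        if backdoor_hash(word, salt) == target:
            return word
    return None


def crack_file(hash_hex: str, salt: str, wordlist_path: str) -> Optional[str]:
    """Same attack driven from a wordlist file such as rockyou.txt.

    errors="ignore" matters: real wordlists contain bytes that are not valid UTF-8
    and a strict decode would abort the run part way through.
    """
    with open(wordlist_path, encoding="utf-8", errors="ignore") as fh:
        return crack(hash_hex, salt, fh)


# --- constructed demo data (hypothetical; not the room's real salt or hash) ---
DEMO_SALT = "4f8e2c1a9b7d6e5f0c3b2a1d9e8f7c6b"
DEMO_WORDLIST = ["password", "123456", "overpass", "letmein123", "qwerty"]
DEMO_ATTACKER_HASH = backdoor_hash("letmein123", DEMO_SALT)


if __name__ == "__main__":
    print("hashcat input :", hashcat_line(DEMO_ATTACKER_HASH, DEMO_SALT))
    print("cracked       :", crack(DEMO_ATTACKER_HASH, DEMO_SALT, DEMO_WORDLIST))
    # The salt must be the one from the source: a wrong salt never matches.
    print("wrong salt    :", crack(DEMO_ATTACKER_HASH, "0" * 32, DEMO_WORDLIST))
```

With the real values, `hashcat -m 1710 hash.txt wordlist.txt` does the same job far faster than this loop; the Python version is useful mainly to confirm that you have the salt, the hash and the concatenation order right before burning GPU time.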
Now that we know the password, we can try SSH’ing into the machine on port 2222 as the user james.
Listing the files in the /home/james directory, there is a hidden file called .suid_bash which looks interesting: it is a copy of bash that is owned by root with the SUID bit set, so it runs with root's effective UID.
Running this binary with the -p parameter gives us a shell running as root. The flag is needed because bash, when started with an effective UID that differs from its real UID, drops the elevated privileges unless -p (privileged mode) is passed.
Finally, we can grab both the user and root flag.