TryHackMe – Overpass 2 – Hacked Walkthrough

Introduction

This was an easy Linux machine and the second in the Overpass TryHackMe series. It involved analyzing a capture file containing the requests an attacker issued to compromise the web server, escalate privileges to root and establish persistence, in order to understand the exact steps that were taken, and then using that information to hack back into the host.

Analyze the PCAP File

Opening the .pcap file in Wireshark and applying a filter for port 80:

Found a GET request against the /development page:

Searching for requests containing “/development” in the body by clicking on Edit -> Find Packet and selecting String, found a request to /development/upload.php:

Identified a request where a PHP reverse shell was uploaded through the upload.php endpoint; the payload used a Netcat reverse shell:

Searching for requests containing passwords:

Identified a command issued to change to the james user after the attacker logged in as www-data; the password was provided in clear text:

The user also cloned a Git repository:

This SSH backdoor was used to maintain persistence on the machine:

After obtaining root access, some password hashes from the /etc/passwd file were revealed:

Adding the hashes to a text file:

Downloading the fasttrack wordlist to crack the hashes:

Using John the Ripper with the following flags to crack the previously found hashes:

  • --wordlist to specify the wordlist to be used, in this case, rockyou
  • the text file containing the hashes, one per line

Analyze the Code

Cloning the Git repository used to escalate privileges:

Searching for hashes stored in the code:

Found a hard-coded salt in the main.go file:

The hash used in the backdoor can also be viewed from the PCAP file:

The main.go file indicates the hash is sha512:

Saving the hash to a text file:

Using John the Ripper with the following flags to crack the previously found hashes:

  • --format to specify the hash type, in this case, sha512
  • --wordlist to specify the wordlist to be used, in this case, rockyou
  • the text file containing the hashes, one per line

Get back in!

Visited the web server on the target machine to see the message that was left by the attacker:

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

It appears port 2222 is open. Logging in to it with the password cracked earlier:

Running the following command to identify SUID binaries:

find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o -perm -2000 -o -perm -6000 2>/dev/null

It seems like the attacker has placed a SUID copy of the /bin/bash binary in the home directory of the james user:

Executing the binary with the -p flag, which makes bash keep the effective user ID granted by the SUID bit instead of dropping it back to the real user, grants root access to the host:
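As an added example that is not part of the original walkthrough, the following Python audit reproduces the find step above and goes one step further for defenders: it flags setuid/setgid files that sit outside the usual system directories or whose contents are a byte-for-byte copy of a system shell, which is exactly the persistence mechanism found in james's home directory. EXPECTED_DIRS and SYSTEM_SHELLS are assumed baselines and should be adjusted per host.

```python
import hashlib
import os
import stat

# Assumed baseline: directories where setuid binaries are normally expected.
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# Assumed list of shells an attacker might copy and mark setuid for persistence.
SYSTEM_SHELLS = ("/bin/bash", "/bin/sh", "/bin/dash")


def sha256_file(path):
    """Return the hex SHA-256 of a file's contents, or None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None


def find_suid(root):
    """Walk `root` and return regular files with the setuid or setgid bit set
    (the same set `find / -perm -4000 -o -perm -2000` reports)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return hits


def classify(path, digest, shell_digests):
    """Label a setuid file: 'shell-copy' if its content matches a system shell,
    'unexpected-location' if it lives outside the baseline dirs, else 'baseline'."""
    if digest is not None and digest in shell_digests:
        return "shell-copy"
    if not path.startswith(EXPECTED_DIRS):
        return "unexpected-location"
    return "baseline"


def audit(root="/"):
    """Return (path, label) for every setuid/setgid file under `root`."""
    shell_digests = {d for d in map(sha256_file, SYSTEM_SHELLS) if d}
    return [(p, classify(p, sha256_file(p), shell_digests)) for p in find_suid(root)]


if __name__ == "__main__":
    for path, label in audit():
        if label != "baseline":
            print(f"{label}: {path}")
```

Running it as root after an incident like this one prints the setuid bash copy under /home as shell-copy, while the distribution's own setuid helpers stay quiet.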

Conclusion

I really enjoyed this challenge as it was different from your usual CTF, as this time the task was to trace back the steps performed by an attacker to compromise the server and use that to our advantage to hack into it ourselves.