TryHackMe: Overpass 2 — Hacked Writeup

IP = 10.10.223.88
Difficulty: Easy
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux

Brief Description

This is the 2nd part of the Overpass series, which includes packet analysis and source code analysis. Click here if you wish to read the walkthrough for the first part of this series. I hope you enjoy this kind of writeup!

Reconnaissance

Scoping and Preparation

Connect to OpenVPN Server using:

  • sudo openvpn [.ovpn_file]

Download the file provided in Task 1.

In Task 3, let's start the machine to do some recon and enumeration while we analyze the .pcap file provided in Task 1.

I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding an entry to the /etc/hosts file.

1. git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go 
2. go build .
3. sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]

Alternatively, CTFRecon-Go can be installed with go install: go install github.com/hambyhacks/CTFRecon-Go@latest

PCAP Analysis

Let's look at the .pcap file provided in Task 1.

.pcap file included in Task 1.

Opening up the file, we can see that there is an HTTP request for a page named /development.

Follow the TCP stream so we can clearly see where the HTTP request goes. To follow a TCP stream:

At TCP stream 1, there is a POST request to /development/upload.php; the uploaded file is named payload.php and its contents look like a reverse shell!

TCP stream 1

It seems the reverse shell payload was successfully uploaded.
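The upload in TCP stream 1 is exactly what a defender wants to catch in traffic or in web server logs. The script below is an added example (not part of the original writeup): it takes the raw bytes of one HTTP request, as shown by following the client side of the stream, parses the multipart/form-data body and flags any file part with a server-executable extension (double extensions such as x.php.jpg included, which goes beyond the single case in the capture) or whose content begins with a PHP open tag. SAMPLE_REQUEST is constructed to have the shape of the upload to /development/upload.php; its file body is a harmless placeholder, not the attacker's payload.

```python
"""Flag risky file uploads in a captured HTTP POST (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".jsp", ".asp", ".aspx"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Constructed sample request: same shape as the upload seen in TCP stream 1,
# but the file body is a placeholder rather than the real payload.
SAMPLE_REQUEST = (
    b"POST /development/upload.php HTTP/1.1\r\n"
    b"Host: 10.10.223.88\r\n"
    b"Content-Type: multipart/form-data; boundary=----ExampleBoundary\r\n"
    b"\r\n"
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
    b"Content-Type: application/x-php\r\n"
    b"\r\n"
    b'<?php echo "constructed placeholder"; ?>\r\n'
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n'
    b"\r\n"
    b"Upload File\r\n"
    b"------ExampleBoundary--\r\n"
)


@dataclass
class UploadFinding:
    path: str              # request target, e.g. /development/upload.php
    field_name: str        # form field the file arrived in
    filename: str
    reasons: List[str] = field(default_factory=list)


def split_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _ = request_line.decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: bytes) -> List[Tuple[str, Optional[str], bytes]]:
    """Return (field name, filename or None, content) for each multipart part."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # "--boundary--" closes the body
            break
        chunk = chunk.removeprefix(b"\r\n").removesuffix(b"\r\n")
        part_head, _, content = chunk.partition(b"\r\n\r\n")
        disposition = part_head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append((name.group(1) if name else "", fname.group(1) if fname else None, content))
    return parts


def find_risky_uploads(raw: bytes) -> List[UploadFinding]:
    method, path, headers, body = split_request(raw)
    if method != "POST":
        return []
    match = re.search(r'boundary="?([^";]+)', headers.get("content-type", ""))
    if not match:
        return []
    findings = []
    for field_name, filename, content in parse_multipart(body, match.group(1).encode("latin-1")):
        if filename is None:                   # ordinary form field, not a file
            continue
        reasons = []
        # every suffix counts, so "x.php.jpg" is caught as well as "x.php"
        suffixes = {"." + s for s in filename.lower().split(".")[1:]}
        for ext in sorted(suffixes & EXECUTABLE_EXT):
            reasons.append("server-executable extension " + ext)
        if PHP_OPEN_TAG.search(content[:64]):
            reasons.append("content begins with a PHP open tag")
        if reasons:
            findings.append(UploadFinding(path, field_name, filename, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_risky_uploads(SAMPLE_REQUEST):
        print(finding)
```

The same two checks (extension allow-list and a magic-byte sniff of the first bytes) are what upload.php itself should have enforced server-side; applying them to captured requests is the detection-side mirror of that control.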

Let's look further in the TCP streams.

TCP stream 2

The attacker then requests the uploaded reverse shell to compromise the server.

TCP stream 3.0

In the image above, we can see that the attacker successfully gained shell access to the web server as www-data. The attacker immediately upgraded the shell and read the password from the .overpass file, which (as in Overpass 1) is ROT47-encoded.

After decoding the .overpass file, the attacker immediately switched to the user james using su.
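ROT47 is worth seeing in code because it explains why the .overpass file gave up the password instantly. The following is an added example, not the writeup's own code and not the real file contents: ROT47 shifts every printable ASCII character (codes 33 to 126) by 47 places within that 94-character range, so one function both encodes and decodes and there is no key at all. The sample blob is constructed in the shape assumed here for a .overpass file (a ROT47'd JSON list of name/pass records).

```python
"""ROT47 encode/decode (added example; sample data constructed)."""
import json


def rot47(text: str) -> str:
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            # 47 is half of 94, so applying this twice returns the original
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)   # whitespace and non-ASCII pass through unchanged
    return "".join(out)


# Constructed sample in the shape assumed for a .overpass file: a ROT47'd
# JSON list of {name, pass} records. Not the real file.
SAMPLE_OVERPASS = rot47('[{"name":"System","pass":"constructed-pw"}]')


def recover_passwords(blob: str) -> dict:
    """Decode a .overpass-style blob and return {name: password}."""
    records = json.loads(rot47(blob))
    return {r["name"]: r["pass"] for r in records}


if __name__ == "__main__":
    print(rot47("Hello"))                      # w6==@
    print(rot47(rot47("Hello")))               # Hello
    print(recover_passwords(SAMPLE_OVERPASS))
```

Because the transform is keyless and self-inverse, storing a credential this way is obfuscation rather than encryption; anyone who can read the file can recover the password with the same three-line loop.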

TCP Stream 3.1.

The image above shows that james has sudo privileges on the server, which allow him to run any command as the root user.

The attacker dumped the /etc/shadow file, which contains the password hashes of the users on the machine; the prefix at the start of each hash string identifies them as SHA-512 crypt hashes.

Example:

TCP Stream 3.2.

We can test the password strength of these credentials using any password cracking tool such as hashcat or John the Ripper.
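Reading the scheme off the start of the hash string is a routine step when triaging a dumped /etc/shadow, so here is that check as an added example on constructed data (the hashes below are placeholders, not the dump from the capture). The second field announces the scheme: $6$ is sha512crypt (what the writeup saw), $5$ sha256crypt, $1$ md5crypt, $y$ yescrypt; '*' or '!' mark accounts with no usable password and an empty field means no password at all. The hashcat modes are the standard ones for those crypt schemes.

```python
"""Classify /etc/shadow entries by hash scheme (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt", "2b": "bcrypt"}
HASHCAT_MODE = {"md5crypt": 500, "sha256crypt": 7400, "sha512crypt": 1800}

# Constructed sample: the usernames mirror the machine, the hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$CONSTRUCTEDHASHCONSTRUCTEDHASHCONSTRUCTEDHASH:18000:0:99999:7:::
james:$6$rounds=5000$anothersalt$CONSTRUCTEDHASHCONSTRUCTEDHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
legacy:$1$oldsalt$CONSTRUCTEDMD5:18000:0:99999:7:::
service:!:18000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    scheme: str                   # "sha512crypt", "locked", "empty", "unknown", ...
    salt: Optional[str]
    rounds: Optional[int]         # explicit rounds= parameter, if present
    hashcat_mode: Optional[int]   # None when no offline attack applies


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: " + line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return ShadowEntry(user, "empty", None, None, None)
    if pw.startswith(("!", "*")):
        return ShadowEntry(user, "locked", None, None, None)
    parts = pw.split("$")            # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 4 or parts[0] != "":
        return ShadowEntry(user, "unknown", None, None, None)
    scheme = SCHEMES.get(parts[1], "unknown")
    rest = parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if parts[1] == "y":              # yescrypt: $y$<params>$<salt>$<hash>
        rest = rest[1:]
    salt = rest[0] if len(rest) >= 2 else None
    return ShadowEntry(user, scheme, salt, rounds, HASHCAT_MODE.get(scheme))


def audit_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(line) for line in text.splitlines() if line.strip()]


def crackable_users(text: str) -> List[str]:
    """Users whose entry holds a real hash that an offline cracker could attack."""
    return [e.user for e in audit_shadow(text) if e.hashcat_mode is not None]


if __name__ == "__main__":
    for entry in audit_shadow(SAMPLE_SHADOW):
        print(entry)
    print("crackable:", crackable_users(SAMPLE_SHADOW))
```

The crackable list is the set of accounts whose password strength actually matters after a shadow dump; locked and empty entries need a different response (the empty one being the more urgent).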

TCP Stream 3.3.

The attacker downloaded a file named ssh-backdoor using git. Let's look at the contents of that repository once we have finished analyzing the .pcap file.

TCP stream 3.4.

Using ssh-keygen, the attacker created a private key (id_rsa) for easy backdoor access. The attacker also made the backdoor file executable; the ssh-backdoor listens on port 2222.

Looking at the command used by the attacker, the backdoor is supplied with some kind of hash as an argument.

TCP stream 7.

Fast-forwarding to TCP stream 7, we can see in the image above that the attacker downloaded a file named cooctus.png.

TCP stream 8.

At TCP stream 8, the attacker defaces the website using the cooctus.png file downloaded earlier.

Let's look at the contents of the GitHub repository from which the ssh-backdoor was downloaded.

Source Code Analysis

Navigate to the GitHub repository by visiting the URL: https://github.com/NinjaJc01/ssh-backdoor

Let's look at the file main.go:

hardcoded hash in main.go.

There is a hardcoded hash in the file. Let's take note of this for later.

hardcoded salt in main.go

There is also a hardcoded salt, which the verifyPass function takes as an argument.

Now that we have the password hash and the salt, we can try to crack the password.

Password Cracking

First, identify the type of hash used by the ssh-backdoor. We can use Name That Hash and paste the hash into its text box. Since we already identified the salt in the .pcap file, we should use hashcat mode 1710.

hashcat mode for SHA512 with salt.

Using Colabcat, I managed to crack the hash with the salt found in the .pcap file and main.go. I used Colabcat because I don't have hashcat and John configured properly.

Colabcat (hashcat on Google Colab notebooks)

Table 1.1: Credentials

Credentials found using colabcat.
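Why did a single hashcat run break this? The added example below (not the backdoor's own code; its real hash and salt are not reproduced and the values here are constructed) mirrors the check that mode 1710 attacks, sha512($pass.$salt), which is the formula assumed here for verifyPass: one unkeyed, fast SHA-512 over password plus a salt that is hardcoded for everyone. Beside it is a hardened variant using scrypt with a random per-password salt and a constant-time comparison, so the same wordlist run costs far more per guess and has to be repeated per account.

```python
"""Backdoor-style password check beside a hardened one (added example, constructed values)."""
import hashlib
import hmac
import os

CONSTRUCTED_SALT = "constructed-salt"        # stands in for the hardcoded salt in main.go
CONSTRUCTED_PASSWORD = "constructed-pw"
# stands in for the hardcoded hash in main.go: hex(sha512(password + salt))
CONSTRUCTED_HASH = hashlib.sha512((CONSTRUCTED_PASSWORD + CONSTRUCTED_SALT).encode()).hexdigest()


def verify_pass_backdoor(candidate: str, stored_hex: str, salt: str) -> bool:
    """Mode-1710 shape: sha512(candidate + salt) against the stored hex digest.
    Weak because SHA-512 is fast (hundreds of millions of guesses per second on
    commodity GPUs) and the salt is shared, so one run covers every stored hash."""
    return hashlib.sha512((candidate + salt).encode()).hexdigest() == stored_hex


SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1    # about 16 MiB of memory per guess


def hash_password_hardened(password: str) -> str:
    """Random 16-byte salt plus a memory-hard KDF; returns a self-describing string."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "scrypt$%d$%s$%s" % (SCRYPT_N, salt.hex(), digest.hex())


def verify_pass_hardened(candidate: str, stored: str) -> bool:
    try:
        scheme, n, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P)
    # constant-time compare: no timing leak about how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(verify_pass_backdoor(CONSTRUCTED_PASSWORD, CONSTRUCTED_HASH, CONSTRUCTED_SALT))  # True
    stored = hash_password_hardened(CONSTRUCTED_PASSWORD)
    print(verify_pass_hardened(CONSTRUCTED_PASSWORD, stored), verify_pass_hardened("wrong", stored))
```

Two hardened hashes of the same password never match each other because the salt is drawn fresh each time; that is the property a hardcoded salt throws away, and the reason one cracked hash is never worth more than one account with a proper KDF.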

We can now look at the results of the Nmap and Gobuster scans that CTFRecon-Go ran earlier.

External Enumeration

Preliminary Enumeration via nmap

Table 1.2: nmap Results Summary

nmap result summary.

Machine OS: based on the OpenSSH version on port 22, the machine is running Ubuntu Bionic.

Let's look at the HTTP server on port 80.

Web Enumeration

We can see that the web page has been defaced by Cooctus Clan.

Knowing the credentials for james, we can now try to hack our way back in!

Exploitation

We have the credentials for james from the ssh-backdoor, so we can try to log in via SSH.

To log in via SSH:

  • ssh james@[IP] -p 2222
  • Password: november16 (see the credentials table above).

We logged in via port 2222 because that is the port on which the ssh-backdoor serves SSH.

Let's enumerate further.

Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

Linux checklist for privilege escalation.

Note: for more information about the commands, look here.

Tip: when nothing else makes sense, try LinPEAS (winPEAS for Windows machines).

Let's navigate to the home directory of james and see its contents.

.suid_bash and user.txt are the interesting files here.

Running .suid_bash gives us a shell, but notice the permissions on that file: it is owned by root and has the SUID bit set, which means it runs as root without us needing to escalate privileges. Taking the explanation from https://www.redhat.com/sysadmin/suid-sgid-sticky-bit: "A file with SUID always executes as the user who owns the file, regardless of the user passing the command."

We can try to escalate our privileges knowing that .suid_bash has the SUID bit set.
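A root-owned copy of bash with the SUID bit set is exactly the kind of file a post-incident audit should find before the next attacker does. The following is an added example, not from the writeup: classify() applies the rule to one file's path, mode and owner (so it can be tested on constructed values), and scan() walks a real tree with os.lstat. Shell-like names such as .suid_bash are rated critical; other root SUID files outside the usual system directories, or hidden under a home directory, are rated suspicious; the rest are left for review against the distribution's known SUID list.

```python
"""Audit a tree for SUID-root files, rating shell interpreters highest (added example)."""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List, Optional

SHELL_NAMES = ("bash", "sh", "dash", "zsh", "ksh", "fish")
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/snap/")


@dataclass
class SuidFinding:
    path: str
    severity: str     # "critical", "suspicious" or "review"


def looks_like_shell(name: str) -> bool:
    # ".suid_bash" -> "suid_bash", which ends with "_bash"
    stem = name.lstrip(".")
    return any(stem == s or stem.endswith(("_" + s, "-" + s, "." + s)) for s in SHELL_NAMES)


def classify(path: str, mode: int, uid: int) -> Optional[SuidFinding]:
    """Return a finding for a root-owned regular file with the SUID bit set, else None."""
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
        return None
    name = os.path.basename(path)
    if looks_like_shell(name):
        severity = "critical"
    elif name.startswith(".") or not path.startswith(STANDARD_DIRS):
        severity = "suspicious"
    else:
        severity = "review"
    return SuidFinding(path, severity)


def scan(root: str) -> List[SuidFinding]:
    """Walk root without following symlinks and classify every regular file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # unreadable or vanished entry; skip it
            finding = classify(path, st.st_mode, st.st_uid)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(f.severity, f.path)
```

Run it against /home and /tmp first, where a legitimate SUID-root binary has no business being; anything rated critical should be removed and the owning account investigated, since the file is a standing root shell for whoever can execute it.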

Privilege Escalation

Looking at bash's flags, we can use the -p flag so that .suid_bash keeps running as root (without -p, bash resets its effective user ID to the real one).

GTFOBins also lists the -p flag under privilege escalation for SUID bash.

Let's try to use it in .suid_bash:

Now we are root!

STATUS: ROOTED

The next two steps are not necessary for completing the machine, but they complete the five phases of penetration testing.

Persistence

Copied the /etc/shadow file to identify users and their password hashes.

Added another root user for easy access.
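An extra root user is also one of the easiest persistence artifacts to detect. The checks below are an added example on constructed data (not the writeup's own code): any account other than root with UID 0, any entry whose password field is not the "x" shadow marker (meaning a hash or an empty password sits in world-readable /etc/passwd), and a diff against a known-good copy of the file taken before the incident.

```python
"""Spot persistence accounts in /etc/passwd (added example, constructed data)."""
from dataclasses import dataclass
from typing import List

# Constructed sample: "extra_admin" and "nopass" are the planted entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
james:x:1000:1000:James:/home/james:/bin/bash
extra_admin:x:0:0::/root:/bin/bash
nopass::1001:1001::/home/nopass:/bin/bash
"""

# Constructed known-good baseline taken before the compromise.
BASELINE_PASSWD = "\n".join(SAMPLE_PASSWD.splitlines()[:4]) + "\n"


@dataclass
class PasswdEntry:
    user: str
    password_field: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries.append(PasswdEntry(user, pw, int(uid), int(gid), home, shell))
    return entries


def extra_root_accounts(text: str) -> List[str]:
    """Users other than 'root' with UID 0: full root without needing sudo."""
    return [e.user for e in parse_passwd(text) if e.uid == 0 and e.user != "root"]


def accounts_with_local_password(text: str) -> List[str]:
    """Entries whose password field is not the 'x' marker pointing at /etc/shadow."""
    return [e.user for e in parse_passwd(text) if e.password_field != "x"]


def new_accounts(baseline: str, current: str) -> List[str]:
    """Users present now that were absent from the known-good baseline."""
    known = {e.user for e in parse_passwd(baseline)}
    return [e.user for e in parse_passwd(current) if e.user not in known]


if __name__ == "__main__":
    print("uid 0:", extra_root_accounts(SAMPLE_PASSWD))
    print("local password field:", accounts_with_local_password(SAMPLE_PASSWD))
    print("new since baseline:", new_accounts(BASELINE_PASSWD, SAMPLE_PASSWD))
```

The baseline diff is the most reliable of the three, because an attacker can pick any UID and keep the "x" marker; it only works if the known-good copy was taken and stored off-box before the compromise.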

Clearing Tracks

Removed all logs and footprints to reduce the risk of the breach being exposed to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong in the above post. Feedback is also appreciated! :D

Donation Box

Not required but appreciated! :D

Socials

Originally published at https://hambyhacks.hashnode.dev.
