TryHackMe: Overpass 2 — Hacked Writeup
IP = 10.10.223.88*
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
This is the 2nd part of the Overpass series which includes packet analysis and source code analysis. Click here if you wish to read the walkthrough for the first part of this series. I hope you enjoy this kind of writeup!
Scoping and Preparation
Connect to OpenVPN Server using:
sudo openvpn [.ovpn_file]
Download the file provided in Task 1.
In Task 3, let's start the machine to do some recon and enumeration while we analyze the .pcap file provided in Task 1.
I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding entry to
1. git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go
2. go build .
3. sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]
Alternatively, CTFRecon-Go can be run directly if installed using:
go install github.com/hambyhacks/CTFRecon-Go@latest
Let's look at the .pcap file provided in Task 1.
Opening up the file, we can see that there is an HTTP request on a page named
Follow the TCP stream so we can clearly see where the HTTP request goes. To follow a TCP stream:
At TCP stream 1, there is a POST request on /development/upload.php, where the uploaded file is named payload.php, with content that looks like a reverse shell!
It seems the reverse shell payload was successfully uploaded.
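As an added example (not part of the original writeup), here is a small Python checker that does on a reconstructed HTTP stream what the manual "Follow TCP Stream" review does above: it parses the multipart POST to /development/upload.php and flags any uploaded part whose filename has a server-side script extension or whose body contains PHP code. The request text is constructed for the demo (the PHP body is a placeholder that only names functions, not the captured shell); the form field name fileToUpload and the boundary string are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what "Follow TCP Stream" shows for the upload request.
# The PHP body is a placeholder that only names the functions the captured shell used.
SAMPLE_STREAM = (
    b"POST /development/upload.php HTTP/1.1\r\n"
    b"Host: 10.10.223.88\r\n"
    b"Content-Type: multipart/form-data; boundary=----demo\r\n"
    b"\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
    b"Content-Type: application/x-php\r\n"
    b"\r\n"
    b"<?php // constructed stand-in: the real upload called fsockopen() and exec()\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n'
    b"\r\n"
    b"Upload\r\n"
    b"------demo--\r\n"
)

# Extensions the web server would execute, and PHP markers worth alerting on.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
PHP_MARKERS = re.compile(rb"<\?php|\b(?:fsockopen|exec|shell_exec|system|passthru|popen)\s*\(")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split one HTTP request into (method, path, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body


def parse_multipart(body: bytes, content_type: str) -> List[Tuple[str, bytes]]:
    """Return (filename, content) for every file part of a multipart/form-data body."""
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(1).strip().encode()
    files = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        if chunk.endswith(b"\r\n"):          # CRLF before the next delimiter is not content
            chunk = chunk[:-2]
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        fname = re.search(r'filename="([^"]*)"', part_head.decode(errors="replace"))
        if fname:
            files.append((fname.group(1), part_body))
    return files


def find_suspicious_uploads(raw: bytes) -> List[Dict[str, object]]:
    """Flag uploaded parts that look like server-side code, as seen in TCP stream 1."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("multipart/form-data"):
        return []
    findings = []
    for filename, content in parse_multipart(body, ctype):
        reasons = []
        if SCRIPT_EXT.search(filename):
            reasons.append("server-side script extension")
        if PHP_MARKERS.search(content):
            reasons.append("PHP code or shell function in body")
        if reasons:
            findings.append({"path": path, "filename": filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(SAMPLE_STREAM):
        print(f"upload to {f['path']}: {f['filename']} -> {', '.join(f['reasons'])}")
```

Run against real traffic, the same function can be fed each reassembled client-to-server stream exported from Wireshark; an upload endpoint that accepts a file with both findings at once is the event to alert on, and the follow-up GET for the same filename is the confirmation that it was executed.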
Let's look further in the TCP streams.
The attacker then requests the uploaded reverse shell to compromise the server.
In the image above, we can see that the attacker successfully gained shell access to the web server as www-data. The attacker immediately upgraded the shell and got the password from the .overpass file which, in Overpass 1, is a ROT47-encoded password.
The attacker also immediately switched user to James after decoding the
The image above shows that James has sudo privilege on the server, which allows him to perform any action as the root user.
The attacker dumped the /etc/shadow file, which contains the password hashes for the users on the machine. The hashes are SHA-512, as can be seen from the start of each password string.
We can test the password strength of these credentials using any password cracking tool such as
The attacker downloaded a file named
git. Let's look at the contents of that repository after we have analyzed the
Using ssh-keygen, the attacker created a private key id_rsa for easy backdoor access. The attacker also made the backdoor file executable, and the ssh-backdoor is listening on port
Looking at the command used by the attacker, the backdoor is supplied with some type of hash.
Fast forward to TCP stream 7, we can see from the image above that the attacker downloaded a file named
At TCP stream 8, the attacker decides to deface the website by using the cooctus.png file downloaded earlier.
Let's look at the contents of the GitHub repository from which the ssh-backdoor was downloaded.
Source Code Analysis
Navigate to the Github Repository by visiting the URL: https://github.com/NinjaJc01/ssh-backdoor
Let's look at the file
There is a hardcoded hash in the file. Let's take note of this for later.
Also, there is a hardcoded salt which the function verifyPass needs as an argument.
Knowing we have the password hash and salt, we can now try to crack the password.
First, identify the type of hash used in the ssh-backdoor. We can use Name That Hash and paste the hash into the textbox. Since we have the salt identified in the .pcap file, we should use
Using Colabcat, I managed to crack the hash with the salt given in the .pcap file and main.go. I used Colabcat because I don't have John configured properly.
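The cracking step above only works because the backdoor's check is a single fast hash of password and salt. As an added example, not code from the writeup or from the ssh-backdoor repository, the Python below reproduces that verifyPass pattern under the assumption that the scheme is hex(SHA-512(password + salt)), runs the kind of wordlist audit a defender would run against a recovered hash, and shows a PBKDF2 variant for comparison. The salt and hash are constructed stand-ins; the real values from main.go and the .pcap are not reproduced, only the recovered password november16 from the credentials table.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def hash_password(password: str, salt: str) -> str:
    """Assumed backdoor scheme: hex(SHA-512(password + salt)), a single fast iteration."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def verify_pass(stored_hash: str, salt: str, password: str) -> bool:
    """Mirror of a verifyPass(hash, salt, password) check, with a constant-time compare."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


# Constructed stand-ins for the hardcoded values in main.go (not the real hash or salt).
DEMO_SALT = "c0ffee1234567890"
DEMO_HASH = hash_password("november16", DEMO_SALT)


def audit_hash(stored_hash: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Wordlist audit: return the first candidate that verifies, or None.

    With one SHA-512 per guess this costs almost nothing, which is why a
    hardcoded credential like this one is recoverable from a wordlist.
    """
    for cand in candidates:
        cand = cand.rstrip("\n")          # tolerate lines read straight from a wordlist file
        if verify_pass(stored_hash, salt, cand):
            return cand
    return None


def pbkdf2_hash(password: str, iterations: int = 210_000) -> str:
    """Hardened alternative: PBKDF2-HMAC-SHA512, random per-credential salt, cost stored inline."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Verify against the self-describing format written by pbkdf2_hash."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    wordlist = ["password", "letmein", "overpass", "november16"]   # constructed mini-wordlist
    print("audit result:", audit_hash(DEMO_HASH, DEMO_SALT, wordlist))
    stored = pbkdf2_hash("november16")
    print("pbkdf2 verify:", pbkdf2_verify(stored, "november16"))
```

The same audit loop run over the PBKDF2 form costs roughly `iterations` SHA-512 computations per guess instead of one, which is the whole point of a password KDF; the hardcoded-secret-in-source problem is separate and is not fixed by any hash choice.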
Table 1.1: Credentials
We can now look at the result of our Nmap and Gobuster scan earlier from
Preliminary Enumeration via nmap
Table 1.2: nmap Results Summary
Machine OS: Based on the OpenSSH version on port 22, the machine is Ubuntu Bionic.
Let's look at the HTTP server on port 80.
We can see that the web page has been defaced by Cooctus Clan.
Knowing the credentials for james, we can now try to hack our way back in!
Since we have the credentials for the SSH-backdoor, we can try to login via ssh.
To login via ssh:
ssh james@[IP] -p 2222
- With password: november16 (see the credentials table above).
We logged in via port 2222 because it is where the
Let's enumerate further.
Table 1.3: Checklist for Linux Internal Enumeration
Notes: For more information about the commands, look here.
Let's navigate to the home directory of james and see its contents.
.suid_bash and user.txt are the interesting files here.
.suid_bash gives us a shell, but notice the permissions on that file. It is owned by root and has the SUID bit set, which means we can run it as root without escalating privileges. Taking the explanation from https://www.redhat.com/sysadmin/suid-sgid-sticky-bit:
"A file with SUID always executes as the user who owns the file, regardless of the user passing the command."
We can try to escalate our privileges knowing that .suid_bash has the SUID bit set on its permissions.
Looking at the flags for bash, we can use the -p flag so that .suid_bash runs as root.
Also from GTFOBins, we can see that the -p flag is used in privilege escalation.
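A root-owned, SUID-set copy of a shell like .suid_bash is exactly what a periodic setuid audit exists to catch. As an added example (not from the writeup), the Python below walks a directory tree, lists every regular file carrying the SUID or SGID bit, marks the root-owned ones, and reports those missing from a known-good baseline; make_demo_tree builds a constructed temp directory with a .suid_bash stand-in and a plain user.txt so the audit can be run offline.

```python
import os
import stat
import tempfile
from typing import List, NamedTuple, Set, Tuple


class SetidFile(NamedTuple):
    path: str
    uid: int
    flags: Tuple[str, ...]   # ("suid",), ("sgid",) or both
    root_owned: bool


def setid_flags(mode: int) -> Tuple[str, ...]:
    """Return which set-id bits are present in a stat mode."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("suid")
    if mode & stat.S_ISGID:
        flags.append("sgid")
    return tuple(flags)


def find_setid_files(root: str) -> List[SetidFile]:
    """Walk `root` (dotfiles such as .suid_bash included) and collect regular files with set-id bits."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)              # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = setid_flags(st.st_mode)
            if flags:
                hits.append(SetidFile(path, st.st_uid, flags, st.st_uid == 0))
    return sorted(hits)


def unexpected_setid(root: str, baseline: Set[str]) -> List[SetidFile]:
    """Set-id files not in the known-good baseline (e.g. the package manager's manifest)."""
    return [h for h in find_setid_files(root) if h.path not in baseline]


def make_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: a temp 'home' with a SUID .suid_bash stand-in and a plain user.txt."""
    home = tempfile.mkdtemp(prefix="james-")
    suid_path = os.path.join(home, ".suid_bash")
    with open(suid_path, "wb") as f:
        f.write(b"#!/bin/sh\n# stand-in for the audit demo, not a copy of bash\n")
    os.chmod(suid_path, 0o4755)                  # rwsr-xr-x
    plain = os.path.join(home, "user.txt")
    with open(plain, "w") as f:
        f.write("constructed placeholder\n")
    os.chmod(plain, 0o644)
    return home, suid_path


if __name__ == "__main__":
    home, _ = make_demo_tree()
    for hit in unexpected_setid(home, baseline=set()):
        owner = "root" if hit.root_owned else f"uid {hit.uid}"
        print(f"{hit.path}: {','.join(hit.flags)} owned by {owner}")
```

On a real host, run it as root over / with a baseline built from a clean install and treat any root-owned hit outside the baseline as a finding; in the demo tree the stand-in is owned by whoever runs the script, which is why the report prints the uid rather than "root".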
Let's try to use it in
Now we are root!
The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.
Copied the /etc/shadow file for user identification and their passwords.
Added another root user for easy access.
Removed all logs and footprints to prevent the breach being exposed to the security administrator.
Feel free to reach out if there is something wrong about the above post. Feedback is also appreciated! :D
Not required but appreciated! :D
Originally published at https://hambyhacks.hashnode.dev.