TryHackMe: Overpass 2 — Hacked Writeup

IP =* 
Difficulty: Easy
Machine OS: Linux
Learning Platform:
Finished on: Arch Linux

Brief Description

This is the 2nd part of the Overpass series, which includes packet analysis and source code analysis. Click here if you wish to read the walkthrough for the first part of this series. I hope you enjoy this kind of writeup!


Scoping and Preparation

Connect to OpenVPN Server using:

  • sudo openvpn [.ovpn_file]

Download the file provided in Task 1.

In Task 3, let's start the machine to do some recon and enumeration while we analyze the .pcap file provided in Task 1.

I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding an entry to the /etc/hosts file.

1. git clone && cd CTFRecon-Go 
2. go build .

To use CTFRecon-Go if installed using go install: go install

PCAP Analysis

Let's look at the .pcap file provided in Task 1.

Opening up the file, we can see that there is an HTTP request for a page named /development.

Follow the TCP stream so we can clearly see where the HTTP request goes. To follow a TCP stream:

At TCP stream 1, there is a POST request to /development/upload.php, where the uploaded file is named payload.php and its content looks like a reverse shell!

It seems the reverse shell payload was successfully uploaded.

Let's look further in the TCP streams.

The attacker then requests the uploaded reverse shell to compromise the server.

In the image above, we can see that the attacker successfully gained shell access to the web server as www-data. The attacker immediately upgraded the shell and retrieved the password from the .overpass file, which, as in Overpass 1, is a ROT47-encoded password.

The attacker also immediately switched to the user james with su after decoding the .overpass file.

The image above shows that james has sudo privileges on the server, which allows him to run any command as the root user.

The attacker dumped the /etc/shadow file, which contains the password hashes of the users on the machine; the prefix at the start of each hash string shows they are SHA-512 crypt hashes.


We can test the password strength of these credentials using any password cracking tool such as hashcat or John the Ripper.

The attacker downloaded a repository named ssh-backdoor using git. Let's look at the contents of that repository once we have finished analyzing the .pcap file.

Using ssh-keygen, the attacker created a private key id_rsa for easy backdoor access. The attacker also made the backdoor file executable, and the ssh-backdoor listens on port 2222.

Looking at the command used by the attacker, the backdoor is supplied with some type of hash as an argument.

Fast forward to TCP stream 7, we can see from the image above that the attacker downloaded a file named cooctus.png.

At TCP stream 8, the attacker decides to deface the website by using the cooctus.png file downloaded earlier.

Let's look at the contents of the GitHub repository from which the ssh-backdoor was downloaded.

Source Code Analysis

Navigate to the Github Repository by visiting the URL:

Let's look at the file main.go:

There is a hardcoded hash on the file. Let's take note of this for later.

Also, there is a hardcoded salt, which the function verifyPass takes as an argument.

Knowing we have the password hash and salt, we can now try to crack the password.

Password Cracking

First, identify the type of hash used in the ssh-backdoor. We can use Name That Hash and paste the hash into the textbox. Since we identified the salt in the .pcap file, we should use hashcat mode 1710.

Using Colabcat, I managed to crack the hash using the salt seen in the .pcap file and main.go. I used Colabcat because I don't have hashcat and John configured properly.
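As an added example (not code from the writeup or from the ssh-backdoor repository), the following Go program reproduces the hashing scheme described above, SHA-512 over password followed by salt, which is what hashcat mode 1710 targets; the salt is a placeholder and the hash is derived from the known password, since neither value is reproduced in this post. It shows how to confirm the salt order before choosing a mode and why a single unkeyed SHA-512 falls quickly to a wordlist.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// HashPass reproduces the scheme the writeup attributes to main.go:
// SHA-512 over the password followed by the salt, hex-encoded.
// That is hashcat mode 1710 (sha512($pass.$salt)). If main.go had
// put the salt first it would be mode 1720, so always read the source.
func HashPass(password, salt string) string {
	sum := sha512.Sum512([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// VerifyPass mirrors the backdoor's check: does the candidate,
// combined with the hardcoded salt, reproduce the hardcoded hash?
func VerifyPass(candidate, salt, storedHash string) bool {
	return HashPass(candidate, salt) == storedHash
}

// FindInWordlist returns the first word that matches, or "" if none does.
// Each guess costs one SHA-512 operation with no work factor, which is
// why this hash was recoverable from a wordlist in seconds.
func FindInWordlist(words []string, salt, storedHash string) string {
	for _, w := range words {
		if VerifyPass(w, salt, storedHash) {
			return w
		}
	}
	return ""
}

// Constructed demo values: demoSalt is a placeholder, not the salt
// from main.go; the target hash is computed here from the known password.
const demoSalt = "PLACEHOLDER_SALT"

func main() {
	target := HashPass("november16", demoSalt)
	words := []string{"password", "letmein", "overpass", "november16"}
	fmt.Println("recovered:", FindInWordlist(words, demoSalt, target))
}
```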

Table 1.1: Credentials

We can now look at the result of our Nmap and Gobuster scan earlier from CTFRecon-Go.

External Enumeration

Preliminary Enumeration via nmap

Table 1.2: nmap Results Summary

Machine OS: Based on the OpenSSH version on port 22, the machine is Ubuntu Bionic.

Let's look at the HTTP server on port 80.

Web Enumeration

We can see that the web page has been defaced by Cooctus Clan.

Knowing the credentials for james, we can now try to hack our way back in!


Since we have the credentials for james from the ssh-backdoor, we can try to log in via SSH.

To log in via SSH:

  • ssh james@[IP] -p 2222
  • Password: november16 (see the credentials table above).

We logged in on port 2222 because that is the port on which the ssh-backdoor serves SSH.

Let's enumerate further.


Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

Note: For more information about the commands, look here.

Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).

Let's navigate to the home directory of james and see its contents.

.suid_bash and user.txt are the interesting files.

Running .suid_bash gives us a shell, but notice the permissions on that file. It is owned by root and has the SUID bit set, which means it executes as root without our having to escalate privileges first. Taking the explanation from: "A file with SUID always executes as the user who owns the file, regardless of the user passing the command."

We can try to escalate our privileges knowing that .suid_bash has SUID bit set on its permissions.

Privilege Escalation

Looking at the flags for bash, we can use the -p flag to have .suid_bash run as root.

Also, from GTFOBins, we can see that the -p flag is used for privilege escalation.

Let's try to use it in .suid_bash:

Now we are root!


The next two steps are not necessary for completion of the machine, but they complete the 5 Phases of Penetration Testing.


Copied the /etc/shadow file to identify the users and their password hashes.

Added another root user for easy access.

Clearing Tracks

Removed all logs and footprints to reduce the risk of the breach being exposed to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong in the post above. Feedback is also appreciated! :D

Donation Box

Not required but appreciated! :D


Originally published at


