Try Hack Me: Overpass 2 – Hacked

The skills to be tested and needed to solve this room are: Forensics, Wireshark, Hashcat, John, Hydra, and SUID.

Analyzing the PCAP using Wireshark was a great review for me. Cracking the hash with the salt made me do extra researching on how to identify hashes and which hash-type to use to crack the them. The biggest challenge for me was the privilege escalation part. I spent close to three hours last night trying to figure out how to exploit using SUID to escalate privilege. I gave up last night and gave myself a break, then decided to tackle the challenge again today. With a fresh mind and better online researching, I stumbled across a forum that showed me how to exploit SUID and that I understood how it was done. Overpass 2 – Hacked room is awesome, it added something new again to my ctf/pentesting arsenal.

Shout-out to @NinjaJc01 for creating this room. Please visit https://tryhackme.com and create an account for free to take advantage of this great learning platform.

I was assigned an IP address of 10.10.144.62 and 10.10.10.128. If you are following this walk-through, please check your assigned IP address.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

There are 13 questions to answer to complete the room and get awarded with a badge for completion:

  • What was the URL of the page they used to upload a reverse shell?
    • /d*********t/
  • What payload did the attacker use to gain access?
    • <?p** ******** /***/*;****** /***/*;*** /***/*|/***/** ** ****|** ***.***.***.*** **** */***/**)?>
  • What password did the attacker use to privesc?
    • w********************t
  • How did the attacker establish persistence?
  • Using the fasttrack wordlist, how many of the system passwords were crackable?
    • *
  • What’s the default hash for the backdoor?
    • b*******************************************************************************************************************************3
  • What’s the hard-coded salt for the backdoor?
    • 1*******************************5
  • What was the hash that the attacker used?
    • 6*******************************************************************************************************************************d
  • Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
    • n********6
  • The attacker defaced the website. What message did they leave as a heading?
    • H***** ** **********n
  • Using the information you’ve found previously, hack your way back in!
    • No answer needed
  • What’s the user flag?
    • thm{d******************************7}
  • What’s the root flag?
    • thm{d******************************d}

Steps:

  1. Download the PCAP file:
overpass2.pcapng

2. Open WireShark and load the PCAP that was just downloaded:

Open Wireshark with sudo privilege

3. Look for a HTTP packet with POST request to see what was the page that was used to upload a reverse shell. Right-click on the HTTP packet, then click Follow, then HTTP stream:

Follow HTTP Stream
  • What was the URL of the page they used to upload a reverse shell?
Page that was used to upload the reverse shell using upload.php

4. From the same HTTP Stream, we can answer the second question.

  • What payload did the attacker used to gain access?
The payload that was used can be seen from the same HTTP stream

5. Next is to look for TCP packet with PSH, ACK flags as they are signs of more data getting transmitted, so mostly a sign of persistence for me. Right-click on the packet you think is interesting and choose Follow, and then TCP Stream:

TCP Stream with PSH, ACK flags
  • What password did the attacker use to privesc?
James’ password to do privesc

6. On the same TCP stream where we found James’ password, you can find what the attacker used for persistence.

  • How did the attacker establish persistence?
Backdoor to establish persistence

7. On the same TCP Stream, we can see the list of users through the /etc/shadow with their hashed passwords. First, put the entries you found from /etc/shadow to a file and use John the Ripper to crack the hashed passwords. Type sudo john –wordlist=/usr/share/wordlists/fasttrack.txt foundusers.txt

  • –wordlist=/usr/share/wordlists/fasttrack.txt – we were asked to use the wordlist fasttrack.txt. By using the –wordlist option, we are telling John to use a specific file instead of using its default john.lst
  • foundusers.txt – is the name I gave the file that has the list of users and hashed passwords found in /etc/shadow
List of users with hashed passwords from /etc/shadow
  • Using fasttrack wordlist, how many of the system passwords were crackable? We will have to use the -show option to display all of the cracked passwords. Type sudo john -show foundusers.txt
Answer to question 5

8. The next three questions can be answered by analyzing the script that was used for the persistent connection. Google the answer to question number 4 to see the code and answer the next questions

  • What’s the default hash for the backdoor?
The default hash visible inside the code
  • What’s the hardcoded salt for the backdoor?
Hardcoded salt visible in the script
  • What was the hash that the attacker used? We will have to go back to the PCAP file we downloaded at the beginning of this write-up and go to the same TCP stream that we analyzed to see the hash that was used in the attack:
Hash that was used in the attack

9. Now, let’s crack the hash to see what was the password so we can use it to SSH on to the victim machine.

10. First, we have to analyze which hash was used in conjunction with the hard-coded salt to retrieve our target password. There are only two hashes to choose from, and unluckily, I chose the wrong hash as my first trial and error. So, I put one of the hashes and the salt together in a $pass:$salt format. And used a hash analyzer, I was able to identify that it was using SHA512 algorithm.

  • With the knowledge that the password was hashed using SHA512 algorithm, and it was salted, and uses the $pass:$salt format, I visited hash examples to check what hash mode I have to use when using Hashcat to crack it
Hashmode 1710 is what we will use in Hashcat to crack this
  • I combined the hash that was used and the hard-coded salt into one line and saved the file as hash.txt (you can name it whatever you want)
File containing the hash and salt
  • Run Hashcat to crack the hash.txt we saved just above this line. I used a different machine with better GPU to run hashcat. Type hashcat -m 1710 -o results.txt hash.txt /usr/share/wordlists/rockyou.txt
  • -m 1710 This is to tell hashcat to crack a file that was hashed with SHA512 algorithm and in a $pass:$salt format
  • -o results.txt – is where I want the cracked hash to get redirected
  • hash.txt – is the file where the hashed and salted password are put together in one line
  • /usr/share/wordlists/rockyou.txt – we were instructed to use the rockyou wordlists to crack the hash
  • Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
Got the password
  • The attacker defaced the website. What message did they leave as a heading? Just visit the site by typing the IP address on the URL bar of a browser.

*****I stepped out for a little bit and my machine expired, so I had to start a new instance, and from now on, I will be using a new IP address of 10.10.10.128*****

11. Now, let’s SSH into the victim machine using the password that we found in question 9. Type ssh james@10.10.10.128 -p 2222

  • james – we are using the username james to authenticate through SSH
  • -p 2222 – is to specify that we want to use port 2222 and not the default port 22 for SSH. From the nmap scan result, we saw that there are 2 open SSH service, and it just makes sense that a backdoor will use a non-default port to gain access
SSH to target machine

12. Do a search for user.txt by typing find / -name user.txt 2>/dev/null

  • Have to use 2>/dev/null so we don’t get all the permission denied messages entries
Location of the user flag

13. Now type cat /home/james/user.txt to retrieve the flag

  • What’s the user flag?
User flag found!

14. I tried to do sudo -l to check if user james has any sudo permissions. It came back negative. I ran LinEnum.sh to enumerate any privilege escalation vectors that we can use to get root, and all I found was a membership of the lxd group as something to be a possible attack vector. After so much researching and trial, this was when I gave up last night and called it quits because it was actually 3 AM and I was feeling exhausted. Came back later to finish what I have started. I started to focus on the SUID set binary file named .suid_bash. I did an extensible research on this one since the lxd from LinEnum was not really working. After a lot of researching, I realized that the answer was right before my eyes, and I just missed it because I was stressing on typing what I see on my research. GTFObins would have been the answer if I wasn’t copying exactly what was on the page. I should have looked and understand the commands on GTFObins for bash SUID. Of course it wasn’t working because I was typing the commands on the example and not the binary file from the target machine.

I was typing the ./bash -p, copying the example from the screenshot above and that was the reason why it was not working, and I started looking away somewhere else for answers

15. I should have been using the binary file .suid_bash to escalate my privilege. Type ./.suid_bash -p to execute the bash file and the -p to exploit the SUID binary

Now, we are ROOT!

16. We are ROOT, but when typing pwd, we can see that we are still in /home/james directory, we have to type find / -name root.txt 2>/dev/null again to search for the root flag location

Root flag located in /root/root.txt
  • What’s the root flag?
Root flag FOUND!!!!!!!

I hope you guys learned something from this walk-through. This was another fun room coming from NinjaJc01. Please subscribe to my blog to get updates when something new is posted. Much mahalos!

Please subscribe if you want to receive updates
Answered all questions

Published by lightkunyagami

https://tryhackme.com/badge/18276

Join the Conversation

2 Comments

  1. When ever I have a feeling I have I got all that i need but I still feel stuck, I take a peek at the write-ups and most of them just steamroll you with commands not explaining anything, I appreciate how you laid out what each argument meant and why you used it, as well as you mentioning where you fumbled, esp. in this example at SUID escalation, where you copy pasted the example without realizing you had to use /.suid_bash. In conclusion, It’s enjoyable to look at a write-up and feel like i have a “study-buddy” to go through the room with rather than a show-off who bulldozes through everything.

    Like

    1. Hey, thanks a lot for the nice comment. This is the kind of comment that makes me want to keep doing this. I’ve had some mean comments (not here though) and that makes me feel discouraged, like I am not doing this to make money or something. But anyway, I have to work on ignoring some negativity, and again, I appreciate the kind words.

      Like

Leave a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: