Try Hack Me: Overpass 2 – Hacked

The skills to be tested and needed to solve this room are: Forensics, Wireshark, Hashcat, John, Hydra, and SUID.

Analyzing the PCAP using Wireshark was a great review for me. Cracking the hash with the salt made me do extra research on how to identify hashes and which hash type to use to crack them. The biggest challenge for me was the privilege escalation part. I spent close to three hours last night trying to figure out how to exploit SUID to escalate privileges. I gave up last night and gave myself a break, then decided to tackle the challenge again today. With a fresh mind and better online research, I stumbled across a forum that showed me how to exploit SUID, and I understood how it was done. The Overpass 2 – Hacked room is awesome; it added something new again to my CTF/pentesting arsenal.

Shout-out to @NinjaJc01 for creating this room. Please visit https://tryhackme.com and create an account for free to take advantage of this great learning platform.

I was assigned an IP address of 10.10.144.62 and 10.10.10.128. If you are following this walk-through, please check your assigned IP address.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

There are 13 questions to answer to complete the room and get awarded with a badge for completion:

  • What was the URL of the page they used to upload a reverse shell?
    • /d*********t/
  • What payload did the attacker use to gain access?
    • <?p** ******** /***/*;****** /***/*;*** /***/*|/***/** ** ****|** ***.***.***.*** **** */***/**)?>
  • What password did the attacker use to privesc?
    • w********************t
  • How did the attacker establish persistence?
  • Using the fasttrack wordlist, how many of the system passwords were crackable?
    • *
  • What’s the default hash for the backdoor?
    • b*******************************************************************************************************************************3
  • What’s the hard-coded salt for the backdoor?
    • 1*******************************5
  • What was the hash that the attacker used?
    • 6*******************************************************************************************************************************d
  • Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
    • n********6
  • The attacker defaced the website. What message did they leave as a heading?
    • H***** ** **********n
  • Using the information you’ve found previously, hack your way back in!
    • No answer needed
  • What’s the user flag?
    • thm{d******************************7}
  • What’s the root flag?
    • thm{d******************************d}

Steps:

1. Download the PCAP file:
overpass2.pcapng

2. Open Wireshark and load the PCAP that was just downloaded:

Open Wireshark with sudo privilege

3. Look for an HTTP packet with a POST request to see which page was used to upload the reverse shell. Right-click on the HTTP packet, then click Follow, then HTTP Stream:

Follow HTTP Stream
  • What was the URL of the page they used to upload a reverse shell?
Page that was used to upload the reverse shell using upload.php

4. From the same HTTP Stream, we can answer the second question.

  • What payload did the attacker use to gain access?
The payload that was used can be seen from the same HTTP stream
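As an added example (not part of the original write-up), the following Python script does by hand what Follow HTTP Stream shows on screen: it parses a multipart POST to an upload page, pulls out the uploaded filename and content, and flags uploads that contain PHP tags. The request bytes, host, path and file content are constructed for the example.

```python
import re

# Constructed HTTP POST modelled on a multipart file upload; host, path, field names and file content are made up.
SAMPLE_REQUEST = (
    b"POST /uploads/upload.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: multipart/form-data; boundary=----ExampleBoundary\r\n"
    b"\r\n"
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="fileToUpload"; filename="info.php"\r\n'
    b"Content-Type: application/x-php\r\n"
    b"\r\n"
    b'<?php echo "constructed sample file"; ?>\r\n'
    b"------ExampleBoundary--\r\n"
)

PHP_MARKERS = (b"<?php", b"<?=")  # server-side code in what should be a data file

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method.decode(), path.decode(), headers, body

def extract_uploads(raw):
    """Return (path, [(filename, content), ...]) for the file parts of a multipart POST."""
    method, path, headers, body = parse_request(raw)
    match = re.search(rb"boundary=([^;\s]+)", headers.get(b"content-type", b""))
    if method != "POST" or not match:
        return path, []
    boundary = b"--" + match.group(1).strip(b'"')
    uploads = []
    for part in body.split(boundary)[1:]:
        if part.startswith(b"--"):          # closing delimiter reached
            break
        part_head, _, content = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        filename = re.search(rb'filename="([^"]*)"', part_head)
        if filename:                        # only parts that carry a file
            uploads.append((filename.group(1).decode(), content.rstrip(b"\r\n")))
    return path, uploads

def flag_uploads(raw):
    # (path, filename, looks_like_php) for every uploaded file in the request
    path, uploads = extract_uploads(raw)
    return [(path, name, any(m in data for m in PHP_MARKERS)) for name, data in uploads]
```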

5. Next, look for TCP packets with the PSH, ACK flags set, as they are signs of more data being transmitted, which to me is mostly a sign of persistence. Right-click on the packet you think is interesting and choose Follow, and then TCP Stream:

TCP Stream with PSH, ACK flags
  • What password did the attacker use to privesc?
James’ password to do privesc

6. On the same TCP stream where we found James’ password, you can find what the attacker used for persistence.

  • How did the attacker establish persistence?
Backdoor to establish persistence

7. On the same TCP stream, we can see the list of users from /etc/shadow with their hashed passwords. First, put the entries you found in /etc/shadow into a file and use John the Ripper to crack the hashed passwords. Type sudo john --wordlist=/usr/share/wordlists/fasttrack.txt foundusers.txt

  • --wordlist=/usr/share/wordlists/fasttrack.txt – we were asked to use the fasttrack.txt wordlist. By using the --wordlist option, we are telling John to use a specific file instead of its default john.lst
  • foundusers.txt – is the name I gave the file that has the list of users and hashed passwords found in /etc/shadow
List of users with hashed passwords from /etc/shadow
  • Using the fasttrack wordlist, how many of the system passwords were crackable? We will have to use the --show option to display all of the cracked passwords. Type sudo john --show foundusers.txt
Answer to question 5

8. The next three questions can be answered by analyzing the script that was used for the persistent connection. Google the answer to question number 4 to see the code and answer the next questions.

  • What’s the default hash for the backdoor?
The default hash visible inside the code
  • What’s the hard-coded salt for the backdoor?
Hard-coded salt visible in the script
  • What was the hash that the attacker used? We will have to go back to the PCAP file we downloaded at the beginning of this write-up and go to the same TCP stream that we analyzed to see the hash that was used in the attack:
Hash that was used in the attack

9. Now, let’s crack the hash to recover the password so we can use it to SSH into the victim machine.

10. First, we have to analyze which hash was used in conjunction with the hard-coded salt to retrieve our target password. There are only two hashes to choose from, and unluckily, I chose the wrong hash on my first trial. So, I put one of the hashes and the salt together in the $pass:$salt format, and using a hash analyzer, I was able to identify that it was using the SHA512 algorithm.

  • With the knowledge that the password was hashed using the SHA512 algorithm, that it was salted, and that it uses the $pass:$salt format, I visited the hash examples page to check which hash mode I have to use when cracking it with Hashcat
Hashmode 1710 is what we will use in Hashcat to crack this
  • I combined the hash that was used and the hard-coded salt into one line and saved the file as hash.txt (you can name it whatever you want)
File containing the hash and salt
  • Run Hashcat to crack the hash.txt we saved just above this line. I used a different machine with a better GPU to run hashcat. Type hashcat -m 1710 -o results.txt hash.txt /usr/share/wordlists/rockyou.txt
  • -m 1710 – this tells hashcat that the file contains hashes produced with the SHA512 algorithm in the $pass:$salt format
  • -o results.txt – is where I want the cracked hash to get redirected
  • hash.txt – is the file where the hash and the salt are put together on one line
  • /usr/share/wordlists/rockyou.txt – we were instructed to use the rockyou wordlist to crack the hash
  • Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
Got the password
  • The attacker defaced the website. What message did they leave as a heading? Just visit the site by typing the IP address in the URL bar of a browser.
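The identification step above (which of two hashes, which salt order, which hashcat mode) can be checked in a few lines before spending GPU time. This added Python example, not part of the write-up, reproduces hashcat modes 1710 and 1720 with hashlib, builds the hash:salt line hash.txt expects, and reports which mode a wordlist hit corresponds to; the hash, salt and wordlist are constructed and are not the room's values.

```python
import hashlib

# Salted SHA-512 constructions and the hashcat mode that cracks each one.
# Mode numbers are from hashcat's mode list; 1710 is the mode used in this write-up.
CONSTRUCTIONS = {
    1710: lambda pw, salt: hashlib.sha512(pw + salt).hexdigest(),  # sha512($pass.$salt)
    1720: lambda pw, salt: hashlib.sha512(salt + pw).hexdigest(),  # sha512($salt.$pass)
}

def hashcat_line(hash_hex, salt):
    """Build the one-line hash:salt input that modes 1710/1720 expect in hash.txt."""
    if len(hash_hex) != 128 or set(hash_hex.lower()) - set("0123456789abcdef"):
        raise ValueError("not a 128-hex-digit SHA-512 digest")
    return f"{hash_hex}:{salt}"

def identify_and_crack(hash_hex, salt, candidates):
    """Try each candidate password under both constructions.

    Returns (hashcat_mode, password) for the first match, or None. Running this
    on a small wordlist tells you which -m value applies instead of guessing."""
    target = hash_hex.lower()
    salt_b = salt.encode()
    for pw in candidates:
        for mode, construct in CONSTRUCTIONS.items():
            if construct(pw.encode(), salt_b) == target:
                return mode, pw
    return None

# Constructed demo values: neither the room's hash, salt nor password.
DEMO_SALT = "constructedSalt42"
DEMO_PASSWORD = "summer2020"
DEMO_HASH = hashlib.sha512((DEMO_PASSWORD + DEMO_SALT).encode()).hexdigest()
DEMO_WORDLIST = ["password", "letmein", "summer2020", "qwerty"]  # stands in for rockyou.txt

if __name__ == "__main__":
    print(hashcat_line(DEMO_HASH, DEMO_SALT))
    print(identify_and_crack(DEMO_HASH, DEMO_SALT, DEMO_WORDLIST))
```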

*****I stepped out for a little bit and my machine expired, so I had to start a new instance, and from now on, I will be using a new IP address of 10.10.10.128*****

11. Now, let’s SSH into the victim machine using the password that we found in question 9. Type ssh james@10.10.10.128 -p 2222

  • james – we are using the username james to authenticate through SSH
  • -p 2222 – specifies that we want to use port 2222 and not the default SSH port 22. From the nmap scan result, we saw that there are two open SSH services, and it just makes sense that a backdoor would use a non-default port to gain access
SSH to target machine

12. Search for user.txt by typing find / -name user.txt 2>/dev/null

  • We have to use 2>/dev/null so we don’t get all the permission denied messages
Location of the user flag

13. Now type cat /home/james/user.txt to retrieve the flag.

  • What’s the user flag?
User flag found!

14. I tried sudo -l to check if user james has any sudo permissions. It came back negative. I ran LinEnum.sh to enumerate any privilege escalation vectors that we could use to get root, and all I found was membership of the lxd group as a possible attack vector. After so much researching and trial, this was when I gave up last night and called it quits because it was actually 3 AM and I was feeling exhausted. I came back later to finish what I had started. I started to focus on the SUID binary file named .suid_bash. I did extensive research on this one since the lxd vector from LinEnum was not really working. After a lot of researching, I realized that the answer was right before my eyes, and I just missed it because I was stressing on typing what I saw in my research. GTFOBins would have been the answer if I wasn’t copying exactly what was on the page. I should have looked at and understood the commands on GTFOBins for bash SUID. Of course it wasn’t working, because I was typing the commands from the example and not the binary file from the target machine.

I was typing ./bash -p, copying the example from the screenshot above, and that was the reason why it was not working, so I started looking elsewhere for answers.

15. I should have been using the binary file .suid_bash to escalate my privileges. Type ./.suid_bash -p to execute the SUID copy of bash; the -p flag starts bash in privileged mode so it keeps the effective user ID it was started with instead of dropping back to the real user.

Now, we are ROOT!
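From the defender's side, the persistence that made this step possible is a SUID copy of bash with a hidden name sitting in a home directory. As an added example (not from the write-up, LinEnum or GTFOBins), this Python script walks a directory tree, lists every regular file with the setuid or setgid bit set, and flags hidden names or files outside the usual system binary directories; the demo tree it builds is constructed.

```python
import os
import stat
import tempfile

SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

def find_setuid_files(root):
    """Return (path, mode, uid) for regular files under root with setuid or setgid set.

    lstat is used and symlinks are skipped, so a link cannot redirect the scan."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip, keep scanning
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid))
    return hits

def is_suspicious(path):
    """Heuristic: a setuid file with a hidden name, or one outside system binary dirs."""
    hidden = os.path.basename(path).startswith(".")
    in_system_dir = any(path.startswith(d) for d in SYSTEM_BIN_DIRS)
    return hidden or not in_system_dir

def build_demo_tree():
    """Create a constructed tree: one hidden setuid file and one normal file."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    hidden = os.path.join(base, ".suid_demo")
    for p in (hidden, os.path.join(base, "notes.txt")):
        with open(p, "w") as f:
            f.write("demo\n")
    os.chmod(hidden, 0o4755)   # setuid bit, like the backdoor copy of bash
    return base, hidden

if __name__ == "__main__":
    base, _ = build_demo_tree()
    for path, mode, uid in find_setuid_files(base):
        tag = "SUSPICIOUS" if is_suspicious(path) else ""
        print(f"{stat.filemode(mode)} uid={uid} {path} {tag}")
```

Pointing find_setuid_files at / and diffing its output against a known-good baseline is the same check LinEnum performs for SUID binaries, with the location heuristic added on top.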

16. We are ROOT, but when typing pwd, we can see that we are still in the /home/james directory, so we have to type find / -name root.txt 2>/dev/null again to search for the root flag location.

Root flag located in /root/root.txt
  • What’s the root flag?
Root flag FOUND!!!!!!!

I hope you guys learned something from this walk-through. This was another fun room coming from NinjaJc01. Please subscribe to my blog to get updates when something new is posted. Much mahalos!

Answered all questions

Published by lightkunyagami

https://tryhackme.com/badge/18276

2 Comments

  1. Whenever I have a feeling I have got all that I need but I still feel stuck, I take a peek at the write-ups, and most of them just steamroll you with commands without explaining anything. I appreciate how you laid out what each argument meant and why you used it, as well as you mentioning where you fumbled, esp. in this example at SUID escalation, where you copy-pasted the example without realizing you had to use /.suid_bash. In conclusion, it’s enjoyable to look at a write-up and feel like I have a “study-buddy” to go through the room with rather than a show-off who bulldozes through everything.

    1. Hey, thanks a lot for the nice comment. This is the kind of comment that makes me want to keep doing this. I’ve had some mean comments (not here though) and that makes me feel discouraged, like I am not doing this to make money or something. But anyway, I have to work on ignoring some negativity, and again, I appreciate the kind words.
