Overpass 2 - Hacked

Room Link: https://tryhackme.com/room/overpass2hacked

Forensics - Analyze the PCAP

What was the URL of the page they used to upload a reverse shell?

Wireshark

TCPDump

tcpdump -r overpass2.pcapng | grep GET

What payload did the attacker use to gain access?

Wireshark

TCPDump

tcpdump -vvv -r overpass2.pcapng | grep -i payload.php -A 5

What password did the attacker use to privesc?

I realized I can just change the stream to find this result.
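The two tcpdump one-liners above and the "change the stream" step are doing the same two things: finding HTTP request lines, and reading one TCP conversation end to end. The script below is an added example (not part of the original write-up, and not the room's own capture) that does both over a classic libpcap file: it groups TCP payloads by their four-tuple, the way Wireshark's Follow TCP Stream does, and pulls out every HTTP request line. The capture it parses is constructed in memory; the hosts 10.0.0.5 / 10.0.0.9 and the URIs are made up, and only the name payload.php comes from the write-up. It handles classic pcap only, not pcapng, so a real capture would first be converted (for instance with editcap).

```python
import struct
from collections import defaultdict

# --- constructed sample capture (not the room's overpass2.pcapng) -------------

def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def _tcp_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying payload; checksums left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, _ipv4(src), _ipv4(dst))
    eth = b"\x00" * 12 + b"\x08\x00"            # MACs zeroed, EtherType IPv4
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in a classic little-endian libpcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

# Constructed hosts and URIs; only the file name payload.php comes from the write-up.
ATTACKER, VICTIM = "10.0.0.5", "10.0.0.9"
SAMPLE_FRAMES = [
    _tcp_frame(ATTACKER, 40000, VICTIM, 80,
               b"POST /upload.php HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\n"),
    _tcp_frame(VICTIM, 80, ATTACKER, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    _tcp_frame(ATTACKER, 40002, VICTIM, 80,
               b"GET /uploads/payload.php HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\n"),
]

# --- analysis -----------------------------------------------------------------

def tcp_streams(pcap: bytes):
    """Group TCP payload bytes by (src, sport, dst, dport): one direction of a followed stream."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here, not pcapng")
    streams = defaultdict(bytes)
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                            # not TCP
        ip_hdr = frame[14:14 + ihl]
        src = ".".join(map(str, ip_hdr[12:16]))
        dst = ".".join(map(str, ip_hdr[16:20]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        if payload:
            streams[(src, sport, dst, dport)] += payload
    return dict(streams)

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")

def http_requests(streams):
    """Every HTTP request line as (src, dst, method, uri), in capture order."""
    found = []
    for (src, _sport, dst, _dport), data in streams.items():
        for line in data.split(b"\r\n"):
            if line.startswith(HTTP_METHODS):
                method, uri = line.split(b" ")[:2]
                found.append((src, dst, method.decode(), uri.decode()))
    return found

if __name__ == "__main__":
    for src, dst, method, uri in http_requests(tcp_streams(build_pcap(SAMPLE_FRAMES))):
        print(f"{src} -> {dst}  {method} {uri}")
```

Reading `tcp_streams()` output for the attacker's port pair gives the same view as following the stream in Wireshark, which is where the later questions (privesc password, shadow dump) are answered; `http_requests()` is the structured equivalent of `tcpdump ... | grep GET`.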

How did the attacker establish persistence?

Using the fasttrack wordlist, how many of the system passwords were crackable?

In the same stream as for the previous question we can see the attacker cat the shadow file. I took the results of the command, saved them to a file called dump.txt and then ran john against it.

sudo john --wordlist=/usr/share/wordlists/fasttrack.txt dump.txt

Research - Analyze the code

What's the default hash for the backdoor?

It's in the code on GitHub.

What's the hardcoded salt for the backdoor?

What was the hash that the attacker used? - go back to the PCAP for this!

Crack the hash using rockyou and a cracking tool of your choice. What's the password?

# -m 1710 is sha512($pass.$salt); hash.txt holds one line of the form hash:salt
# (the wordlist is a positional argument; -w is hashcat's workload profile, not the wordlist)
hashcat -m 1710 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1710 hash.txt --show
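Two of the questions above ("how many of the system passwords were crackable" and "crack the hash using rockyou") are password audits, and the backdoor's hardcoded salt is what makes the second one cheap. The following is an added example, not code from the write-up or from the backdoor's repository: it computes the sha512(password + salt) layout that hashcat mode 1710 consumes, checks one digest against a wordlist, and then shows why a salt that never changes is a design flaw: a single pass over the wordlist yields a lookup table that answers for every account at once, which is exactly what a per-user random salt prevents. The salt, accounts and wordlist are constructed stand-ins for the real ones.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

def backdoor_hash(password: str, salt: str) -> str:
    """sha512(password + salt) as lowercase hex: the layout hashcat mode 1710 targets."""
    return hashlib.sha512((password + salt).encode()).hexdigest()

def hashcat_1710_line(digest: str, salt: str) -> str:
    """One line of hash.txt for -m 1710: hex digest, colon, salt."""
    return f"{digest}:{salt}"

def wordlist_check(digest: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """First candidate whose sha512(candidate + salt) equals digest, else None."""
    digest = digest.lower()
    for cand in wordlist:
        cand = cand.rstrip("\r\n")
        if backdoor_hash(cand, salt) == digest:
            return cand
    return None

def audit_fixed_salt(entries: Iterable[Tuple[str, str]], salt: str,
                     wordlist: Iterable[str]) -> Dict[str, str]:
    """entries: (account, digest) pairs that all share one hardcoded salt.

    Because the salt is constant, hashing the wordlist once gives a table that
    is reused against every account; with a unique salt per account the whole
    wordlist would have to be re-hashed for each one.
    """
    table = {backdoor_hash(w.rstrip("\r\n"), salt): w.rstrip("\r\n") for w in wordlist}
    return {acct: table[d.lower()] for acct, d in entries if d.lower() in table}

# Constructed fixture: salt, accounts and a tiny stand-in for fasttrack/rockyou.
SALT = "constructed-salt"
WORDLIST = ["letmein", "password1", "Spring2020", "qwerty123"]
ENTRIES = [
    ("alice", backdoor_hash("password1", SALT)),
    ("bob", backdoor_hash("qwerty123", SALT)),
    ("carol", backdoor_hash("7e!Kq#Lm2v$Xr9z", SALT)),   # not in the wordlist
]

if __name__ == "__main__":
    print("crackable:", audit_fixed_salt(ENTRIES, SALT, WORDLIST))
    print("sample hash.txt line:", hashcat_1710_line(ENTRIES[0][1], SALT))
```

The count of keys in `audit_fixed_salt()`'s result is the answer to the "how many were crackable" style of question; the accounts it misses are the ones whose passwords are not in the list, not ones the scheme protects.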

Attack - Get back in!

The attacker defaced the website. What message did they leave as a heading?

Using the information you've found previously, hack your way back in!

The development page doesn't exist, so we can't get an initial shell the way the attacker did; instead we use the information we found in Wireshark and log in with james's credentials.

nmap -A 10.10.167.112

For some reason james's password doesn't work; it was the other password that we cracked. SSH was also running on ports 22 and 2222, but the credentials only worked for 2222. I guess it has to do with the exploit the attacker used.

ssh james@10.10.167.112 -p2222
Password: november16

ls -lah
./.suid_bash -p

There is a hidden file in james's home directory, owned by root with the SUID bit set. When we execute it we become root. The -p flag turns on bash's privileged mode, which stops it from dropping the effective UID back to the real user; without it we are still james after executing the file.
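A root-owned SUID copy of bash hidden in a user's home directory is the kind of persistence a responder should be hunting for after an incident like this one. The script below is an added example, not part of the write-up: it walks a directory tree and reports every regular file with the setuid bit, together with its owner and mode, so the results can be compared against the package-managed SUID binaries a clean system is expected to have. The fixture it builds (a temporary directory containing a hidden file named `.suid_bash`, mirroring the name in the write-up, plus a normal file) is constructed; on a real host you would point it at /home, /tmp and /var and review anything owned by uid 0.

```python
import os
import stat
import tempfile
from typing import List, Tuple

def find_suid_files(root: str) -> List[Tuple[str, int, int]]:
    """Walk root and return (path, owner_uid, permission_bits) for every
    regular file that has the setuid bit set. Symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                        # vanished or unreadable: skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits

def root_owned(hits: List[Tuple[str, int, int]]) -> List[Tuple[str, int, int]]:
    """Narrow the list to files owned by uid 0: the ones that grant root on execution."""
    return [h for h in hits if h[1] == 0]

def demo_dir() -> str:
    """Constructed fixture: a temporary 'home' holding a hidden setuid file and a
    normal file. The setuid file is owned by whoever runs this, not by root, so it
    is found by find_suid_files() but correctly filtered out by root_owned()."""
    home = tempfile.mkdtemp(prefix="suid-hunt-")
    hidden = os.path.join(home, ".suid_bash")
    with open(hidden, "wb") as fh:
        fh.write(b"#!/bin/sh\n")                  # placeholder contents
    os.chmod(hidden, 0o755 | stat.S_ISUID)
    with open(os.path.join(home, "notes.txt"), "w") as fh:
        fh.write("normal file\n")
    return home

if __name__ == "__main__":
    for path, uid, mode in find_suid_files(demo_dir()):
        print(f"{oct(mode)} uid={uid} {path}")
```

Running `find_suid_files("/")` on a live system is the Python equivalent of `find / -perm -4000 -type f`; the value of wrapping it is that the output can be diffed against a known-good baseline so that a new entry under a home directory stands out.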
