Overpass II

Try Hack Me Walkthrough

- ALi3nW3rX -

Non Spoiler Nudge

  1. Follow the entries in Wireshark
  2. Examine the GIT
  3. You CAN crack the hash
  4. Getting back in is easy
  5. Root is right in front of your face

Attack Path

  1. Wireshark
  2. Git Code
  3. Retrace Footsteps
  4. SUID

Video Walkthrough

Walkthrough

What was the URL of the page they used to upload a reverse shell?

After looking over the PCAP file we notice a few references to GET /development/, so this is where we started. Right-click one of those packets and choose Follow, then HTTP Stream or TCP Stream, to see the full request and response for that session in one view.


What payload did the attacker use to gain access?

So, we found where they were poking at the server, but now we have to find how they got in. Scroll a little further through the PCAP and you will notice a POST request to the same directory instead of a GET, meaning the attacker sent something up rather than asking for a page. Right-click and follow that stream as well: the body of the POST carries the uploaded file, and its contents are the payload.
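The triage above, looking through a followed stream for the request that carried a file, can be scripted once the stream is saved as raw bytes from Wireshark's Follow dialog. The script below is an added example, not code from the original post or from the room: it takes the client-to-server half of a followed TCP stream, splits it into HTTP requests using Content-Length, and pulls the filename and contents out of any multipart/form-data file part. The stream it runs on by default is constructed for the example; the Host value, the upload URL /development/upload.php, the form field names and the placeholder PHP body are assumptions, not values taken from the PCAP.

```python
"""Triage a followed HTTP stream for file uploads (added example, not from the post)."""
import re
import sys
from typing import Dict, List


def split_requests(stream: bytes) -> List[bytes]:
    """Split the client->server half of a TCP stream into HTTP requests.

    A request ends after its headers plus Content-Length body bytes; a request
    without Content-Length (a plain GET) has no body.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        match = re.search(rb"(?im)^content-length:[ \t]*(\d+)", stream[pos:head_end])
        body_len = int(match.group(1)) if match else 0
        end = head_end + 4 + body_len
        requests.append(stream[pos:end])
        pos = end
    return requests


def parse_request(raw: bytes) -> Dict:
    """Parse the request line, the headers (lower-cased names) and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": method.decode(), "path": path.decode(), "headers": headers, "body": body}


def requests_in(stream: bytes) -> List[Dict]:
    """All requests in the stream, in order, so GETs and POSTs can be compared."""
    return [parse_request(raw) for raw in split_requests(stream)]


def multipart_files(req: Dict) -> List[Dict]:
    """Return the file parts of a multipart/form-data POST (filename plus bytes)."""
    match = re.search(r'boundary="?([^";]+)"?', req["headers"].get("content-type", ""))
    if req["method"] != "POST" or not match:
        return []
    delimiter = b"--" + match.group(1).encode()
    files = []
    for part in req["body"].split(delimiter)[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', part_head)
        if not name:
            continue                          # an ordinary form field, not a file
        content = part_body[:-2] if part_body.endswith(b"\r\n") else part_body
        files.append({"path": req["path"], "filename": name.group(1).decode(), "content": content})
    return files


def find_uploads(stream: bytes) -> List[Dict]:
    """Every file uploaded anywhere in the stream, with the URL it was POSTed to."""
    uploads = []
    for req in requests_in(stream):
        uploads.extend(multipart_files(req))
    return uploads


# Constructed sample stream (not traffic from the room's PCAP): a GET to the
# upload page followed by a multipart POST. The Host value, upload URL, field
# names and placeholder PHP body are assumptions made for this example.
_BODY = (
    b"------WebKitFormBoundaryEXAMPLE\r\n"
    b'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
    b"Content-Type: application/x-php\r\n\r\n"
    b"<?php /* placeholder body, not the attacker's payload */ ?>\r\n"
    b"------WebKitFormBoundaryEXAMPLE\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n\r\n'
    b"Upload File\r\n"
    b"------WebKitFormBoundaryEXAMPLE--\r\n"
)
SAMPLE_STREAM = (
    b"GET /development/ HTTP/1.1\r\nHost: overpass.thm\r\n\r\n"
    b"POST /development/upload.php HTTP/1.1\r\nHost: overpass.thm\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEXAMPLE\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_BODY)
    + _BODY
)


if __name__ == "__main__":
    # python3 triage.py stream.bin  (raw client->server bytes saved from Wireshark)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for req in requests_in(data):
        print(req["method"], req["path"])
    for up in find_uploads(data):
        print(f"upload to {up['path']}: {up['filename']} ({len(up['content'])} bytes)")
        print(up["content"].decode(errors="replace"))
```

Run it against a stream saved from the Follow dialog and the request list shows the same GET-then-POST pattern the walkthrough spots by eye, with the uploaded file's name and body printed underneath; only the client-to-server direction should be saved, since server responses would confuse the Content-Length based splitting.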


What password did the attacker use to privesc?

If we keep digging through these questionable GET and POST requests we come across the stream where the payload is triggered and the attacker gets a shell on the machine. It helps to look back at the payload itself to see which IP address and port it connects back to, because the reverse shell session is the TCP stream on that port. Everything the attacker typed in that session is in cleartext, including the command they used to privesc and the password they gave it.


How did the attacker establish persistence?

This one is fairly obvious from the same shell session in the PCAP: the attacker pulls a backdoor down from a public repository. Copy and paste that web address and it brings you right to the GitHub page of the exploit.....obviously.


Using the Fasttrack wordlist, how many of the system passwords were crackable?

The attacker also dumped /etc/shadow in that same session. Copy the shadow entries out of the stream and paste them into a text file called pass.txt, then run john against it with the fasttrack wordlist as seen below. The number of entries john manages to crack is the answer.


Part 2 - Research - Analyze the Code

What's the default hash for the backdoor?

What's the hardcoded salt for the backdoor?

These two are pretty self explanatory. Open the backdoor's GitHub repo and read the source: both the default hash and the salt are hardcoded as strings in the code, so they are the next couple of answers.

What was the hash that the attacker used? - Go back to the PCAP for this!

Again, this is in the same PCAP stream we looked at before. Just follow everything starting with that GET command: when the attacker starts the backdoor they supply their own hash instead of the default, and it is visible in the shell session.


Crack the hash using rockyou and a cracking tool of your choice. What's the password?

Okay, so we used hashcat for this. Take the hash the attacker used (from the PCAP) and the hardcoded salt (from the exploit code) and paste them into a file named hash.txt as hash:salt. It should look like this:

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05

Take note that there is a colon ( : ) between the hash and the salt, with the hash first and the salt second.
Now we can use the command below to get hashcat to crack the password.

hashcat -m 1710 -o results.txt hash.txt /usr/share/wordlists/rockyou.txt
  • -m 1710 is telling hashcat that the hash type is sha512($pass.$salt): a SHA-512 of the password with the salt appended, which is how the backdoor hashes passwords. The order matters; mode 1720 is the salt-first variant and would not crack this.
  • -o results.txt is sending the output of the cracked hash to a file named results.txt
  • hash.txt is our hash and salt string in a file
  • /usr/share/wordlists/rockyou.txt is our password file that we want hashcat to use.

Once it has finished you can simply cat results.txt to get the password. hashcat writes the cracked line as hash:salt:password, so the password is the last field after the final colon. Don't miss it!
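The hashing scheme behind -m 1710 is easy to get backwards, so here is an added example (not code from the original post or from the backdoor's repository) that reimplements the check the Part 2 source reading and the hashcat mode both describe. It assumes the backdoor accepts a login when hex(SHA-512(password + salt)) equals the configured hash, builds the hash:salt line hashcat wants, runs a wordlist against the attacker's hash the same way hashcat does, and parses hashcat's results line. The demo wordlist and the password it recovers are constructed; pass a wordlist path to run it against the real hash.

```python
"""Reproduce the backdoor's password check and run a wordlist against it.

Added example for this walkthrough, not code from the original post or from
the ssh-backdoor repository. Assumes the backdoor compares the login password
as hex(SHA-512(password + salt)), the scheme hashcat mode 1710
(sha512($pass.$salt)) cracks.
"""
import hashlib
import sys
from typing import Iterable, Optional

# Values quoted in the walkthrough above: the salt hardcoded in the backdoor
# and the hash the attacker supplied.
SALT = "1c362db832f3f864c8c2fe05f2002a05"
ATTACKER_HASH = (
    "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
    "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
)


def backdoor_hash(password: str, salt: str = SALT) -> str:
    """hex(SHA-512(password || salt)), i.e. hashcat -m 1710 (sha512($pass.$salt))."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def hashcat_line(hash_hex: str, salt: str) -> str:
    """The hash.txt line hashcat expects for mode 1710: hash, a colon, then the salt."""
    return f"{hash_hex}:{salt}"


def crack(target_hex: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate the way the backdoor would; return the first match or None."""
    target = target_hex.strip().lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if backdoor_hash(candidate, salt) == target:
            return candidate
    return None


def password_from_outfile(line: str) -> str:
    """Parse a hashcat -o results line (hash:salt:password); the password is the last field.

    Split at most twice from the left so a password that itself contains ':' survives.
    """
    _hash, _salt, password = line.rstrip("\r\n").split(":", 2)
    return password


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 crack.py /usr/share/wordlists/rockyou.txt
        with open(sys.argv[1], encoding="latin-1") as wordlist:
            print(crack(ATTACKER_HASH, SALT, wordlist))
    else:
        # Constructed demo: hash a made-up password with the backdoor's salt and
        # recover it from a small made-up wordlist.
        demo = backdoor_hash("correct horse", SALT)
        print(hashcat_line(demo, SALT))
        print(crack(demo, SALT, ["password", "letmein", "correct horse"]))
```

The pure-Python loop is many orders of magnitude slower than hashcat on a GPU, so it is a check on the scheme and the file format rather than a replacement; the useful part is seeing that swapping the order of password and salt, or hashing them with a separator, gives a different digest and would never match.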


Attack and Get Back In!

The attacker defaced the website. What message did they leave as a heading?

Just browse to the site on the live box; the defaced heading is right there on the front page.

Using the information you've found previously, hack your way back in!

You might think this should be easy, lol. Simply use their backdoor and creds to get in. Well, you'd be right! However, I ran into the issue above ^: a current OpenSSH client refuses to connect with "no matching host key type found. Their offer: ssh-rsa", because ssh-rsa (SHA-1 signed) host keys are disabled by default in recent OpenSSH releases and the backdoor only offers that type. With a little bit of googling I was able to get around it by re-enabling that host key algorithm for this one connection, as seen below.

ssh -o HostKeyAlgorithms\ ssh-rsa 10.10.128.159 -p 2222

What's the user flag?

Now that we are in as james we can simply cat out user.txt to get the flag, no problem.


What's the root flag?

So, while we are in James's home folder we instantly notice something wrong or out of place. Correct! The .suid_bash file sitting in his folder. We're not going to get into all the specifics, but a long listing shows it is a copy of bash owned by root with the SUID bit set, so anyone who can execute it gets it running with root's privileges. Beautiful!!! One detail that matters: bash drops an elevated effective UID back to the real UID on startup unless it is run with -p, which is why that flag is needed.

I did try a few things before actually getting it to work and give me root. The command from GTFOBins shows ./bash -p; however, that didn't work for me.

Then I got the idea to apply the same -p flag to .suid_bash and see if it would work. You can see the results below. And yes, I had to add /home/james in front. So the whole command would be:

james@overpass-production:/home/james$ /home/james/.suid_bash -p

WE ARE ROOT!!!


References

  • GitHub - NinjaJc01/ssh-backdoor
  • Unable to negotiate with <ip address> port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
  • hashcat - cracking a salted sha256