Overpass 2 - Hacked — TryHackMe

Charchit Chauhan
5 min readSep 24, 2021

This is a walkthrough of the Overpass 2 - Hacked machine on TryHackMe. It focuses on analysing a packet capture in Wireshark to reconstruct what the attacker did, and then on breaking back into the hacked machine.

We’ll download the packet capture ‘overpass2.pcapng’ and open it in Wireshark.

We can see traffic for several protocols. We’ll filter down to the HTTP traffic by typing ‘http’ into the filter bar.

Now, think of these packets as the sequence of actions the attacker took. The first few packets show a POST request made to a particular directory/URL, which answers our first question.

Right-click on the first packet and choose Follow > TCP Stream. This shows the whole conversation in order, which makes it much easier to track the attacker’s actions in sequence.

We can switch between streams using the stream selector in the bottom right.

‘Stream 0’ shows nothing readable, only encrypted data, so let’s move on to ‘Stream 1’.

Here we can see the script/payload that was uploaded to that directory, which answers our second question.

Moving on to ‘Stream 3’, we can see the attacker upgrading to an interactive shell with python, and we also get the password the attacker used, which answers the third question.

The attacker also dumped /etc/shadow, which holds the usernames and password hashes on the machine, and then cloned a backdoor from GitHub. That GitHub URL is the answer to our fourth question.

Now copy all five hashes into a text file, fetch the ‘fasttrack’ wordlist from GitHub, and crack them with john:

john --wordlist=/home/kali/Desktop/fasttrack.txt /home/kali/Desktop/hashes.txt

John cracked 4 of the 5 hashes, which answers our fifth question.

Let’s analyse the GitHub code the attacker used. Clone or download the repository to your local machine and check ‘main.go’: it contains the backdoor’s default hash, stored as a variable, and the salt in the last line of code.

Now we need the hash the attacker actually used, so let’s go back to the PCAP file, ‘Stream 3’. At the bottom of the stream, we find the hash the attacker set.

Let’s launch ‘hashcat’ and try cracking this hash with the ‘rockyou’ wordlist, as the task suggests. Don’t forget that a salted mode needs the salt alongside the hash: each line of the hash file is written as hash:salt.

Here is how it looks after adding the salt

Use the hashcat hash-mode reference (‘hashcat --help’ lists every mode, and ‘hashcat --example-hashes’ shows the expected input format for each) to pick the right mode for a given hash type; the backdoor uses sha512($pass.$salt), which is mode 1710. Hashcat will take some time depending on the resources available on your local machine.

hashcat -m 1710 hash.txt /home/kali/Documents/rockyou.txt -O

(-m selects the hash mode, -O enables the optimized kernels.)

Only add -O if hashcat suggests it: optimized kernels are faster but cap the candidate password length, so a long password can be missed.
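To see why mode 1710 and the hash:salt line format are the right choice, here is the backdoor’s construction reproduced in Python as an added example (this is not the backdoor’s main.go, and the salt, wordlist and password below are made up for the demonstration): sha512 over password followed by salt, the hashcat input line, a small dictionary loop, and a check of which salt order a known plaintext reproduces, so you can confirm the mode before spending time on rockyou.

```python
import hashlib

# Constructed values for this example only: not the salt or hash from the backdoor's main.go.
DEMO_SALT = "5f4dcc3b5aa765d6"
DEMO_WORDLIST = ["password", "123456", "letmein", "S3cretW0rd", "qwerty"]


def backdoor_hash(password, salt):
    """sha512(password + salt) as lowercase hex: hashcat mode 1710, sha512($pass.$salt)."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def hashcat_line(digest_hex, salt):
    """The hash.txt line for a salted raw mode: the digest, a colon, then the salt."""
    return f"{digest_hex}:{salt}"


def parse_hashcat_line(line):
    """Split a hash:salt line back into its parts (salt may itself contain colons)."""
    digest, salt = line.strip().split(":", 1)
    return digest.lower(), salt


def crack(line, wordlist):
    """Dictionary attack using the same construction the backdoor uses; None if no hit."""
    digest, salt = parse_hashcat_line(line)
    for candidate in wordlist:
        if backdoor_hash(candidate, salt) == digest:
            return candidate
    return None


def guess_mode(digest_hex, salt, known_password):
    """Return 1710 if sha512($pass.$salt) reproduces the digest, 1720 if sha512($salt.$pass)
    does, else None. Run it on a hash whose plaintext you know (e.g. one you generated with
    the backdoor's own code) before committing to a long wordlist run with the wrong mode."""
    pass_salt = hashlib.sha512((known_password + salt).encode()).hexdigest()
    salt_pass = hashlib.sha512((salt + known_password).encode()).hexdigest()
    return {pass_salt: 1710, salt_pass: 1720}.get(digest_hex.lower())
```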

Moving on to our last task, let’s check what is running on port 80 by entering the machine’s IP into a web browser.

The page title answers our first question here.

Run a quick Nmap scan:

sudo nmap 10.10.247.141 -sCV -O -v

(-sC runs the default NSE scripts and -sV detects service versions, written together as -sCV; -O attempts OS detection, which needs raw sockets and hence sudo; -v gives verbose output)

The scan shows SSH running on port 2222 rather than the default 22.

Let’s SSH into the machine on port 2222 as ‘james’ (a username from the /etc/passwd dump), using the password we cracked from the salted backdoor hash with hashcat.

After getting in and looking around, we find user.txt in james’s home directory, which contains our user flag.

Listing hidden files with ‘ls -la’ shows a hidden file named ‘suid_bash’ with the SUID bit set. A SUID binary runs with its owner’s privileges rather than the caller’s, so a root-owned copy of bash with that bit set is a ready-made privilege escalation.

Let’s go to GTFOBins and look at the ‘SUID’ entry for the ‘bash’ binary. It says to run the binary with ‘-p’, so we do that with the hidden file we found in the home directory. The ‘-p’ flag matters: without it, bash notices that its effective UID differs from the real UID and drops the privileges at startup; with it, bash keeps the elevated effective UID.

It worked and we are root. root.txt in /root contains our root flag.
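A root-owned SUID copy of bash in a home directory is exactly the kind of artefact a defender should sweep for after an intrusion like this one. As an added example (not from the write-up), here is a small SUID audit in Python: it finds SUID files under a tree, the same thing as ‘find / -type f -perm -4000’, and flags those outside the directories where the system’s own SUID binaries live. The directory allow-list is an assumption to tune per distribution, and the demo fixture (a temp directory with a file named .suid_bash) is constructed for the test.

```python
import os
import stat
import tempfile

# Where root-owned SUID binaries are normally expected on a Linux host. This list is an
# assumption for the example; tune it to the distribution you are auditing.
EXPECTED_SUID_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib", "/usr/libexec", "/snap")


def find_suid(root):
    """Walk root and return [(path, owner_uid)] for every regular file with the SUID bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def suspicious(hits, expected_dirs=EXPECTED_SUID_DIRS):
    """Keep only SUID files outside the usual system directories (e.g. a copy of bash
    dropped into a home directory); those are the persistence artefacts to look at first."""
    return [(p, uid) for p, uid in hits
            if not any(p.startswith(d.rstrip("/") + "/") for d in expected_dirs)]


def demo():
    """Constructed fixture: a temp dir holding a SUID file named like the write-up's artefact
    and one ordinary file; returns the basenames the audit flags."""
    root = tempfile.mkdtemp()
    flagged, ordinary = os.path.join(root, ".suid_bash"), os.path.join(root, "notes.txt")
    for path in (flagged, ordinary):
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
    os.chmod(flagged, 0o4755)  # rwsr-xr-x: the SUID bit 'ls -la' showed on the box
    os.chmod(ordinary, 0o644)
    return [os.path.basename(p) for p, _uid in suspicious(find_suid(root))]
```

Running find_suid("/") as root and diffing the output against a clean image of the same build is the quickest way to spot additions like this one; a hit that is root-owned and outside the expected directories deserves a look at its creation time and its owner’s login history.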

That was it. Longer than usual, but that’s expected as the machines keep getting more difficult; I am trying to be as detailed as possible here.

Thank you for reading once again! :)
