Overpass 2
Last updated
Last updated
Compared to Overpass, I found this sequel to be a bit more difficult but I'd still agree that this is a beginner level room. The initial foothold is based on Packet Analysis. From there we would move to some code analysis and then privilege escalation.
So, without further ado let's begin!
For this task, we are provided a PCAP file that we can open using Wireshark and analyze the traffic. There are more than 3.8K packets that we can see have been transferred.
We can analyze these packets by going to the oldest packet first (which is the first packet itself) and then analyzing the flow.
From the flow data, we can see that a GET request for a specific URL was made immediately after the 3-way handshake that can be observed in the first 3 packet transmissions. Later, we can see a POST request was made on the same URL by sending a file named upload.php. The answer to the first question is the same directory. (Hint: /dXXXXXXXXXt)
We can see that the attacker uploaded a .php file, which suggests that using this file he might have tried to gain a remote shell from the target machine. On analyzing the packet for the POST request through which the file was uploaded, we can find the payload that was used by the attacker to gain access.
To copy this we can right-click on the payload part and select as printable text. Once formatted properly, we can submit it as the answer to the second question.
From the data in subsequent packets, we can figure out that the attacker got into the machine as www-data. On analyzing further packets we can find a packet that contains the commandsu james , which means the attacker was trying to escalate his privileges to user james level. And a few packets after that (in packet number 76), we can find the password for user james. This is the password that the attacker used for privesc and can be submitted as the answer to the third question.
In packet number 120, we can see that the attacker cloned a GitHub repository. We can go and check out that repository to see what it exactly does. And it turns out to be an SSH backdoor. This confirms that the user used this repo to get backdoor SSH access to the machine. Hence, we can submit the URL of this repo as the answer to the fourth question.
Using the fasttrack wordlist, how many of the system passwords were crackable?
While going through various packets, we can see that at one point (packet 114) the attacker viewed the/etc/shadowfile. We can usejohnalong with the fasttrack wordlist to try to crack passwords in that/etc/shadowfile.
Before running john, remove any garbage values from the copied content.
Now, we know the number of system passwords that were crackable and we can submit this number as the answer to the fifth question.
We have the SSH backdoor code in the GitHub repository which we can analyze to look for further details. After going through the code in main.go the file, we can find a stored hash value named as default hash. This value can be submitted as the answer to the first question.
What's the hardcoded salt for the backdoor?
In the code, we can see that there is a function namedverifyPass, which takes three arguments which are hash, salt and password string. At the end of the code, we can see a line where theverifyPassfunction is called and all three arguments are also passed. We can find the hardcoded salt value in those arguments themselves and submit it as the answer to the second question.
What was the hash that the attacker used? - go back to the PCAP for this!
We can see packets to and from port 4242 after the GitHub repo was cloned on the system which is usually used for remote sessions. Using this information, we can filter and view only the packets for port 4242 using the search filter tcp.port == 4242 and then analyze that traffic.
It can be seen that the attacker created an SSH key using ssh-keygen and also made the backdoor file executable. After that in packet 3479, we can see that a value was passed as an argument while calling the\backdoorfile. This passed value is the hash that is required for the answer to the third question.
Crack the hash using rockyou and a cracking tool of your choice. What's the password?
To crack the hash, the first thing that we need to do is determine the type of hashing algorithm that has been used. This can be done using hash-identifier tool.
We can use hashcat to crack the hash. But for that, we need to find the mode value that needs to be used which can be found here. We can see that the code for SHA-512 is 1700 which we can use to crack the hash but apparently this does not work. Now, if we recall then in the SSH backdoor code, there was a hardcoded salt involved. We need to add this salt value to the hash as:
Once, this new hash value is saved we can again run hashcat but this time with mode 1710 which is used for salted hashes.
This password can be submitted as the answer to the fourth question.
First, we need to deploy the machine in order to access the web page. The heading of the web page needs to be submitted as the answer to the first question.
We can run a nmap scan in order to see all the open ports on the machine.
Here, we can see that SSH is enabled on port 2222. So, we can login using the obtained credentials from this port via SSH. We know that the attacker stored the SSH key in user 'james' .ssh folder. Hence, we will use the username 'james' and the password that we obtained in the fourth question in the last task to login.
Now that we have the access to the machine we can start looking for the flags.
The user flag can be found at its usual place in the user's directory.
What's the root flag?
In the user james directory, we can see a file named.suid_bashthat is owned by root. We can to GTFOBins and look for bash with SUID. There we can see that with SUID bit set we can run bash as root using the flag -p.
And we get the root flag!
Try to determine the flow of connection when analysing packet data.
If you find traffic for specific odd ports, filter traffic for those specific ports.
Try to look for hardcoded values, comments or other hints when you have a code.