Skip to main content

TryHackMe - Overpass 2 - Walkthrough

· 3 min read
Bryan Wendt
Bryan Wendt
Security Enthusiast

This is a walkthrough for the TryHackMe room: Overpass 2. Let’s get started!

Let’s download the provided PCAP file and start taking a look.

First, we are looking for a page that had a file uploaded to it. An upload would require a POST request, so that is what we are looking for.

o1

There’s our first answer!

If we look at that request, we can view the name and contents of the uploaded file.

o2

Next we are looking for a request going to the IP found in the reverse shell.

We need to follow the requests on the proper port and from the attacker machine in order to find the password used.

o3

Continue looking through the PCAP logs in order to find the URL used for the backdoor.

o4

The last step is to find out how many passwords were crackable using the fasttrack wordlist. We can get the /etc/shadow file that the attacker printed out and crack them ourselves. Let’s copy the shadow file and use John the Ripper to crack the hashes.

john shadow.txt --wordlist=fasttrack.txt

Research – Analyze the code

Now we are going to analyze the backdoor! Let’s checkout the link.

Looking at the code, we can see the default hash at the top.

o5

And then we also find the salt:

o6

Go back to the PCAP logs and look for the hash used for the backdoor.

o7

We will use hashcat to crack it! Save the hash and salt in a file and then run it! We can find what hash-type number we need by looking in the hashcat manual.

hashcat --force -m 1710 -a 0 back_hash.txt /home/bw/PenTesting/Tools/SecLists/Passwords/Common-Credentials/rockyou.txt

NOTE: Make sure to add the hardcoded salt to the end of the hash in the format: hash:salt

o8

Attack – Get back in!

Deploy the machine and let’s continue. First, we are looking for headers on the website. Let’s visit the page and see what we can find.

o9

Then, let’s ssh into the box using the backdoor credentials we saw the attacker use previously.

ssh <machine_ip> -p 2222

Now we can find the user flag!

o10

Let’s see what is in james home directory. ls -la

We see that there is a file owned by root with the setuid bit set (user permissions: rws), Let’s execute that file.

./.suid_bash -p

Let’s find the root flag!

o11

Review

This was a good walkthrough room that covered quite a bit. Not only did it allow you to investigate pcap files, which isn’t done very much in these rooms, but also look at the code to an actual backdoor exploit. This was a fun room that was easy enough that most beginners could complete!

References

TryHackMe | Overpass 2 Room