Hello everyone, my name is John Hammond. Welcome back to the YouTube video. We're still looking at some TryHackMe, and I want to continue off of the steam of yesterday's video, where we took a look at Overpass. Now I want to showcase Overpass 2 - Hacked. This room has been out for just a few days; I think my face is in the way, but it's four days old at the time of recording. I've gone through the room already, so forgive me, the answers are kind of in the TryHackMe prompts. But hey, let's dive in.

It says Overpass has been hacked. Can you analyze the attacker's actions and hack back in? So it says here: forensics, analyze the pcap. Let's open that tab up. It says Overpass has been hacked. The SOC team (security operations center team; Paradox, congratulations on the promotion) noticed suspicious activity on a late-night shift while looking at... whatever that is. It managed to capture packets as the attack happened. Can you work out how the attacker got in and hack your way back into the Overpass production server? Although this room is a walkthrough, it expects familiarity with tools and Linux. Some good stuff. Okay.

It gives us a pcap file to download, so I will download that. Let me hop over and make a directory, YouTube/overpass2, and let's hop into that. We've downloaded that pcap already, so let's actually just make a directory pcap and let's move that Downloads/overpass in here. That is a pcapng file, or pcap next generation. I don't like to work with those because Scapy doesn't like to work with those, I think, from the last time I checked. So just for safety I tend to change that into a regular pcap. You can do that with editcap. If you don't have editcap, it's part of the wireshark-common package. I'm mistyping everything already and the video has like not even started. So if you want to install that, you can. editcap just creates overpass2.pcap on its own, without that pcapng.
Okay, so let's fire that up in Wireshark just to take a look at it: overpass2.pcap. We have a lot of seemingly HTTP packets to kind of start with, looking over on the side menu here. We have some other TCP things. But the first question is: what was the URL of the page that they used to upload a reverse shell? That looks like, checking out the first couple of packets here, they make a GET request to /development. I'll go ahead and follow that TCP stream just so I can see what they do here, and it looks like they just get the development page. Nothing else interesting in there. They do POST here, so let's check that out, to an upload page, upload, and it looks like they're sending a file, payload.php, which is peculiar, and this syntax is definitely trying to have PHP execute a shell command, which is clearly boilerplate for a regular bash reverse shell.

Okay, so that answers a couple of questions off the bat. This /development/ page is kind of the format that TryHackMe asked for, so that's what I ended up putting in. I think that original GET request is actually a redirect, right? If I see the HTTP stream, where does that bring them? Does it just put them in... yeah, yeah, okay, upload. So upload is the POST form, or like the action, that's where they upload this file. What is that? "Murie tells me this is insecure. I only learned PHP this week, so maybe just let him fix it. Something about php.ini." I like that a lot: the PHP configuration file, the php.ini file. Okay, cool. So development is that answer, and the payload the attacker used to gain access, we just saw that entire syntax in that POST request there, the PHP exec with that bash session. It said: what password did the attacker use to privesc?
So while we've seen that POST, just after that he starts to GET that uploads, and then we also see him try to GET this uploads/payload.php, which is what he just uploaded. So that's a simple GET request, but then after that we make some TCP connections, and since this is all through a kind of bare-bones, simple, netcat-like reverse shell with bash, we can see all of that in clear text. So we can see the conversation from the client and the server; the client in this case is actually the server, at least according to Wireshark here, the server being the victim, and the attacker being in blue, right? Okay. So he just checks who he is, id, he's running as www-data, then he elevates his shell to get a more stable /bin/bash and checks out .overpass. Okay, cool. And then he's able to grab the password for the james user and he changes into that user with "whenever-not-your-Tinson", whatever that is, the password that he used to privesc into james.

How did the attacker establish persistence? So we can go back to the conversation here and see the commands that he ran. Okay, he cats it out, it's that /etc/shadow. So we actually have some password hashes. That's kind of useful. Let's copy that just to have it. Let me actually just make another one here, I will call it... I guess shadow is a better name for that. Slap those in so we can save them. I don't need this other POST request, so let me close that window and we'll keep looking. Now we get git clone, GitHub, Ninja's account, and ssh-backdoor. Interesting. So he grabs that project and, packaging, moves into that, generates a key, public and private key to use, and saves it as id_rsa. Okay, and then he runs this backdoor program, seemingly that's part of that. It also has a -a, interesting thing, oddball. If you take a look at kind of the format of the answer that TryHackMe's asking you for, you'll see the :// and the notes there.
So that will indicate, okay, that GitHub link is what he was using, this utility and tool that will actually allow him to grab and make persistence with an SSH backdoor.

Using the fasttrack wordlist, how many of the system passwords were crackable? Hmm. I've not actually used the fasttrack wordlist before, so I ended up going to download it. I just kind of found it here and I simply copied and pasted all this and made a file, again in my /opt directory. So now alongside rockyou we have this /opt/fasttrack file, and that has all those passwords. So let's get started on trying to crack some of those passwords, and thankfully we saved that in shadow. So let's use John the Ripper for that. So /opt/john/run/john, and shadow is the file that we want, and we'll specify a wordlist, and we'll use that fasttrack list that they just suggested we use. Okay, so I probably still have a lot of those already present in my John list, so if I use --show, okay, yeah, this is everything that is already cracked. Where is that john.pot file? Do they store it in my home directory or like in John the Ripper's run directory? I'm just going to locate that file real quick. Sorry, hope you don't mind. john.pot, yeah, that guy. Okay, let's just nerf him so I can run that command one more time for you, and I don't need --show in that case, so it'll actually just pump out all those passwords that it was able to crack, real quick and easy. Okay, so there are four, right, there are four passwords that we were able to crack. Let's go ahead and submit that as our answer for... great.

Now, because we know this SSH backdoor, we move into a second phase here. It wants us to analyze this backdoor, so we can go ahead and clone that repository.
Let me git clone that guy, pull that down, because that's a real thing, right. If I were to hop over to GitHub, that's a legitimate project that Ninja had put together. So kudos to you. Very neat, very neat. Let's explore what's in here. We have the backdoor as a binary itself. We have a build script ("please sudo", for... okay), and we have the server if it wants to work with that. The source code is main.go; the README we just saw on GitHub. What is in that setup script? Okay, just getting all the libraries that are necessary to work with Go and creating a little ssh-keygen. Easy enough.

Let's check out that source code. Okay, so examining this regular Golang, kind of just what we looked at previously in the old Overpass room, it has a var hash as a string. What is that? Checking out the main function, we have a local port to listen on, 2222; lhost, so we're gonna listen on everything, bind all interfaces; key path, okay, our id_rsa; and just add a regular SSH banner. Looks like flaggy is that module used to actually carve out and then retrieve the command-line arguments that we passed to this program. Then we set a log prefix with SSH for logging, good; reading the private key, and it starts a simple SSH server there. Easy enough. Okay, then we verify the password. That's another function we could use, and it uses a salt. Ah, okay, so that looks like it's passed in as an argument. Same thing with hash password.
They use that, and we're looking at SHA-512 hashes, good to know. SSH handler, okay, simple SSH session, same thing with an SSH terminal. That's kind of cool that Go can just wrap around SSH as needed with those libraries. Again, makes me want to learn and be better at Go. Okay, password handler actually calls this verifyPass function. It looks like that argument, the second argument here, is going to take the place of the salt.

So going back to the TryHackMe questions, what are we looking at? The default hash is that one at the very, very top of the source code that we saw previously. The hash, excuse me, the salt, is just this line here, you can see it, that's being passed, and that's the hard-coded salt for the backdoor. And now, what was the hash the attacker used? You can go back to the pcap for this. So I still have that, and that was that weird backdoor -a that specified it. We could copy that and slap that in as the answer for number three. That you will know, specifically with kind of the options here, that flag is using hash, -a, as the argument, or the command-line parameter and tag to use for that.

Okay, the next part is interesting. It asks us to crack the hash using rockyou and a cracking tool of your choice. So rockyou being rockyou.txt, that giant dictionary wordlist, and a cracking tool of your choice. So I kind of fumbled with this. I had not previously worked with a regular SHA-512 hash with a salt that I needed to crack, right. That's just kind of... normally you get easy-cheesy stupid, like it's that /etc/shadow.
It's a /etc/passwd with things to crack, and I can run through that with John the Ripper. This time I needed to use hashcat, or I wanted to use hashcat, because I just wasn't getting it right with John the Ripper. So I went ahead and installed hashcat. That is, if you don't know, sudo apt install hashcat, and you could certainly get it from the repositories. I don't exactly know what version this hashcat one is on. hashcat, do I get a version with --version? Yeah, okay, whatever, 5.1.0. Slick.

So we have all this code, we have the hash that they used, and let me try and crack their password. Let's prepare that. I just want to get all this info, so I'm just gonna save this as, whatever, like hash, I guess. And we also know the salt, that is this guy here. So we need both of these key ingredients to be able to crack that hash, right, to actually figure out the password that was used here. I needed to learn a little bit of hashcat methods, because hashcat will do a lot of interesting and peculiar things. It can crack a lot of different hashes, but it has a lot of command-line arguments and I am not super duper smart on this, so I had to go take a look: what can I use to crack SHA-512 hashes that also include a salt? Looks like, if I keep searching for these, I see syntax where you use a pass and a salt and SHA-512. That's what it's gonna end up being; that mode, or kind of the method that it has to use with the -m argument, is 1710. I guess you could do that in reverse order if for some reason you wanted to, or other elements and things that you might need, but that's what I ended up just working with. So let's build that out. If I were to run hashcat, I specify that 1710 and I want you to supply the hash arguments there.
It also whines on my computer; I have to use --force for it to actually work with things. But it isn't able to load any hashes here because I obviously haven't provided them. So with that kind of specification, using 1710, we have the hash itself first, then a period, and then the salt to work with. So let's just grab these and slap them in. I'm going to paste in this blob here, and then I will paste in, just as well, this other hash that has that salt included. So I'll run this and: "Separator unmatched". Mmm. I kind of fumbled with this a little bit as well. I think I need to specify like some user, or a colon here. Yeah, yeah, yeah, okay, this actually already found it, so it is the colon that I have to specify, not a period, and --show already can display these. Do I have like a hashcat.pot file? Is that a thing? hashcat.pot, yeah, yeah, yeah, so let me nerf that guy. So I'll actually run and crack again, but of course I need to actually specify a wordlist, so let's use /opt/rockyou.txt as the last argument to run for hashcat. And then let's see if it will start to work through it. It looks like hashcat kind of needs a kickstart to figure everything out on my computer, and then it goes through and it says okay, I've already cracked it. So, pretty good. I think running this again, it gives me that error like, hey, we already did this, all the hashes are found in the pot file, you can use --show to display them. So I'll do that, I'll use --show and remove the wordlist, and it tells me that this hash with that salt has been cracked to the password november16. So that's it. That's the password. That was that syntax that I needed to use with hashcat: just -m specifying the mode, and the hash, or the pass, and the salt, right?
Okay, slap that in, get your points for november16. And now let's get to phase 3. Now the incident is investigated, Paradox needs someone to take control of the Overpass production server again. There's flags in the box Overpass can't afford to lose by formatting the server. So let's go ahead and deploy this machine. I guess it will take a little bit, so, my bad, I'll have to wait on that. I'll just pause the video as we get started.

Alrighty, now our machine is up, so we have an IP address. Let me just kind of sanity check and make sure I can ping that guy. Yep, I can. Okay, let's close out Wireshark because I don't think we particularly need that anymore. But it says the attacker defaced the website; what message did they leave behind as a heading? So let's go visit that in a web browser, and it says simply "Hacked by Cooctus Clan" with that adorable image of a cactus eating a cookie. Fantastic.

Now we need to get back into the server. Okay, so we know there's an SSH backdoor. We know from the source code that this is running on 2222 as a local port, and if you wanted to we could do a simple nmap. Let me make, just completely out of habit, right, let's do a simple nmap -sC -sV -oN nmap_initial on that IP address, and it'll come back and tell us that, okay, port 2222 is open. So we can connect to that, and we know that that was the james user, that that account, or that kind of hacker, was working in. So let's go ahead and ssh -p 2222 to that account, IP address, with james as the account. From what I've seen it actually doesn't matter what user you connect as; it's just checking that password. And we know the password, as we just cracked it with hashcat, is november16. All right, okay, check it out: we are on the server back as james, and we are in the directory where they stored and started this SSH backdoor. So we have the private key, we have all the code.
We have the backdoor service, we have some interesting things here, but let's go to his home directory because that's where the good stuff is: user.txt. Simply cat that out and there is that flag. We could go ahead and submit that, paste that in there, get your points. And now we need to know: what is the root flag?

Okay, so I thought, going through this, obviously we could just run like LinPEAS, we could run LinEnum, we could do whatever enumeration we want to do, but, again, immediate, quick, low-hanging fruit: will november16 work as a password for the james user? Can I log in or switch to some of the other passwords that we cracked earlier? I wasn't able to log in with any of those. Admittedly, I couldn't switch user to psi or anything. Um, so I thought, well, maybe he still has passwords in that .overpass file. So I started to look with an ls -la just to see if I could grab that .overpass file. But obviously, immediately, it should catch your eye: we have a red .suid_bash program here. It's owned by root and it's a setuid binary. So very, very likely this will be our quick route to root. Maybe the attacker just left this in here so they have a quick and easy privesc. We could just simply run like a ./.suid_bash. If I invoke it with just that, I won't get my effective user ID as root, because it's bash, right?
You need to invoke it with that -p argument so you keep your permissions and your privileges. Now when I check out id, my effective user ID is root, and you can see my prompt here with the little hashtag, pound symbol, octothorpe, that's the real scientific word, man. Check it out, I am in fact root. So we can hop on over to the root directory and we have control over this system, so we can do anything we really want to, but for the proof of that, proof is in the pudding, let's grab root.txt and submit that. Done. Great. Holy cow.

All the questions answered, all the tasks complete: analyze the pcap to kind of do some investigation and figure out what was done and how they got in, a simple reverse shell you could see kind of in clear text; same thing with, okay, analyzing the code, because we were able to just pull down the tool that the attacker used. Kind of neat, kind of cool, reverse-engineer that Go language, not that there was much to reverse engineer, we just read through the source code and made sense of it. But, uh, jumping back in and kind of seeing what the hacker left in their traces. So cool, I hope you guys enjoyed that one. I think that one was kind of fun. Overpass had a lot of really neat, interesting tricks in it, and it was kind of cool to take a different perspective, in this case to kind of analyze someone else's work and other things. But thank you guys so much for watching. I hope you enjoyed this video. If you did, please do those YouTube algorithm things, you know, I love you so much for that, like, comment, subscribe, algorithm things. Thanks for watching, everybody. I love you. I'll see you in the next video. Take care.
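Editor's note, not part of the transcript above: the salted-hash cracking step from the video (the backdoor's verifyPass logic and the hashcat -m 1710 run) as a runnable Python example. This is added here and is neither John Hammond's code nor the ssh-backdoor project's own code. It assumes what the video describes: the backdoor hex-encodes SHA-512 over the password followed by the salt, which is exactly what hashcat mode 1710, sha512($pass.$salt), computes, and the hash file line is digest, colon, salt. Mode 1720, sha512($salt.$pass), is included to show why the concatenation order matters: with the wrong mode the same wordlist silently finds nothing. The salt, the wordlist and the target digests are constructed for the example; the room's real values are not reproduced, and the function names are the author's, not the project's.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# hashcat mode numbers for the two concatenation orders of a plain salted SHA-512
MODE_PASS_SALT = 1710   # sha512($pass.$salt): password bytes first, then salt
MODE_SALT_PASS = 1720   # sha512($salt.$pass): salt bytes first, then password


def hash_password(password: str, salt: str, mode: int = MODE_PASS_SALT) -> str:
    """Hex SHA-512 of password and salt concatenated in the order the mode names.

    mode 1710 is the verifyPass/hashPassword scheme described in the video;
    mode 1720 is the reversed order, kept here only to demonstrate the mismatch.
    """
    if mode == MODE_PASS_SALT:
        data = password + salt
    elif mode == MODE_SALT_PASS:
        data = salt + password
    else:
        raise ValueError(f"unsupported mode {mode}")
    return hashlib.sha512(data.encode()).hexdigest()


def verify_pass(hash_hex: str, salt: str, password: str) -> bool:
    """Mirror of a verifyPass-style check: recompute pass.salt and compare."""
    return hash_password(password, salt, MODE_PASS_SALT) == hash_hex.lower()


def hashcat_line(hash_hex: str, salt: str) -> str:
    """One line of the hash file hashcat expects for salted modes: digest:salt.

    A period between digest and salt (the first thing tried in the video) is
    what produces the "Separator unmatched" error; the colon is the separator.
    """
    return f"{hash_hex}:{salt}"


def hashcat_command(mode: int, hashfile: str, wordlist: str) -> str:
    """The equivalent command line for the dictionary attack shown in the video."""
    return f"hashcat -m {mode} {hashfile} {wordlist}"


def crack(hash_hex: str, salt: str, wordlist: Iterable[str],
          mode: int = MODE_PASS_SALT) -> Optional[str]:
    """Dictionary attack: return the first candidate whose digest matches, else None."""
    target = hash_hex.lower()
    for line in wordlist:
        candidate = line.rstrip("\r\n")
        if hash_password(candidate, salt, mode) == target:
            return candidate
    return None


def crack_any_order(hash_hex: str, salt: str,
                    wordlist: Iterable[str]) -> Optional[Tuple[int, str]]:
    """Try both concatenation orders; report which hashcat mode would have worked."""
    words = list(wordlist)
    for mode in (MODE_PASS_SALT, MODE_SALT_PASS):
        found = crack(hash_hex, salt, words, mode)
        if found is not None:
            return mode, found
    return None


# Constructed sample data: a made-up salt and a tiny stand-in for rockyou.txt.
SAMPLE_SALT = "c0nstructed5alt"
SAMPLE_WORDLIST = ["password\n", "123456\n", "letmein\n", "november16\n", "qwerty\n"]

# Constructed targets: one hashed the way the backdoor does it (pass.salt),
# one hashed salt-first so the order mismatch can be demonstrated.
TARGET_PASS_SALT = hash_password("november16", SAMPLE_SALT, MODE_PASS_SALT)
TARGET_SALT_PASS = hash_password("november16", SAMPLE_SALT, MODE_SALT_PASS)


if __name__ == "__main__":
    print(hashcat_line(TARGET_PASS_SALT, SAMPLE_SALT))
    print(hashcat_command(MODE_PASS_SALT, "hash", "/opt/rockyou.txt"))
    print("mode 1710 on pass.salt digest:", crack(TARGET_PASS_SALT, SAMPLE_SALT, SAMPLE_WORDLIST))
    print("mode 1720 on pass.salt digest:", crack(TARGET_PASS_SALT, SAMPLE_SALT, SAMPLE_WORDLIST, MODE_SALT_PASS))
    print("auto-detect on salt.pass digest:", crack_any_order(TARGET_SALT_PASS, SAMPLE_SALT, SAMPLE_WORDLIST))
```

Running the block prints the hash-file line in digest:salt form, the matching hashcat invocation, the password recovered under mode 1710, None for the same digest under mode 1720, and the (mode, password) pair that crack_any_order reports for the salt-first digest. Reading the Go source to confirm which side of the concatenation the salt sits on is what makes the mode choice deterministic rather than a guess.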