TryHackMe Overpass 2 – How I Found a Server Backdoor with Wireshark


Backdoors are malicious pieces of software that allow attackers to access computers without authorization and bypass security measures. They can control computers remotely, steal data, and bypass safety protocols.


Challenge Overview

  • Link: https://tryhackme.com/room/overpass2hacked
  • Difficulty: Easy
  • Target: regain access to the network after a hacker changed passwords
  • Highlight: Using port forwarding to make an internal website accessible (i.e., hackable) outside the network.
  • Tools used: Wireshark, John the Ripper, Hashcat
  • Tags: backdoor, forensics

👉 Recommended Tutorial: How I Hacked a PW Manager (TryHackMe Overpass 1)

PART 1 – FORENSICS

Part one of this box can be completed by using Wireshark to analyze the PCAP (packet capture) file provided by your colleague, Paradox.

The answers to each of the questions can be found by snooping around and using Follow TCP Stream on several of the line items.

Another packet from the same IP address is also of interest:

In this stream, we uncover the username and password the attacker used, as well as the contents of the shadow file holding all users and hashed passwords on the system.

The last question requires a hash-cracking tool such as John the Ripper or hashcat. First, I copied the shadow file contents and made it into a local file on my attack box. Then I used the following command to crack the passwords:

john shadow --wordlist=/path/to/fasttrack.txt

John outputs 4 cracked passwords:

We’ll save these in our notes.txt file for later reference.
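Before handing a recovered shadow file to a cracker, it helps to triage it: which accounts actually carry a hash, which are locked, and which use a scheme weak enough to fall to a small wordlist. The following Python is an added example, not part of the original walkthrough or the room; the shadow lines are constructed placeholders, not real password hashes.

```python
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) scheme identifiers seen in the $id$ prefix of a shadow hash field.
SCHEMES = {
    "1": "md5crypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
WEAK_SCHEMES = {"md5crypt", "descrypt"}

# Constructed sample: the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$AbCd1234$placeholderhashroot:18800:0:99999:7:::
james:$6$rounds=5000$XyZ9$placeholderhashjames:18800:0:99999:7:::
daemon:*:18800:0:99999:7:::
paradox:!$6$abc$placeholderlocked:18800:0:99999:7:::
legacy:$1$ab$placeholdermd5:18800:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    status: str            # "hashed", "locked" or "empty"
    scheme: Optional[str]  # algorithm name when status == "hashed"
    salt: Optional[str]


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow record (user:hash:lastchg:min:max:warn:inact:expire:)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 2:
        raise ValueError(f"not a shadow record: {line!r}")
    user, field = parts[0], parts[1]
    if field == "":
        return ShadowEntry(user, "empty", None, None)   # passwordless login
    if field[0] in "!*":
        return ShadowEntry(user, "locked", None, None)  # disabled or locked
    if field.startswith("$"):
        pieces = field.split("$")  # ['', id, (params...), salt, hash]
        scheme = SCHEMES.get(pieces[1], f"unknown({pieces[1]})")
        # bcrypt packs salt and hash into its last piece; the other schemes keep
        # the salt as the piece just before the hash.
        salt = None if pieces[1].startswith("2") else pieces[-2]
        return ShadowEntry(user, "hashed", scheme, salt)
    # Anything else is legacy DES crypt, whose 2-character salt leads the field.
    return ShadowEntry(user, "hashed", "descrypt", field[:2])


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def crackable_users(text: str) -> List[str]:
    """Accounts with a real hash: the ones worth feeding to john or hashcat."""
    return [e.user for e in parse_shadow(text) if e.status == "hashed"]


def weak_scheme_users(text: str) -> List[str]:
    """Accounts whose hash scheme is fast enough that a wordlist attack is cheap."""
    return [e.user for e in parse_shadow(text) if e.scheme in WEAK_SCHEMES]


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(entry)
    print("crackable:", crackable_users(SAMPLE_SHADOW))
    print("weak scheme:", weak_scheme_users(SAMPLE_SHADOW))
```

Locked entries (`!` or `*` prefix) can be dropped from the cracking job outright, and the scheme and salt fields tell you in advance how expensive the job will be.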

PART 2 – RESEARCH

In part two, we will research the code of an ssh backdoor program used by the hacker.

In Wireshark, we found a link to a GitHub repo of a key generator. Looking through the code, we see that this hashing scheme uses SHA-512 together with a salt. The salt is actually hard-coded into the ssh_backdoor program.

We can crack the hash used by the hacker using hashcat. Issuing a hashcat -h command allows us to read a chart of available hash types. In my notes.txt file, I’ve noted all the relevant information we need to crack the hash.

After locating the mode number for salted SHA-512 in hashcat's help output, we can use the following command to crack the hash:

hashcat -m 1720 hash -o cracked /usr/share/wordlists/rockyou.txt

My first attempt failed because my hash wasn’t formatted correctly. After replacing the salt:hash with salt.hash, it worked.
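The hashcat mode number and the input-line format both depend on how the backdoor combines the salt and the password, which is exactly what reading its source tells you. The following Python is an added example, not code from the walkthrough or from the backdoor project: it reproduces a salted SHA-512 scheme for both possible salt placements, matches candidates against a target, and prints the matching hashcat mode. The salt, wordlist and target digests are constructed in the file.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed values: this is not the backdoor's real salt, and the target
# digests further down are derived from it here, not taken from the room.
SALT = "constructed_salt_value"
WORDLIST = ["letmein", "password1", "summer2020", "correcthorse"]


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def salted_digests(password: str, salt: str) -> dict:
    """Digest for each salt placement; each maps to a different hashcat mode."""
    p, s = password.encode(), salt.encode()
    return {
        "pass.salt": sha512_hex(p + s),  # hashcat -m 1710: sha512($pass.$salt)
        "salt.pass": sha512_hex(s + p),  # hashcat -m 1720: sha512($salt.$pass)
    }


def find_password(target_hash: str, salt: str,
                  wordlist: List[str]) -> Optional[Tuple[str, str]]:
    """Return (password, placement) for the first candidate that reproduces the hash."""
    target = target_hash.strip().lower()
    for word in wordlist:
        for placement, digest in salted_digests(word, salt).items():
            if digest == target:
                return word, placement
    return None


def hashcat_mode(placement: str) -> int:
    return {"pass.salt": 1710, "salt.pass": 1720}[placement]


def hashcat_line(target_hash: str, salt: str) -> str:
    """Input line for hashcat's salted raw-hash modes is HASH:SALT."""
    return f"{target_hash}:{salt}"


# Constructed targets, one per placement, so both branches can be exercised.
TARGET_PASS_SALT = sha512_hex(b"summer2020" + SALT.encode())
TARGET_SALT_PASS = sha512_hex(SALT.encode() + b"correcthorse")

if __name__ == "__main__":
    for target in (TARGET_PASS_SALT, TARGET_SALT_PASS):
        hit = find_password(target, SALT, WORDLIST)
        if hit is None:
            print("no match in wordlist")
            continue
        password, placement = hit
        print(f"{password!r} matches as {placement}: "
              f"hashcat -m {hashcat_mode(placement)} on '{hashcat_line(target, SALT)}'")
```

A quick check like this against one known password is also a cheap way to confirm that the mode number and line format you plan to give hashcat actually correspond to the scheme in the code before you spend GPU time on a full wordlist.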

Now that we have the ssh key, passcode, and username, we can log in as the user james. We’ll use port 2222 because we are looking for a backdoor service, and this is the obvious non-standard ssh port.

PART 3 – PRIVILEGE ESCALATION

Now that we are successfully in user James’ account via ssh, we can search for a backdoor.

I peeked at the hint and remembered never to forget to search for all files (including hidden files) with an “ls -la” command.

Right away, we can spot a curious-looking hidden file: “.suid_bash”. The file permissions read as “-rwsr-sr-x”, with the “s” in the owner and group execute positions indicating that the file has the SUID and SGID bits set.

We can probably assume that this is the backdoor left by the hacker.

To test our assumption, let’s run the program with bash’s -p (privileged mode) flag, so it keeps the effective UID granted by the setuid bit instead of dropping it:

./.suid_bash -p

And it works. We can now cat out the root.txt file:
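The same file-permission reasoning can be automated, which is how a defender would sweep a host for this kind of backdoor rather than eyeballing an `ls -la`. The following Python is an added example, not part of the walkthrough: it decodes the special bits from `ls -la` mode strings and, separately, walks a directory tree with `os.lstat` to list regular files carrying setuid or setgid (the same result `find -perm /6000 -type f` gives). The `ls -la` listing is constructed; its `.suid_bash` line mirrors the permission string quoted above.

```python
import os
import stat
from typing import Dict, List, Tuple

# Constructed `ls -la` output; only the .suid_bash mode string comes from the
# walkthrough, the rest is filler to give the parser something to skip.
SAMPLE_LS = """\
total 40
drwxr-xr-x 5 james james    4096 Jul 22 00:00 .
-rw-r--r-- 1 james james     220 Jul 22 00:00 .bash_logout
-rwsr-sr-x 1 root  root  1113504 Jul 22 00:00 .suid_bash
-rw------- 1 james james     807 Jul 22 00:00 .bash_history
-rwxr-xr-x 1 james james     512 Jul 22 00:00 notes.sh
"""


def special_bits(mode_str: str) -> Tuple[bool, bool, bool]:
    """Decode (setuid, setgid, sticky) from a 10-character ls mode string.

    An 's' or 'S' in the owner-execute slot means setuid, in the group-execute
    slot setgid; 't'/'T' in the other-execute slot is the sticky bit.
    """
    if len(mode_str) != 10:
        raise ValueError(f"not an ls mode string: {mode_str!r}")
    return mode_str[3] in "sS", mode_str[6] in "sS", mode_str[9] in "tT"


def suspicious_from_ls(listing: str) -> List[Dict[str, object]]:
    """Flag regular files in `ls -la` output that carry setuid or setgid."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 8)  # mode links owner group size mon day time name
        if len(fields) < 9 or fields[0][0] != "-":
            continue  # "total" line, directories, links: not what we are after
        mode, owner, name = fields[0], fields[2], fields[8]
        setuid, setgid, _ = special_bits(mode)
        if setuid or setgid:
            findings.append({
                "name": name,
                "owner": owner,
                "setuid": setuid,
                "setgid": setgid,
                "root_owned": owner == "root",  # root-owned setuid is the dangerous case
            })
    return findings


def scan_tree(root: str) -> List[str]:
    """Walk a tree and return regular files with setuid or setgid set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for finding in suspicious_from_ls(SAMPLE_LS):
        print(finding)
    # On a live host, compare the result against the distribution's known
    # setuid binaries; anything outside /usr/bin, /usr/sbin and friends,
    # especially a root-owned shell copy in a home directory, deserves a look.
    print(scan_tree(os.path.expanduser("~")))
```

In practice you would run `scan_tree` over the whole filesystem and diff the output against a package-manager baseline; a root-owned setuid bash in a user's home directory stands out immediately.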

Keep Hacking!

Feel free to keep learning and improving your hacking skills with this tutorial on the Finxter blog:

👉 Recommended Tutorial: TryHackMe Alfred – How I Solved The Challenge [+Video]

Also, you may want to check out the Overpass 3 tutorial of the TryHackMe challenge.