Backdoors are malicious pieces of software that allow attackers to access computers without authorization and bypass security measures. They can control computers remotely, steal data, and bypass safety protocols.
Challenge Overview

- Link: https://tryhackme.com/room/overpass2hacked
- Difficulty: Easy
- Target: regain access to the network after a hacker changed passwords
- Highlight: Using port forwarding to make an internal website accessible (i.e., hackable) outside the network.
- Tools used: Wireshark, John the Ripper, Hashcat
- Tags: backdoor, forensics
Recommended Tutorial: How I Hacked a PW Manager (TryHackMe Overpass 1)
PART 1 – FORENSICS

Part one of this box can be completed by using Wireshark to analyze the PCAP (packet capture) file provided by your colleague, Paradox.
The answers to each of the questions can be found by snooping around and using Follow TCP Stream on several of the line items.

Another packet from the same IP address is also of interest:

In this stream, we uncover the username and password the attacker used, as well as the contents of the shadow file holding all users and hashed passwords on the system.

The last question requires using a hash cracking tool like hashcat. First, I copied the shadow file contents and made it into a local file on my attack box. Then I used the following command to crack the passwords:
john shadow --wordlist=/path/to/fasttrack.txt

John outputs 4 cracked passwords:

We'll save these in our notes.txt file for later reference.
PART 2 – RESEARCH

In part two, we will research the code of an ssh backdoor program used by the hacker.
In Wireshark, we found a link to a GitHub repo of a key generator. Looking through the code, we see that this hashing scheme uses sha512 and also has a salt. The salt is actually hard-coded into the ssh_backdoor program.

We can crack the hash used by the hacker using hashcat. Issuing a hashcat -h command lets us read a chart of available hash types. In my notes.txt file, I've noted all the relevant information we need to crack the hash.

After locating the mode number for salted sha512 in the hashcat help output, we can use the following command to crack the hash:
hashcat -m 1720 hash -o cracked /usr/share/wordlists/rockyou.txt

My first attempt failed because my hash wasn't formatted correctly. After replacing the salt:hash with salt.hash, it worked.
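To make the hashing scheme concrete, here is an added example (not code from the room or the backdoor's repo) that reimplements sha512 with a prepended salt, the construction hashcat's mode 1720 targets, builds the hash:salt record format its salted raw modes expect, and contrasts the backdoor's single hard-coded salt with a random per-user salt. The salt string is a constructed placeholder; the page does not reproduce the real one.

```python
import hashlib
import secrets

# Constructed placeholder: the real hard-coded salt is not reproduced on the page.
HARDCODED_SALT = "placeholder-salt-not-from-the-room"


def salted_sha512(password: str, salt: str) -> str:
    """sha512($salt.$pass), the construction hashcat labels mode 1720.

    Order matters: sha512($pass.$salt) is a different mode (1710), and a digest
    fed to the wrong mode never matches, just like a mis-formatted salt.
    """
    return hashlib.sha512((salt + password).encode()).hexdigest()


def hashcat_line(digest_hex: str, salt: str) -> str:
    """Salted raw-hash modes read one 'hash:salt' record per line."""
    return f"{digest_hex}:{salt}"


def verify(stored_line: str, candidate: str) -> bool:
    """Check a candidate password against a stored 'hash:salt' record."""
    digest_hex, salt = stored_line.rsplit(":", 1)
    return secrets.compare_digest(salted_sha512(candidate, salt), digest_hex)


def hash_with_fresh_salt(password: str) -> str:
    """Defender-side contrast: a random per-user salt stored beside the hash."""
    salt = secrets.token_hex(16)
    return hashcat_line(salted_sha512(password, salt), salt)


def shared_salt_collides(pw_a: str, pw_b: str) -> bool:
    """With one hard-coded salt, equal passwords give equal digests on every
    account, so the scheme behaves like an unsalted hash: one wordlist pass
    covers all users at once."""
    return salted_sha512(pw_a, HARDCODED_SALT) == salted_sha512(pw_b, HARDCODED_SALT)


def fresh_salt_collides(pw_a: str, pw_b: str) -> bool:
    """With per-user random salts, equal passwords no longer give equal digests,
    so each account has to be attacked separately."""
    digest_a = hash_with_fresh_salt(pw_a).split(":")[0]
    digest_b = hash_with_fresh_salt(pw_b).split(":")[0]
    return digest_a == digest_b
```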
Now that we have the ssh key, passcode, and username, we can log in as user james. We'll use port 2222 because we are looking for a backdoor service, and this is the obvious non-standard ssh port.

PART 3 – PRIVILEGE ESCALATION

Now that we are successfully in user James' account via ssh, we can search for a backdoor.
I peeked at the hint and remembered never to forget to search for all files (including hidden files) with an 'ls -la' command.
Right away, we can spot a curious-looking hidden file: '.suid_bash'. The file permissions read as '-rwsr-sr-x', with the 's' indicating that the file has SUID permissions.
We can probably assume that this is the backdoor left by the hacker.
To test our assumption, let's try running the program in privileged mode (-p), which keeps bash from dropping the effective UID granted by the SUID bit:
./.suid_bash -p
And it works. We can now cat out the root.txt file:

Keep Hacking!

Feel free to keep learning and improving your hacking skills with this tutorial on the Finxter blog:
Recommended Tutorial: TryHackMe Alfred - How I Solved The Challenge [+Video]
Also, you may want to check out the Overpass 3 tutorial of the TryHackMe challenge.

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.