Backdoors are malicious pieces of software that give an attacker unauthorized access to a computer while bypassing its normal security controls. Once installed, a backdoor lets the attacker control the machine remotely, steal data, and come back later without having to re-exploit the original vulnerability.
- Link: https://tryhackme.com/room/overpass2hacked
- Difficulty: Easy
- Target: regain access to the network after a hacker changed passwords
- Highlight: Using port forwarding to make an internal website accessible (i.e., hackable) outside the network.
- Tools used: Wireshark, John the Ripper, Hashcat
- Tags: backdoor, forensics
👉 Recommended Tutorial: How I Hacked a PW Manager (TryHackMe Overpass 1)
PART 1 – FORENSICS
Part one of this box can be completed with Wireshark, analyzing the PCAP (packet capture) file provided by your colleague, Paradox.
The answers to each of the questions can be found by snooping around the capture: right-click a packet and choose Follow > TCP Stream on several of the line items to see the whole conversation reassembled (the display filter tcp.stream eq N jumps straight back to a stream you've already identified).
Another packet from the same IP address is also of interest:
In this stream, we uncover the username and password the attacker used, as well as the contents of the shadow file, which holds the password hash for every account on the system.
The last question requires a hash-cracking tool such as John the Ripper, which reads shadow-style lines directly and auto-detects the sha512crypt ($6$) format. First, I copied the shadow file contents out of the stream into a local file on my attack box. Then I used the following command to crack the passwords against the fasttrack wordlist:
john --wordlist=/path/to/fasttrack.txt shadow
John outputs 4 cracked passwords, which we'll save in our notes.txt file for later reference.
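As an added example (not part of the original post), here is a small POSIX shell triage of a shadow dump that decides which lines are worth feeding to John and which format/mode they need. The sample lines and hash bodies are constructed placeholders, not data from the room.

```sh
#!/bin/sh
# Added example, not code from the original post: triage an /etc/shadow dump
# pulled out of a TCP stream before handing it to john or hashcat. Field 2 of
# each line is the password field: "*", "!" or "!!" mean a locked account with
# nothing to crack, an empty field means no password, and "$id$salt$hash" (or
# "$id$rounds=N$salt$hash") is a crypt(3) hash whose id selects the john
# format / hashcat mode. A "!" directly in front of a hash means the account
# was locked with passwd -l; the hash behind it is still crackable.

# Map a crypt(3) id to "<john format> <hashcat mode>".
crypt_algo() {
    case "$1" in
        1)        echo "md5crypt 500" ;;
        5)        echo "sha256crypt 7400" ;;
        6)        echo "sha512crypt 1800" ;;
        2a|2b|2y) echo "bcrypt 3200" ;;
        y)        echo "yescrypt -" ;;      # john handles it; hashcat has no mode
        *)        echo "unknown -" ;;
    esac
}

# Read shadow lines on stdin; print "<user> <state> [<algo> <mode>]" per line.
shadow_triage() {
    while IFS=: read -r user pw _rest; do
        case "$pw" in
            "")   echo "$user NO_PASSWORD" ;;
            '!$'*)
                id=$(printf '%s' "${pw#?}" | cut -d'$' -f2)   # strip the "!"
                echo "$user LOCKED_WITH_HASH $(crypt_algo "$id")"
                ;;
            '*'*|'!'*) echo "$user LOCKED" ;;
            '$'*)
                id=$(printf '%s' "$pw" | cut -d'$' -f2)
                echo "$user HASH $(crypt_algo "$id")"
                ;;
            *)    echo "$user HASH unknown -" ;;   # legacy DES or similar
        esac
    done
}

# Keep only crackable "user:hash" lines, which is exactly what john wants.
shadow_crackable() {
    while IFS=: read -r user pw _rest; do
        case "$pw" in
            '!$'*) printf '%s:%s\n' "$user" "${pw#?}" ;;
            '$'*)  printf '%s:%s\n' "$user" "$pw" ;;
        esac
    done
}

# Constructed sample dump (hash bodies are placeholders, not real digests).
sample_shadow() {
    cat <<'EOF'
root:$6$KwzN4Q1c$placeholderHashBody:18462:0:99999:7:::
james:$6$rounds=5000$p9Tq2L$placeholderHashBody:18462:0:99999:7:::
daemon:*:18462:0:99999:7:::
guest::18462:0:99999:7:::
bee:!$1$locked$placeholderHashBody:18462:0:99999:7:::
EOF
}

sample_shadow | shadow_triage
```

On a real dump, pipe the file through shadow_crackable into hashes.txt and run john --wordlist=/path/to/fasttrack.txt hashes.txt; john --show hashes.txt redisplays the cracked pairs later without re-running the attack.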
PART 2 – RESEARCH
In part two, we will research the code of an ssh backdoor program used by the hacker.
In Wireshark, we found a link to the GitHub repo of the SSH backdoor. Looking through the code, we see that it does not encrypt the password at all: it hashes the password together with a salt using SHA-512 and compares the hex digest against the expected hash. The salt is actually hard-coded into the
We can crack the hash used by the hacker using hashcat. Issuing a hashcat -h command lists the available hash types with their mode numbers. In my notes.txt file, I've noted all the relevant information we need to crack the hash: the hash itself, the salt, and the way the code combines the two.
hashcat's help output lists two salted raw SHA-512 modes that look alike: 1710 is sha512($pass.$salt) and 1720 is sha512($salt.$pass). The backdoor's code concatenates the password first and the salt second, so 1710 is the one that matches; with the wrong order hashcat exhausts the wordlist without a hit even when the password is in it. We can use the following command to crack the hash (crack, not decrypt: a hash cannot be reversed, only matched):
hashcat -m 1710 hash -o cracked /usr/share/wordlists/rockyou.txt
My first attempt failed because my hash file wasn't formatted correctly: for these modes hashcat expects each line as hash:salt, that is the hex digest, a colon, then the salt, with no spaces. After fixing the file, it worked.
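To see why the mode number has to match the concatenation order, here is an added example (mine, not the post's or the backdoor author's code) that reproduces the backdoor's check with coreutils: hex(sha512(password + salt)), a tiny dictionary attack against it, and the same password hashed salt-first for contrast. The salt, password and wordlist are constructed for the demo, not the values from the room.

```sh
#!/bin/sh
# Added example, not code from the original post or from the backdoor's author:
# reproduce the backdoor's password check with sha512sum so the hashcat mode can
# be sanity-checked before burning GPU time. Scheme: hex(sha512(password + salt)),
# which is hashcat mode 1710, sha512($pass.$salt).

# hex(sha512(password + salt)): the backdoor's order (hashcat -m 1710)
hash_pass_salt() {  # $1=password $2=salt
    printf '%s%s' "$1" "$2" | sha512sum | cut -d' ' -f1
}

# hex(sha512(salt + password)): the other salted mode (hashcat -m 1720),
# included only to show that the order matters
hash_salt_pass() {  # $1=password $2=salt
    printf '%s%s' "$2" "$1" | sha512sum | cut -d' ' -f1
}

# The line hashcat expects for modes 1710/1720: <hex digest>:<salt>
hashcat_line() {  # $1=digest $2=salt
    printf '%s:%s\n' "$1" "$2"
}

# Dictionary attack: $1=target hex digest, $2=salt, candidates one per line on
# stdin. Prints the matching password and returns 0, or returns 1 if none match.
crack_pass_salt() {
    target=$1
    salt=$2
    while IFS= read -r cand; do
        [ -n "$cand" ] || continue
        if [ "$(hash_pass_salt "$cand" "$salt")" = "$target" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Demo with constructed values (not the room's salt, hash or password).
demo_salt=5f3e9a1c
demo_target=$(hash_pass_salt winter99 "$demo_salt")   # stands in for the captured hash
echo "hashcat input line: $(hashcat_line "$demo_target" "$demo_salt")"
printf '%s\n' password letmein winter99 qwerty \
    | crack_pass_salt "$demo_target" "$demo_salt" \
    && echo "-> found with pass+salt order (mode 1710)"
[ "$(hash_salt_pass winter99 "$demo_salt")" != "$demo_target" ] \
    && echo "-> salt+pass order (mode 1720) does not reproduce the digest"
```

The same check works on the real values: hash the cracked password with the salt from the code, and the output must equal the digest you pulled from the capture byte for byte; if it doesn't, the mode or the hash file format is wrong, not the wordlist.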
Now that we have the cracked password and a username, we can log in as james through the backdoor. We'll use port 2222 because we are looking for the backdoor service rather than the real sshd on port 22, and 2222 is the obvious non-standard SSH port to try; a quick port scan of the target is the way to confirm it is listening before you bother with the login.
PART 3 – PRIVILEGE ESCALATION
Now that we are successfully in user James' account via ssh (through the backdoor), we can search for whatever else the attacker left behind to get root.
I peeked at the hint and was reminded never to forget to list all files, including hidden ones, with an “ls -la” command.
Right away, we can spot a curious-looking hidden file: “.suid_bash”. The file permissions read as “-rwsr-sr-x”: the “s” in the owner execute position means the SUID bit is set, so the binary runs with its owner's effective UID, and the second “s”, in the group position, means SGID is set as well.
We can reasonably assume that this is the backdoor left by the hacker: if the file is a root-owned copy of bash, anyone who can execute it gets a shell with root's effective UID.
To test our assumption, let's run the program with bash's -p (privileged mode) flag. Without it, bash notices that its effective UID differs from the real UID and drops back to our own privileges, so the SUID bit would buy us nothing:
And it works. We can now cat out the
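As an added example (not from the original post), here are the checks that make a planted SUID binary stand out during a compromise assessment: decoding the ls -l permission string, enumerating SUID/SGID files (optionally only those changed since the attack time taken from the PCAP), and flagging hidden or oddly placed ones. The paths in the demo are constructed; the timestamp filter relies on GNU find's -newermt.

```sh
#!/bin/sh
# Added example, not code from the original post: checks for hunting a planted
# SUID binary such as .suid_bash. Demo paths are constructed.

# Decode the 10-character mode string from ls -l. Position 4 is the owner
# execute slot ("s"/"S" = setuid), 7 the group slot ("s"/"S" = setgid) and
# 10 the other slot ("t"/"T" = sticky). An upper-case letter means the special
# bit is set without the execute bit, which is itself worth a second look.
perm_bits() {  # $1 = mode string, e.g. -rwsr-sr-x
    out=""
    case "$1" in ???[sS]*)       out="${out}setuid " ;; esac
    case "$1" in ??????[sS]*)    out="${out}setgid " ;; esac
    case "$1" in ?????????[tT]*) out="${out}sticky " ;; esac
    out=${out% }
    printf '%s\n' "${out:-none}"
}

# Live enumeration: every setuid/setgid regular file on local filesystems.
# With a second argument (e.g. "2020-07-21 20:00"), only files changed since
# then are listed; -newermt needs GNU find.
find_suid() {  # $1 = root (default /), $2 = optional "YYYY-MM-DD HH:MM"
    if [ -n "${2:-}" ]; then
        find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            -newermt "$2" 2>/dev/null
    else
        find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    fi
}

# Classify paths read on stdin. A SUID file with a dot-name, or one living
# outside the directories where distro binaries belong, is SUSPECT; the rest
# still need checking against the package manager but are at least in place.
flag_suspicious() {
    while IFS= read -r path; do
        base=${path##*/}
        case "$base" in
            .*) echo "SUSPECT hidden-name $path"; continue ;;
        esac
        case "$path" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*|/usr/local/bin/*|/usr/local/sbin/*|/snap/*)
                echo "REVIEW   $path" ;;
            *)  echo "SUSPECT unusual-location $path" ;;
        esac
    done
}

# Demo on constructed input; on the target the live form is:
#   find_suid / | flag_suspicious
perm_bits -rwsr-sr-x
printf '%s\n' /home/james/.suid_bash /usr/bin/passwd /tmp/backup | flag_suspicious
```

Finding the bit is only half the story: a SUID copy of bash drops its elevated effective UID at startup unless it is invoked with -p, which is exactly why the post runs .suid_bash that way.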
Feel free to keep learning and improving your hacking skills with this tutorial on the Finxter blog:
👉 Recommended Tutorial: TryHackMe Alfred – How I Solved The Challenge [+Video]
Also, you may want to check out the Overpass 3 tutorial of the TryHackMe challenge.
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.