In this write up, we will be playing the role of an incident responder, post compromise of a system. The task is to identify what the attackers initial attack vector was and then hack our way back into the compromised server. This is a very short write up for a quick lab I did on Tryhackme.
Post compromise analysis
We are supplied with a Pcap file and we need to identify what the URL was that the hacker used to upload a reverse shell. We know we are looking for a HTTP POST request, and when we find it we see that the reverse shell was uploaded to "/development/upload.php".
Taking a closer look at the POST request, we see that the reverse shell was a PHP reverse shell named "payload.php". We also can see that we have the full URI request path.
Following the TCP stream we can see the full contents of the PHP reverse shell that was uploaded. Below we can see that the PHP script is executing a bash reverse shell over port 4242 to 192.168.170.145.
We know that the attacker gained a shell over port 4242, so we can filter in wireshark to show all traffic over this port to see what commands were issued and what was accessed.
Following the TCP stream of a TCP packet over this port shows us what commands were issued during the reverse shell session. We can even see that the attacker escalated their privileges to the James user by using their password.
Investigating further, we notice that the attacker issued a git command to download a backdoor to the machine.
The attacker used the James user to set up the SSH backdoor service and we can see what hash the attacker used for the backdoor.
The Backdoor also has a hardcoded salt value, we can find this by downloading the backdoor locally and performing a code review. The below function takes a salt with the password to produce a resulting hash.
The below code snippet displays what the salt is, as it verifies the password entered during authentication.
To identify what password the attacker used with the backdoor, we take the salt and the hash used and crack it with hashcat.
hashcat -m 1710 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
Below the cracked password is identified as being November16.
Hacking our way back in
We have gathered enough intelligence at this point to understand what the attackers initial attack vector was, how they escalated privileges and set up persistence. We can try and hack our way into the system in the same manor the attacker would using their method of persistence.
It seems that the backdoor checks the password value and potentially doesn't check the user that is trying to SSH in. In any case, we will use the James user to SSH in over port 2222 and use the password we cracked 'november16'.
Once on the system, we take a look around for any files left behind by the attacker or any other methods of persistence and privilege escalation. We notice in the home directory of James that there is a Bash binary with the SUID bit set.
Running this binary with the -p flag, we are able to spawn a root shell and grab the last flag.
We have now walked through a scenario in which we play an incident responder analysing a PCAP file after a system was compromised. We analysed how the attacker gained access to the system and set up persistence and then gained access to the system ourselves using the same method of persistence.
I hope I explained my method clearly and provided justified reasoning for the actions I took. If you have any feedback, I would love to hear it as I want to keep improving.