
More CTF fun with Overpass 2 – Hacked

I did a new and interesting kind of room over at Tryhackme called Overpass 2. This is a remake of an original Overpass room. Lots more CTF fun with Overpass 2 – Hacked!

Quick Review

This room involved being on a Blue team, and working from a packet capture to figure out what clues might have been left as to why/who/what/where this may have happened. Then you are to take that information, and use it to break back into the system and take back control of your long lost (and very sad) flags. 😉

I use Wireshark a lot at work, being in networking. I haven’t seen such blatantly left breadcrumbs in all my years, but it was a lot of fun doing this room.

It didn’t take long to gather all of the initial answers for the first few Tasks in this room.

I found it interesting to download the backdoor that they used, and analyse it to figure out how it worked. The backdoor was used to maintain persistence by setting up another ssh server on a separate port.

Where I did have some trouble was with technical issues with hashcat. It kept refusing to run on my VM due to how I am set up with no PCI passthrough for my graphics card. It seems like it wants to only use the GPU, even though there are flags there for using the CPU.

At any rate, I found a workaround and was able to start the crack. I had forgotten that it was salted, however, and had to do it again after figuring out the correct syntax.

The last Task of getting back in was quite easy. I just SSH’d back into the attackers’ backdoor using their own credentials that I had cracked, then I immediately found a SUID copy of bash sitting (hidden) in their home as .suid_bash.

I just ran ./.suid_bash -p to get root and the last flag.

james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
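A planted setuid copy of bash like the .suid_bash above is exactly the kind of persistence a defender should sweep for after an incident. The script below is an added example, not code from the original post or from the room: it walks a directory tree and lists every regular file with the setuid bit set (dot-files included), then prints owner and mode for each hit. The directory argument and the demo path are assumptions; run it against the real home directories or the whole filesystem when checking a box.

```shell
#!/bin/sh
# Added example (not part of the original post): sweep a directory tree for
# setuid files, the persistence trick used by the .suid_bash copy of bash.

# Print the path of every regular file under $1 that has the setuid bit set.
# -perm -4000 matches the setuid bit regardless of the other mode bits, and
# find does not skip dot-files, so a hidden .suid_bash is reported too.
# -xdev keeps the scan on one filesystem so /proc and mounts are not walked.
find_suid_files() {
    dir="${1:-/}"
    find "$dir" -xdev -type f -perm -4000 2>/dev/null
}

# For each setuid file found, show owner, group and mode so a reviewer can
# spot a root-owned shell sitting in a user's home directory.
report_suid_files() {
    dir="${1:-/}"
    find_suid_files "$dir" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Demo against a constructed tree in a temporary directory (assumed path):
# plants one hidden setuid file next to a normal file and runs the sweep.
demo_suid_sweep() {
    tmp=$(mktemp -d)
    : > "$tmp/.suid_demo"
    chmod u+s "$tmp/.suid_demo"   # constructed sample, stands in for .suid_bash
    : > "$tmp/normal"
    echo "setuid files under $tmp:"
    report_suid_files "$tmp"
    rm -rf "$tmp"
}

# Uncomment to run the demo stand-alone:
# demo_suid_sweep
```

Only the planted file shows up; the ordinary file does not. Running `find_suid_files /home` on the compromised host would have surfaced the attackers' .suid_bash directly, and comparing the output against a known-good baseline of the distribution's setuid binaries narrows the list to anything that was added after the fact.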

Spoilers/Walkthrough

If you want the spoilers and need help with the room you can read my complete walkthrough here: https://github.com/c0ri/PentestingDocs/blob/main/CTFs/THM/Overpass%202%20-%20Hacked.md

Like what I do? https://www.buymeacoffee.com/c0ri