# OverPass 2 - Hacked

![](/files/-MdYJUfyt-p9KbpoO9eL)

## Task 1: Forensics - Analyze the PCAP

Let's download the PCAP file and open it in Wireshark.

![](/files/-MdYK6GCLYMBcxb1FZEK)

Since the task asks for the URL of the page used to upload a reverse shell, let's filter on the HTTP packets.

![](/files/-MdYKpC9cZ9kj41GwjUw)

Let's follow the TCP stream.

![](/files/-MdYL0cjjQzUpq2dJCo0)

We have the page.

Next we need to find the payload the attacker used to gain access.

Looking at another HTTP packet, we can see this:

![](/files/-MdYLXLOrhwYj_jgZfCF)

Next, let's look at another packet in Wireshark; we see this:

![](/files/-MdYLyZIw_55zFNZTnOH)

We have the password. Scrolling down a bit, we see the link the attacker downloaded to establish persistence on the machine.

![](/files/-MdYMGPhY0T1_Pdx8ng8)

In the same file, we can see how many of the system passwords were cracked.

![](/files/-MdYMfyQ9gjX55jVtErw)

We are done with the questions in this task.

![](/files/-MdYMmRBhSOFpVmf9oM9)
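The first step above, pulling the HTTP request lines out of the capture to find the upload page, can also be done without Wireshark. The following is an added example, not part of the original writeup: a minimal pcap reader written with only the Python standard library that lists every HTTP request (method, Host, path) and the POST URLs, run against a small constructed capture (the flows, ports and hostname below are made up for the demonstration, not taken from the challenge PCAP).

```python
import struct

# Constructed sample traffic, not the challenge PCAP: two HTTP requests (one a
# POST to an upload page) and one non-HTTP payload that must be ignored.
SAMPLE_FLOWS = [
    (40001, 80, b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (40002, 80, b"POST /upload.php HTTP/1.1\r\nHost: example.test\r\n\r\nshell=1"),
    (40003, 4242, b"\x00\x01\x02not http"),
]

def build_pcap(flows):
    """Serialise (src_port, dst_port, payload) tuples as Ethernet/IPv4/TCP in pcap format."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sport, dport, data in flows:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def http_requests(pcap):
    """Return (method, host, path) for every TCP payload that starts an HTTP request."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    found, pos = [], 24                                  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 and TCP only
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]        # skip Ethernet + IP header (IHL)
        payload = tcp[(tcp[12] >> 4) * 4:]               # skip TCP header (data offset)
        parts = payload.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            continue                                     # not an HTTP request line
        host = ""
        for header in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
            if header.lower().startswith(b"host:"):
                host = header[5:].strip().decode(errors="replace")
        found.append((parts[0].decode(), host, parts[1].decode()))
    return found

def upload_pages(pcap):
    """URLs of POST requests, the candidates for the page used to upload a file."""
    return [f"http://{h}{p}" for m, h, p in http_requests(pcap) if m == "POST"]
```

Replace `build_pcap(SAMPLE_FLOWS)` with the bytes of a real capture file to run it against the challenge PCAP; pcapng files use a different container format and are not handled here.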

## Task 2: Research - Analyze the code

Let's look at the code of the backdoor by downloading it to our machine from the link the attacker used.

Looking at the main.go file, we see the default hash for the backdoor.

![](/files/-MdYPUCoUWecfHFlt8nj)

Scrolling to the end of the file, we see the salt for the backdoor.

![](/files/-MdYPdht8KzUDb5cOPxa)

We can find the hash the attacker used in the same PCAP file we opened earlier.

![](/files/-MdYPttHWn2Wz1v6KWE2)

Let's crack the hash using hashcat.

![](/files/-MdYTeYRs2RgFhK5-JGn)

![](/files/-MdYTi_gkqooj2I63RxY)

## Task 3: Attack - Get back in

Let's run an nmap scan to see the open ports on the machine.

![](/files/-MdYUb0vtsCpqkK8btyk)

Let's visit the website.

![](/files/-MdYUk9w5-A_xabsESt5)

Let's now follow what the attacker did and get into the machine: log in through SSH on port 22 as the user james with the password we cracked earlier.

![](/files/-MdYVe3ClALmoZXIrhqL)

Let's read the user flag.

![](/files/-MdYVqf6hBRdcbqxZbpS)

Let's look for SUID files and see if we can find any interesting ones.

![](/files/-MdYWKFZkfLCT0d6cxvm)

This one is interesting and not common; let's check it out.

![](/files/-MdYWUYE7MZvgjgVEEAx)

So it gives us a shell as the user we want. Let's run it so that we get a root shell; the method can be found on GTFOBins.

![](/files/-MdYWje7E_Pc9WCFwx6Y)

![](/files/-MdYWqwRaLEO15FL0gLb)

We are now root; let's read the root flag.

![](/files/-MdYWzRsU0eGkJSXc0l0)
