OverPass 2 - Hacked

Task 1: Forensics - Analyze the PCAP

Lets download the PCAP file and open it in wireshark

As they asked what is the URL of the page they used to upload a reverse shell lets look at the http packets

Lets follow the TCP Stream

We have the page

Next we need to find the payload the attacker used to gain access.

Looking at another http file, we can see this

Next lets look at a random file in wireshark, we see this

We have the password. Scrolling down a bit we see the link the attacker downloaded that is used for persistent on the machine

In the same file, we can see how many of the system passwords were cracked.

We are done with the questions in this task

Task 2: Research - Analyze the code

Lets look at the code of the backdoor the attacker downloaded by downloading it to our machine

Looking at the main.go file, we see the default hash for the backdoor

Scrolling to the end of the file, we see the salt for the backdoor

We can find the hash the attacker used in the same pcap file we opened earlier

Lets crack the hash using hashcat

Task 3: Attack - Get back in

Lets run a nmap scan to see open ports on the machine

Lets visit the website

Lets now follow what the attacker did and get into the machine. Lets login through ssh on port 22 as the user james and use the password we cracked earlier.

Lets read the user flag

Lets look for SUID files and see if we can find any interesting ones.

This is one is interesting and not common, lets check it out

So it gives us a shell as the user we want, lets try running it so that we can get a root shell. This can be found on GTFOBins

We are now root , lets read the root flag