OverPass 2 - Hacked
Last updated
Last updated
Lets download the PCAP file and open it in wireshark
As they asked what is the URL of the page they used to upload a reverse shell lets look at the http packets
Lets follow the TCP Stream
We have the page
Next we need to find the payload the attacker used to gain access.
Looking at another http file, we can see this
Next lets look at a random file in wireshark, we see this
We have the password. Scrolling down a bit we see the link the attacker downloaded that is used for persistent on the machine
In the same file, we can see how many of the system passwords were cracked.
We are done with the questions in this task
Lets look at the code of the backdoor the attacker downloaded by downloading it to our machine
Looking at the main.go file, we see the default hash for the backdoor
Scrolling to the end of the file, we see the salt for the backdoor
We can find the hash the attacker used in the same pcap file we opened earlier
Lets crack the hash using hashcat
Lets run a nmap scan to see open ports on the machine
Lets visit the website
Lets now follow what the attacker did and get into the machine. Lets login through ssh on port 22 as the user james and use the password we cracked earlier.
Lets read the user flag
Lets look for SUID files and see if we can find any interesting ones.
This is one is interesting and not common, lets check it out
So it gives us a shell as the user we want, lets try running it so that we can get a root shell. This can be found on GTFOBins
We are now root , lets read the root flag