Overpass 2 - Hacked
Room Link: https://tryhackme.com/room/overpass2hacked
What was the URL of the page they used to upload a reverse shell?
What payload did the attacker use to gain access?
What password did the attacker use to privesc?
I realized I can just change the stream to find this result.
How did the attacker establish persistence?
Using the fasttrack wordlist, how many of the system passwords were crackable?
In the same stream as the previous question, we can see the attacker cat the shadow file. I took the results of the command, saved them to a file called dump.txt, then ran john against it.
What's the default hash for the backdoor?
It's in the code on GitHub.
What's the hardcoded salt for the backdoor?
What was the hash that the attacker used? - go back to the PCAP for this!
Crack the hash using rockyou and a cracking tool of your choice. What's the password?
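An added example (not from the room or from the backdoor's author) showing why a hardcoded salt does not protect the backdoor's hash from a wordlist check, and how a per-user random salt with a slow KDF differs. The hashing scheme hex(SHA-512(password + salt)), the salt, the hash and the wordlist below are assumed or constructed, not the room's real values:

```python
import hashlib
import os

# Assumed scheme (not stated on this page): hex(SHA-512(password + salt)) with a
# salt hard-coded in the backdoor binary. The salt is a constructed placeholder.
HARDCODED_SALT = "example-salt-placeholder"


def backdoor_hash(password: str, salt: str = HARDCODED_SALT) -> str:
    """Reproduce the assumed backdoor hashing: one fast SHA-512 over password+salt."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


def find_wordlist_match(target_hash: str, wordlist, salt: str = HARDCODED_SALT):
    """Return the wordlist entry whose hash equals target_hash, or None.

    Each candidate costs a single SHA-512 (no work factor), and because the salt
    is identical in every deployment of the backdoor, one precomputed table would
    cover all of them. This is the check a cracking tool performs against rockyou.
    """
    target = target_hash.strip().lower()
    for candidate in wordlist:
        word = candidate.rstrip("\n")
        if backdoor_hash(word, salt) == target:
            return word
    return None


def hardened_hash(password: str) -> tuple:
    """Contrast: a fresh random salt per user plus an iterated KDF (PBKDF2-HMAC-SHA256).

    Every guess now costs 200,000 iterations and tables cannot be shared across
    users, which is what a hardcoded salt fails to provide.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed stand-ins for a few rockyou lines and for a hash seen in the PCAP.
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "winter2020", "qwerty"]
OBSERVED_HASH = backdoor_hash("winter2020")

if __name__ == "__main__":
    # Reading a real wordlist would be: open("rockyou.txt", errors="ignore")
    print(find_wordlist_match(OBSERVED_HASH, SAMPLE_WORDLIST))  # prints winter2020
```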
The attacker defaced the website. What message did they leave as a heading?
Using the information you've found previously, hack your way back in!
The development page doesn't exist, so we can't get the initial shell the way the attacker did; instead we can use the information we found in Wireshark and log in with james's credentials.
For some reason james's password doesn't work; it was the other password that we cracked. SSH was also running on ports 22 and 2222, but the credentials only worked for 2222. I guess it has to do with the exploit the attacker used.
There is a hidden file in james's home directory owned by root. When we execute it we become root. The -p flag turns on privileged mode; without it we are still james when we execute the script.