The link for this lab is located here: https://tryhackme.com/room/overpass2hacked

Overpass has been hacked! Can you work out how the attacker got in, and hack your way back into Overpass' production server? You will use Wireshark and hack your way back in

networking-foundations-exploring-udp-via-wireshark-part-1.1280x600.jpg

Full Walkthrough

Downloading the Wireshark file and taking a look at the various HTTP requests, we can see that a GET request was sent first for the /development page. Then, the attackers used a POST request to upload a file called upload.php. Finally, they navigated to the /development/upload.php page to execute the shell.

Looking into the POST request with the upload.php file, we can see the full reverse shell code that was inside this file - they used a reverse netcat shell found here.

Next, looking at the TCP packets after the payload was executed, we can see the full command list the attacker used. In this case, he ran the sudo -l command and entered the following password:

Looking through more commands, we can see that the attacker used git clone to download a SSH backdoor from GitHub.

The attacker also was able to extract the /etc/shadow file and gain the hashes. Doing the same thing, we can copy the contents of the file to our Kali machine and try cracking them using the fasttrack wordlist. It returns 4 cracked passwords for us.

Again, looking through the Telnet logs of commands, we can see that the attacker had to provide a hash for the backdoor. Navigating to the backdoor they downloaded, there is a default hash visible in the source code.