lahacycle.blogg.se

Download overpass 2








This can give insight into which URL was used to gain the reverse shell.


Now that the packets are filtered, we can view the TCP stream to read conversations between two or more hosts communicating with each other through TCP. Using the http.request display filter, our results are narrowed to just a few packets. Since the reverse shell was connected through a webpage, we can filter the pcap capture data to view HTTP data.

Filtering the packets can be useful for pinning down relevant information for the investigation. A reverse shell is a connection established by the attacker in order to gain access to the targeted machine. Our first question asks us to view the URL of the page where a reverse shell was uploaded. Nice! Our file has moved locations, so we can begin our investigation.

First, Wireshark was fired up using: wireshark overpass2.pcapng

Once inside, let’s move (mv) the pcap file using:

Now that the directories are created, navigate back to the Downloads folder where our pcap is downloaded. Now we can properly place our files inside this directory! Let’s create our directories using: mkdir THM

Add our directory for this room: mkdir OverPass2

A good ol’ bit of housekeeping don’t hurt no one. These directories will be designated specifically for ‘TryHackMe’ and the room we are in, ‘OverPass2’, so we know the files are placed in the TryHackMe directory with the room directory being Overpass 2. From now on, we can add more directories in the TryHackMe directory as more rooms are completed from TryHackMe. >=)

First, let’s create a set of two directories where our files can be properly allocated. Before we actually open the file, a bit of housekeeping is good practice to organize our files and to keep a clean machine.


Once logged in, download the pcap file and save it to your machine. While on a late night shift, we received messages of suspicious activity and were tasked with analyzing a packet capture file containing this suspicious activity and hacking our way into the compromised production server.

Before we begin, we will spin up our Kali machine in order to view the pcap file the room provides us.


Overpass 2 is the second room from the Overpass series in TryHackMe designed from a SOC team’s point of view.









