Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened.
Can you work out how the attacker got in, and hack your way back into Overpass’ production server?
This is a challenge that is exactly what is says on the tin, there are a few challenges around investigating a windows machine that has been previously compromised.
Connect to the machine using RDP. The credentials the machine are as follows:
We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!
Information Room: ForensicsDifficulty: MediumFiles : victim.zip 448.9 MB– victim.raw 1.58 GB My Recommendations Create a Working Directory (WD) This is my personal preference, I like
Find out what happened by analysing a .pcap file and hack your way back into the machine. It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.
Perform memory forensics to find the flags. If you are having trouble, maybe check out the volatility room first.
Enjoy!
