Hi HTB Community,
I’m currently trying the Sherlock “Carson” where you have to do digital forensics on a web server which has been breached via webshell. So far I was able to answer most questions by looking at the access.log file. However, I’m clueless about question number 6, “Attacker changed the password for the web application, what did they change the password to?”. The last entry in the log file states that the attacker has changed the config of the webserver, and by printing it I was able to retrieve a hash value. I was wondering if I missed another log file or if using hashcat is the only way to find out said password. Thankful for any advice!