bikupothen1615

# Overpass

Overpass is a TryHackMe machine which helps to improve our knowledge and skills in web application pen testing. The machine consists of two flags, a user flag and a root flag. To access the root flag we need to do some research on crontabs and cron jobs. Do not forget to download the configuration file to get VPN connectivity.




Let's begin the hunt!!!


We begin with port scanning.



After the port scan we find that the SSH and HTTP ports are up. So we are going to run a hidden directory scan using the tool Gobuster.



After checking the results we see an admin login page. So we need to find some credentials to get inside.


When we go through the login.js page we find something interesting.

It shows that when we use incorrect credentials to log in, the database responds with "Incorrect Credentials", so if we can bypass that response we can get inside. For that we are going to use Burp Suite. Turn on the proxy in Mozilla Firefox and intercept mode in Burp Suite.


By right-clicking on the above data a pop-up box will appear; from there choose Do intercept > response > forward.


Remove the last line and forward the response. Turn off the browser proxy and log in using the default credentials, username: admin and password: admin. Once we get inside we can see an SSH private key.


So first we need to convert this key into a hash format. Copy the key and save it in a file named ssh.key, then convert the key into a hash using the following command. Before that you need to change your path from the /home directory to /usr/share/john.

./ssh2john.py ssh.key > hash

Once the key is converted into a hash file we need to run the john command against it to extract the password.



Now we have the password, and since port 22 is open we can make a direct SSH connection, through which we successfully get a shell.


So the first flag, User.txt, is found.


Since we are logged in as user James we need root privileges to access the root flag. So for privilege escalation we are using crontabs and cron jobs.

When we check the crontab we find a cron job running!!


Since the overpass.thm host entry can be modified by any user, we are going to change the overpass.thm IP to our local Kali machine's IP.



Using nano we change the IP.



The cron job executes a script named buildscript.sh under downloads/src, so we create the same path on our Kali machine, place our reverse shell in buildscript.sh there, and start a Python HTTP server. With a netcat listener we get the reverse shell connection.
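From the defender's side, the root cause here is a root cron job that pipes a download from a hostname straight into bash while that hostname's resolution can be rewritten by any local user. As an added example (not part of the original writeup), this Python audit script flags such crontab entries; the crontab text is a constructed sample modelled on the writeup's description, and the hosts-file mode is passed in as an integer (on a real host it would come from os.stat on /etc/hosts, which is an assumption here since the post does not name the file).

```python
import os
import re
import stat

# Constructed sample system crontab modelled on the writeup's finding: root
# fetches buildscript.sh from overpass.thm every minute and pipes it to bash.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""

FETCHERS = ("curl", "wget")
SHELLS = ("sh", "bash", "dash", "zsh")

def parse_system_crontab(text):
    """Yield (user, command) for every entry in a system-style crontab."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)          # 5 time fields, user, command
        if len(fields) == 7:
            yield fields[5], fields[6]

def fetch_and_execute(cmd):
    """True if the command downloads something and pipes it straight into a shell."""
    stages = [s.split()[0] for s in cmd.split("|") if s.strip()]
    if len(stages) < 2:
        return False
    fetches = any(os.path.basename(w) in FETCHERS for w in stages[:-1])
    return fetches and os.path.basename(stages[-1]) in SHELLS

def hostname_of(cmd):
    """Hostname the fetch stage talks to (None if no fetch is present)."""
    m = re.search(r"(?:curl|wget)\s+(?:-\S+\s+)*(?:https?://)?([A-Za-z0-9.-]+)", cmd)
    return m.group(1) if m else None

def world_writable(mode):
    """True when the 'other' write bit is set on a file mode (as from os.stat)."""
    return bool(mode & stat.S_IWOTH)

def audit(crontab_text, hosts_mode):
    """Flag entries that pipe a download into a shell, noting if the name is hijackable."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if fetch_and_execute(cmd):
            findings.append({"user": user, "host": hostname_of(cmd),
                             "hosts_file_world_writable": world_writable(hosts_mode)})
    return findings
```

The fix is to stop piping remote content into a shell (fetch, verify, then run a local copy) and to keep the hosts file root-owned and not world-writable.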







Finally we have root privileges and the final flag, root.txt!!!
