Nmap Output:
gobuster
homepage
/admin login page
The creator told us not to use brute force and to use the OWASP Top 10 approach instead.
When we look at the source code, we can see the login.js file.
This is the important part for us.
From Inspect → Storage tab;
It is enough to set any value for the SessionToken cookie. If we refresh the page, the login is bypassed.
After the bypass, we are greeted by the James user's RSA key.
ssh2john
john
sshlogin
user.txt
crontab
A script is fetched from overpass.thm and run. Since this script runs with root privileges, we can easily become root through it.
There are a few settings we need to make first.
We need to change the IP address of overpass.thm in the hosts file.
Then we need to create the same file path on our machine and write a reverse shell script there. After that we can start an HTTP server on port 80. Also, don't forget nc.
done