Overpass 3-Hosting-TryHackMe

0xsanz
7 min readJan 27, 2021

This is the write-up for TryHackMe’s room named Overpass3 — Hosting. This is the third part of the series of rooms named Overpass.

This room can be found at this URL:- https://tryhackme.com/room/overpass3hosting

So lets begin.

Enumeration

# Identify the list of services running on the target machine

sudo nmap -sS -Pn -T4 -p- 10.10.163.156

# Perform further information gathering on the open ports identified above

sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.163.156

So we have total 3 ports open.

Port 21 FTP vsftpd 3.0.3 doesn’t have any know vulnerabilities and there is no anonymous access.

Port 22 SSH OpenSSH 8.0 is also quite recent. So lets keep it for later.

Port 80 have an Apache Web Server, so lets first try to brute force the directories on the Web Server.

Directory Busting

Lets use gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.163.156 -t 40

Ah, we have a folder named “backups”. So lets browse to that folder using our favorite browser.

Download “backup.zip” file which we found above and unzip it.We found 2 files:

  1. CustomerDetails.xlsx.gpg
  2. priv.key

OK,So we have a file encrypted with a gpg key. Let use the following command to get the actual file:

gpg — import priv.key

gpg CustomerDetails.xlsx.gpg

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900,AZ204