This is the write-up for TryHackMe’s room named Overpass3 — Hosting. This is the third part of the series of rooms named Overpass.
The room can be found at this URL: https://tryhackme.com/room/overpass3hosting
So let’s begin.
# Identify the list of services running on the target machine
sudo nmap -sS -Pn -T4 -p- 10.10.163.156
# Perform further information gathering on the open ports identified above
sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.163.156
So we have a total of 3 open ports.
Port 21: FTP, vsftpd 3.0.3, doesn’t have any known vulnerabilities and there is no anonymous access.
Port 22: SSH, OpenSSH 8.0, is also quite recent. So let’s keep it for later.
Port 80 has an Apache web server, so let’s first try to brute-force the directories on the web server.
Let’s use gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.163.156 -t 40
Ah, we have a folder named “backups”. So let’s browse to that folder using our favorite browser.
Download the “backup.zip” file which we found above and unzip it. We found 2 files:
OK, so we have a file encrypted with a gpg key. Let’s use the following command to get the actual file:
gpg --import priv.key
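
From the defender’s side, the finding above is a backup archive served from the web root with a private key (priv.key) packaged beside the encrypted file. The following is an added example, not part of the original write-up: a POSIX shell function that audits a document root for that pattern. The function name, the finding labels and the list of file extensions are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the write-up): defensive audit of a web document root.
# Flags the exposure seen in this room: a backup archive served by the web
# server, and a private key stored beside the ciphertext it decrypts.
# Finding labels (ARCHIVE, KEY_IN_ARCHIVE, PRIVATE_KEY, KEY_WITH_CIPHERTEXT)
# are names chosen for this example. File names containing newlines are not handled.
# Usage: audit_webroot /path/to/document/root

audit_webroot() {
    root=$1

    # 1. Archives reachable under the served tree.
    find "$root" -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tgz' \
        -o -iname '*.tar.gz' -o -iname '*.7z' -o -iname '*.bak' \) |
    while IFS= read -r f; do
        printf 'ARCHIVE %s\n' "$f"
        # If unzip is installed, list members without extracting and flag key files.
        if command -v unzip >/dev/null 2>&1; then
            unzip -Z1 "$f" 2>/dev/null | grep -iE '\.(key|asc|pem)$' |
            while IFS= read -r m; do
                printf 'KEY_IN_ARCHIVE %s:%s\n' "$f" "$m"
            done
        fi
    done

    # 2. Files containing armored private-key material (PGP, RSA, OpenSSH, ...).
    find "$root" -type f \
        -exec grep -lE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY' {} + 2>/dev/null |
    while IFS= read -r k; do
        printf 'PRIVATE_KEY %s\n' "$k"
        # 3. Key kept in the same directory as GPG/PGP-encrypted data.
        d=$(dirname "$k")
        for c in "$d"/*.gpg "$d"/*.pgp; do
            if [ -f "$c" ]; then
                printf 'KEY_WITH_CIPHERTEXT %s %s\n' "$k" "$c"
            fi
        done
    done
    return 0
}
```

Any output line is a finding; an empty result means none of the three patterns were present under the given directory.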