Overpass
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 22 and 80
(-oN nmap): Saving the output to a file called nmap
Enumeration
Let's visit the website. There is nothing of interest as of now, so let's run gobuster to find hidden directories.
We find an admin page, let's visit it.
It's a login page. After looking through the different files in the source code of the page, I found an interesting file called login.js, and the interesting part is the function called login. Looking at the if statement: if we log in with incorrect credentials, the response we get is Incorrect credentials, but if we have the right credentials, it sets the SessionToken cookie to the value statusOrCookie and redirects us to the /admin page.
So let's open the browser console (Ctrl + Shift + i) on the web page and type this in the console. Once you press Enter and reload the page, you are logged in.
You are given an RSA private key, so we can copy it, crack its passphrase using John the Ripper and then log in with SSH. I copied the RSA private key and stored it in a file called id_rsa.
Now we need the passphrase to log in with SSH, so let's turn the key into a crackable hash with ssh2john.
Now let's crack the hash with John the Ripper.
We found the password, which is james13.
To log in with this information we first need to restrict the permissions on the id_rsa file (SSH refuses to use a private key that other users can read).
Now we can use this command to log in over SSH. I think the username is going to be james, as the password contains the word james.
We can now read the user.txt file.
Privilege Escalation
We cannot run the command sudo -l to see what we can run as root, as we don't have the password for james.
In the current directory we see a file called todo.txt, so let's read it.
From this we can say that:
There is a password somewhere in the password manager they made.
The encryption for the password is weak.
There is an automated build script running.
There is also another interesting file in this directory, called .overpass. Let's read it.
It looks like some kind of encoded data, so let's go to CyberChef and see what it says. I went through different recipes and found the correct one, which is ROT47.
I looked for a way to use this information to escalate privileges to root, but it did not help, so we need to find another way.
Looking back at the todo.txt file, we saw that there was an automated build script running, so let's check that.
Looking at the last line, we can see that the cron job fetches the buildscript file from the website and pipes it to bash. To exploit this we need to redirect the domain to our IP address, which we can do by editing /etc/hosts on this machine: replace the IP of overpass.thm with our TryHackMe IP.
Now we need to create the same directory structure as on the victim machine so that the exploit works properly, so let's create the directory download/src.
Now we should create a file called buildscript.sh and put a reverse shell in it; since the cron job runs every few minutes, it will give us a reverse shell.
We can find the reverse shell here.
Now we have to start an HTTP server using Python (make sure you are two directories up, so that you could cd into /downloads/src) so that the victim machine can connect to our machine, and also start a netcat listener for the reverse shell.
After a while the file should be downloaded, and you should also get a reverse shell as root.
Now you can read the root.txt file and answer the last question of this room.