CTF Walkthroughs, TryHackMe

TryHackMe – Overpass Walkthrough

May 15, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was a very easy Linux machine and the first in the Overpass TryHackMe series. It involved adding a custom cookie to bypass web authentication in order to gain initial access and exploiting a cron job to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The Nmap scan has identified port 22 and port 80 as open, so the next step will be to start enumerating HTTP..

Enumerating HTTP

When visiting the web server through a browser, the following page is displayed:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The Gobuster scan has revealed an “admin” entry. When visiting this page, a login form appears:

Gaining a Foothold

After trying a few common username and password combinations to no avail, decided to use the Firefox debugger to inspect the JavaScriptcoode in use by the application, it appears that the login.js file contains a “login” function, which says that if the response of the authentication request is not “Incorrect Credentials” i.e. if the authentication was successful, it then sets the SessionToken to “statusOrCookie”:

Manually creating a SessionToken cookie with a value of “statusOrCookie” in the browser:

After refreshing the page, the admin page grants access to a private SSH key:

Copying the key to a text file so that it can be used to authenticate via SSH:

Assigning the proper permissions to the key and authenticating as James, which is the user mentioned in the admin page:

It appears the SSH key is password protected. Using the SSH2John tool to extract the hash from the key and using John the Ripper with the following flags to crack it:

  • –wordlist to specify the wordlist to be used, in this case, rockyou
  • the text file containing the hashes, one per line

The hash was cracked and this time the SSH authentication as James was successful

Privilege Escalation

The home directory of the James user contains a note mentioning James might have used Overpass’ password manager to encrypt his credentials. Also, the .overpass file contains James’ encrypted password:

The Overpass site contains a downloads section that allow to download the source code used for the application:

Judging by the source code written in Golang, it appears that the password manager is simply using ROT47 to encrypt the password:

//Secure encryption algorithm from https://socketloop.com/tutorials/golangrotate-
47-caesar-cipher-by-47-characters-example
func rot47(input string) string {
var result []string
for i := range input[:len(input)] {
j := int(input[i])
if (j >= 33) && (j <= 126) {
result = append(result, string(rune(33+((j+14)%94))))
} else {
result = append(result, string(input[i]))
}
}
return strings.Join(result, "")
}
//Encrypt the credentials and write them to a file.
func saveCredsToFile(filepath string, passlist []passListEntry) string {
file, err := os.OpenFile(filepath, os.O_TRUNC|os.O_CREATE|
os.O_WRONLY, 0644)
if err != nil {
fmt.Println(err.Error())
return err.Error()
}
defer file.Close()
stringToWrite := rot47(credsToJSON(passlist))
if _, err := file.WriteString(stringToWrite); err != nil {
fmt.Println(err.Error())
return err.Error()
}
return "Success"
}

Using an online ROT47 decipher tool to decrypt James’ password:

It appears the password did belong to the James user although it is not allowed to run sudo:

Transferring LinPEAS using the Python Simple HTTP Server and Wget:

Running LinPEAS to further enumerate the machine:

It appears there is a cron job running as root which executes Curl against overpass.thm/dwnloads/src/buildscript.sh and pipes its contents over to bash:

It appears that currently overpass.thm points at localhost, although the /etc/hosts file can be modified by all users:

This means the /etc/hosts entries could be modified to point overpass.htm at the local Kali machine and make the cron job execute arbitrary Bash scripts as root.

Creating a Bash script with a simple reverse shell that will connect back to the Kali host:

Replacing the overpass.thm entry in /etc/hosts with the local Kali machine’s IP address:d

Since the cron job executes a script called buildscript.sh in the download/src/ location, re-creating those folders and placing the Bash reverse shell there. Also setting up a Python Simple HTTP Server to host the file:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

After about a minute, the cron job ran and executed the buildscript Bash script containing a reverse shell:

This has granted a reverse shell as the root user..

Conclusion

This was definitely the easiest machine of the Overpass TryHackMe series, and although the exploitation part was quite trivial, I found the privilege escalation process quite interesting and it was the first time manipulating /etc/hosts to gain root-level privileges for me.