Overpass TryHackMe Walkthrough

Musyoka Ian
9 min readJul 20, 2020

--

Hello guys back again with another walkthrough this time am going to be tacking Overpass from TryHackMe. It was rated as an easy box and beginner friendly but according to my opinion the initial foothold might be a bit of a stretch for someone who hasn’t used burpsuite before but the box itself is really cool thanks to the creator of the box NinjaJc01. The box starts off by finding a web server that has an admin panel but to use the admin panel you are required to provide valid credentials. Doing some static code analysis on JavaScript files you realize you can bypass authentication an gain access to the administrator’s panel ,get some SSH private keys crack some hashes with john the ripper and finally login to the box as the user James. The privilege escalation is pretty simple but really amazing given the fact that i have never seen this before in any other box. You find that the hosts file is world writable and you find that there’s a cronjob that running every minute that executes using a bash script using a hostname. Exploit it and get root on the box. Without much say let’s jump in

As always we’ll start off with a nmap scan of the box. This as i always say we’ll give us really useful information on the services that are running on the box and we might might get lucky and find an outdated service that has a 1 day exploit and be able to compromise the box that way

Looking at the nmap results we see two ports are open SSH and HTTP

SSH doesn’t have that much vulnerability hence i will start with enumerating HTTP. We can leave a SSH bruteforce running in the background but without a valid username it is going to be really hard even to perform a bruteforce attack so I’ll start to enumerate HTTP.

Opening the webpage using Mozilla we get a standard webpage probably used to advertise a password manager application called overpass

Before poking at the websites manually i decided to do some automated enumeration using gobuster. What gobuster normally does is perform directory bruteforce using a wordlist and we might be lucky and get some interesting directories

While gobuster is running in the background lets enumerate the website manually. First let’s see if robots.txt exists (It just a file that tell web spiders where or what not to crawl)

But as seen above we didn’t get lucky. I decided to view page source sometimes developers leave comments that makes it easy to exploit a server.

And as seen below we get some comments but they don’t seem too meaningful

Since i hit a dead end i decided to go and see if gobuster had found anything useful that could give us an idea on what to exploit

And as seen above we found some interesting directories like /admin

I decided to take a look at it first. On opening /admin

The first things i try when i see a login page is dumb credentials example of which include

admin:admin
admin:password
guest:guest
admin:12345

But in this case i got incorrect credentials.

Next i tried SQL Injection beacuse if we find that the webpage is injectable we might be lucky and be able to dump user credentials

But since i don’t want to waste time testing it I’ll assure you the web application is not SQL Injectable

So i decided to see what files the web application calls every time we try to login using Mozilla developers tool(network tab) and found an interesting file login.js

I decided to take a look at the JavaScript file and see if I’ll find anything useful like credentials. The function that i want us to concentrate on is the login function as seen below

The code that I’ve highlighted is the vulnerable code that will let us bypass the login page

What the code says is that if the server responds with “Incorrect credentials” don’t allow that person to get access to the administrator’s panel but if the server doesn’t responds with “Incorrect credentials” give that particular person a session token and give him access to the administrative panel. That code looks neat……… what could go wrong since we can trust the information from the server??????

What the developers of the webpage didn’t consider is that by using burpsuite we could also control the response that comes from the web server. And we will trick login.js file to think that “Hey we are authenticated by the web server ” and this will give us access to the administrator’s panel.

Let’s see this magic happen below

First we’ll intercept the login request with burpsuite

Then right click and click on do intercept then click on response from this request

And as seen below the server responds to the request with “Incorrect credentials”

Let’s modify the response to look as the one down below

HTTP/1.1 302 FOUND
Date: Mon, 20 Jul 2020 14:33:13 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8
Connection: close
location: /admin

And then forward the response

Then let’s go back to the webpage and refresh the tab

And like magic we get logged in with no valid credentials

Just like that fun right???????

The second method of bypassing the login page was suggested by one of the readers all thanks to Ahmed Koraiem and its way easy and I’ve actually come to love it since it’s really easy to use. The web application also doesn’t check the cookie to determine whether they are valid or not so we can just create our own cookie and make ourselves admin as you’ll see below

Opening Mozilla developers tools console tab which basically runs JavaScript command “document.cookie” we can add our own cookie using the following command

document.cookie in java script can create,read and delete cookie. In our case we want to use this functionality to create a cookie

document.cookie="SessionToken=pleaselogmein"

As seen below

Then running the command

Now refreshing the web page

We get logged in

And that’s the second method we could bypass the login page

And after logging into the box we get really useful information

1. We get that there are two users on the box namely 
a) James
B) Paradox
2. We find some ssh keys and after reading the paradox's post we get that it's James' SSH private keys

So i copied the SSH private keys to my localbox and taking a closer look at it we see that it’s encrypted. Meaning we’ll need a passphrase to be able to use the SSH key but unlucky for us we don’t know the passphrase

Lucky for us we can us john the ripper (a well known hash cracker)and a binary called ssh2john which converts the SSH private key to a hash format that john the ripper can understand and crack the passphrase using a wordlist

Let’s see this in action

First we’ll need to generate the hash using ssh2john

And as seen above we were able to generate a hash now we should save it to a file and get cracking. And after sometime john the ripper was able to crack the passphrase as seen below

Sweet now we can login to the box via ssh using that passphrase.

And voila as seen above we are in. We successful gotten a shell on the box. Sweet now it’s time for privilege escalation but before that

We can submit the user flag and get the points

Next thing i did was to run linpeas which automatically finds privilege escalation vectors. It’s really an awesome script and I’ve really grown fond of it while am doing any pentest since it also uses really awesome colors in the output

Looking at the output of linpeas

We find that there’s a cronjob running every minute

Which executes curl

* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

What makes the cronjob even more interesting is that it’s running as root meaning if we exploit it we’ll be root. But how?????

I decided to continue looking at the linpeas output

And i found a really odd file which in normal occasions it is only writable by root but in this case we had write access to it. The file is

/etc/hosts

Now the cronjob starts making sense right?????

The curl command from the cronjob was using a hostname(overpass.thm) and we have control to the hosts file. Meaning we can spoof the hostname to make the cronjob think that the hostname is from our IP Address meaning when the cronjob will run it will be connecting to our IP Address

But let’s take a closer look at the command being ran

curl overpass.thm/downloads/src/buildscript.sh | bash

First we need to create a web server on our box which the curl will be connecting to

Second we must replicate all the directories [/downloads/src/] in our web server as in the command(cronjob) or else every time the curl command will be running it will be getting a 404 NOT FOUND and in the last directory we create that buildcript.sh bash script

Let’s see this in practise

1. Create all those directories in our local web server
2. in buildscript.sh  create a bash reverse shell that will be connecting back to our box as seen below
3. Start a web server on our local machine as seen below
4. Create a netcat listener on our local box which will allow root connect back to us when the cronjob is executed
5. Next add our IP Address to overpass-procd machine in the hosts file and link that IP Address with overpass.thm hostname
6. Now we play the waiting game

And after a few seconds we get a rootshell

Now we can submit the root flag and increase our points

And the box is pretty much done!!!!!

Am really expecting feedback and if any concept has not been explained fully you guys can tell me in the response so i can see how to explain it further but that’s it for now guys till next time take care

And if you liked the walthrough you can clap for me down below. Thanks guys

--

--

Musyoka Ian
Musyoka Ian

Written by Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Responses (3)