TryHackMe: Overpass

Cybertrinchera, published in CodeX
3 min read, Dec 17, 2022

Overpass is an easy TryHackMe machine in which we will exploit a broken authentication bug in the web application to gain access to an SSH key. Later, we will escalate privileges by replacing a script that a scheduled job downloads and runs.

As usual in TryHackMe, we must connect to the VPN or use the AttackBox. I will choose the VPN. We press the Start Machine button, and a minute later the IP address is shown. Now we proceed with the initial reconnaissance using Nmap:

nmap -p- -sV -Pn $IP

The -p- parameter (-p followed by a hyphen) tells Nmap to scan all 65535 TCP ports, -sV fingerprints the service versions, and -Pn scans the machine even if it does not respond to ping.

We can see that the machine has only a web server and an SSH server exposed. Let's dig into the web server.

First of all, fuzzing the web server turns up a few interesting endpoints.

On the admin endpoint we can see a JavaScript file called login.js that sets the session cookie on successful authentication:

    async function login() {
        const usernameBox = document.querySelector("#username");
        const passwordBox = document.querySelector("#password");
        const loginStatus = document.querySelector("#loginStatus");
        loginStatus.textContent = ""
        const creds = { username: usernameBox.value, password: passwordBox.value }
        const response = await postData("/api/login", creds)
        const statusOrCookie = await response.text()
        if (statusOrCookie === "Incorrect credentials") {
            loginStatus.textContent = "Incorrect Credentials"
            passwordBox.value=""
        } else {
            Cookies.set("SessionToken",statusOrCookie)
            window.location = "/admin"
        }
    }

We can set the cookie ourselves from the browser console and bypass the authentication:

Cookies.set("SessionToken", 1)
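The post does not show the server side, but for a hand-made SessionToken cookie to work the server must be accepting any value in that cookie without checking it against a session it issued. The following is an added example, not the post's or the application's code, that models that assumed weak check next to a hardened one: the server issues high-entropy tokens, stores only a hash of them, and accepts a presented token only if its hash is in the store and the session has not expired. The store, the TTL and the cookie dictionary shape are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory session store for the example:
# sha256(token) -> (username, expiry as epoch seconds)
SESSIONS = {}
SESSION_TTL = 3600  # assumed lifetime of a session, in seconds


def vulnerable_is_authenticated(cookies):
    """Assumed weak check: the mere presence of a SessionToken cookie is
    enough. This is exactly what Cookies.set("SessionToken", 1) exploits."""
    return "SessionToken" in cookies


def _fingerprint(token):
    # Store a hash rather than the token so a leaked store does not hand
    # out usable cookies; lookups are by hash, so no secret is compared
    # with an early-exit string comparison.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(username, now=None):
    """Create a random, unguessable token bound to a user and an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[_fingerprint(token)] = (username, now + SESSION_TTL)
    return token


def hardened_is_authenticated(cookies, now=None):
    """Return the username for a valid server-issued session, else None."""
    now = time.time() if now is None else now
    presented = cookies.get("SessionToken")
    if not isinstance(presented, str) or not presented:
        return None
    entry = SESSIONS.get(_fingerprint(presented))
    if entry is None:
        return None  # token was never issued by this server
    username, expiry = entry
    if now >= expiry:
        del SESSIONS[_fingerprint(presented)]  # expired: drop it
        return None
    return username


if __name__ == "__main__":
    forged = {"SessionToken": "1"}
    print("weak check accepts forged cookie:", vulnerable_is_authenticated(forged))
    print("hardened check accepts forged cookie:",
          hardened_is_authenticated(forged) is not None)
    real = {"SessionToken": issue_session("james")}
    print("hardened check accepts issued token:",
          hardened_is_authenticated(real))
```

The weak variant answers the question "is there a cookie?", while the hardened one answers "did I issue this cookie, and is it still valid?"; only the second question ties the cookie to a completed login.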

Now we can see an encrypted SSH key for james on the page:

We can crack the passphrase of this SSH key to be able to log in as james over SSH.

Once inside the system we find a to-do list; one of the items mentions an automated script. It would be nice to keep an eye on it.

Consulting the crontab, we see that it downloads a file and executes it.

If we look at its content, we will see that it calls date without specifying the complete path.

Since we can manipulate /etc/hosts, we can point the domain at our machine and exploit this to serve any script we want.

Once /etc/hosts is manipulated, we can create a script with a reverse shell and serve it.

After a short time, as soon as the cron job is executed, we will get a shell as root.
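The root shell depends on three weaknesses stacking up: a root cron entry that pipes a download into a shell, an /etc/hosts file that a low-privileged user can edit, and a script that calls commands such as date without an absolute path. The following is an added example, not the post's or the machine's code, of how a defender would check for those three conditions. The crontab text, the script body, the host name build.example.internal and the mode bits are all constructed for the example; on a real host the crontab and script would be read from disk and the mode from os.stat("/etc/hosts").st_mode.

```python
import re
import shlex
import stat

# Constructed sample inputs that mirror the weaknesses the post describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl build.example.internal/buildscript.sh | bash
"""
SAMPLE_SCRIPT = """\
#!/bin/bash
cd /root/src
git pull origin master
/usr/bin/make
date > /root/last_build.txt
"""

SHELL_BUILTINS = {"cd", "export", "if", "then", "else", "fi", "for", "do",
                  "done", "while", "echo", "exit", "set", "source", ".",
                  "[", "test"}
# curl/wget ... | sh / bash / dash / zsh
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|da|z)?sh\b")


def parse_system_crontab(text):
    """Return (user, command) pairs from an /etc/crontab-style file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) == 7:
            entries.append((fields[5], fields[6]))
    return entries


def fetched_host(command):
    """Host named in the first non-option curl/wget argument, or None."""
    try:
        tokens = shlex.split(command.split("|", 1)[0])
    except ValueError:
        return None
    for i, tok in enumerate(tokens):
        if tok in ("curl", "wget"):
            for arg in tokens[i + 1:]:
                if not arg.startswith("-"):
                    return re.sub(r"^[a-z]+://", "", arg).split("/", 1)[0]
    return None


def fetch_to_shell_entries(crontab_text):
    """Cron entries that execute downloaded content directly; the host is
    reported because anyone who controls its resolution controls the job."""
    return [(user, cmd, fetched_host(cmd))
            for user, cmd in parse_system_crontab(crontab_text)
            if FETCH_TO_SHELL.search(cmd)]


def hosts_file_writable_by_non_owner(mode):
    """True if the mode bits of /etc/hosts allow group or world writes."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def relative_commands(script_text):
    """Commands a script runs without an absolute path (PATH-dependent)."""
    found = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for segment in re.split(r"&&|\|\||;|\|", line):
            try:
                tokens = shlex.split(segment)
            except ValueError:
                continue
            if not tokens:
                continue
            cmd = tokens[0]
            if cmd in SHELL_BUILTINS or cmd.startswith("/") or "=" in cmd:
                continue
            found.append(cmd)
    return found


def audit(crontab_text, hosts_mode, script_text):
    """Combine the three checks into one report."""
    return {
        "fetch_to_shell": fetch_to_shell_entries(crontab_text),
        "hosts_writable": hosts_file_writable_by_non_owner(hosts_mode),
        "relative_commands": relative_commands(script_text),
    }


if __name__ == "__main__":
    import json
    # 0o100666 stands in for a world-writable /etc/hosts (constructed value).
    print(json.dumps(audit(SAMPLE_CRONTAB, 0o100666, SAMPLE_SCRIPT), indent=2))
```

Any one finding is worth fixing on its own: the cron job should run a locally stored, root-owned script rather than piping a download into bash, /etc/hosts should be mode 644 and owned by root, and scripts run from cron should use absolute paths or set PATH explicitly.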

PWNed!

I hope you enjoyed my article and found my content useful. See you in the next article.

Cybertrinchera, writer for CodeX. Also known as srbleu on many platforms. I'm here to share some knowledge.