TryHackMe | Overpass CTF Write-Up
Hi, we are going to solve the Overpass CTF on TryHackMe.
Overpass CTF: https://tryhackme.com/room/overpass by NinjaJc01
Let’s begin!
Let’s see if the machine is up and running by pinging it.
Looking at the Time to Live (TTL) value in the reply, we can deduce that our target is a Linux machine.
Let’s execute a simple nmap script to discover open ports on our target.
We found two open ports on the target.
Port 22 — ssh and Port 80 — http
Let’s see if OpenSSH 7.6p1 has a vulnerability for us to exploit.
We could use the username enumeration script, but we do not need it right now, since the /aboutus page already gives us the usernames for this target.
Let’s see what’s on that port 80 website:
There are downloadable files on the /downloads page. I tried them locally, but they do not help us with exploiting our target.
Let’s use the gobuster tool to discover directories on the website.
/login.js and /admin pages look interesting.
The admin page has a basic login form. We can try a brute-force attack using hydra.
Edit: Should’ve looked at the hint. It literally says do NOT brute-force :)
I’ve tried some basic SQLi (‘ OR 1=1) but it didn’t work either.
Let’s take a look at the interesting JavaScript file that we have found.
If I got that right, setting the cookie ourselves gets us to the admin page. The script only checks the login response: if the credentials are incorrect, it prints
“Incorrect Credentials”; if the credentials are correct, it sets a cookie named SessionToken and redirects you to the admin page. The cookie’s value is never verified against anything on our side, so any value will do.
We can set the cookie by simply opening the web developer tools and creating a new cookie named “SessionToken”.
And now we can see the actual admin page.
It’s time to ssh into the target.
There is a private SSH key belonging to the user James. Let’s copy that RSA private key and store it on our local machine to connect to the target via SSH.
ssh -i id_rsa james@10.10.10.21
When I tried to connect using the above command, I got an error: “Permissions 0644 for ‘id_rsa’ are too open.”
The solution to this problem is to change the permissions of that private key.
chmod 600 id_rsa
This means that only the owner (or root) has permission to read and write the file.
Now, when we try to connect, it asks for the passphrase. Since we don’t know it yet, we need to crack it.
The famous John the Ripper comes into play.
First, we need to convert this key into a format that john can understand.
ssh2john id_rsa > crackme
Let’s crack it using the rockyou wordlist.
Finally, we are able to SSH into the target.
user.txt is located in the /home/james directory.
root.txt is probably in the /root folder.
From now on, I’ll use my Linux privilege escalation cheat sheet.
Since we don’t know james’s password, we cannot use sudo -l.
Let’s look at the SUID bits:
Nothing looks suspicious here.
Let’s try crontab.
We can see that there is a cron job that uses curl to fetch buildscript.sh and runs it. How can we leverage that to our advantage?
The job goes to overpass.thm, downloads the file and executes it. What if it connected to our local machine and downloaded our buildscript.sh file instead?
First, we need to change the IP address of overpass.thm by editing the /etc/hosts file. Then, we’ll open an HTTP server on our local machine and create our very own buildscript.sh.
And weee aaree groooot.
I hope this write-up helps those who are interested in cyber security.