[Figure: Overpass room logo. Image from TryHackMe.]

Scanning the box and Initial recon

The nmap scan shows port 80 and port 22 open, revealing that an HTTP server and an SSH server are running.
[Figure: open ports as reported by nmap]
Gobuster lists the directories it discovered on the web server.
[Figure: directories discovered by gobuster]
The /admin endpoint serves a login form.
[Figure: login form at /admin]

Finding and exploiting the vulnerability

Highlighted are the three JS scripts used by the /admin endpoint.
[Figure: the 3 JS scripts used by /admin]
Setting the SessionToken cookie to 1 to test our hypothesis.
[Figure: setting the SessionToken cookie]

Gaining initial shell

[Figure: the authenticated admin page, with an interesting message]
First we converted the key into a hash using the ssh2john.py script and then cracked it with john and the rockyou.txt wordlist.
[Figure: converting the key to a hash and brute-forcing it with john]
[Figure: SSH-ing in as the user and reading all the .txt files in the home directory]

Privilege escalation and gaining root

[Figure: LinPEAS scan result (cropped)]
  1. There is a cron job that runs every minute and executes a bash script. The job runs with root privileges, and the script it runs is downloaded from the remote host overpass.thm.
  2. The /etc/hosts file is world-writable.
[Figure: checking permissions on /etc/hosts with ls -l and reading the file with cat]
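As an added defensive check that is not part of the write-up: a small audit script that flags the two findings above, a root cron job that downloads and executes a script by hostname, and a world-writable /etc/hosts, given crontab text and the file's st_mode. The crontab sample is constructed to mirror the findings, and the function names are my own.

```python
import re
import stat

# A download tool whose output is piped straight into a shell (fetch-and-execute).
_FETCH_EXEC = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z|da)?sh\b")

def fetch_host(command: str) -> str:
    """Host the first curl/wget fetches from (assumes the URL is its first non-option arg)."""
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok in ("curl", "wget"):
            for arg in tokens[i + 1:]:
                if not arg.startswith("-"):
                    return re.sub(r"^[a-z]+://", "", arg).split("/")[0]
    return ""

def risky_root_cron_jobs(crontab_text: str) -> list:
    """Commands in /etc/crontab (m h dom mon dow user command) that root runs as fetch-and-execute."""
    risky = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        fields = line.split(None, 6)
        if len(fields) == 7 and fields[5] == "root" and _FETCH_EXEC.search(fields[6]):
            risky.append(fields[6])
    return risky

def audit(crontab_text: str, hosts_mode: int) -> list:
    """Findings for the pair of conditions the write-up abuses (hosts_mode: st_mode of /etc/hosts)."""
    world_writable = bool(hosts_mode & stat.S_IWOTH)
    report = []
    for cmd in risky_root_cron_jobs(crontab_text):
        host = fetch_host(cmd)
        finding = f"root cron job executes a remote script from {host!r}: {cmd}"
        if world_writable and not re.fullmatch(r"[\d.]+", host):  # a name, not a literal IP
            finding = "HIGH (any local user can redirect it via /etc/hosts): " + finding
        report.append(finding)
    if world_writable:
        report.append("/etc/hosts is world-writable (mode %o)" % (hosts_mode & 0o777))
    return report

# Constructed sample input modelled on the write-up's findings, not captured from the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""
SAMPLE_HOSTS_MODE = 0o100666  # -rw-rw-rw- as shown by ls -l
```

Run `audit(open("/etc/crontab").read(), os.stat("/etc/hosts").st_mode)` on a real host to check it; the fix is a non-writable /etc/hosts and a cron job that does not pipe downloads into a shell.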
  1. Replicate the /downloads/src/ directory structure in our working directory.
  2. Create a buildscript.sh file that will be downloaded and run as root, compromising the root account.
  3. Open port 80 on our attacking machine.
  4. Edit the /etc/hosts file on the VM so that overpass.thm points to our attacking machine.
[Figure: performing all the described steps for root compromise]
[Figure: logs showing the VM has connected and downloaded our malicious script]
The VM was able to download and run our malicious script.
[Figure: SSH-ing into root and getting the root flag]