Overpass{THM}

Gladi_47
5 min read · May 26, 2023


Site = THM
Creator = NinjaJc01
Difficulty = 🍕 * 1.5

Basic Summary:
So this machine is made by James, a bit on the middle-beginner side of difficulty. The machine has HTTP and SSH. The website serves downloads for a password manager. Checking the source code of the admin login page, there's a login.js, and reading it reveals that it gives us a cookie. Not knowing the password yet, we manually add the cookie and get the page. On the page we have an id_rsa; crack the passphrase and then log in to the machine. After that there's a crontab that fetches and compiles the password manager, but it uses a hostname to get it. So we edit the /etc/hosts file and serve it from our own machine, then boom, we have RooT.

## Quick Link

  1. Recon
  2. Web
  3. Initial Access
  4. CronTab
  5. R00T

## RECON

```
22/tcp open  ssh     syn-ack
| ssh-hostkey:
| 2048 37968598d1009c1463d9b03475b1f957 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLYC7Hj7oNzKiSsLVMdxw3VZFyoPeS/qKWID8x9IWY71z3FfPijiU7h9IPC+9C+kkHPiled/u3cVUVHHe7NS68fdN1+LipJxVRJ4o3IgiT8mZ7RPar6wpKVey6kubr8JAvZWLxIH6JNB16t66gjUt3AHVf2kmjn0y8cljJuWRCJRo9xpOjGtUtNJqSjJ8T0vGIxWTV/sWwAOZ0/TYQAqiBESX+GrLkXokkcBXlxj0NV+r5t+Oeu/QdKxh3x99T9VYnbgNPJdHX4YxCvaEwNQBwy46515eBYCE05TKA2rQP8VTZjrZAXh7aE0aICEnp6pow6KQUAZr/6vJtfsX+Amn3
| 256 5375fac065daddb1e8dd40b8f6823924 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMyyGnzRvzTYZnN1N4EflyLfWvtDU0MN/L+O4GvqKqkwShe5DFEWeIMuzxjhE0AW+LH4uJUVdoC0985Gy3z9zQU=
| 256 1c4ada1f36546da6c61700272e67759c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwiYH+1GSirMK5KY0d3m7Zfgsr/ff1CP6p14fPa7JOR
80/tcp open http syn-ack
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Overpass
|_http-favicon: Unknown favicon MD5: 0D4315E5A0B066CEFD5B216C8362564B
```

## WEB

The main page is the students' site serving the OVERPASS password manager. Let's check the code.

So the password manager uses a rotation cipher. WHAT! Moving on!

The /downloads page serves the downloads for the password manager for different operating systems. Let's continue with our directory busting.

```
/downloads  [--> downloads/]
/img        [--> img/]
/aboutus    [--> aboutus/]
/admin      [--> /admin/]
/css        [--> css/]
```

Let's check /admin.

Hmmm, the hint suggests that it's not a brute-force thing, so let's check the code.

```html
<!DOCTYPE html>
<html>

<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Overpass</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" type="text/css" media="screen" href="/css/main.css">
  <link rel="stylesheet" type="text/css" media="screen" href="/css/login.css">
  <link rel="icon" type="image/png" href="/img/overpass.png" />
  <script src="/main.js"></script>
  <script src="/login.js"></script>
  <script src="/cookie.js"></script>
</head>

<body onload="onLoad()">
  <nav>
    <img class="logo" src="/img/overpass.svg" alt="Overpass logo">
    <h2 class="navTitle"><a href="/">Overpass</a></h2>
    <a class="current" href="/aboutus">About Us</a>
    <a href="/downloads">Downloads</a>
  </nav>
  <div class="content">
    <h1>Administrator area</h1>
    <p>Please log in to access this content</p>
    <div>
      <h3 class="formTitle">Overpass administrator login</h1>
    </div>
    <form id="loginForm">
      <div class="formElem"><label for="username">Username:</label><input id="username" name="username" required></div>
      <div class="formElem"><label for="password">Password:</label><input id="password" name="password"
          type="password" required></div>
      <button>Login</button>
    </form>
    <div id="loginStatus"></div>
  </div>
</body>
</html>
```

Ohhhhhhhhhh, /login.js, let's check it out.

```javascript
async function postData(url = '', data = {}) {
  // Default options are marked with *
  const response = await fetch(url, {
    method: 'POST', // *GET, POST, PUT, DELETE, etc.
    cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
    credentials: 'same-origin', // include, *same-origin, omit
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    redirect: 'follow', // manual, *follow, error
    referrerPolicy: 'no-referrer', // no-referrer, *client
    body: encodeFormData(data) // body data type must match "Content-Type" header
  });
  return response; // We don't always want JSON back
}
const encodeFormData = (data) => {
  return Object.keys(data)
    .map(key => encodeURIComponent(key) + '=' + encodeURIComponent(data[key]))
    .join('&');
}
function onLoad() {
  document.querySelector("#loginForm").addEventListener("submit", function (event) {
    //on pressing enter
    event.preventDefault()
    login()
  });
}
async function login() {
  const usernameBox = document.querySelector("#username");
  const passwordBox = document.querySelector("#password");
  const loginStatus = document.querySelector("#loginStatus");
  loginStatus.textContent = ""
  const creds = { username: usernameBox.value, password: passwordBox.value }
  const response = await postData("/api/login", creds)
  const statusOrCookie = await response.text()
  if (statusOrCookie === "Incorrect credentials") {
    loginStatus.textContent = "Incorrect Credentials"
    passwordBox.value=""
  } else {
    // Whatever /api/login returned (other than the error string) is stored as the session cookie
    Cookies.set("SessionToken",statusOrCookie)
    window.location = "/admin"
  }
}
```

Checking the code of login.js we see that it sets a SessionToken cookie if authentication is successful. Well, we don't know the password, so let's just add the cookie manually.

Let's reload.

Weow, we have ourselves an id_rsa file. Let's copy it and try to crack the passphrase for it.

## Initial Access

Boom! Let's SSH into the machine as james.

Checking the home of james we have our flag, of course, and a TODO.TXT file. Let's check the .overpass file.

Let's check /home.

We don't have access to tryhackme's home. The machine is running a server, so let's check /etc/crontab.

## CRONTAB

So the root user builds the password manager. But if you pay a bit more attention, it's not using the IP but a hostname, and if we have write access to /etc/hosts we can force it to get the buildscript from our own server on the attacker machine.

It's writable, so let's add our IP for the overpass.thm address.

Let's prepare the server and the listener.

## R00T

And BOOM we're R00T. Yeeeeeeeah!!!!!!!!!!

Get the root flag yourself, how lazy are ya? Huh!

Happy Hacking 😈
Thanks for Reading 👍

Suggestions for improvement are welcomed!
