The summary for this box on TryHackMe mentions a password manager being used, implying we will be exploiting some vulnerability in this to gain access. It also mentions a subscription to THM is hidden on the box but has long been redeemed. Still, it would be cool if we can find that just to say we did!
Let's start with a port scan to see what services this machine is running. While we wait for that, let's open the URL in the browser to check whether a site is being hosted…
A welcome page for Overpass comes up. It looks like the password manager mentioned in the summary. Let's take a look at our scan results and start a directory search on the site to find any hidden directories.
The only services found in our initial scan are the HTTP server and SSH. A wider scan might turn up more open ports, but let's explore this page for now, since our directory search found an admin page.
This admin page brings us to a login. We don't have any credentials, and after fuzzing the POST request with Burp Suite, I decided to look at how the user is actually authenticated instead!
The selected area is what we are interested in. This login.js is called when a login attempt is made and checks the server response to decide whether to let us in or deny access. The server response is represented as a cookie. However, the script only checks for a deny response and otherwise allows access to the page. This falls under the OWASP Broken Authentication category and can absolutely be exploited. It is as simple as sending a login request with the required cookie set to anything other than the statusOrCookie deny value returned by /api/login. In the console I ran:
Cookies.set("SessionToken","anything")
This instantiates a cookie with the required key and any value other than the deny string returned from the API. Submit a username and password pair of anything (in this case I used test:test), refresh the page, and we are in!
So we now have an encrypted RSA key and a strongly worded message to James from Paradox. He also implies their password manager is not as secure as they make it out to be, I will want to look into this later…
I need to find a way to decrypt this RSA key. I was able to find a python script from Cracking the Private RSA Key (asecuritysite.com) which will work! OpenSSL is normally used to generate keys and can be used to decrypt an encrypted private key with a given password. This script uses OpenSSL with a provided wordlist to brute force a key until it is able to export the decrypted private key.
Running the script gives me James's password to decrypt the key, "james13". Here I have the code on the left and the exported private key on the right.
Now I can SSH into the machine as James and his user flag is right there in his home directory.
I'm not able to check sudo privileges as James and cannot read /etc/shadow. I am, however, able to check the cron jobs on the system, and there is one running as root. It reaches out to overpass.thm and runs a buildscript.sh. When exploring the initial website, we saw that this buildscript runs the Go build for Overpass on the machine. We can change this to instead give us elevated privileges.
It looks like we DO have access to /etc/hosts. There is also an entry for overpass.thm! So we can simply change the IP associated with overpass.thm to our own and create our own script.
We will create our own script in the same file structure as referenced in the cronjob. In this case I am using a reverse shell and will capture it with netcat on port 7777.
So, our order of operations is as follows.
- Change host IP to our own in victim’s /etc/hosts for overpass.thm
- Write a buildscript.sh that is instead a reverse shell; it will be executed as root and, for persistence, give everyone access to the root directory.
- Host a python webserver for the victim’s cron service to reach out to.
- Catch the shell with netcat and execute commands as root.
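From the defender's side, the conditions this chain depends on are easy to audit: a root cron job that pipes downloaded content into a shell, a fetch over plain HTTP with no integrity check, and a hosts file that a regular user can edit. The following is an added example (my own, not from the box or from TryHackMe) that flags exactly those conditions. The crontab line, the /etc/hosts contents and the file mode are constructed approximations of what the post describes, not copied from the machine.

```javascript
// Added example: audit a system crontab and /etc/hosts for the weaknesses this
// privilege escalation relies on. All inputs below are constructed samples.
const SAMPLE_CRONTAB = `
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl http://overpass.thm/buildscript.sh | bash
`;
const SAMPLE_HOSTS = `
127.0.0.1 localhost
10.10.14.5 overpass.thm   # constructed: points the build host at another machine
`;
const SAMPLE_HOSTS_MODE = 0o664; // constructed: group-writable, which is the real problem

// System crontab lines have six leading fields: five schedule fields and a user.
function parseSystemCrontab(text) {
  return text
    .split("\n")
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#"))
    .map((line) => {
      const parts = line.split(/\s+/);
      return { user: parts[5], command: parts.slice(6).join(" ") };
    });
}

// hostname -> ip, ignoring comments; names are lower-cased for comparison.
function parseHosts(text) {
  const map = new Map();
  for (const raw of text.split("\n")) {
    const line = raw.split("#")[0].trim();
    if (!line) continue;
    const [ip, ...names] = line.split(/\s+/);
    for (const n of names) map.set(n.toLowerCase(), ip);
  }
  return map;
}

// "curl|wget ... | sh/bash" is the download-and-execute pattern.
const PIPE_TO_SHELL = /\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b/;

// Pull the hostname out of the download command so it can be checked in /etc/hosts.
function fetchedHost(command) {
  const m = command.match(/\b(?:curl|wget)\b[^|;]*?(?:https?:\/\/)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})/);
  return m ? m[1].toLowerCase() : null;
}

function auditCron(crontabText, hostsText, hostsMode) {
  const findings = [];
  const hosts = parseHosts(hostsText);
  for (const job of parseSystemCrontab(crontabText)) {
    if (job.user !== "root" || !PIPE_TO_SHELL.test(job.command)) continue;
    const host = fetchedHost(job.command);
    const reasons = ["root job pipes downloaded content straight into a shell"];
    if (host && hosts.has(host)) {
      reasons.push(`${host} is resolved via /etc/hosts -> ${hosts.get(host)}, not DNS`);
    }
    if ((hostsMode & 0o022) !== 0) {
      reasons.push("/etc/hosts is group- or world-writable, so any user can redirect the fetch");
    }
    if (!/https:\/\//.test(job.command)) {
      reasons.push("script is fetched without TLS and without any signature or hash check");
    }
    findings.push({ command: job.command, host, reasons });
  }
  return findings;
}

console.log(JSON.stringify(auditCron(SAMPLE_CRONTAB, SAMPLE_HOSTS, SAMPLE_HOSTS_MODE), null, 2));
```

On the sample input the hourly run-parts job is left alone and the build job is reported with all four reasons. Any one of the last three fixes (hosts file owned by root with mode 644, fetching over TLS, or verifying a checksum or signature before executing) breaks the chain; not executing downloaded content from a root cron job at all removes the problem entirely.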
And as you can see, we are now running as root and have the root flag!
We can see from the original source code on the Overpass website that the encrypted Overpass credentials are stored in ~/.overpass. By searching James's home directory, we can grab these. Also, there is another user, tryhackme, that was not needed to get either of the flags. We can grab the credentials from there as well.
Reviewing the source code, it looks like it builds an array of the user and password and runs it through ROT47. I am familiar with ROT13, so I did some reading on ROT47. It is the exact same thing with a larger character set. The thing with ROT13 and ROT47 is that they are completely reversible. In this case, each character is shifted 47 characters away from the original character; by reversing this process, we recover the original credentials. No wonder Paradox told James this isn't secure…
Using CyberChef, I can decode these, and we have the original credentials, including the long-expired TryHackMe subscription!
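To show why ROT47 offers no protection at all, here is an added example (my own code, not the Overpass source) that implements ROT47 over the 94 printable ASCII characters and wraps it the way the post describes the vault: an array of name/password entries run through ROT47. That the entries are JSON-serialised is my assumption, and the sample credentials are constructed. Because 47 is exactly half of 94, applying the function twice is the identity, so the same function both "encrypts" and "decrypts" and there is no key involved.

```javascript
// Added example, not the Overpass project's code. ROT47 shifts every printable
// ASCII character ('!' = 33 .. '~' = 126) by 47 positions within that 94-character range.
function rot47(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code >= 33 && code <= 126) {
      out += String.fromCharCode(33 + ((code - 33 + 47) % 94));
    } else {
      out += ch; // space, newline and non-ASCII characters pass through unchanged
    }
  }
  return out;
}

// Vault format assumed for illustration: a JSON array of {name, pass} entries.
// Writing and reading use the same rot47 call because the operation is its own inverse.
function storeVault(entries) {
  return rot47(JSON.stringify(entries));
}

function readVault(blob) {
  return JSON.parse(rot47(blob));
}

// Constructed sample credentials, not the ones from the box.
function roundTripDemo() {
  const entries = [{ name: "alice", pass: "S3cretP@ss" }];
  const blob = storeVault(entries);
  const recovered = readVault(blob);
  return {
    blob,
    recovered,
    roundTrips: JSON.stringify(recovered) === JSON.stringify(entries),
  };
}

console.log(roundTripDemo());
```

Anyone who can read ~/.overpass can run the same function over it, which is exactly what the CyberChef step does. A password manager needs a real key-derivation function on a master password and an authenticated cipher, not a fixed alphabet rotation.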
I had a ton of fun with this box. It was not what I expected, as I originally thought the password manager would play more of a role in how I gained access, but I was pleasantly surprised to see broken authentication come into play. I have been doing a lot of work recently with manually authenticating POST requests, and this is definitely a "what NOT to do" example.