12-27-2022, 04:26 PM
How I Hacked a PW Manager (TryHackMe Overpass 1)
<div>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-overpass-1-compsci-students-creating-a-pw-manager-gone-bad/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=%2F%2Fi.ytimg.com%2Fvi%2FWqslUEU7p94%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<h2>PREMISE</h2>
<p>The premise of the box is that a group of computer science students has created a password encryption/decryption tool. </p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="425" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-320.png" alt="" class="wp-image-1000659" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-320.png 425w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 425px) 100vw, 425px" /><figcaption class="wp-element-caption"><strong>Target</strong>: <em>One of the CS students posing at a party</em></figcaption></figure>
</div>
<pre class="wp-block-preformatted"><em>"What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!"</em></pre>
<p>We are tasked with hacking our way into their server as the root user. </p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="956" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-323.png" alt="" class="wp-image-1000671" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-323.png 956w, https://blog.finxter.com/wp-content/uplo...00x200.png 300w, https://blog.finxter.com/wp-content/uplo...68x512.png 768w" sizes="(max-width: 956px) 100vw, 956px" /><figcaption class="wp-element-caption"><strong>Attacker</strong>: <em>A sophisticated hacker – not who you may expect.</em></figcaption></figure>
</div>
<p>This capture-the-flag challenge on TryHackMe involves cookie creation and file spoofing in order to escalate privileges to the root user. It is rated as an easy box. If you don’t like spoilers, I’d recommend trying this <a href="https://tryhackme.com/room/overpass" target="_blank" rel="noreferrer noopener">free hacking challenge </a>first before reading any further.</p>
<p>This box is the first in a three-part series. In part two, we will be doing some basic forensics after a cyber attack hits the overpass server. </p>
<p>And in part three we will prove to the Overpass developers that they need to make some security upgrades to their server hosting.</p>
<p>First, let’s record our IPs and get them ready to export as Linux variables.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export targetIP=10.10.179.249
export myIP=10.6.2.23</pre>
<h2>ENUMERATION</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="850" height="637" src="https://blog.finxter.com/wp-content/uploads/2022/12/image-322.png" alt="" class="wp-image-1000667" srcset="https://blog.finxter.com/wp-content/uploads/2022/12/image-322.png 850w, https://blog.finxter.com/wp-content/uplo...00x225.png 300w, https://blog.finxter.com/wp-content/uplo...68x576.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></figure>
</div>
<p>A simple <code>nmap</code> scan shows the following results:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">┌─[kalisurfer@parrot]─[~/THM/overpass-walkthrough]
└──╼ $sudo nmap $targetIP
[sudo] password for kalisurfer:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-21 06:01 EST
Nmap scan report for 10.10.179.249
Host is up (0.087s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
</pre>
<p>Nothing is surprising here. These are the standard ports for HTTP web applications and <code>ssh</code> services. </p>
<p>Next, we run a <code>dirb</code> scan to enumerate directories. The results reveal a few interesting paths, and we’ll take a closer look at each of these leads.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">/admin
/aboutus
/css
/downloads</pre>
<p>We find the plaintext source code in the <code>/downloads</code> folder! </p>
<p>This is almost certainly worth a close look for details of the encryption mechanism. Publishing the source code is the first of several poor decisions the Overpass dev team has made with their password storage program. </p>
<p>Some of the takeaways from examining the source code are:</p>
<ol>
<li>The encryption method used is a <a href="https://blog.finxter.com/caesar-cipher-in-python/" data-type="post" data-id="356186" target="_blank" rel="noreferrer noopener">Caesar cipher</a> with a rotation of 47. There is a link in the source code pointing to: <a href="https://socketloop.com/tutorials/golang-rotate-47-caesar-cipher-by-47-characters-example" target="_blank" rel="noreferrer noopener">https://socketloop.com/tutorials/golang-rotate-47-caesar-cipher-by-47-characters-example</a></li>
<li>Encrypted passwords are saved locally in a hidden file <code>.passlist</code> in the root directory. This will probably be our method for retrieving the root password after we gain an initial foothold on the system.</li>
<li>This encryption (ROT47) is invertible, which means to decrypt a password all we have to do is run the ROT47 cipher code a second time.</li>
</ol>
<p>There is also an executable of the password storage tool for each operating system. Downloading and running the program <code>overpassLinux</code> shows that we can retrieve passwords as long as there is a <code>.overpass</code> hidden file in the <code>/root</code> directory.</p>
<h2>INITIAL FOOTHOLD VIA COOKIE CREATION</h2>
<p>We find a login portal at <code>$targetIP/admin</code>. </p>
<p>First, we inspect the login with <code>burpsuite</code> and carefully examine the response to an unsuccessful <code>username:password</code> pair, noticing that the user is redirected back to <code>/admin</code> after a failed login attempt. </p>
<p>Instead of wasting time trying to brute-force our way in with a wordlist, we open Firefox’s developer tools and discover that there are no stored cookies. If we create a new cookie named <code>SessionToken</code> with a path of “<code>/</code>” and reload, the page reveals an encrypted <code>ssh</code> key. Voila!</p>
<pre class="wp-block-preformatted"><code>Since you keep forgetting your password, James, I've set up SSH keys for you. If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.
Also, we really need to talk about this "Military Grade" encryption. - Paradox
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337

LNu5wQBBz7pKZ3cc4TWlxIUuD/opJi1DVpPa06pwiHHhe8Zjw3/v+xnmtS3O+qiN
[remaining lines of the encrypted key body not reproduced here]
-----END RSA PRIVATE KEY-----
</code></pre>
<p>It looks like our initial foothold will be as the user <code>james</code>. Let’s pause for a moment to collect our thoughts and plan out the next steps in our attack.</p>
<h2>RETRIEVING THE PASSCODE FOR THE ENCRYPTED SSH FILE</h2>
<p>This is our plan going forward to retrieve the passcode for the encrypted ssh file:</p>
<ol>
<li>Save the <code>ssh</code> key as a new file on its own (just the key block, without Paradox’s surrounding message).</li>
<li>Use <code>ssh2john</code> to turn the key file into a hash for John the Ripper.</li>
<li>Use John to crack that hash and recover our <code>ssh</code> keyfile passcode.</li>
</ol>
<h2>SSHing INTO USER JAMES</h2>
<p>With the cracked passcode and the keyfile, we can now log in as <code>james</code> over ssh. The <code>user.txt</code> flag is right there in James’ home folder.</p>
<pre class="wp-block-preformatted"><code>!!!
Thm{65c 6bf7}
!!!</code>
</pre>
<h2>USING OVERPASSLINUX TO RETRIEVE THE USER PASSWORD</h2>
<p>Now that we are in as user James, we can run the overpass program again on the encoded string (<code>,LQ?2> 8A:4EFC6QN</code>).</p>
<p>We hit a small snag: user James doesn’t have the permissions needed to run <code>overpassLinux</code> on the target machine. Using <code>scp</code> we can copy James’ <code>.overpass</code> file to our attack machine. Running overpassLinux there, we can now recover James’ account password. </p>
<p>I decided to use <code>python3</code> to create a rot47 encryption/decryption script. A quick google search brought up the following script:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="python" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">def rot47(s):
    # Shift every printable ASCII character (33..126) by 47 within that range;
    # anything else (spaces, newlines) is passed through unchanged.
    x = []
    for i in range(len(s)):
        j = ord(s[i])
        if j >= 33 and j <= 126:
            x.append(chr(33 + ((j + 14) % 94)))
        else:
            x.append(s[i])
    return ''.join(x)

s = ",LQ?2> 8A:4EFC6QN."
print(rot47(s))
</pre>
<p>Using nano to edit the script, I added a few tweaks to make it run smoothly on my machine and decrypt James’ password. </p>
<pre class="wp-block-preformatted"><code>[{"name":"System","pass":" "}]
!!! (james password)</code>
</pre>
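<p>As an added example (not the Overpass tool’s code, and not the script above), this shows the ROT47 arithmetic from the source-code takeaways together with a reader and writer for the <code>.overpass</code> vault format the write-up decodes: ROT47 applied to a JSON array of <code>{"name": ..., "pass": ...}</code> records. The vault contents are constructed for the demo.</p>

```python
"""
Added example (not the Overpass tool's code): ROT47 exactly as the leaked
source describes it, plus a reader/writer for the .overpass vault format,
which is ROT47 applied to a JSON array of {"name": ..., "pass": ...}
records. The vault contents below are constructed for the demo.
"""
import json
from typing import Dict, List


def rot47(text: str) -> str:
    """Rotate every printable ASCII character (33..126) by 47 places within
    that 94-character range. Anything outside it (space, newline, non-ASCII)
    passes through unchanged. Same arithmetic as the page's one-liner:
    33 + ((code - 33 + 47) % 94) == 33 + ((code + 14) % 94)."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + ((code - 33 + 47) % 94)))
        else:
            out.append(ch)
    return "".join(out)


def is_involution(sample: str) -> bool:
    """47 + 47 = 94, a full turn of the alphabet, so applying ROT47 twice
    returns the input: 'decrypt' and 'encrypt' are the same function."""
    return rot47(rot47(sample)) == sample


def encode_vault(entries: List[Dict[str, str]]) -> str:
    """Produce what the tool stores in .overpass: ROT47 over compact JSON."""
    return rot47(json.dumps(entries, separators=(",", ":")))


def decode_vault(blob: str) -> List[Dict[str, str]]:
    """Recover the stored records from a .overpass blob. ROT47 keeps the
    character set printable, so the result is parseable JSON again."""
    return json.loads(rot47(blob))


def known_prefix() -> str:
    """Every vault begins with the JSON text [{"name", so every vault blob
    begins with the same eight characters. A fixed ciphertext prefix is one
    visible symptom that this is an encoding, not encryption."""
    return rot47('[{"name"')


if __name__ == "__main__":
    # Constructed sample vault; no real credentials.
    vault = [{"name": "System", "pass": "correct horse battery"}]
    blob = encode_vault(vault)
    print("stored  :", blob)
    print("prefix  :", known_prefix(), "(shared by all vaults)")
    print("decoded :", decode_vault(blob))
```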
<h2>FURTHER ENUMERATION FOR POTENTIAL ATTACK VECTORS</h2>
<p>First, I explored whether or not there are <code>setuid</code> bins that user james can run on the system with the following command:</p>
<pre class="wp-block-preformatted"><code>james@overpass-prod:~$ find /bin -perm -4000
/bin/fusermount
/bin/umount
/bin/su
/bin/mount
/bin/ping
</code></pre>
<p>Looking each of these bins up on <code>gtfobins</code> showed that there aren’t any clear paths forward yet…</p>
<p>Checking the target’s kernel version against <a href="https://www.exploit-db.com/" target="_blank" rel="noreferrer noopener">https://www.exploit-db.com/</a> showed a potential lead: a local root exploit for the kernel range in use (<a href="https://www.exploit-db.com/exploits/47163" target="_blank" rel="noreferrer noopener">https://www.exploit-db.com/exploits/47163</a>, CVE-2019-13272). </p>
<p>However, after compiling the exploit and running it on the target machine, the exploit failed saying that this machine is not vulnerable. </p>
<pre class="wp-block-preformatted"><code>Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[!] Warning: Could not find active PolKit agent
[.] Searching for known helpers ...
[.] Searching for useful helpers ...
[.] Ignoring blacklisted helper: /usr/lib/update-notifier/package-system-locked
</code></pre>
<p>Running the attack with Metasploit using the <code>PTRACE_TRACEME</code> module also failed, confirming my hunch that this isn’t a viable attack vector. </p>
<h2>FINDING A VIABLE ATTACK VECTOR FOR PRIVILEGE ESCALATION</h2>
<p>Next, we check the crontab on the target machine for any automated programs set to run regularly:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat /etc/crontab</pre>
<p>And bingo! We found a viable escalation path! </p>
<p>The following output shows that <code>buildscript.sh</code> is fetched with <code>curl</code> from <code>overpass.thm/downloads/src/</code> and piped straight into <code>bash</code><em> as root</em> every minute. The job trusts whatever <code>overpass.thm</code> resolves to and fetches it over plain HTTP, so whoever controls that name resolution controls what root executes.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
</pre>
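<p>As an added example (not part of the write-up), here is the check a defender would run to catch this class of cron job before someone else does: a small Python auditor that parses system crontab lines and flags jobs that pipe a network fetch into a shell, plus the file-mode test for the hosts file that the job’s name resolution depends on. The crontab text is constructed for the demo.</p>

```python
"""
Added example (not part of the write-up): audit system crontab lines for
the pattern found on the Overpass box, a root job that pipes a remotely
fetched script into a shell, and check whether the hosts file that the
job's name resolution depends on is writable by non-root users. The
crontab text below is constructed for the demo.
"""
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Tuple

FETCHERS = r"(?:curl|wget|fetch)"
SHELLS = r"(?:ba|z|da|k)?sh"
# "fetch ... | shell": whatever the network returns is executed as-is.
PIPE_TO_SHELL = re.compile(rf"\b{FETCHERS}\b[^|]*\|\s*(?:sudo\s+)?{SHELLS}\b")
FETCH = re.compile(rf"\b{FETCHERS}\b")


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    reason: str


def parse_system_crontab(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, user, command) for each job in a system crontab
    (/etc/crontab, /etc/cron.d/*), where a user field follows the five
    time fields. Blank lines, comments and VAR=value lines are skipped."""
    jobs = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):          # @reboot, @daily ...: one time field
            fields = line.split(None, 2)
            if len(fields) == 3:
                jobs.append((n, fields[1], fields[2]))
            continue
        fields = line.split(None, 6)      # 5 time fields + user + command
        if len(fields) == 7:
            jobs.append((n, fields[5], fields[6]))
    return jobs


def audit_crontab(text: str) -> List[Finding]:
    """Flag jobs whose command executes remote content, worst when run as root."""
    findings = []
    for n, user, cmd in parse_system_crontab(text):
        if PIPE_TO_SHELL.search(cmd):
            who = "root job" if user == "root" else f"job for {user}"
            findings.append(Finding(n, user, cmd,
                            f"{who} pipes a network fetch straight into a shell"))
        elif FETCH.search(cmd) and "https://" not in cmd:
            findings.append(Finding(n, user, cmd,
                            "fetches over plain HTTP; content is unauthenticated"))
    return findings


def mode_allows_other_write(mode: int) -> bool:
    """True if the group or world write bit is set on a file mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def hosts_file_writable_by_others(path: str = "/etc/hosts") -> bool:
    """A hosts file writable by an unprivileged user lets that user decide
    what overpass.thm resolves to, and therefore what the root job runs."""
    return mode_allows_other_write(os.stat(path).st_mode)


# Constructed sample; only line 7 reproduces the Overpass job.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
@daily root /usr/local/bin/backup.sh
30 2 * * * backup wget -q https://updates.example.invalid/agent.sh -O /tmp/a.sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} ({f.user}): {f.reason}\n    {f.command}")
    if os.path.exists("/etc/hosts"):
        print("hosts file writable by others:", hosts_file_writable_by_others())
```

The fix the auditor points at is to run a local, root-owned copy of the build script (or verify a pinned checksum before executing a download) rather than executing whatever an HTTP fetch returns.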
<p>Here is our plan going forward to exploit this system misconfiguration:</p>
<ol>
<li>First, change the <code>/etc/hosts</code> file on our target machine to hijack the <code>overpass.thm</code> domain by rerouting it to our attack machine’s IP</li>
<li>Use <em><strong>revshells.com</strong></em> to create a reverse shell payload to our netcat listener</li>
<li>Create a spoof of <code>buildscript.sh</code> with the malicious payload and locate it at <code>$myIP:/downloads/src/buildscript.sh</code></li>
<li>Spin up a simple HTTP server on port 80 from our attack machine, serving up the spoofed file in the correct directory (<code>/downloads/src/</code>)</li>
<li>Boot up a Netcat listener on the port we specified in the <code><a href="https://blog.finxter.com/tryhackme-alfred-how-i-solved-the-challenge/" data-type="post" data-id="1000191" target="_blank" rel="noreferrer noopener">revshell</a></code> payload.</li>
<li>Wait for a maximum of 60 seconds to catch the reverse shell as root!</li>
</ol>
<pre class="wp-block-preformatted"><code> Thm{7f33 53bb}</code></pre>
</div>
https://www.sickgaming.net/blog/2022/12/...verpass-1/