Overpass [No Spoilers]

Amec0e
8 min read · Nov 20, 2020
Overpass

Difficulty: Easy

Well, like always, we are going to begin with nmap:

nmap

Okay, so here we can see SSH and a web server, so let’s go and check out the web server first:

Welcome page

Okay, we get this Overpass site coming up, so let’s check through the page comments first:

comment

Okay, so we see an interesting comment here. Looking up Roman encryption, we can see a few other encryption methods that build on the Caesar cipher, such as ROT13 and the Vigenère cipher.

Well I want to see what this password manager is all about so let’s take a look at the downloads page:

Downloads page

Well, looking at this, we have the source code here, which is great, as it should tell us what the manager is doing to generate its secure passwords. So let’s take a little look at the source code in a new tab:

source

Okay, so here we can see they have left a comment, and it points to a Go (golang) tutorial for ROT47.

Awesome! We now know what type of encryption/encoding method it is using to generate “secure” passwords. With that in mind let’s keep digging.

Next I’m going to run gobuster to see if we can find anything additional:

gobuster

Here we see something interesting that I most definitely want to check out so let’s head there:

login page

Okay so we have a login page here, so first let’s check the page source for any additional comments:

Well, it’s not quite a comment, but this is useful for pentesting web applications, as we can try a multitude of things here; however, the one thing I am interested in is this:

This site is using a cookie.js file, which means it is using cookies. With that in mind I want to try one of the OWASP Top 10 here, which is “Broken Authentication”.

You can read more about OWASP top 10 here: https://owasp.org/www-project-top-ten/

With that said, I’m going to try using a session token, which stores session data for individual users. What we are going to do is try to manipulate or create a SessionToken cookie in our browser to allow us to try and take control of that user’s session. Usually every user has an individual and unique string that identifies that user and their session contents.
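The reason a cookie crafted by hand should never work is that the cookie value is supposed to be a random key that only the server can mint and look up. The following is an added example, not the Overpass application's code: `weak_is_authenticated` is a simplified model (an assumption about the flaw class, not the real server) of treating any SessionToken cookie as proof of login, and `SessionStore` shows the server-side pattern that makes a forged cookie useless, since only tokens the server itself issued exist in the store and they expire.

```python
"""Session-cookie validation: a presence-only check beside a server-side store.

Added example; this is not the Overpass application's code. weak_is_authenticated
is a simplified model (an assumption about the flaw class, not the real server)
of accepting any SessionToken cookie as proof of login; SessionStore shows the
pattern that prevents a forged cookie from working: the cookie is a random
lookup key, and only tokens the server itself issued exist in the store."""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def weak_is_authenticated(cookies: Dict[str, str]) -> bool:
    """Broken authentication: any non-empty SessionToken value passes."""
    return bool(cookies.get("SessionToken"))


class SessionStore:
    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a session: 32 random bytes from the OS CSPRNG, URL-safe encoded."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self.ttl)
        return token

    def lookup(self, presented: Optional[str], now: Optional[float] = None) -> Optional[str]:
        """Username for a valid, unexpired token; None for missing, unknown or expired."""
        if not presented:
            return None
        now = time.time() if now is None else now
        wanted = presented.encode("utf-8")
        for token, (user, expiry) in list(self._sessions.items()):
            # constant-time comparison so the check leaks nothing about stored tokens
            if hmac.compare_digest(token.encode("ascii"), wanted):
                if now >= expiry:
                    del self._sessions[token]   # expired sessions are discarded
                    return None
                return user
        return None

    def revoke(self, token: str) -> None:
        """Logout: forget the token server-side so the cookie becomes worthless."""
        self._sessions.pop(token, None)


def strong_is_authenticated(cookies: Dict[str, str], store: SessionStore,
                            now: Optional[float] = None) -> bool:
    """Authenticated only if the presented cookie maps to a live server-side session."""
    return store.lookup(cookies.get("SessionToken"), now) is not None
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; a real application would also mark the cookie `HttpOnly`, `Secure` and `SameSite`, and rotate the token after login.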

NOTE: I did spend a fair bit of time on this trying many different OWASP vulnerabilities to no avail, but I did this as a group with others, so four heads were better than one.

That being said don’t feel bad if you spent a lot of time here.

Anywho, enough rambling and on to creating the cookie for this site, as we have none:

firefox

So I am using the “Cookie Quick Manager” extension here for Firefox to create a cookie for this URL:

Cookie Quick Manager

Over to the right side of the page we can see where we will create our cookie, so now let’s click the “pencil” icon (edit) to craft our cookie!

Cookie Quick Manager

Now that is done, we can save this and it should show in our Firefox browser’s dev tools under Storage:

Firefox

As we can see, we now have the cookie, so let’s just refresh the page and see what happens:

Admin login

We now get a username and an encrypted SSH key!

So let’s copy and paste the contents into a file and use ssh2john to get the password for the SSH key so we can use it to login to the machine:

nano and paste

Now we have the file ready, so let’s hand it to ssh2john:

ssh2john

And now we have our rsa-hash file, so let’s use john to crack the passphrase!

john

And we get a possible password! Now to set the correct permissions and try to login as the user:

SSH

And we are in! Awesome!

Well, I do love privilege escalation on Linux, so let’s just begin with our standard enumeration:

ls -la

Okay, well, we have 3 interesting files in the user’s home directory, and one is the user flag, so let’s get that now:

user.txt

Okay now to check out the todo.txt:

todo.txt

Okay, so the last part of this is interesting to me: it seems the user is unsure how Paradox got the automated “buildscript.sh” (found on the website) to work and where the downloads go, since they do not seem to be going to the website and so it is not updating.

With that in mind let’s continue.

Now to check the .overpass file:

This seems a little odd; it looks like some type of encoding, and since they used ROT47 for encrypting their passwords in the manager, let’s just see if that’s the correct encoding method using CyberChef for ROT47:

CyberChef

For ROT47 we get some interesting things, including a password. Maybe this user’s password, or maybe root’s? Let’s try both!
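Both the source-code comment found on the downloads page earlier and the CyberChef decode here come down to the same property: ROT47 is a fixed rotation with no key, so the same operation both "encrypts" and decrypts. The following Python is an added example, not the Overpass password manager's source; it implements ROT47, the general Caesar rotation the page mentions (ROT13 is the 13-shift case), and a check that applying the rotation twice restores the input. The sample credential line is constructed, not the real .overpass contents.

```python
"""ROT47 and Caesar rotations. Added example, not the Overpass password
manager's source; it shows why a store "protected" this way is only encoded.
The sample entry is constructed, not the real .overpass file."""
from typing import Callable, Iterable, List

ROT47_LO, ROT47_HI = 33, 126           # '!' .. '~', the 94 printable ASCII chars
ROT47_SPAN = ROT47_HI - ROT47_LO + 1   # 94; a shift of 47 is exactly half of it


def rot47(text: str) -> str:
    """Shift each printable ASCII character by 47 within the 94-char range."""
    out = []
    for ch in text:
        code = ord(ch)
        if ROT47_LO <= code <= ROT47_HI:
            out.append(chr(ROT47_LO + (code - ROT47_LO + 47) % ROT47_SPAN))
        else:
            out.append(ch)   # spaces, newlines and non-ASCII pass through unchanged
    return "".join(out)


def caesar(text: str, shift: int) -> str:
    """General Caesar rotation of the 26 letters; caesar(text, 13) is ROT13."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr(ord("a") + (ord(ch) - ord("a") + shift) % 26))
        elif "A" <= ch <= "Z":
            out.append(chr(ord("A") + (ord(ch) - ord("A") + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext: str) -> List[str]:
    """Every possible plaintext: 26 keys is small enough to simply list them all."""
    return [caesar(ciphertext, -k) for k in range(26)]


def is_involution(fn: Callable[[str], str], samples: Iterable[str]) -> bool:
    """True when applying fn twice gives back every sample (so no key is involved)."""
    return all(fn(fn(s)) == s for s in samples)


# Constructed sample: what a ROT47-"protected" credential looks like on disk.
SAMPLE_PLAINTEXT = "user=demo password=Constructed!Pass42"
SAMPLE_ENCODED = rot47(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(SAMPLE_ENCODED)
    print(rot47(SAMPLE_ENCODED))       # the same call both encodes and decodes
```

Because `rot47` is its own inverse and `caesar` has only 26 keys, neither offers any confidentiality; a password manager needs a real cipher keyed from a master secret (for example an AEAD under a key derived with a password hashing function).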

User:

sudo -l

Aha! So this is the current user’s password; however, they cannot run sudo, so let’s continue on.

Now to check for other users:

ls -la /home/

Only 1 other user, and we don’t have any access to their directory.

Check the system-wide crontab:

crontab

Okay, so this is interesting: we have a scheduled task that curls a file from a hostname/alias under the following directory path and pipes it straight into bash.

With this hostname/alias in mind, I want to check if we can write to this system’s /etc/hosts file so we can define our machine as overpass.thm. That way it downloads a fake buildscript.sh from us containing a bash reverse shell, and once it gets the file from us and runs it, we get a root shell back!
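From the defender's side, the chain just described rests on two auditable conditions: a system cron job that pipes a download into a shell, and a hosts file (or name resolution generally) that an unprivileged user can redirect. The following Python is an added example, not part of the write-up or the machine: it parses an /etc/crontab-style text, flags `curl`/`wget` ... `| bash` jobs, resolves the fetched hostname against an /etc/hosts text, and combines that with the file mode. The crontab, hosts entries and hostname `example.internal` are constructed samples.

```python
"""Audit checks for the two conditions chained above: a system cron job that
pipes a downloaded script into bash, and a hostname that can be redirected
through a writable /etc/hosts. Added example (not from the write-up or the
machine); the crontab and hosts texts below are constructed samples."""
import re
import stat
from typing import Dict, List

# "curl|wget ... | [sudo] sh/bash": remote content executed with the job's privileges.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|da)?sh\b")

SAMPLE_CRONTAB = """\
# constructed /etc/crontab sample
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl example.internal/downloads/src/buildscript.sh | bash
0 3 * * * backup /usr/local/bin/backup.sh
"""

SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.0.2.10 example.internal   # constructed: the address the build host should have
"""


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """Parse /etc/crontab-style lines: five time fields, a user, then the command."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if "=" in parts[0] or len(parts) < 7:
            continue  # VAR=value assignments or malformed lines
        jobs.append({"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]})
    return jobs


def fetched_host(command: str) -> str:
    """Hostname of the first non-option argument after curl/wget (simple heuristic)."""
    seen_fetcher = False
    for tok in command.split("|", 1)[0].split():
        if tok in ("curl", "wget"):
            seen_fetcher = True
        elif seen_fetcher and not tok.startswith("-"):
            return tok.split("://", 1)[-1].split("/", 1)[0]
    return ""


def find_pipe_to_shell(crontab_text: str) -> List[Dict[str, str]]:
    """Jobs whose command downloads something and pipes it straight into a shell."""
    findings = []
    for job in parse_system_crontab(crontab_text):
        if PIPE_TO_SHELL.search(job["command"]):
            findings.append({**job, "host": fetched_host(job["command"])})
    return findings


def hosts_entries(hosts_text: str) -> Dict[str, str]:
    """Map each name in an /etc/hosts text to the first address listed for it."""
    mapping: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name, fields[0])  # first match wins, like the resolver
    return mapping


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set (e.g. the st_mode of a 0666 file)."""
    return bool(mode & stat.S_IWOTH)


def audit(crontab_text: str, hosts_text: str, hosts_mode: int,
          expected: Dict[str, str]) -> List[str]:
    """Flag fetch-to-shell jobs, then escalate when the host they fetch from could
    be re-pointed (world-writable hosts file) or already resolves to the wrong address."""
    issues = []
    names = hosts_entries(hosts_text)
    for job in find_pipe_to_shell(crontab_text):
        issues.append(f"cron job as {job['user']} pipes a download from {job['host']} into a shell")
        if is_world_writable(hosts_mode):
            issues.append(f"/etc/hosts is world-writable: {job['host']} can be redirected locally")
        actual = names.get(job["host"])
        if actual and expected.get(job["host"]) not in (None, actual):
            issues.append(f"{job['host']} resolves to {actual}, expected {expected[job['host']]}")
    return issues
```

On a live system the mode would come from `os.stat("/etc/hosts").st_mode` and the texts from the files themselves; the fix for the finding is the usual one: 0644 on /etc/hosts, and cron jobs that verify a signature or checksum of what they download instead of piping it into a shell.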

With that in mind, let’s move on and check the /etc/hosts file on the target system:

ls -la /etc/hosts

It’s our lucky day! We can edit this! So let’s use nano (if available) to edit this file and point the alias at our IP:

nano

Now that we have pointed the hostname/alias at our attacking box IP, let’s create the same directory structure as found in the crontab, in this case downloads/src/:

directory structure

Now that we have made the directory structure, we are going to create the file, and once it is done it should look like this:

buildscript.sh

Awesome, so now that we have our evil file, we can change back to the parent directory and run a local Python web server so the target can fetch the file from our machine. Then we have our nc listener running to catch the new root shell.

So firstly, set up the nc listener:

nc

And now to run the python web server:

python3 server

NOTE: If you are like me and must use sudo for root commands, you will also need to use sudo with the python command, as it will be trying to bind an otherwise privileged port. In our case this port will be port 80.

Now we wait for the scheduled task to run, check that our Python server sent the file without any problems, and then check our nc shell:

As we can see, it retrieved the file from us successfully, so we can now check on our nc listener:

nc listener

And as you can see we are now root!

Now to get the final flag and take a well deserved break!

root.txt

And with that, we are done! Congratulations and thank you for reading!

Please feel free to follow me on twitter if you like the write up: https://twitter.com/amec0e
