TryHackMe write-up: Overpass

Introduction

This is my write-up for TryHackMe's Overpass room.

Enumeration

Using nmap, I saw that this box is running SSH and HTTP.

Looking at the webpage, I find this:


The About Us page may contain useful usernames:


Running nikto, it turns out that there's an admin panel there:


Below is what the admin panel looks like:


Exploitation

Looking at the source code, it turns out there's an interesting script being called.


Looking at login.js, I see that there's a way to bypass logging in:

What this means is that as long as "Incorrect credentials" is not the response to the POST request, the script redirects us to another page. Using Burp Suite, I can simply intercept the response.

In Burp Suite, under Proxy->Options, adding a "Match and Replace" rule would change the response.


Successfully intercepting the response looks something like this:


Reading the page, I see a username and an SSH private key. I then try to SSH as follows:




So as it turns out, this key is also password-protected. I needed a little help from my good friend John.

Running SSH again with the cracked password, I get a shell.



Privilege Escalation

Checking the cron jobs, I find one that downloads a script and executes it as root.


The question here is how to redirect the download.


Seeing that I can modify the hosts file, I can simply redirect the download to my machine.

First, I wrote my own script to be downloaded in its place.


And then I modified the hosts file.


After a few seconds, the script is downloaded.


Shortly after that, I get a reverse shell with root privileges.
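From the defender's side, the two weaknesses chained here are easy to audit for: a root cron job that pipes a downloaded script straight into a shell, and a world-writable hosts file that lets any local user redirect that download. Below is an added audit helper (example code, not from the room or this write-up); the crontab contents and hostname it runs against are constructed.

```shell
#!/bin/sh
# Audit helpers for the privilege-escalation path in this write-up.
# Example code, not from TryHackMe; sample data below is constructed.

# Print non-comment cron entries that fetch something with curl/wget and
# pipe it into a shell (the "download and execute as root" pattern).
find_remote_exec_cron() {
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba|da|z)?sh([[:space:]]|$)' \
        | grep -Ev '^[[:space:]]*#'
}

# Report whether a file (default /etc/hosts) is writable by "other"
# (mode o+w), which is what allowed the download to be redirected.
# Prints "writable" or "ok".
hosts_world_writable() {
    f="${1:-/etc/hosts}"
    if [ -n "$(find "$f" -perm -0002 -print 2>/dev/null)" ]; then
        echo writable
    else
        echo ok
    fi
}

# Constructed crontab: one live remote-exec entry, one commented out.
SAMPLE_CRON='17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl updates.example.internal/build.sh | bash
# * * * * * root wget -O - http://updates.example.internal/old.sh | sh
*/5 * * * * root /usr/local/bin/backup.sh'

# Demo run; on a real host feed /etc/crontab and /etc/cron.d/* instead.
printf '%s\n' "$SAMPLE_CRON" | find_remote_exec_cron
hosts_world_writable /etc/hosts
```

The cron check only flags the "pipe to shell" shape; a job that downloads to a file and runs it in a second step, or one that resolves its update host by name rather than a pinned IP, deserves the same scrutiny.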

