In this blog post, I'll share my experience tackling the "Overpass" challenge on TryHackMe. This Capture The Flag (CTF) exercise focuses on exploiting web application vulnerabilities and leveraging misconfigurations to gain root access.
The primary weaknesses exploited in this challenge were:
Weak Password Storage: Credentials were stored obfuscated with ROT47, a fixed substitution cipher with no key, so anyone who could read the file could recover the plaintext.
Insecure File Inclusion: The system fetched and executed content from an external host without any validation or integrity check, which amounted to remote code execution.
Improper Cron Job Configuration: A cron job running as root pulled a build script from a hostname over HTTP and executed it. Because that hostname was resolved through /etc/hosts, and the hosts file could be edited by a low-privileged user, the fetch could be redirected to an attacker-controlled server for privilege escalation.
These findings underline why passwords must be hashed rather than reversibly encoded, why content fetched at runtime must be validated before it is executed, and why automated tasks that run as root need to be configured with care.
I began by deploying the target machine and identifying its IP address. Using Nmap, I scanned for open ports and services.
The scan revealed the following open ports:
Port 22 (SSH): OpenSSH 7.6p1
Port 80 (HTTP): Golang net/http server
With HTTP service running on port 80, I navigated to the web server in my browser and discovered a simple webpage for "Overpass."
Using Gobuster, I discovered several directories. The scan revealed directories such as /aboutus, /admin, and /downloads. Accessing /admin, I found an admin login page.
Inspecting the /downloads directory, I found a file named overpass.go, which appeared to be the source code of the application. Analyzing this file, I discovered that user passwords were stored obfuscated with ROT47, a keyless substitution cipher, in a file located at ~/.overpass.
I retrieved the ROT47-obfuscated record from the .overpass file:
,LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.
Using an online ROT47 decoder, I decoded the record to:
[{"name":"System","pass":"saydrawnlyingpicture"}]
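The decoding is simple enough to do locally, which also avoids pasting credentials into a third-party website. The following is an added example and not code from the original writeup or from the Overpass application: it implements ROT47 (every printable ASCII character from 33 to 126 is rotated 47 places within that 94-character range), decodes the record above, and parses the resulting JSON. Because 47 is half of 94, applying the function twice returns the original text, which is exactly why ROT47 is obfuscation rather than encryption: there is no key to recover, only a fixed mapping.

```python
import json

# The obfuscated record as it appeared in ~/.overpass on the target.
CIPHERTEXT = ",LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN."


def rot47(text: str) -> str:
    """Apply ROT47: rotate each printable ASCII character (codes 33..126)
    by 47 places within that 94-character range. The same function both
    obfuscates and recovers the text, so there is no key involved."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)  # whitespace and non-ASCII pass through unchanged
    return "".join(out)


def recover_credentials(record: str) -> list[dict]:
    """Decode a ROT47 .overpass record and parse the JSON list of accounts.
    Each entry carries a 'name' and a cleartext 'pass' field."""
    return json.loads(rot47(record))


if __name__ == "__main__":
    for entry in recover_credentials(CIPHERTEXT):
        print(f"{entry['name']}: {entry['pass']}")
```

The same routine would decode any other record written by the application, since the mapping never changes between installations or users.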
This gave me the password saydrawnlyingpicture, which worked for the user james. After logging in, I explored the system and found that james had only limited privileges.
I discovered a cron job, running as root every minute, that fetched and executed a script from overpass.thm/downloads/src/buildscript.sh. Nothing verified where the script came from or what it contained, and the hostname was resolved through /etc/hosts, which james could edit. By pointing overpass.thm at my own machine's IP address in /etc/hosts, I was able to serve a malicious buildscript.sh that set the SUID bit on /bin/bash.
Once the cron job had executed my script, /bin/bash ran with root privileges, and I used it to retrieve the root flag.
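The configuration flaw that made this escalation possible is easy to spot mechanically. The following added audit script is not part of the original writeup or the Overpass room: it scans system-crontab lines for commands that download content and pipe it straight into a shell, and reports three things a defender should care about: that remote content is executed without inspection, that the fetch uses plaintext HTTP (a URL with no scheme defaults to HTTP), and that the hostname is pinned in /etc/hosts, so whoever can edit that file chooses the server. The crontab and hosts file used as input are constructed samples modelled on what the writeup describes, not copies of the target's files.

```python
import re

# Constructed sample input (not taken from the target): a system crontab of the
# kind described in the writeup, alongside a hosts file that pins the hostname.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
0 3 * * * backup /usr/local/bin/backup.sh
"""

SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 overpass-prod
127.0.0.1 overpass.thm   # application host, resolved locally
"""

FETCHER = re.compile(r"\b(curl|wget)\b")
PIPED_TO_SHELL = re.compile(r"\|\s*(?:ba|z|da)?sh\b")


def parse_hosts(hosts_text: str) -> set[str]:
    """Collect every hostname that /etc/hosts resolves locally."""
    names = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            names.update(line.split()[1:])  # everything after the address
    return names


def audit_crontab(crontab_text: str, hosts_text: str) -> list[dict]:
    """Flag system-crontab jobs that fetch remote content and execute it.

    Returns one finding per risky job with the running user, the command,
    and the list of issues observed."""
    pinned = parse_hosts(hosts_text)
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and VAR=value assignments.
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 6)  # 5 schedule fields, user, command
        if len(parts) < 7:
            continue  # malformed, or a per-user crontab without a user column
        user, command = parts[5], parts[6]
        if not (FETCHER.search(command) and PIPED_TO_SHELL.search(command)):
            continue

        issues = ["remote content is piped straight into a shell"]
        # First token that looks like a URL or hostname is the fetch target.
        url = next((t for t in command.split() if "." in t and not t.startswith("-")), "")
        if not url.startswith("https://"):
            issues.append("fetched over plaintext HTTP (no scheme means http)")
        host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0]
        if host in pinned:
            issues.append("host is resolved via /etc/hosts; editing that file redirects the fetch")
        findings.append({"user": user, "command": command, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_HOSTS):
        print(f"[{f['user']}] {f['command']}")
        for issue in f["issues"]:
            print(f"    - {issue}")
```

A job that trips all three checks while running as root is exactly the pattern exploited here. The fix is not to harden the download but to remove it: ship the script with the host and run it from a root-owned, non-writable path, and if content must be fetched at run time, use HTTPS and verify a known hash before executing anything.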