TryHackMe – Overpass Write-Up
Tags: OWASP Top 10, cron
Topics: web application security, JSONP endpoints, OWASP Top 10, broken authentication, JavaScript, Linux privilege escalation, cron jobs
Contents: Enumeration, Local Privilege Escalation, Root Privilege Escalation
New tools: nmapAutomator, dirsearch, ssh2john
Enumeration
Initial nmap scan: ./autonmap.sh $ip Full
This box only has HTTP (nmap fingerprints the service as a Golang server, possibly Go-IPFS json-rpc or the InfluxDB API) and SSH open. Let's visit the homepage and run a vulnerability script.
There is some interesting information here. We are told the site was created out of frustration that people's passwords kept turning up in the infamous rockyou.txt, and it claims to "create a password manager to help you use unique passwords for every service. Your passwords never leave your PC, and are stored securely in an encrypted file". That means passwords must be stored somewhere, either on the site itself or in a database connected to it.
The vulnerability script revealed the following:
The Downloads tab contains Overpass binaries for Windows, Mac, Linux and BSD, as well as the source code for the platform and a build script. There is a login page under the /admin subdirectory, but it does not accept the default credentials admin:admin.
The http-jsonp-detection result is interesting: it returns a page named main.js, which may mean the site's source code is publicly exposed. I researched "owasp jsonp" and came across this website, which states that JSONP "lacks any mechanism to restrict and verify requests origins", a type of XSS attack. This makes it a potential attack vector for initial access, since this site was built to store passwords.
Let's use dirsearch to look for JavaScript files that return a 200 status code:
python3 dirsearch.py -u $ip -e js -i 200
We can see the admin login page, main.js, and also a login.js file, which suggests it holds the source code for handling login requests.
Navigating to that file reveals the login function. Its if statement contains a sensitive line of code: Cookies.set("SessionToken",statusOrCookie)
We know a JSONP endpoint was detected and that it does not verify the origin of requests. With the developer tools we can edit this source code and set the cookie to whatever value we want. The cookie is set when invalid credentials are entered on the /admin login page. The OWASP category here is likely Broken Authentication.
Navigate to the /admin login page and open the developer tools. In the Storage tab, which holds the cookies, add a new one named "SessionToken" and log in with invalid credentials.
It worked: using what the login page's source code told us, we changed the value of the cookie on the admin page and it returned SSH keys for the user james.
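To make the Broken Authentication point concrete, here is an added Python example (not code from the original write-up or from the Overpass application) contrasting a server that accepts any "SessionToken" cookie, which is effectively what the admin page did, with one that only accepts tokens it issued itself. The function names, the server secret and the user "james" are constructed for the demo; the point is that a cookie the browser can set freely is not a credential until the server verifies it against its own state.

```python
"""
Added example (not part of the original write-up): why a cookie the client
can set freely is not authentication. check_session_vulnerable trusts any
"SessionToken" value; check_session_hardened only accepts tokens the server
itself issued and HMAC-signed, and enforces server-side expiry and logout.
The secret, session store and user names are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed server-side secret; in production it comes from a key store or
# the environment, never from anything the client sends.
SERVER_SECRET = secrets.token_bytes(32)

# Server-side session store: session id -> (user, expiry). This table, not the
# cookie's contents, decides who is logged in.
_SESSIONS: Dict[str, Tuple[str, float]] = {}


def check_session_vulnerable(cookies: Dict[str, str]) -> Optional[str]:
    """Vulnerable: any non-empty SessionToken is treated as a logged-in admin.
    This is the behaviour that lets a value typed into dev tools grant access."""
    token = cookies.get("SessionToken")
    if token:
        return "admin"
    return None


def issue_session(user: str, ttl_seconds: int = 900) -> str:
    """Server issues a random session id and binds an HMAC to it, so an edited
    or invented cookie fails verification before any lookup happens."""
    session_id = secrets.token_urlsafe(24)          # no '.' in this alphabet
    _SESSIONS[session_id] = (user, time.time() + ttl_seconds)
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def check_session_hardened(cookies: Dict[str, str]) -> Optional[str]:
    """Hardened: verify the HMAC in constant time, then look the id up in the
    server-side store and enforce expiry. Anything else is unauthenticated."""
    token = cookies.get("SessionToken", "")
    session_id, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    entry = _SESSIONS.get(session_id)
    if entry is None or entry[1] < time.time():
        _SESSIONS.pop(session_id, None)             # drop expired sessions
        return None
    return entry[0]


def logout(token: str) -> None:
    """Invalidate a session server-side; the same cookie can no longer log in."""
    _SESSIONS.pop(token.partition(".")[0], None)


if __name__ == "__main__":
    forged = {"SessionToken": "anything-typed-into-devtools"}
    print("vulnerable check, forged cookie ->", check_session_vulnerable(forged))
    print("hardened check, forged cookie   ->", check_session_hardened(forged))
    real = {"SessionToken": issue_session("james")}
    print("hardened check, issued cookie   ->", check_session_hardened(real))
```

The hardened version also shows what a fix needs beyond "check the cookie": a random identifier, a server-held secret, a constant-time comparison, and server-side expiry and logout, so that nothing the client controls decides the outcome.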
Local Privilege Escalation
Save the key to a file and attempt to log in via SSH. The key is passphrase-protected; we can get past this with ssh2john.py:
python3 /usr/share/john/ssh2john.py id_rsa >> hash && john --wordlist=/root/payloads/rockyou.txt --format=SSH hash
We now have the credentials james:james13 to log in via SSH.
Root Privilege Escalation
We could inspect /etc/shadow and crack the password hash, or change it, to check sudo permissions, but I noticed a todo.txt file in the home directory.
This todo.txt suggests there is a weak password in the password manager and that the build script is not updating on the website, while the user doesn't know where the builds go. Running LinEnum.sh, I also noticed a cron job running the build script.
This cron job downloads the build script from overpass.thm (another server) and pipes it to bash. overpass.thm is a hostname rather than an IP address, so it must be resolved through /etc/hosts. This seems to be where the builds go; let's check our permissions.
We have write permissions on the hosts file. This means we can:
1. edit the hosts file and point overpass.thm at the attacking IP
2. create a downloads/src directory
3. add an nc shell one-liner in a shell script named buildscript.sh
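From the defender's side, the two conditions that make this escalation possible (a root cron job that pipes a download straight into bash, and a hostname in that command that any local user can redirect through a writable /etc/hosts) are easy to audit. The following Python script is an added example, not part of the original write-up or of LinEnum; the crontab lines in it are constructed to resemble the job described above, and the hostname overpass.thm is taken from the write-up. The real /etc/crontab and /etc/hosts are only consulted when the script is run directly.

```python
"""
Added example (not part of the original write-up): audit /etc/crontab-style
entries for "fetch a URL and pipe it into a shell" jobs and report whether the
hostname they depend on could be redirected via a group/world-writable
/etc/hosts. The sample crontab below is constructed for the demo.
"""
import os
import re
import stat
from typing import Dict, List
from urllib.parse import urlparse

# "<curl|wget> ... <url> ... | [sudo] <sh|bash|zsh|dash>". The URL may lack a
# scheme (as in "curl overpass.thm/path"), so require a dotted host instead.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*?"
    r"(?P<url>(?:https?://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?)"
    r"[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """Parse system crontab lines (5 schedule fields, user, command).
    Blank lines, comments and VAR=value assignments are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        jobs.append({"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]})
    return jobs


def find_pipe_to_shell(text: str) -> List[Dict[str, str]]:
    """Return each job that fetches a URL and executes it through a shell, with
    the hostname it trusts. Run as root, such a job runs whatever that host serves."""
    findings = []
    for job in parse_system_crontab(text):
        m = PIPE_TO_SHELL.search(job["command"])
        if m:
            url = m.group("url")
            parsed = urlparse(url if "://" in url else "http://" + url)
            findings.append({**job, "url": url, "host": parsed.hostname or ""})
    return findings


def hosts_file_writable_by_others(mode: int) -> bool:
    """True if the permission bits allow group or world writes. /etc/hosts should
    be 0644 root:root; anything looser lets a local user re-point hostnames."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(crontab_text: str, hosts_mode: int) -> List[str]:
    """Combine both checks into human-readable findings."""
    out = []
    for f in find_pipe_to_shell(crontab_text):
        out.append(f"cron as {f['user']} pipes {f['url']} into a shell (host {f['host']})")
        if hosts_file_writable_by_others(hosts_mode) and not IPV4.match(f["host"]):
            out.append(f"/etc/hosts is group/world writable: {f['host']} can be pointed anywhere")
    return out


# Constructed sample shaped like the job the write-up describes.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""

if __name__ == "__main__":
    try:
        crontab_text = open("/etc/crontab").read()
        hosts_mode = stat.S_IMODE(os.stat("/etc/hosts").st_mode)
    except OSError:
        # Not on a system with these files: fall back to the constructed sample.
        crontab_text, hosts_mode = SAMPLE_CRONTAB, 0o666
    for line in audit(crontab_text, hosts_mode) or ["no findings"]:
        print(line)
```

The fixes the audit points at are the usual ones: do not pipe a download into a shell from cron (fetch to a file, verify a signature or pinned hash, then execute), and restore /etc/hosts to 0644 owned by root so name resolution cannot be changed by an unprivileged user.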