Overpass (THM)

owasp top 10, cron

TryHackMe Overpass Write-Up

topics: web application security, JSONP endpoints, OWASP Top 10, broken authentication, JavaScript, Linux privilege escalation, cron jobs

  1. Enumeration

  2. Local Privilege Escalation

  3. Root Privilege Escalation

new tools: nmapAutomator, dirsearch, ssh2john

Enumeration

Initial nmap scan with nmapAutomator, Full profile:

./autonmap.sh $ip Full

This box only has SSH and HTTP open. nmap fingerprints the web server as a Golang net/http server (its "Go-IPFS json-rpc or InfluxDB API" guess is just the closest signature match). Let's visit the homepage and run a vulnerability script against the web service.

There is some interesting information here. The site says it was created out of frustration at people's passwords turning up in the infamous rockyou.txt, and claims to "create a password manager to help you use unique passwords for every service. Your passwords never leave your PC, and are stored securely in an encrypted file". Overpass is a local password manager, so the web server itself need not hold user passwords, but the encrypted-file design and the rockyou.txt reference are worth remembering: a weak password somewhere on this box, or an Overpass vault sitting on it, would fit the theme.

The vulnerability script revealed the following:

The downloads page contains Overpass binaries for Windows, macOS, Linux and BSD, as well as the source code and a build script. There is a login form at /admin, but it does not accept the default credentials admin:admin.

The http-jsonp-detection finding is interesting: it flags main.js. Client-side JavaScript is always delivered to the browser, so this is less "source code exposed" than a reminder that the site's logic lives in readable JS files worth inspecting. I researched "owasp jsonp" and came across a page stating that JSONP "lacks any mechanism to restrict and verify requests origins". Strictly that is a cross-origin data-exposure (CSRF-style) weakness rather than XSS, but either way it makes the JavaScript a potential initial-access vector on a site built around password storage.

Let's use dirsearch to look for JavaScript files that return a 200 status code:

python3 dirsearch.py -u $ip -e js -i 200

We can see the admin login page and main.js, as well as a login.js file, which suggests it holds the client-side code for handling login requests.

Navigating to the file reveals this login function:

The if statement contains a sensitive line of code, Cookies.set("SessionToken", statusOrCookie): whatever text the login API returns is stored directly as the session cookie, and cookies are entirely under the client's control.

The JSONP finding turns out to be a side issue; what matters is that the session cookie is set client-side from the API response, and the browser's developer tools let us create or edit any cookie we like. So the test is simple: create a SessionToken cookie with an arbitrary value and see whether /admin accepts it. If it does, the server is only checking that the cookie exists, not that it holds a token the server issued. In OWASP Top 10 terms this is Broken Authentication.

Navigate to the /admin login page and open the developer tools. In the storage tab that holds cookies, add a new cookie named SessionToken with an arbitrary value, then submit the login form with invalid credentials (or simply reload /admin).

It worked: with the cookie in place, /admin rendered the admin page, and it contained an SSH private key for the user james. The server never validated the token value at all.
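To make the flaw concrete, here is an added example (my code, not the box's Go server or the write-up's) that models the two ways a server can treat the SessionToken cookie: the presence-only check that the behaviour above reveals, and a hardened check against a server-side session store. The function names, the 15-minute session lifetime and the sample cookie headers are assumptions made for the example.

```python
"""Presence-only vs server-validated SessionToken check.

Added example (not code from the Overpass box or this write-up). The
vulnerable check accepts any cookie named SessionToken; the hardened check
only accepts tokens the server itself issued. Names, the 15-minute TTL and
the sample cookie headers are assumptions."""
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_TTL = 900  # seconds; arbitrary choice for the example


def parse_cookie_header(header: str) -> dict:
    """Parse a raw 'Cookie:' header value into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def admin_allowed_vulnerable(cookie_header: str) -> bool:
    """The flaw: /admin is served if a SessionToken cookie exists at all.
    Its value is never compared with anything, so 'SessionToken=anything'
    set from the browser's developer tools is enough."""
    return "SessionToken" in parse_cookie_header(cookie_header)


class SessionStore:
    """Server-side record of the tokens this server actually issued."""

    def __init__(self) -> None:
        self._sessions = {}  # token -> (username, expiry)

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Mint a random token after a successful password check."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._sessions[token] = (username, now + SESSION_TTL)
        return token

    def lookup(self, presented: str, now: Optional[float] = None):
        """Return the username for a valid, unexpired token, else None.
        Every stored token is compared with compare_digest so the check
        does not leak how much of a guess matched."""
        now = time.time() if now is None else now
        for token, (user, expiry) in list(self._sessions.items()):
            if hmac.compare_digest(token.encode(), presented.encode()):
                if now > expiry:
                    del self._sessions[token]  # purge expired session
                    return None
                return user
        return None


def admin_allowed_hardened(cookie_header: str, store: SessionStore,
                           now: Optional[float] = None):
    """The fix: the cookie is only a lookup key; authority lives in the
    server-side store. Returns the logged-in username or None."""
    token = parse_cookie_header(cookie_header).get("SessionToken")
    if not token:
        return None
    return store.lookup(token, now)


if __name__ == "__main__":
    forged = "SessionToken=anything"  # constructed: what we set in devtools
    print("vulnerable accepts forged cookie:", admin_allowed_vulnerable(forged))
    store = SessionStore()
    print("hardened accepts forged cookie:", admin_allowed_hardened(forged, store))
    real = "SessionToken=" + store.issue("james")
    print("hardened accepts issued token:", admin_allowed_hardened(real, store))
```

The hardened version also needs the cookie to be sent with HttpOnly and Secure flags and a server-side logout that removes the entry from the store; the point of the example is only that the token's value must be checked against something the server controls.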

Local Privilege Escalation

Save the key to a file with permissions 0600 (ssh refuses to use a key readable by others) and attempt to log in as james with it.

The key is protected by a passphrase; we can recover it with ssh2john.py and john:

python3 /usr/share/john/ssh2john.py id_rsa > hash && john --wordlist=/root/payloads/rockyou.txt --format=SSH hash

The passphrase is james13, so with the key we can now log in over SSH as james.

Root Privilege Escalation

The usual next steps would be sudo -l and hunting for readable credential files, but I noticed a todo.txt file in james's home directory first.

This todo.txt file suggests there is a weak password in the password manager, and that the build script is not updating on the website, while the user does not know where the builds come from. Running LinEnum.sh I noticed a cron job running the build script.

This cron job, which runs as root, fetches the build script from overpass.thm with curl and pipes it straight into bash. overpass.thm is a hostname, not an IP address, so the box has to resolve it, and Linux consults /etc/hosts before DNS (per /etc/nsswitch.conf). This is where the builds come from, so let's check our permissions on that file.

We have write permissions on /etc/hosts (it should be root-owned and mode 644; here it is writable by our user). Because the cron job trusts whatever overpass.thm resolves to and runs the download unverified as root, we can:

  • edit /etc/hosts so overpass.thm points at the attacking IP (replacing the existing entry rather than appending after it, since the first matching line wins)

  • create a downloads/src directory on the attacker's web server, so the path the cron job requests exists

  • put an nc reverse-shell one-liner in a file named buildscript.sh in that directory, start a listener, and wait for the next cron run to hand us a root shell

The root cause is the combination of curl | bash over unauthenticated HTTP with no integrity check and a writable hosts file; fixing either one would have closed this path.
