Introduction

We demonstrated a broken authentication vulnerability by changing cookie values, as part of the TryHackMe Overpass room.

Broken authentication is listed in the OWASP Top 10 web application security risks. If you are looking for notes on web application vulnerabilities, you can subscribe to my channel membership.

What happens when a group of broke Computer Science students try to make a password manager? Obviously a perfect commercial success!

Web Recon and Bypassing Login

First things first, I ran an Nmap scan and found an SSH port and an HTTP port open. The web server was hosting a password manager application. I used Gobuster to look for hidden directories and found an /admin page with a login form.

Here’s where it got interesting. I looked at the JavaScript code for the login page and found a major flaw: the script treated any response body from the server other than “incorrect credentials” as a session token and stored it in a cookie, so the cookie’s value came straight from the response rather than from anything the browser could verify.

So, to bypass the login, I simply opened my browser’s developer tools, created a new cookie named sessionToken with a blank value, and set its path to /. When I refreshed the page, I was in the admin area! The fact that a blank value was enough shows the real weakness sits on the server: the /admin handler only checked that the cookie existed and never compared it against a session it had actually issued.

Cracking the SSH Key

Inside the admin panel, I found a passphrase-protected (encrypted) SSH private key. I saved it to a file and then used a combination of ssh2john and John the Ripper to crack the passphrase. ssh2john converts the key into a hash format that John the Ripper understands, and John then runs through a wordlist until it finds the passphrase. This only works because the passphrase is weak enough to appear in the wordlist; a key protected by a strong, random passphrase would not fall to rockyou.txt.

Once I had the password, I was able to SSH into the machine as the user james and grab the user flag.

Hijacking a Cron Job for Root

After getting a user shell, I found a note mentioning an “automated build script.” This was a huge clue. I immediately checked the system’s cron jobs and found one running as root every minute. This cron job was downloading and executing a script called buildscript.sh from a domain named overpass.thm.

My plan was simple: I needed to make overpass.thm resolve to my own machine. I checked the permissions of the /etc/hosts file on the target and, lucky for me, it was world-writable. I edited the file to point overpass.thm at my IP address. Because root’s cron job resolves the hostname through that same /etc/hosts, any user who can write it controls where the download comes from.

On my machine, I set up a simple web server and created the same directory structure the cron job was looking for (/downloads/source/). Inside that directory, I placed my own malicious buildscript.sh, which contained a Netcat reverse shell payload.

I started a Netcat listener on my machine, and within a minute, the cron job on the target machine connected back to me, giving me a root shell! From there, it was a simple matter of reading the root.txt flag.

Technical Commands

Here are the key commands I used throughout this process:

  • Gobuster for directory enumeration:
      sudo gobuster dir -u http://<IP_ADDRESS> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php
  • Cracking the SSH key:
      ssh2john id_rsa > hash
      john --wordlist=/usr/share/wordlists/rockyou.txt hash
  • SSH login:
      chmod 600 id_rsa
      ssh -i id_rsa james@<IP_ADDRESS>
  • Checking the cron jobs:
      cat /etc/crontab
  • Modifying the hosts file (on the target):
      ls -la /etc/hosts
      nano /etc/hosts
  • Setting up the malicious web server (on the attacking machine):
      mkdir -p downloads/source
      nano downloads/source/buildscript.sh
      sudo python3 -m http.server 80
  • Catching the reverse shell:
      nc -lvnp 4444

TryHackMe Overpass Room Answers

Hack the machine and get the flag in user.txt

Escalate your privileges and get the flag in root.txt

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.