Hacking Overpass CTF: Guide

Vasanth Vanan
4 min read · Dec 25, 2022


Resource: TryHackMe


Welcome to the Overpass CTF on TryHackMe! If you’re new to THM, make sure to complete this tutorial first to familiarise yourself with the platform.

The Overpass CTF consists of three rooms, each with its own set of challenges to complete. In this blog, I’ll be focusing on the first room of the series. Not every step is covered in this blog, so I encourage you to get the idea and work on it yourself.

To start the machine for Overpass, you’ll need to connect to the network through a VPN by downloading the .ovpn for your profile.

I started by scanning the system using nmap. It revealed that ports 80 and 22 were OPEN on the system.

One of the first tasks I tackled was trying to access the website on port 80. It is a common port for web servers, so it is generally a good place to start. Once I had the website open, I started looking for clues and vulnerabilities that I could exploit to progress through the challenges.

[Screenshot: the Overpass website on port 80]

There are two flags to find in this room: user.txt and root.txt. The user.txt flag is typically easier to find and will often lead you to the root.txt flag, which is the ultimate goal of the CTF.

Finding Flag #1: user.txt

As I browsed the site, I used a tool called dirbuster to try and find hidden web files and directories. Through this process, I came across several juicy files such as admin.html and login.js that contained the code logic for the login functionality.

[Screenshots: admin.html, and the login logic found in login.js]

Upon examining these files, I realised that the login process was vulnerable to an OWASP Top 10 vulnerability: Broken Authentication.

// The server's response body is compared against a fixed string on the client;
// anything else is stored verbatim as the session cookie.
if (statusOrCookie == "Incorrect credentials") {
    LoginStatus.textContent = "Incorrect Credentials"
    passwordBox.value = ""
} else {
    Cookies.set("SessionToken", statusOrCookie)
    window.location = "/admin"
}

I discovered that by setting the SessionToken cookie manually and refreshing the page, the login process could be bypassed entirely.

This brings me to the /admin page, where I found a private SSH key belonging to a user.

With this key, I was able to use john and ssh2john to crack the passphrase for the key. Once I had the passphrase, I was able to use it to log in to the machine via SSH at port 22. This granted me access to the user’s account, and from there I was able to simply list the files in the directory to find the first flag: user.txt.

Finding Flag #2: root.txt

Next, I turned my attention to the root.txt flag. To get this flag, I needed to escalate my privileges and become the root user. I started by running the LinPEAS or LinEnum shell scripts to look for services and files running with higher privileges. As I examined the system, I noticed that a cron job was fetching and running a shell script every minute from the overpass.thm domain.

By inspecting the hosts file, I saw that overpass.thm resolved to localhost. I knew where this was going. I was able to hijack the name resolution by pointing overpass.thm at my own IP address, redirecting the traffic to a fake web server that I had set up.

I created a shell script with the same file name, buildscript.sh, containing the following command:

cp /root/root.txt /dev/shm/root.txt

When cron ran its job, it simply copied the root.txt file from the /root directory to the /dev/shm folder, and voila! I had both flags and had successfully completed the Overpass CTF.

Note: /dev/shm is a virtual memory filesystem used to store temporary files shared between processes in Unix-like operating systems. Sometimes it’s good to place our files in /dev/shm or /tmp as they will be deleted when the system reboots.

Happy hacking :)
