[{"data":1,"prerenderedAt":447},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-overpass-writeup":3,"surround-\u002F2025\u002Ftryhackme-overpass-writeup":438},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"draft":6,"recommend":6,"readingTime":14,"body":19,"_type":431,"_id":432,"_source":433,"_file":434,"_stem":435,"_extension":436,"_original_dir":437},"\u002F2025\u002Ftryhackme-overpass-writeup","2025",false,"","TryHackMe - Overpass","This write-up details the process of compromising the \"Overpass\" machine, starting with bypassing a weak login function to steal an SSH key and escalating to root by exploiting a misconfigured scheduled task.","2025-08-21T12:23:20.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"3 min read",2.385,143100,477,{"type":20,"children":21,"toc":424},"root",[22,28,44,59,66,70,74,88,92,97,101,122,126,130,142,148,153,157,195,199,203,223,227,238,242,255,259,265,279,283,304,309,313,317,345,372,376,388,392,396,408,412],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Foverpass",[40],"nofollow",[42],{"type":33,"value":43},"10.10.88.221",{"type":23,"tag":29,"props":45,"children":46},{},[47,49],{"type":33,"value":48},"Attacker IP: ",{"type":23,"tag":50,"props":51,"children":56},"span",{"className":52,"id":54,"style":55},[53],"example-info","just-like-this","color: 
#EA5B6F",[57],{"type":33,"value":58},"10.8.13.246",{"type":23,"tag":60,"props":61,"children":63},"h2",{"id":62},"reconnaissance",[64],{"type":33,"value":65},"Reconnaissance",{"type":23,"tag":24,"props":67,"children":69},{"src":68},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F2.jpg",[],{"type":23,"tag":24,"props":71,"children":73},{"src":72},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F3.jpg",[],{"type":23,"tag":29,"props":75,"children":76},{},[77,79,86],{"type":33,"value":78},"Let's take a look at our website at port number ",{"type":23,"tag":80,"props":81,"children":83},"code",{"className":82},[],[84],{"type":33,"value":85},"80",{"type":33,"value":87},".",{"type":23,"tag":24,"props":89,"children":91},{"src":90},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":93,"children":94},{},[95],{"type":33,"value":96},"We didn't find much information while browsing the site. So let's do a directory scan.",{"type":23,"tag":24,"props":98,"children":100},{"src":99},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":102,"children":103},{},[104,106,112,114,120],{"type":33,"value":105},"We obtained two important directories from the scan results. 
The first is the ",{"type":23,"tag":80,"props":107,"children":109},{"className":108},[],[110],{"type":33,"value":111},"\u002Fadmin",{"type":33,"value":113}," page, and the second is the JavaScript file ",{"type":23,"tag":80,"props":115,"children":117},{"className":116},[],[118],{"type":33,"value":119},"\u002Flogin.js",{"type":33,"value":121},", which performs the login function on the admin page.",{"type":23,"tag":24,"props":123,"children":125},{"src":124},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F6.jpg",[],{"type":23,"tag":24,"props":127,"children":129},{"src":128},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":131,"children":132},{},[133,135,140],{"type":33,"value":134},"When we examine the source code of ",{"type":23,"tag":80,"props":136,"children":138},{"className":137},[],[139],{"type":33,"value":119},{"type":33,"value":141},", we see an incorrectly implemented login function. The fundamental security flaw here is that the code does not verify a successful login; instead, it only checks for a single failure condition. The code only checks whether the response from the server is “Incorrect credentials.” If the response is not this text, it accepts it as a valid session token (SessionToken) without verifying its content and redirects the user to the admin panel.",{"type":23,"tag":60,"props":143,"children":145},{"id":144},"initial-access",[146],{"type":33,"value":147},"Initial Access",{"type":23,"tag":29,"props":149,"children":150},{},[151],{"type":33,"value":152},"Let's set a cookie with a random value ourselves. 
And let's send it.",{"type":23,"tag":24,"props":154,"children":156},{"src":155},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F8.gif",[],{"type":23,"tag":29,"props":158,"children":159},{},[160,162,169,171,177,179,185,187,193],{"type":33,"value":161},"And from the page that appears, we find the user ",{"type":23,"tag":80,"props":163,"children":166},{"className":164,"id":54,"style":165},[53],"color: #4DFFBE",[167],{"type":33,"value":168},"james",{"type":33,"value":170}," and the ",{"type":23,"tag":80,"props":172,"children":174},{"className":173},[],[175],{"type":33,"value":176},"ssh key",{"type":33,"value":178}," belonging to this person. We copy this and write it to the ",{"type":23,"tag":80,"props":180,"children":182},{"className":181},[],[183],{"type":33,"value":184},"id_rsa",{"type":33,"value":186}," file. Then we try to log in with the ssh key using the command ",{"type":23,"tag":80,"props":188,"children":190},{"className":189},[],[191],{"type":33,"value":192},"ssh james@10.10.88.221 -i id_rsa",{"type":33,"value":194},", but we see that the key is encrypted.",{"type":23,"tag":24,"props":196,"children":198},{"src":197},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F9.jpg",[],{"type":23,"tag":24,"props":200,"children":202},{"src":201},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":204,"children":205},{},[206,208,214,216,222],{"type":33,"value":207},"We can break this using ",{"type":23,"tag":80,"props":209,"children":211},{"className":210},[],[212],{"type":33,"value":213},"john",{"type":33,"value":215},". 
First, let's convert our key into a format that john can understand using ",{"type":23,"tag":80,"props":217,"children":219},{"className":218},[],[220],{"type":33,"value":221},"ssh2john id_rsa > id_rsa.hash",{"type":33,"value":87},{"type":23,"tag":24,"props":224,"children":226},{"src":225},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":228,"children":229},{},[230,232,237],{"type":33,"value":231},"Now let's use ",{"type":23,"tag":80,"props":233,"children":235},{"className":234},[],[236],{"type":33,"value":213},{"type":33,"value":87},{"type":23,"tag":24,"props":239,"children":241},{"src":240},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F12.jpg",[],{"type":23,"tag":29,"props":243,"children":244},{},[245,247,253],{"type":33,"value":246},"Let's log in using ",{"type":23,"tag":80,"props":248,"children":250},{"className":249},[],[251],{"type":33,"value":252},"ssh",{"type":33,"value":254}," with this information.",{"type":23,"tag":24,"props":256,"children":258},{"src":257},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F13.jpg",[],{"type":23,"tag":60,"props":260,"children":262},{"id":261},"privilege-escalation",[263],{"type":33,"value":264},"Privilege Escalation",{"type":23,"tag":29,"props":266,"children":267},{},[268,270,277],{"type":33,"value":269},"Now we need to elevate our privileges, so we will use automatic privilege escalation discovery tools. 
I will use ",{"type":23,"tag":36,"props":271,"children":274},{"href":272,"rel":273},"https:\u002F\u002Fgithub.com\u002Frebootuser\u002FLinEnum\u002Fblob\u002Fmaster\u002FLinEnum.sh",[40],[275],{"type":33,"value":276},"LinEnum.sh",{"type":33,"value":278},".\nLet's open a server on our own device, place the script there, and connect back to our own device from the target to download the script.",{"type":23,"tag":24,"props":280,"children":282},{"src":281},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":284,"children":285},{},[286,288,294,296,302],{"type":33,"value":287},"Let's grant the necessary permissions with ",{"type":23,"tag":80,"props":289,"children":291},{"className":290},[],[292],{"type":33,"value":293},"chmod +x LinEnum.sh",{"type":33,"value":295}," and then run the script. When I run it normally in the terminal, the earlier output is lost, so I saved it to the ",{"type":23,"tag":80,"props":297,"children":299},{"className":298},[],[300],{"type":33,"value":301},"result.txt",{"type":33,"value":303}," file after stripping the ANSI color escape sequences.",{"type":23,"tag":305,"props":306,"children":308},"copy",{"code":307},".\u002FLinEnum | sed 's\u002F\\x1b\\[[0-9;]*[a-zA-Z]\u002F\u002Fg' > result.txt",[],{"type":23,"tag":24,"props":310,"children":312},{"src":311},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F15.jpg",[],{"type":23,"tag":24,"props":314,"children":316},{"src":315},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F16.jpg",[],{"type":23,"tag":29,"props":318,"children":319},{},[320,322,328,330,336,338,343],{"type":33,"value":321},"When we examined the output, the crontab entry shown above caught our eye. 
This downloads a file named ",{"type":23,"tag":80,"props":323,"children":325},{"className":324,"id":54,"style":165},[53],[326],{"type":33,"value":327},"buildscript.sh",{"type":33,"value":329}," from the ",{"type":23,"tag":80,"props":331,"children":333},{"className":332,"id":54,"style":165},[53],[334],{"type":33,"value":335},"overpass.thm",{"type":33,"value":337}," address every minute with ",{"type":23,"tag":80,"props":339,"children":341},{"className":340,"id":54,"style":165},[53],[342],{"type":33,"value":20},{"type":33,"value":344}," privileges and executes it by sending the contents of the downloaded file directly to the bash command.",{"type":23,"tag":29,"props":346,"children":347},{},[348,350,356,358,363,365,370],{"type":33,"value":349},"When we look at writable files, we see that we have write permission for ",{"type":23,"tag":80,"props":351,"children":353},{"className":352},[],[354],{"type":33,"value":355},"\u002Fetc\u002Fhosts",{"type":33,"value":357},". And it occurs to us that ",{"type":23,"tag":80,"props":359,"children":361},{"className":360},[],[362],{"type":33,"value":335},{"type":33,"value":364}," could be assigned to an IP address. Indeed, when we check, it is assigned to an IP address. In this case, we can give our own IP address to ",{"type":23,"tag":80,"props":366,"children":368},{"className":367},[],[369],{"type":33,"value":335},{"type":33,"value":371},", so that crontab pulls the file from our server.",{"type":23,"tag":24,"props":373,"children":375},{"src":374},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F17.jpg",[],{"type":23,"tag":29,"props":377,"children":378},{},[379,381,386],{"type":33,"value":380},"Now let's create the same crontab path on our own device and open a server. 
We will place a bash reverse shell inside ",{"type":23,"tag":80,"props":382,"children":384},{"className":383},[],[385],{"type":33,"value":327},{"type":33,"value":387}," so that we can obtain a shell.",{"type":23,"tag":24,"props":389,"children":391},{"src":390},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F18.jpg",[],{"type":23,"tag":24,"props":393,"children":395},{"src":394},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F19.jpg",[],{"type":23,"tag":29,"props":397,"children":398},{},[399,401,406],{"type":33,"value":400},"And when we look at the port we are listening on, we see that we have received a ",{"type":23,"tag":80,"props":402,"children":404},{"className":403},[],[405],{"type":33,"value":20},{"type":33,"value":407}," shell.",{"type":23,"tag":24,"props":409,"children":411},{"src":410},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-overpass-writeup\u002F20.jpg",[],{"type":23,"tag":29,"props":413,"children":414},{},[415,417,422],{"type":33,"value":416},"The crontab process connected to the server we opened, downloaded the ",{"type":23,"tag":80,"props":418,"children":420},{"className":419},[],[421],{"type":33,"value":327},{"type":33,"value":423}," file containing the reverse shell from our server, and ran it with root privileges, giving us a shell.",{"title":7,"searchDepth":425,"depth":425,"links":426},4,[427,429,430],{"id":62,"depth":428,"text":65},2,{"id":144,"depth":428,"text":147},{"id":261,"depth":428,"text":264},"markdown","content:posts:2025:tryhackme-overpass-writeup.md","content","posts\u002F2025\u002Ftryhackme-overpass-writeup.md","posts\u002F2025\u002Ftryhackme-overpass-writeup","md","\u002Fposts",[439,443],{"_path":440,"title":441,"date":442},"\u002F2025\u002Ftryhackme-lazyadmin-writeup","TryHackMe - 
LazyAdmin","2025-08-20T08:34:58.000Z",{"_path":444,"title":445,"date":446},"\u002F2025\u002Ftryhackme-cyborg-writeup","TryHackMe - Cyborg","2025-08-23T05:49:06.000Z",1776934252160]