Hello everybody, my name is John Hammond. Welcome back to the YouTube video. We're still looking at some TryHackMe, so let's hop on over to my screen and get to it. I wanna showcase the Overpass room because I just kind of found it and I thought it was a really kind of interesting and neat idea. I also saw there is Overpass 2 that is out right now and I wanna pore into that, but first we gotta get through the starting thing.

So the theme, or the kind of prompt for this box, is: what happens when some broke computer science student makes a password manager? I have already submitted flags for this, so please forgive me that those are visible there, but we'll dive in as to how to get to those and find them as we always do. So it says, obviously, it's a perfect commercial success whenever computer science students try to make a password manager, and there's also a little Easter egg. They say there is a TryHackMe subscription code hidden on this box; first person to find and activate it will get one month's subscription for free. If you're already a subscriber you can just give the code away and do some good stuff. But that has already been claimed; this room is about a month old. I realize my face is kind of in the way so you can't see that message there.

But anyway, we have our machine IP address. It's up and it's running and I'm connected to the VPN, so let's get started and try and work with it. I will make a directory for YouTube/Overpass so we have a place to work, and I'll get started with an Nmap scan while we kind of put together our notes document. So nmap -sC for default scripts, -sV to search for versions, -oN so Nmap outputs to a simple Nmap format, and of course I'll paste in the IP address. All right, while that's running let's make a simple README file so we can kind of keep track of things. I tend to do that just because it's good practice. Sometimes while I'm doing this video I might just sort of forget, please forgive me.
And it is currently August 18th, 2020, and I'll slap my name in there. Maybe if you just end up, like, throwing this in GitHub or something, or you're just sharing your notes and your repository, who knows what you're working on. We'll just go ahead and copy these prompts here, slap them in, good enough. Easy peasy. I realize there is, like, a TryHackMe API that you could use. It's like a library in Python, and I need to tinker with that because I wanna write a script that could do something like this for larger rooms that have, like, more information in them, because that way you'll just automatically have this README and you won't have to really work with much.

We've got some interesting stuff open. Our Nmap scan is up and accessible, so let's check that out. Looks like we have port 22 open, so classic SSH, looks like it's running on Ubuntu, and port 80, HTTP, and it's Golang. Interesting, you don't often see that. Very cool, okay. Looks like that's it, looks like we only have those two ports. Just to be safe, let's turn off those safe scripts or whatever those are and let's run our all-port scan with -p-, all those. There we go, let's get started to run that, and let's explore that webpage while we know that that's a thing.

All right, just opening up the IP address in our web browser. It says welcome to Overpass, a secure password manager with support for Windows, Linux, macOS and more. This is interesting because it's, like, an actual, relatively somewhat of a webpage here. People reuse the same password for multiple services. If you're one of them, you're risking your accounts being hacked by evil hackers. Overpass allows you to secure different passwords for every service, protected using military grade cryptography to keep you safe. Oh yeah, okay. Passwords are never transmitted over the internet in any form, unlike other password managers. Overpass does not store your passwords, unlike other password managers. Download Overpass today.
All right, let's check out the source. I just hit Ctrl+U on my keyboard to do that. Looks like they are loading, like, local JavaScript and console.log hello world. So if I were to go back to the page and check out the console tab, yep, you can see that guy right there. Nice, cool, great. I'm also just gonna take a look at the CSS file in case they hide anything in there; I think that's kind of good practice, just something good to do. Images I'm not extremely concerned about. If we kind of run out of things to do, we could do, like, cheesy stego on that or some other reconnaissance, but... oh, there's an HTML comment here. Yeah, right: just because the Romans used it doesn't make it military grade. Change this. Ah, okay. Romans using secure cryptography, that hints towards, like, ROT13 and Caesar ciphers, right? So, okay, that's clearly not incredibly strong cryptography.

There's a downloads page, so let's go check that out. Hop on over here. Stay safe against hackers, use Overpass. Oh, and they have pre-compiled binaries, and they have the source code. Nice, okay, anything else in this? overpass.go, build scripts. These are all in, like, a specific directory. Build also... oh, there's an About Us page. Sorry, before I forget, I just kind of want to keep looking around. Anything here in this source? Nope, nothing hiding. Ninja... oh, I like that Szymex is in there. Ninja, cool. This is really cool, all the TryHackMe guys, I love it.

Great, okay, let's take a look at this code that they're showcasing here. Source code and build script, let's look at this thing. Oh, I already have these files downloaded. That's embarrassing, they're still in my Downloads folder. Who cares? Illusion, art, artifice. Let me make a directory for, like, source, and let's move Downloads overpass.source... yeah, it's not .go, sorry, into here. Same thing with build. I still have the binary itself, Dota Sage; we'll put that in here as well. So let's take a look at those.
Let's take a look at the source code, overpass.go, and it's written in Go, kind of neat. I wish I were smarter in Go. I wish I could just, like, write Go as well as I could write Python, because that language is crazy cool and it's able to do stuff like everywhere, other than the, like, scripts and binaries being, like, megs in size. But okay, it looks like a pass list entry is a structure, so it has a name and a password, and a function for ROT47. Excellent. The secure encryption algorithm, blatantly ripped and stolen from this URL. Okay, incredible. I will press the "I believe" button on that and say that that just does regular ROT47, at least for now. If it does do anything else and we just don't see it, then whatever, we don't need to work with it; we can go ahead and reverse engineer it as needed.

Save creds to file. Where does it save all these? Does it have a path, like a default path? Load creds from file, JSON input. Oh, Python-style input function. Needle, service search, password for service. I'm just kind of, like, slowly, cursorily looking through these to get an idea for kind of what these functions are and what they do. I don't think, like... there's no obvious, glaring, okay, bad eval or unsafe function that might be sticking out, but it's good to kind of peruse through this. Delete password from service. How does it do that? Pass not found. Print all passwords, and it just loops through all of them. Okay. Oh, creds path is in the home directory, .overpass. Good to know, and that's probably stored in some, like, marshaled or whatever JSON format as we saw up top. Okay. And we have this menu here and just a little command-line interface to answer or select one option. That's pretty easy enough. They did have the binaries, so we could just kind of tinker with it and play with it. Let's do that. Oh, what was that build script? Sorry, before I forget. buildscript.sh. GOOS, or "Goose", which is always fun.
That's in Go, setting an environment variable for how to install it and work with it, Overpass code. So it just does it for, like, literally everything. That's awesome. And echo date -R, builds completed. Oh, it's just kind of, like, command inject... command substitution in there to get the date. Maybe we could potentially abuse that at some point. Obviously we're just, like... we've downloaded this locally, but we are supposed to get into this box somehow, so we should mess with that. All right, whatever.

Let's take a look at the binary. You can download it; I have already downloaded it. I'm just gonna grab the Linux one. It didn't download because I didn't click it hard enough, apparently, but I still have the binary from doing it earlier. So let's move that in here and let's look at it. It is... now I realize typing at the bottom of my screen might annoy you, sorry. Mark that as executable, overpassLinux, and run it. There we go. Yeah, let's just hop over into another window up here so I'm not at the very bottom of my screen, because I heard some people say, like, hey, I don't like to read it because the YouTube play stuff gets in the way. So here we go. Welcome to Overpass. Retrieve a password for a service. One, John, that's it. It died. Okay, retrieve all passwords. John. Oh, again, this also still exists because of my home directory .overpass. Man, I'm really ruining the illusion here, right?

So this is ROT47. This is the weird notation that it's apparently encrypting and storing all this stuff in. Keep note: you can normally identify ROT47 by the weird, random, sheer amount of punctuation marks. And I'll just do a simple, stupid online ROT47 decoder. Slap that in, decrypt. Okay, yeah, so now you might be able to see I have John, John. John is the name and John is the password. Super boring, but that's how it would simply work. Okay. So now that we've looked at this code, we've looked at this source, we've looked at this build script, we've looked at the executable.
I don't see a whole lot else here. And since they give us, like, an actual website, sometimes you're like, oh wait, whoops, I've spent so much time exploring a website that I forgot to run my regular, normal enumeration procedures. So don't forget, fire up that simple Nikto. I'll tee that to nikto.log, if I can type, right? I'll also do the same with little Gobuster. We'll do a gobuster dir, -u with that URL, and we'll use -w for my word list, and then I store the directory-list medium over in my /opt directory, and we will fire that off. Okay. We'll see what that comes up with. Realistically, we probably should have been running that while we were looking through.

Oh, did it fail? And that HTTP client, how am I, right? Is that the right... that is the right IP address. Can I ping that thing? Oh, sorry. Yep. Is it just because Nikto's working? That's funny, error running Gobuster. I don't know if you can see that typo there. Nice. Let's do it again. Maybe it'll stop Nikto; we'll let Gobuster have a little bit of precedence here. Still dies. All right, let me pause and figure this out. Well, you know what, it might be that annoying Nmap scan beating it up. Maybe I don't need the trailing forward slash. Let's see if that will work. There we go. All right, turning off the Nmap scan, just kind of let it do its thing. That's fine.

aboutus, downloads, img, we saw all that already. Oh, a /admin. That is something we had not seen or looked at before. So let's hop over there, /admin. Administrator access, looks like we need credentials. Please log in to access this content. Okay, we could try the basic, stupid admin/admin. That doesn't work. admin/password, that doesn't work. We could try for basic, stupid SQL injection, or 1=1. Oh, using two hyphens to do a SQLite comment, using a hashtag or an octothorpe to do it with the SQL syntax, MySQL syntax, switching it up to a single quote or a double quote for strings, none of those work.
Okay, is there anything on this page that's interesting? body onload. Another CSS file. Okay, nothing there. Interesting anyway. main.js as usual. Oh, but there's a login.js and a cookie.js. That's peculiar. What is that cookie? Oh, okay, that's just a regular minified library used in other places, js-cookie, MIT license. So that might not be too interesting for us. How about login.js? Okay, yeah, this looks custom. This looks like it's just written specifically for this.

So we have a postData function with the URL and data. Response = await fetch of a URL with the POST method, credentials, headers, URL-form-encoded, follow any redirect, get the body, and then return the response. Okay, sometimes it's not always JSON. That's peculiar. encodeFormData, that looks like it just kind of puts it into, like, a... yeah, like, okay, POST data format. onload, which is just... we saw in the source code that would, like, run as soon as the page loaded. Okay, it would look for a login. On you clicking submit, it will run the login function rather than submitting the form as HTML normally would. So this login function is where all the interesting stuff happens.

Okay, we have usernameBox, which is getting all the information out of that field. Same thing with the password box, same thing with login. Text content equals nothing. creds is just going to be a little dictionary, associative array, hash table with the values pulled from the fields, and we will post to that resource, /api/login, with our creds, and it'll get a constant statusOrCookie with a response object from that postData function returning. Okay. And then we do a check in client-side code in JavaScript. So if the statusOrCookie is equal, equal, equal to "Incorrect credentials", then we know that failed, gotcha. Or otherwise, huh, we set a cookie: SessionToken, statusOrCookie, window.location. Okay, so it brings us to the exact same page, it just has a cookie working. But that's interesting, because what could that value be?
Obviously, if it's just not "Incorrect credentials", it could just be, like, literally anything, right? Like, what could that be if we were to set that? Would that work if we just set that to, like, anything? Literally, we could control that, because a cookie is something we can tamper with just as easily. Let me try that in curl. So let's make Gobuster shut up, and let's try to close out some of these because we don't need these to take up the entire terminal for us. Let's hop over to the original page, right? And let's try and curl that just to get it in the command line. I don't have, like, a cookie editor thing quickly installed, like a cookie editor browser plugin or manager on my Firefox or my Chrome here, so I'm just gonna use a simple curl for a proof of concept. I'm gonna specify -H to use a header. Will that work? I'd have to use, like, a Set-Cookie thing. I think curl just has, like, a --cookies. Yeah, no, cookies is unknown. Is it cookie? Yeah, --cookie requires a parameter. Okay, quick troubleshooting to see if that command-line argument actually exists. So we'll specify, what was the name of that, SessionToken. Yeah, we'll set it equal to literally anything. And we have a private key. Okay, so I guess that did work.

Since it's all JavaScript, we could probably do the exact same thing. This code would run in the context of this window because it's pulling in that cookie.js. So if I were to open up the console again and just slap this syntax in, statusOrCookie is not defined... that variable we could just set, once again, like, literally anything. Now if I were to refresh this page, that cookie is set and we can see it in our browser. So: since you keep forgetting your password, James, I've set up SSH keys for you. If you forget the password for this, crack it yourself; I'm tired of fixing stuff for you. Also, we really need to talk about this "military grade encryption". Nice.
Okay, so here's a private key. Reading that prompt, it sounds like we need to crack a password for this thing. So let's make a directory for SSH and slap this in here as an id_rsa. Don't forget to include a private key at the... excuse me, include a newline at the very, very end of your private key. That can trip you up sometimes if it says, like, unknown format or something. Let's mark it as our own, so chmod 600, and I'm assuming we'll have a username James, because it references this individual James here. So let's grab that IP address and try to ssh -i with that id_rsa, james at this IP address, not a URL, please. Thank you. See if that will work for us. Yep, I'm totally cool with connecting to it. Let's do it. We need a passphrase.

Okay, let's do that with John the Ripper. So I have /opt/rockyou.txt; I have this regular word list for brute forcing, that's just in my /opt directory, there's tons and tons of stuff. And I also have John the Ripper, so that's /opt/john/run/john. If you don't have that installed, go grab it off of their GitHub repository. It's, like, magnumripper, John the Ripper is a community edition, Jumbo John, I think it's called. And then just do it, go into the source directory, do a ./configure, and do a make and install, and it'll build it all for you. So super easy, super cool. Let's run John on... actually, we need to convert this specific format, right? 'Cause John will offer some scripts like ssh2john that will use a file format and kind of convert it into something that John the Ripper could work with. So I'll just make a forjohn.txt. That's good. Now with that done, we can run John on that forjohn.txt, but let me specify the word list here. I'll use /opt/rockyou as that word list for him, and I'll run forjohn, and let's see if he gets a hit, and he does. Okay, so james13 is apparently that password. Cool, cool. That's glove fun. What are you doing over there, John the Ripper? What are you doing?
Let's just stop that, actually, 'cause I don't need this extra session when I still have that in my command history. This thing, connect to it, please. And the password should be james13. Good, good, good. Type that right. Let it connect. Okay, let me pause this video real quick. Okay, that took forever, but I have codex here and I'm on the box. I am SSH'd in. So, okay, in our home directory as this James user, I can see a user.txt file, which we will cat out here, cat that out, all the words. And that will give us our points for that user. Though we also have a little todo.txt, which is interesting. Update Overpass encryption; Muirland has been complaining that it's not strong enough. Yeah, write down my password somewhere on a sticky note so that I don't forget it. Wait, we make a password manager, why don't I just use that? Test Overpass for macOS. It builds fine, but I'm not sure it actually works. Ask Paradox how we got around... how we got the automated build script working and where the builds go. They're not updating on the website. Automated build script. Is it still... is it, like, running here? 'Cause I know we had that thought we could maybe, like, get in the middle of that date command running or something. Okay, whatever.

Let's see if we have a password. He mentioned he has been using the password manager. Oh, and we have an .overpass file. Okay, so that hidden directory again, right? So let's cat out that .overpass and we see his information. It's simple ROT47. So I had that ROT47 decoder online; I could just, once again, slap that in. Go: name, System, pass, see, drawnling picture. Okay, whatever. Is System referring to, like, this system? System? Like, would I be able to, like, sudo -l? Like, is that his password? Paste that in? Okay, that is his password, but James can't run sudo. Boring. Okay, we could do a regular enumeration. What's in the... are there any other users we can get into? There's a tryhackme user. Nope, can't get into that.
Anything in root? Nothing particularly interesting. Okay, so let's throw, like, LinEnum or LinPEAS in here and let's see if we can find a way around this. I am going to use Quake, which I use as part of my cheesy, like, poor man's pentest framework ideas, because I would like to be able to upload or download a file, right? So I have these commands, like upload file with netcat or, like, wget or other methods to get a file on the box. Normally, if you're using this with pwncat, it's much better, and we could get, like, a pwncat shell if we wanted to, but I'll just showcase this one because I think LinEnum might highlight some things a little bit better for your learning and for us to walk through this together. So let me show you, like, what that is before I just totally say that this is what we're going to do and then you don't understand any of it.

So let's fire that up in Sublime Text. I'm using my PMP, or /opt/poor-mans-pentest functions, and that will grab, like, my IP address, my localhost IP address, so it knows... or my tun0 IP address, excuse me, so it knows how to reach the VPN and that box back and forth. Like, a random port, it'll specify a file name out of this little dollar... excuse me, out of this command-line argument we pass in. Well, hi, Quake, which is how I'm using to invoke this, and we'll get focus back to our actual window, and we will run a netcat listener grabbing this file on our host, and then we'll send the command with xte, or xautomation, to simulate typing in on the victim this netcat command to download and pull this file in. So that's all that that's doing, this silly poor man's pentest, because I'm, like, automating keystrokes inside of my reverse shell so I can, quote unquote, script inside of it. You don't have that real functionality, but pwncat will let you do that. So I would always recommend to use pwncat, but I guess I'm just not in this case, stupid me. Let's upload LinPEAS. There we go, that's slapped in.
I'm gonna give it a second. I'll check. Okay, yeah, Quake says it's got everything, it's done. So let me, like, close out of that, and it just threw it in /dev/shm, shared memory, because I like to hide in there. file says that it is a shell script, so let's run it, and let's ./ that. Okay, marked as executable. We're gonna get a ton of stuff. I'm using kind of one of the later versions of LinPEAS, I think, or at least newer than I had run previously, because now it'll cache directories or, like, be able to figure out a lot of good stuff. So we'll let that go and then we'll start to look through it. I guess we can kind of look through it as it's going, so nothing wrong with that.

LinPEAS: we have ping, we have netcat, incredible old sudo version. Good to note, kind of exploring and seeing if there's anything that just jumps out. LinPEAS is great because it'll color-code things that are potentially or very, very likely a privilege escalation utility. Useful software, we have a lot: Python, we have base64, all these things. We have compilers, goodness. Root is running some stuff. Cron, cron's in there. Why are they running cron? I wonder if that's that automatic build script. Cron jobs has some, yeah, those are all defaults, they look like defaults. Oh, what is that line? So that's cron syntax, so every minute of every day, every hour of every day of every month, as the user root, interesting, we will curl overpass.thm, looks like a little hostname or domain name, /downloads/src/buildscript.sh, and pipe it to bash. Whoa, okay, funky. That is an obvious and egregious method that we could abuse to privilege escalate, because if root's running that, then we'll get code execution as root if that's just getting piped into bash. Can we control that, though? That overpass.thm, where are they setting that domain name? That's normally in /etc/hosts. Do we have write access to /etc/hosts? That's normally a weird thing. Hostname, okay, yeah, we can see that. Hostname, hosts and DNS.
That's definitely the output of our /etc/hosts file, but can I write to that? That's an odd listening port. Superusers are root, yep. Okay, tryhackme, looks like... tryhackme has a lot of privileges. He's in sudo, blah, blah, blah, blah, blah. rsync stuff, possible private keys, yep, we found those, we have those. cloud-init files, SUID files, nothing stands out to me, capabilities. Weird to see a CD-ROM file, okay. Modified interesting, oh, GPG stuff, that's peculiar. Writable log files, backup files, all hidden files. There's a lot in here. Whoa, okay, I don't need to see all that. Interesting writable files owned by me or writable by everyone that are not in my home directory. /etc/hosts is in the list. Okay, okay, cool.

So, if we can modify /etc/hosts, then what we could do is we could act as that curl command, right? That was in... oh boy, I gotta find it again now. It was the curling overpass.thm/downloads/src/buildscript.sh piped to bash, and that would run, like, every minute, right? So, if I were to try and do that now, looks like it's getting, okay, the one off of this website, but let's modify that. So, right now, let me change the profile. This will be the victim that we're in and this will be my server, my machine, because I want to know my IP address. If I could type, tun0 IP address, ip address show, my IP address there. And let's modify that /etc/hosts file, because we do have write access in there supposedly, and let's change the overpass.thm location and make it my address, yeah? So, that way, if I were to ping overpass.thm, you can see now I'm actually reaching my attacker machine. Great, so let's make a little directory for ourselves and we'll, like, fake and simulate, like, pseudo-create the same file structure as what that command is expecting in cron as it's running every minute. So, let me make, let's see, it's downloads, src, and then we have the script itself.
So, let's mkdir -p to make all of those directories while we're in there, and let's create a simple bash script, buildscript.sh, that will #!/bin/bash, there we go, and we can have this do literally whatever we want because that will be executed through bash. I think the easiest way to give us accessible root privileges is make the bash binary setuid, so that way we'll be able to, like, I don't know, invoke it and keep our root privileges. So, right now, if you check out the permissions on /bin/bash, sure, it is a root-owned executable, but it doesn't have a sticky bit set, or it's not setuid. Using that, we could just invoke it with -p, and that way we could maintain root readily and easily. You could do other things, like callback or reverse shell or whatever you want, but I wanna kind of keep me in this for simplicity's sake.

All right, let's hurry it up because we're getting into a really long video and this really doesn't need to be. So, let's get back to the root of this directory, right? Let's actually watch this, ls -la, and see when it's gonna hit. Looks like I still have, like, half a minute to go, and this will... we know from the crontab that this will happen on the clock every minute, on the minute. So, let's fire up my HTTP server, and that's going to listen on port 8000 by default. So, if I wanna specify port 80, I could specify that as a last argument, but we need root privileges to do that on my Ubuntu system. So, let me sudo python -m that, type in my password as fast as I can. Great, now we are very, very close to the end of the minute, so we should see a GET request come through on our attacker machine, done, and we should see this switch to an s, or a sticky bit, setuid. All right, so let's stop watching that and let's /bin/bash -p, and now we're root. Very, very cool.
We were just abusing that little curl command that's in cron that is running commands as root, and it's pulled from an external resource, or at least we can control where that resource is because it's in the /etc/hosts file that we have write access to. So, we can hop on over to /root and we could simply cat out that root.txt and be done with it. Nice, nice, nice. The Easter egg, if you wanted to, you could go find that... whoa, careful there, John. If you wanted to, you could go check out tryhackme, that user account that we saw. He does have an .overpass account, so we could cat out that file and see what other information that might have. As usual, it's just ROT47, so we could go hop over to this little decoder, decrypt that, and, kind of cheesy, there's a little TryHackMe subscription code, but someone has already found that, right? No sense trying to submit it, but very, very neat, very, very cool, very, very fun.

I really liked the idea of this box, and that was kind of fun, and it was cool to kind of work through some of those, and I liked that simple /etc/hosts trick. So, I hope you guys thought that was also very neat, very enjoyable. Take good notes, if that's something that you wanna do. As usual, I started the README file and then did nothing with it whatsoever, but hey, thank you guys so much for watching. I really hope you enjoyed this video. If you did, please do press that like button, do the YouTube algorithm things, leave me a comment, hopefully subscribe. Thank you, you guys are the best. Thanks so much for watching, I'll see you in the next video. Take care.
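An added example (not the room's Go code, and not from the video) of what the "military grade" ROT47 in the Overpass source amounts to, so you can decode a .overpass store offline instead of pasting it into a web decoder. The store layout (ROT47 over a JSON list of {"name", "pass"} objects) is assumed from the decoded output the video shows; the sample entries below are constructed, and the reuse check is added because the landing page itself warns about password reuse.

```python
import json

ROT47_LOW, ROT47_SPAN, ROT47_SHIFT = 33, 94, 47   # '!'..'~' are 94 symbols; 47 is half


def rot47(text):
    """Rotate each printable ASCII character by 47 places; anything else passes through.
    Because 47 is half of 94, the function is its own inverse: rot47(rot47(x)) == x.
    There is no key, so 'encrypting' and 'decrypting' are the same operation."""
    out = []
    for ch in text:
        code = ord(ch)
        if ROT47_LOW <= code < ROT47_LOW + ROT47_SPAN:
            code = ROT47_LOW + (code - ROT47_LOW + ROT47_SHIFT) % ROT47_SPAN
        out.append(chr(code))
    return "".join(out)


def load_overpass_store(blob):
    """Decode a credential store: ROT47 applied to a JSON list of {"name", "pass"} entries
    (layout assumed from the decoded ~/.overpass output in the video). Returns (name, pass)."""
    entries = json.loads(rot47(blob))
    return [(e["name"], e["pass"]) for e in entries]


def reused_passwords(entries):
    """Map each password used by more than one service to the services sharing it."""
    by_password = {}
    for name, password in entries:
        by_password.setdefault(password, []).append(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


# Constructed sample store; these are NOT the credentials from the room.
SAMPLE_ENTRIES = [{"name": "mail", "pass": "hunter2"},
                  {"name": "git", "pass": "hunter2"},
                  {"name": "bank", "pass": "correct horse battery staple"}]
SAMPLE_STORE = rot47(json.dumps(SAMPLE_ENTRIES))   # what the file on disk would hold
```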
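As an added example (not code from the video, the Overpass room, or LinPEAS), here is a small Python audit for the weakness that gave us root above: a root cron job that curls a script by hostname and pipes it into bash while /etc/hosts is writable by unprivileged users. The crontab and hosts contents are constructed samples modelled on what LinPEAS showed; the function names are mine, and demo() writes a temporary hosts file so nothing touches the real /etc/hosts.

```python
import os
import shlex
import stat
import tempfile

SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab lines: five time fields, user, command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value line
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]


def _argv(segment):
    """Tokenise one pipeline segment, dropping a leading sudo; [] if unparsable."""
    try:
        toks = shlex.split(segment)
    except ValueError:
        return []
    return toks[1:] if toks and toks[0] == "sudo" else toks


def fetch_target(segment):
    """Host fetched by a curl/wget segment, or None. A token with a scheme wins; otherwise
    the first non-flag token is taken as the URL ('-o file' style option values are not modelled)."""
    toks = _argv(segment)
    if not toks or os.path.basename(toks[0]) not in ("curl", "wget"):
        return None
    args = [t for t in toks[1:] if not t.startswith("-")]
    url = next((t for t in args if "://" in t), args[0] if args else "")
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0] or None


def pipes_into_shell(cmd):
    """Return the fetched host if cmd has the shape 'curl/wget ... | [sudo] sh/bash'."""
    segments = [s.strip() for s in cmd.split("|")]
    for left, right in zip(segments, segments[1:]):
        shell = _argv(right)
        host = fetch_target(left) if shell and os.path.basename(shell[0]) in SHELLS else None
        if host:
            return host
    return None


def hosts_names(path):
    """Hostnames pinned in a hosts file (first field of each line is the address)."""
    with open(path) as fh:
        return {n for line in fh for n in line.split("#", 1)[0].split()[1:]}


def audit(crontab_text, hosts_path):
    """One finding per pipe-to-shell cron job, with the hosts-file context attached."""
    writable = bool(os.stat(hosts_path).st_mode & stat.S_IWOTH)  # world-write bit set?
    pinned = hosts_names(hosts_path)                              # local names beat DNS
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        host = pipes_into_shell(cmd)
        if host:
            # root job + writable hosts file: any local user can redirect the fetch to a host they run
            sev = "critical" if user == "root" and writable else "high" if user == "root" else "medium"
            findings.append({"user": user, "command": cmd, "host": host, "severity": sev,
                             "hosts_writable": writable, "pinned_in_hosts": host in pinned})
    return findings


# Constructed sample data modelled on what LinPEAS showed in the room (not copied from it).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 overpass.thm\n"


def demo(hosts_mode=0o666):
    """Audit the sample crontab against a temporary hosts file created with the given mode."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        with open(hosts, "w") as fh:
            fh.write(SAMPLE_HOSTS)
        os.chmod(hosts, hosts_mode)
        return audit(SAMPLE_CRONTAB, hosts)
```

On a real host, run audit(open("/etc/crontab").read(), "/etc/hosts"); the fix on the box side is to stop piping remote content into a shell as root and to keep /etc/hosts at its default root-owned 0644.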