You can find this room at https://tryhackme.com/room/overpass
Just because the Romans built it doesn’t mean it’s military grade.
This room focuses on data exposure and privilege escalation. Starting after the port scan, we see two ports running.
The phrase "Just because the Romans used it doesn’t mean it’s military grade." is found once we inspect the code on the web page via the developer tools. After running dirb, the /admin subdomain was found, which contains a login screen. When checking the login.js file within this subdomain, there is an else statement that can be exploited by setting the SessionToken cookie to any value at all: doing so makes the JS run the aforementioned else branch and thus grants access to the admin panel, because the cookie's presence is checked but its value is never validated.
Once inside you’ll be greeted with an RSA key that can be used to SSH into the machine after its passphrase is recovered with ssh2john and regular john. The user James is now accessible over SSH using the RSA key and the passphrase that was just extracted. After login, you will find the user.txt file, which contains the user flag for this room. Now on to the root flag! For this, you’ll need to look at the todo.txt file, where you will find that you must switch to the user TryHackMe to get to the flag. However, simply switching to this user is not the way to the flag, and a lot of time was spent trying this method, at which I failed. But by leveraging the buildscript.sh file in the /downloads/src directory, we can save the contents of the root.txt file over to our machine. To have the Overpass box reach back to the attacker machine, you just have to modify the victim's /etc/hosts file to point to the attacker's IP and have a simple Python server running on port 80 to receive the request from the victim. And there you have it! You should be able to get the root flag for this room.
The Overpass room on TryHackMe involves finding vulnerabilities in a password manager made by CompSci students. The process involves finding a login page through enumeration, exploiting a cookie vulnerability to gain access, and using an RSA private key to SSH into the machine. Once in, the user…