TryHackMe: Overpass 3 — Hosting Writeup

7 min readJan 22, 2022

IP = 10.10.226.31* 
Difficulty: Medium 
Machine OS: Linux 
Learning Platform: tryhackme.com 
Finished on: Arch Linux

Brief Description

This is the 3rd part of the Overpass series which highlight the dangers of misconfigured web server, which in this case, a backup file that contains sensitive information lead to web server compromise also this room shows that NFS shares should be properly secured. To read the previous series, click here and here.

Reconnaissance

Scoping and Preparation

Connect to OpenVPN Server using:

sudo openvpn [.ovpn_file]

I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding entry to /etc/hosts file.

1. git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go 
2. go build . 
3. sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]

You can also download the release binary by using go install : go install github.com/hambyhacks/CTFRecon-Go@latest

To use CTFRecon-Go if installed using go install:

sudo CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]

External Enumeration

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

Let's look at the HTTP server on port 80.

Web Enumeration

We can see that in the webpage, Overpass is now offering web and email hosting solutions. Let's now look at the source code of the web page.

Looks like the developer is doubting about the reliability of their service.

We can see that the webpage is running Apache with CentOS as their operating system. The web server is likely running .php files.

Let's see the result of the GoBuster scan result done by CTFRecon-Go.

GoBuster Scan

It seems that there is a directory named /backups, which seems interesting to us.

There is a backup.zip file on /backups directory. Let's download the file and see its contents.

Content Discovery

We got CustomerDetails.xlsx.gpg and priv.key inside backup.zip. Lets's try to decrypt the spreadsheet file using gpg.

Forum thread about decrypting gpg files.

First, we need to import the private key using the command:

gpg --import [KEYFILE]

importing private key and decrypting the spreadsheet.

To decrypt the file:

gpg --output [OUTPUT FILE] --decrypt [ENCRYPTED FILE]

Let's look inside the spreadsheet file!

Nice! We got some credentials for us to use. Let's look at the FTP service if these credentials are useful to us.

FTP Enumeration

Let's try some of the credentials in the FTP service.

As shown in the image above, we tried to login as muirlandoracle with the creds we got but it failed. Logging in as paradox gives us login access to FTP service.

FTP server is mirror image of web server.

Looks like the FTP server is a mirror of web server. We can verify it by uploading a simple .txt file and try to read its contents. I uploaded a file named test.txt via FTP.

To upload a file via FTP:

put [FILE]

Uploaded test.txt file using FTP and viewing in web server.

Let's try a .php file since the web server is running Apache.

Seems like our .php file is uploaded successfully. Let's view the contents of the file. We should be greeted by phpinfo() content.

Exploitation

Knowing that we can upload .php file and execute it, we can try to upload a reverse shell and get a foothold in the machine. Download the reverse shell here.

Github Repository for php-reverse-shell.

We need to edit the file to successfully catch the reverse shell using netcat. Edit the IP and port variables to match your IP and desired port.

Open up a listener using netcat. To do this:

Upload the updated reverse shell file via FTP service and navigate to webpage where we uploaded the malicious .php file. It should be on web root (e.g., overpass3.thm/[filename].php)

Table 1.2: Credentials

Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

Linux checklist for Privilege escalation vectors.

Notes: For more information about the commands look here

Tip: When nothing else makes sense, try to use LinPEAS (winPEAS for windows machines.).

Let's check the /etc/passwd file to see which users has login shell.

cat /etc/passwd | grep "bash"

Let's stabilize the shell by using python3.

locating python binary for upgrading shell.

To upgrade the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Let's try to login as paradox since we have his/her creds.

We also tried to enumerate binaries with SUID permissions.

find / -type f -perm -u+s 2>/dev/null

Looking at the questions for this room, there is a hidden web flag needed to complete the room. Let's find it using the find command.

find / -type f -name "*flag*" 2>/dev/null

Let's also look which ports are open on the machine. To do this:

ss -tulpn

We know about the HTTP,SSH, and FTP open but port 2049 is an NFS server and not enumerated by nmap because it is only served at localhost.

Let's create a SSH tunnel to view which shares are accessible through NFS.

SSH tunnel through 2049 to become accessible through localhost.

Privilege Escalation

After several minutes, I stopped manual enumeration and uploaded LinPEAS to the machine.

LinPEAS shown a Privilege Escalation Vector in /etc/exports showing that it is set to no_root_squash option.

To elevate our privileges:

In the attacking machine, create a directory for mounting the NFS shares. In this case, i created tmp/PrivEsc directory for mounting the vulnerable share.