TryHackMe: Overpass 3 — Hosting Writeup

Photo by Denys Nevozhai on Unsplash
IP = 10.10.226.31* 
Difficulty: Medium
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux

Brief Description

This is the 3rd part of the Overpass series which highlight the dangers of misconfigured web server, which in this case, a backup file that contains sensitive information lead to web server compromise also this room shows that NFS shares should be properly secured. To read the previous series, click here and here.

Reconnaissance

Scoping and Preparation

Connect to OpenVPN Server using:

  • sudo openvpn [.ovpn_file]

I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding entry to /etc/hosts file.

1. git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go 
2. go build .
3. sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]

You can also download the release binary by using go install : go install github.com/hambyhacks/CTFRecon-Go@latest

To use CTFRecon-Go if installed using go install:

  • sudo CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]

External Enumeration

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

nmap results summary.
Nmap Scan result.

Let's look at the HTTP server on port 80.

Web Enumeration

Possible users on Overpass.

We can see that in the webpage, Overpass is now offering web and email hosting solutions. Let's now look at the source code of the web page.

Comment on source code.

Looks like the developer is doubting about the reliability of their service.

Webpage Technologies.

We can see that the webpage is running Apache with CentOS as their operating system. The web server is likely running .php files.

Let's see the result of the GoBuster scan result done by CTFRecon-Go.

GoBuster Scan

GoBuster scan result.

It seems that there is a directory named /backups, which seems interesting to us.

backup.zip file on /backups.

There is a backup.zip file on /backups directory. Let's download the file and see its contents.

Content Discovery

contents of backup.zip file.

We got CustomerDetails.xlsx.gpg and priv.key inside backup.zip. Lets's try to decrypt the spreadsheet file using gpg.

encrypted spreadsheet using gpg.
Forum thread about decrypting gpg files.

First, we need to import the private key using the command:

  • gpg --import [KEYFILE]
importing private key and decrypting the spreadsheet.

To decrypt the file:

  • gpg --output [OUTPUT FILE] --decrypt [ENCRYPTED FILE]

Let's look inside the spreadsheet file!

Credentials on spreadsheet.

Nice! We got some credentials for us to use. Let's look at the FTP service if these credentials are useful to us.

FTP Enumeration

Let's try some of the credentials in the FTP service.

Logging in via FTP.

As shown in the image above, we tried to login as muirlandoracle with the creds we got but it failed. Logging in as paradox gives us login access to FTP service.

FTP server is mirror image of web server.

Looks like the FTP server is a mirror of web server. We can verify it by uploading a simple .txt file and try to read its contents. I uploaded a file named test.txt via FTP.

To upload a file via FTP:

  • put [FILE]
Uploaded test.txt file using FTP and viewing in web server.

Let's try a .php file since the web server is running Apache.

uploading phpinfo() file.

Seems like our .php file is uploaded successfully. Let's view the contents of the file. We should be greeted by phpinfo() content.

Successful execution of phpinfo() file.

Exploitation

Knowing that we can upload .php file and execute it, we can try to upload a reverse shell and get a foothold in the machine. Download the reverse shell here.

Github Repository for php-reverse-shell.

We need to edit the file to successfully catch the reverse shell using netcat. Edit the IP and port variables to match your IP and desired port.

Editing php-reverse-shell.

Open up a listener using netcat. To do this:

Upload the updated reverse shell file via FTP service and navigate to webpage where we uploaded the malicious .php file. It should be on web root (e.g., overpass3.thm/[filename].php)

Successfully popped reverse shell.

Table 1.2: Credentials

Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

Linux checklist for Privilege escalation vectors.

Notes: For more information about the commands look here

Tip: When nothing else makes sense, try to use LinPEAS (winPEAS for windows machines.).

Let's check the /etc/passwd file to see which users has login shell.

  • cat /etc/passwd | grep "bash"
users with login shell.

Let's stabilize the shell by using python3.

locating python binary for upgrading shell.

To upgrade the shell:

  • python3 -c 'import pty;pty.spawn("/bin/bash")'

Let's try to login as paradox since we have his/her creds.

We also tried to enumerate binaries with SUID permissions.

  • find / -type f -perm -u+s 2>/dev/null

Looking at the questions for this room, there is a hidden web flag needed to complete the room. Let's find it using the find command.

  • find / -type f -name "*flag*" 2>/dev/null
web flag.

Let's also look which ports are open on the machine. To do this:

  • ss -tulpn
Open ports.

We know about the HTTP,SSH, and FTP open but port 2049 is an NFS server and not enumerated by nmap because it is only served at localhost.

port 2049: NFS.

Let's create a SSH tunnel to view which shares are accessible through NFS.

SSH tunnel through 2049 to become accessible through localhost.

Privilege Escalation

After several minutes, I stopped manual enumeration and uploaded LinPEAS to the machine.

LinPEAS shown a Privilege Escalation Vector in /etc/exports showing that it is set to no_root_squash option.

no_root_squash.
no_root_squash PE vector.

To elevate our privileges:

  1. In the attacking machine, create a directory for mounting the NFS shares. In this case, i created tmp/PrivEsc directory for mounting the vulnerable share.
  • sudo mount -v -t nfs 127.0.0.1:/ [MOUNT DIRECTORY]

2. Check the contents of mounted NFS share.

Copied SSH private key of james.

3. We copied james private key ( id_rsa) and logged in via SSH.

4. In the victim machine, we copied the bash binary to james home directory.

  • cp /bin/bash bash
Copied /bin/bash to james’ home directory.

5. In our attacking machine, we changed the ownership and permissions of the bash binary.

  • sudo chown root:root bash
  • sudo chmod +s bash
Attacker given SUID permissions on bash binary.

6. In the victim machine, execute the bash binary with -p flag to gain root shell.

  • ./bash -p

Now we are root!

rooted.

STATUS: ROOTED

The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.

Persistence

Copied the /etc/shadow file for user identification and their passwords.

Added another root user for easy access.

Clearing Tracks

Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.

Status: Finished

Feel free to reach out and if there is something wrong about the above post. Feedbacks are also appreciated! :D

Donation Box

Not required but appreciated! :D

Socials

Originally published at https://hambyhacks.hashnode.dev.

--

--

--

Self-taught cybersecurity learner :D

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

All the steps of compilation

What Constitutes a Successful QMS?

Ingesting Musical Content At Scale Using DDEX: Part Two

Build a Kubernetes cluster using k3s on Proxmox via Ansible and Terraform

Cold-chain integrity for Vaccine handling

Uploading CV Algorithms based on Keras to CobbleVision

An honest letter to our customers; sorry about the lies

Monitoring GraphQL Uptime

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
hamby

hamby

Self-taught cybersecurity learner :D

More from Medium

Blue TryHackMe Write-Up

TryHackMe: Mr. Robot CTF Writeup

Hack The Box — Lame Writeup

TryHackMe: Jeff — Writeup