TryHackMe: Overpass 3 — Hosting Writeup
IP = 10.10.226.31
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
This is the third part of the Overpass series, which highlights the dangers of a misconfigured web server: in this case, a backup file containing sensitive information led to the compromise of the web server. The room also shows that NFS shares should be properly secured. To read the previous parts of the series, click here and here.
Scoping and Preparation
Connect to the OpenVPN server using:
sudo openvpn [.ovpn_file]
I used my tool CTFRecon-Go to automate directory creation, port scanning, web directory brute-forcing and adding an entry to
1. git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go
2. go build .
3. sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]
You can also install the release binary using go install:
go install github.com/hambyhacks/CTFRecon-Go@latest
If installed with go install, run CTFRecon-Go with:
sudo CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]
Preliminary Enumeration via nmap
Table 1.1: nmap Results Summary
Let's look at the HTTP server on port 80.
We can see on the webpage that Overpass is now offering web and email hosting solutions. Let's now look at the source code of the web page.
Looks like the developer is doubtful about the reliability of their service.
We can see that the web server is running Apache on CentOS. The web server is likely running
Let's see the result of the GoBuster scan done by CTFRecon-Go.
It seems that there is a directory named /backups, which looks interesting.
There is a backup.zip file in the /backups directory. Let's download the file and see its contents.
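The /backups/backup.zip finding is the room's central lesson: an archive with key material was sitting where the web server would happily serve it. As an added example that is not part of the original writeup, the POSIX shell script below scans a document root for backup archives and key files and reports whether each one is world-readable (and so readable by the web server user). The function names and the sample document root are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original writeup: find backup archives and key
# material under a web document root. Prints "<path> world-readable" or
# "<path> restricted", one per line. Function names are my own.

find_exposed_backups() {
    root="$1"
    # Name patterns that usually mean "never meant to be served".
    find "$root" -type f \( -name '*.zip' -o -name '*.bak' -o -name '*.tar' \
        -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.sql' -o -name '*.gpg' \
        -o -name '*.asc' -o -name '*.key' -o -name 'id_rsa*' -o -name '*.old' \) \
        -print | sort | while read -r f; do
        # Only a file with the "other read" bit set leaks through a web server
        # running as an unprivileged user, so report that bit for triage.
        if find "$f" -perm -004 -print | grep -q .; then
            echo "$f world-readable"
        else
            echo "$f restricted"
        fi
    done
}

# Number of findings, convenient for alert thresholds in scripts.
count_exposed_backups() {
    find_exposed_backups "$1" | wc -l | tr -d ' '
}

# Constructed sample document root: a normal page, a readable archive in a
# backups/ directory and a private key that is at least mode 600.
make_sample_webroot() {
    d="$1"
    mkdir -p "$d/backups"
    echo '<html>hello</html>' > "$d/index.html"
    printf 'PK\003\004fake' > "$d/backups/backup.zip"
    chmod 644 "$d/backups/backup.zip"
    echo 'fake key material' > "$d/backups/id_rsa"
    chmod 600 "$d/backups/id_rsa"
}

# Stand-alone run against the constructed sample.
webroot=$(mktemp -d)
make_sample_webroot "$webroot"
find_exposed_backups "$webroot"
rm -rf "$webroot"
```

Run it as `find_exposed_backups /var/www/html` on the server; a world-readable hit under the document root is the condition that let the archive above be downloaded.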
Contents of backup.zip. Let's try to decrypt the spreadsheet file using
First, we need to import the private key using the command:
gpg --import [KEYFILE]
To decrypt the file:
gpg --output [OUTPUT FILE] --decrypt [ENCRYPTED FILE]
Let's look inside the spreadsheet file!
Nice! We got some credentials to use. Let's check whether these credentials work on the FTP service.
Let's try some of the credentials in the
As shown in the image above, we tried to log in as muirlandoracle with the creds we got, but it failed. Logging in as paradox gives us login access to
Looks like the FTP server is a mirror of the web server. We can verify it by uploading a simple .txt file and trying to read its contents. I uploaded a file named
To upload a file via
Let's try a .php file since the web server is running
Seems like our .php file was uploaded successfully. Let's view the contents of the file. We should be greeted by
Knowing that we can upload a .php file and execute it, we can try to upload a reverse shell and get a foothold on the machine. Download the reverse shell here.
We need to edit the file to successfully catch the reverse shell using netcat. Edit the IP and port variables to match your IP and desired port.
Open up a listener using netcat. To do this:
Upload the updated reverse shell file via the FTP service and navigate to the webpage where we uploaded the malicious .php file. It should be on the web root (e.g.,
Table 1.2: Credentials
Table 1.3: Checklist for Linux Internal Enumeration
Notes: For more information about the commands, look here.
Let's check the /etc/passwd file to see which users have a login shell.
cat /etc/passwd | grep "bash"
Let's stabilize the shell by using
To upgrade the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Let's try to log in as paradox since we have their creds.
We also tried to enumerate SUID binaries with
find / -type f -perm -u+s 2>/dev/null
Looking at the questions for this room, there is a hidden web flag needed to complete the room. Let's find it using the
find / -type f -name "*flag*" 2>/dev/null
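The SUID search above is also the basis of a cheap detection: record the set of SUID files once, then compare later runs against that baseline, so a newly planted SUID copy of a shell shows up immediately. As an added example that is not part of the original writeup, the POSIX shell script below does exactly that over a directory tree; the function names and the constructed sample tree are my own.

```shell
#!/bin/sh
# Added example, not from the original writeup: baseline-and-diff detection
# for new SUID binaries, built on the same find expression used for
# enumeration. Function names and the sample tree are my own.

# SUID regular files under a tree, sorted so comm(1) can compare the lists.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Save the current SUID set for a tree to a baseline file.
record_suid_baseline() {
    list_suid "$1" > "$2"
}

# Print SUID files present now that are absent from the baseline.
new_suid_since_baseline() {
    list_suid "$1" | comm -13 "$2" -
}

count_new_suid() {
    new_suid_since_baseline "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree: one expected SUID file, recorded in the baseline.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/usr/bin" "$d/home/james"
    : > "$d/usr/bin/passwd"
    chmod 4755 "$d/usr/bin/passwd"
}

# Simulate what a copied shell with the setuid bit looks like on disk
# (an empty file with mode 4755, not a real binary).
plant_suid() {
    : > "$1/home/james/bash"
    chmod 4755 "$1/home/james/bash"
}

# Stand-alone run: baseline, plant, report.
tree=$(mktemp -d)
baseline=$(mktemp)
make_sample_tree "$tree"
record_suid_baseline "$tree" "$baseline"
plant_suid "$tree"
new_suid_since_baseline "$tree" "$baseline"
rm -rf "$tree" "$baseline"
```

On a real host, run `record_suid_baseline / /var/lib/suid.baseline` after provisioning and schedule `new_suid_since_baseline / /var/lib/suid.baseline` from cron; any output is worth an alert, and a SUID file under a home directory is almost never legitimate.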
Let's also look at which ports are open on the machine. To do this:
We know about HTTP, SSH, and FTP being open, but port 2049 is an NFS server and was not enumerated by nmap because it is only served at
Let's create an SSH tunnel to view which shares are accessible through
After several minutes, I stopped manual enumeration and uploaded LinPEAS to the machine.
LinPEAS showed a privilege escalation vector in /etc/exports, showing that it is set to
To elevate our privileges:
1. On the attacking machine, create a directory for mounting the NFS shares. In this case, I created the tmp/PrivEsc directory for mounting the vulnerable share.
sudo mount -v -t nfs 127.0.0.1:/ [MOUNT DIRECTORY]
2. Check the contents of the mounted
3. We copied james's private key (id_rsa) and logged in via SSH.
4. On the victim machine, we copied the bash binary to james's home directory.
cp /bin/bash bash
5. On our attacking machine, we changed the ownership and permissions of the
sudo chown root:root bash
sudo chmod +s bash
6. On the victim machine, execute the bash binary with the -p flag to gain a root shell.
Now we are root!
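The chain above (chown to root and chmod +s on the mounted share from the attacking side, then running the binary on the victim) only works because the export does not map the remote root user to an unprivileged one, i.e. it carries no_root_squash instead of the default root_squash. As an added example that is not part of the original writeup, the POSIX shell script below audits a file in /etc/exports syntax for that option and two related weaknesses, and writes the corrected line next to the weak one. The function names and the sample export lines are my own constructions, not the room's real configuration.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a file in /etc/exports
# syntax for the options that make the NFS root-squash bypass possible.
# Prints one finding per line as "<export> <client> <reason>".
# Function names and sample data are my own; no real host configuration is used.

audit_exports() {
    exports_file="$1"
    # Drop comments and blank lines; each remaining line is
    #   /path  client1(opts) client2(opts) ...
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$exports_file" |
    while read -r path clients; do
        for client in $clients; do
            case $client in
                *"("*) host=${client%%"("*}; opts=${client#*"("}; opts=${opts%")"} ;;
                *)     host=$client; opts="" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path ${host:-*} no_root_squash: remote uid 0 is not mapped to an unprivileged user, so files chowned to root on a client are root-owned on the server" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "$path ${host:-*} insecure: requests from unprivileged source ports are accepted" ;;
            esac
            case $host in
                ""|"*") echo "$path ${host:-*} unrestricted: exported to every host" ;;
            esac
        done
    done
}

# Number of findings, convenient for alert thresholds in scripts.
count_exports_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Constructed sample: an export with all three weaknesses next to a safe one.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not the room's real /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
EOF
}

# The same export with the defaults restored and a client network pinned.
write_hardened_exports() {
    cat > "$1" <<'EOF'
/home/james 10.0.0.0/24(rw,fsid=0,sync,root_squash,secure)
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
rm -f "$sample"
```

Run `audit_exports /etc/exports` on the NFS server. The hardened line shows the three settings worth keeping: root_squash (the default, so simply not writing no_root_squash is enough), secure, and an explicit client network instead of `*`. Note that root_squash alone does not stop a client from creating a SUID file owned by a non-root user; mounting with `nosuid` on the client side is the complementary control.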
The next two steps are not necessary for completion of the machine, but they complete the 5 Phases of Penetration Testing.
Copied the /etc/shadow file for user identification and their passwords.
Added another root user for easy access.
Removed all logs and footprints to prevent the breach from being exposed to the security administrator.
Feel free to reach out if there is something wrong about the above post. Feedback is also appreciated! :D
Originally published at https://hambyhacks.hashnode.dev.