TryHackMe - OverPass 3

Information Card

Brief

This is a really good machine which relies on proper enumeration and paying attention to detail. The machine starts with a web server hosting a zip archive which, when extracted, gives an encrypted Excel document; decrypting it gives us credentials. The credentials work for the FTP server, and we upload a PHP reverse shell. From there we gain persistence, then exploit NFS to gain access to the user, and finally escalate to root.

Reconnaissance

I use a tool called nmapAutomator, which I can recommend; alternatively you can also use AutoRecon.

NMap Basic Scan

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-11 05:59 IST
Nmap scan report for overpass3 (10.10.204.62)
Host is up (0.17s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_ 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.03 seconds


OS Detection modified to: Unix

We have three services open:
- FTP (21)
- SSH (22)
- HTTP (80)

Enumeration

I first added the following line to my /etc/hosts: 10.10.204.62 overpass3 overpass3.thm. This helps with name resolution in case there are virtual hosts.

HTTP Enumeration

Visiting Overpass at http://10.10.204.62 gave me the page below:

HTTP First Visit

For good measure I created a file called usernames containing the usernames listed on the landing page of the website, in case I have to brute force any protocol.

FFuF

I put ffuf to work brute-forcing the website for additional files and directories, with this command: ffuf -w $WORDLIST_MEDIUM -u http://10.10.204.62/FUZZ -e .pdf,.txt,.html,.php -c -replay-proxy http://127.0.0.1:8080. The -replay-proxy option tells ffuf to replay every positive result through my Burp proxy running on localhost:8080.

Very soon it reported a directory called backups. Visiting the URL http://10.14.5.67/backups gave us a ZIP file named backup.zip which, when extracted, contained a private key file and an encrypted Excel document.
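From the defender's side, the ffuf run above leaves a very recognisable trace in the Apache access log: one client IP producing a burst of 404s across many distinct paths, followed by a successful download of something under /backups. The following script is an added example (not part of the original write-up) that parses Apache combined-format log lines, flags clients with a 404 burst inside a sliding window, and lists successful requests to paths that look like backups or key material. The log lines, IPs and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, which Apache httpd writes by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Path fragments that should never be served publicly; a 2xx on these is the real problem.
SENSITIVE = ("/backups", ".zip", ".bak", ".gpg", ".key", ".sql")


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Flag client IPs producing >= threshold 404s inside any sliding window.

    Returns {ip: (total_404s, distinct_paths)}. Many 404s over many distinct paths
    from one IP is the signature of a wordlist-driven scan such as ffuf.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), len({p for _, p in events}))
                break
    return flagged


def sensitive_hits(lines):
    """Return (ip, path) for successful requests to paths that look like backups or key material."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and 200 <= rec["status"] < 300 and any(s in rec["path"].lower() for s in SENSITIVE):
            hits.append((rec["ip"], rec["path"]))
    return hits


def build_sample_log():
    """Constructed sample: one scanner, one normal visitor, one successful backup download."""
    ua = '"-" "Mozilla/5.0"'
    lines = []
    for i in range(25):  # scanner: 25 misses in 25 seconds, each a different wordlist path
        lines.append(f'10.0.0.5 - - [11/Jan/2021:05:59:{i:02d} +0000] "GET /word{i}.php HTTP/1.1" 404 196 {ua}')
    lines.append('10.0.0.9 - - [11/Jan/2021:05:59:10 +0000] "GET /index.html HTTP/1.1" 200 1024 ' + ua)
    lines.append('10.0.0.9 - - [11/Jan/2021:05:59:12 +0000] "GET /missing HTTP/1.1" 404 196 ' + ua)
    lines.append('10.0.0.5 - - [11/Jan/2021:06:00:30 +0000] "GET /backups/backup.zip HTTP/1.1" 200 5120 ' + ua)
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("scanners:", detect_bruteforce(SAMPLE_LOG))
    print("sensitive:", sensitive_hits(SAMPLE_LOG))
```

The threshold and window are deliberately conservative; the distinct-path count is what separates a scanner from a broken link being refreshed repeatedly, so alerting on both is less noisy than alerting on the 404 count alone.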

I imported the key with this command: gpg --import priv.key

GPG key import

After importing the key I decrypted the GPG file with: gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx

GPG Decrypt

This gave us an Excel document which, when opened, contained credentials.

Excel Document

When tried against FTP the credentials worked, and we had access to the root of the web server.

Exploitation

We have access to the FTP server, so I downloaded this PHP reverse shell and modified it for my IP address and port. I then uploaded the payload via the FTP server and triggered it from a browser.

Uploading payload via FTP

Getting a reverse shell

After upgrading the shell to a proper TTY with SHELL=/bin/bash script -q /dev/null, I switched to the user paradox with su paradox.

I then generated a throwaway SSH key with ssh-keygen -t ed25519 -C "fakesshkey" -f fakesshkey, added the public key to authorized_keys and SSH'd into the machine.
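The persistence step above (a new public key dropped into authorized_keys) is one of the easiest things for a defender to catch, provided the approved keys are known by fingerprint. The following script is an added example, not part of the original write-up: it parses an authorized_keys file (including entries that carry leading options such as from="..."), computes the SHA256 fingerprint the same way ssh-keygen -lf does, checks that the key type declared on the line matches the type embedded in the key blob, and reports every key whose fingerprint is not on an allowlist. The sample file, the allowlist and the key blobs are constructed for the demo; the blobs have correct ssh-ed25519 wire framing around dummy bytes and are not real keys.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(pubkey_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: unpadded base64 of sha256(blob)."""
    blob = base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(pubkey_b64):
    """Key type embedded in the wire-format blob (its first length-prefixed string)."""
    blob = base64.b64decode(pubkey_b64)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def parse_authorized_keys(text):
    """Return one dict per non-comment line; unparseable lines get an 'error' key instead."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # a line may start with options such as from="..." or command="..." before the key type
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or len(parts) < idx + 2:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        try:
            entries.append({
                "line": lineno,
                "options": " ".join(parts[:idx]),
                "type": parts[idx],
                "blob_type": blob_key_type(parts[idx + 1]),
                "fingerprint": ssh_fingerprint(parts[idx + 1]),
                "comment": " ".join(parts[idx + 2:]),
            })
        except (ValueError, struct.error):
            entries.append({"line": lineno, "error": "invalid key encoding"})
    return entries


def audit_authorized_keys(text, approved_fingerprints):
    """Return (line, reason) findings; an empty list means every key is known and well-formed."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], e["error"]))
        elif e["blob_type"] != e["type"]:
            findings.append((e["line"], f"declared type {e['type']} does not match blob type {e['blob_type']}"))
        elif e["fingerprint"] not in approved_fingerprints:
            findings.append((e["line"], f"unapproved key {e['fingerprint']} (comment: {e['comment'] or '-'})"))
    return findings


def make_ed25519_pubkey(label):
    """Constructed demo blob: correct ssh-ed25519 framing around 32 dummy bytes derived from the label.

    The 32 bytes are a hash of the label, NOT a real public key; this only exercises the parser.
    """
    point = hashlib.sha256(label.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(blob).decode()


# Constructed sample file: one approved admin key (twice, once with options) and one unknown key.
ADMIN_KEY = make_ed25519_pubkey("approved-admin")
ROGUE_KEY = make_ed25519_pubkey("rogue")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by configuration management",
    f"ssh-ed25519 {ADMIN_KEY} admin@workstation",
    f"ssh-ed25519 {ROGUE_KEY} fakesshkey",
    f'from="10.0.0.0/24" ssh-ed25519 {ADMIN_KEY} admin@laptop',
])
APPROVED = {ssh_fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(finding)
```

Matching on fingerprint rather than on the comment matters: the comment is free text that an attacker chooses (here, "fakesshkey"), whereas the fingerprint is bound to the key bytes. Running this from a cron job or a file-integrity check against every user's ~/.ssh/authorized_keys turns the persistence step into an alert.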

Privilege Escalation

Upon enumeration I noticed that NFS was running on the server; however, it was filtered from the outside and we could not connect to it directly.

Further enumeration revealed that the user james's home directory was an NFS share, as can be seen below.

exports

showmount

Hence I opened a port forward with ssh -L 2049:127.0.0.1:2049 -i www/fakesshkey paradox@overpass3. This gave us the ability to mount james's home directory locally, for which I used the following command: sudo mount -t nfs4 -o proto=tcp,port=2049 127.0.0.1:/ /tmp/pe. This gave us our user flag.

user flag

I then came across this article. I copied bash as root from my local machine to this share on the remote machine and then gave SGID permissions to the binary as root.

james ssh permissions

I then added the fake SSH key to james's authorized_keys and logged in. Once logged in as james, I executed the copied bash (with the sticky bit set) using ./bash -p.
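The escalation above only works because the export lets a remote root write files that the server still treats as root-owned, which is what the no_root_squash option does, combined with a wildcard client list that let the forwarded localhost connection in. The following script is an added example, not part of the original write-up or the TryHackMe room, that audits an /etc/exports file for exactly those conditions and prints a hardened version of each offending line. The sample exports file is constructed for the demo and is not the machine's real configuration; it assumes the standard exports(5) syntax where a client without a parenthesised option list receives the defaults (ro, root_squash).

```python
import re

# Export options that matter for this class of escalation, with the reason each is flagged.
RISKY_EXPORT_OPTIONS = {
    "no_root_squash": "remote uid 0 is kept as uid 0 on the server, so root-owned setuid files can be planted on the share",
    "insecure": "requests from unprivileged source ports are accepted, so any local user on a client can speak to the server",
}

# "client(opts)" or a bare "client" (which gets the exports(5) defaults).
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Parse /etc/exports into [(path, [(client, {options})])], skipping comments and blank lines."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                clients.append((m.group(1), {o.strip() for o in m.group(2).split(",") if o.strip()}))
            else:
                clients.append((m.group(3), set()))  # bare client: defaults apply (ro, root_squash)
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, client, reason) findings for wildcard clients and risky options."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if "*" in client or "?" in client:
                findings.append((path, client, "exported to a wildcard host pattern"))
            for opt, why in RISKY_EXPORT_OPTIONS.items():
                if opt in opts:
                    findings.append((path, client, f"{opt}: {why}"))
    return findings


def harden_export_line(path, clients):
    """Rewrite one export with root_squash enforced and 'insecure' dropped; other options are kept."""
    parts = []
    for client, opts in clients:
        safe = sorted((opts - {"no_root_squash", "insecure"}) | {"root_squash"})
        parts.append(f"{client}({','.join(safe)})")
    return f"{path} {' '.join(parts)}"


# Constructed sample: one export with the dangerous combination, one that is fine.
SAMPLE_EXPORTS = """
# constructed sample, not the machine's real /etc/exports
/home/james *(rw,sync,no_root_squash)
/srv/data 10.0.0.0/24(ro,root_squash) backup.internal(rw,sync)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
    for path, clients in parse_exports(SAMPLE_EXPORTS):
        print("hardened:", harden_export_line(path, clients))
```

Restricting the client list to the hosts that actually need the share does not, on its own, stop the port-forward trick shown above, since the forwarded connection arrives from 127.0.0.1; root_squash is the control that removes the root-owned setuid primitive, and the client restriction reduces who can reach the export at all.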

We are now root.

root say hi

Proof

Proof


Resources

Some useful links: