TryHackMe - OverPass 3
Brief
This is a really good machine which relies on proper enumeration and attention to detail. The machine starts with a web server hosting a zip archive which, when extracted, gives an encrypted Excel document; decrypting it gives us credentials. The credentials work for the FTP server and we upload a PHP reverse shell. From there we gain persistence, then exploit NFS to gain access as the user, and finally escalate to root.
Reconnaissance
I use a tool called nmapAutomator, which I can recommend; alternatively you can also use AutoRecon.
NMap Basic Scan
We have three services open:
- FTP (21)
- SSH (22)
- HTTP (80)
Enumeration
I first added the following line to my /etc/hosts: 10.10.204.62 overpass3 overpass3.thm. This helps with name resolution in case there are virtual hosts.
HTTP Enumeration
Visiting the Overpass at http://10.10.204.62 gave me the below page :
For good measure I created a file called usernames containing the usernames listed on the landing page of the website, in case I have to brute force any protocol.
FFuF
I put ffuf to task to brute force the website for additional files and directories, with the help of this command: ffuf -w $WORDLIST_MEDIUM -u http://10.10.204.62/FUZZ -e .pdf,.txt,.html,.php -c -replay-proxy http://127.0.0.1:8080. For any positive result I told ffuf to replay the request to my Burp proxy running on localhost:8080.
Very soon it reported that a directory called backups was found. Visiting the URL http://10.14.5.67/backups gave us a ZIP file named backup.zip, which when extracted gave us a key file and an encrypted Excel document.
I imported the key with the help of this command: gpg --import priv.key
After importing the key I decrypted the GPG file with: gpg --decrypt CustomerDetails.xslx.gpg > CustomerDetails.xslx
This gave us an Excel document which, when opened, contained credentials.
When tried against FTP, the credentials worked and we had access to the root of the web server.
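The backup shipped the private key together with the ciphertext it decrypts, so the encryption protected nothing. As an added example that is not part of the original writeup, the Python script below scans a zip archive for private-key armor headers and for key or ciphertext filenames, and flags the case where both travel in the same archive. The archive it builds is constructed with dummy content, reusing only the filenames from this writeup.

```python
"""Scan a backup archive for private-key material before it is published
(added example; the archive built here is constructed, not the real backup.zip)."""
import io
import re
import zipfile

# Armor headers that identify private keys in the common formats.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)
# Filenames that usually hold keys, and filenames that usually hold ciphertext.
KEY_NAME_RE = re.compile(r"(\.key|\.pem|^id_(rsa|ed25519|ecdsa))$", re.I)
CIPHERTEXT_NAME_RE = re.compile(r"\.(gpg|pgp)$", re.I)


def build_sample_backup():
    """Constructed zip mimicking the layout found on the box: an exported
    private key stored next to the file it decrypts. Contents are dummy data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("priv.key",
                   "-----BEGIN PGP PRIVATE KEY BLOCK-----\nDUMMYKEYDATA\n"
                   "-----END PGP PRIVATE KEY BLOCK-----\n")
        z.writestr("CustomerDetails.xslx.gpg", b"\x85\x02\x0c\x03" + b"\x00" * 32)
        z.writestr("README.txt", "nothing sensitive here\n")
    return buf.getvalue()


def scan_backup(zip_bytes, max_read=64 * 1024):
    """Return {filename: [reason, ...]} for members that look like keys or ciphertext."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            reasons = []
            name = info.filename.rsplit("/", 1)[-1]
            if KEY_NAME_RE.search(name):
                reasons.append("filename suggests a key")
            if CIPHERTEXT_NAME_RE.search(name):
                reasons.append("filename suggests encrypted content")
            with z.open(info) as fh:
                head = fh.read(max_read)  # bounded read: do not trust member sizes
            for marker in PRIVATE_KEY_MARKERS:
                if marker in head:
                    reasons.append("contains " + marker.decode())
                    break
            if reasons:
                findings[info.filename] = reasons
    return findings


def key_beside_ciphertext(findings):
    """True when the archive holds both a private key and encrypted files:
    the encryption protects nothing if the key ships with the data."""
    has_key = any(r.startswith("contains ") for rs in findings.values() for r in rs)
    has_ct = any(r == "filename suggests encrypted content"
                 for rs in findings.values() for r in rs)
    return has_key and has_ct


if __name__ == "__main__":
    result = scan_backup(build_sample_backup())
    for fname, reasons in result.items():
        print(f"[!] {fname}: {'; '.join(reasons)}")
    if key_beside_ciphertext(result):
        print("[!!] private key packaged with the ciphertext it unlocks")
```

Run it against any backup archive before it lands in a web root; the content check is bounded to the first 64 KiB of each member so a malformed archive cannot make the scanner read unbounded data.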
Exploitation
We have access to the FTP server, so I downloaded this PHP reverse shell and modified it for my IP address and port. I then uploaded the payload via the FTP server and triggered it with the help of a browser.
After upgrading the shell to a proper TTY with the help of SHELL=/bin/bash script -q /dev/null, I switched to the user paradox with su paradox.
I then created a fake SSH key using ssh-keygen -t ed25519 -C "fakesshkey" -f fakesshkey, added the public key to authorized_keys and SSH'd into the machine.
Privilege Escalation
Upon enumeration I noticed that NFS was running on the server; however, it was filtered for us and we could not connect to it from outside the machine.
Further enumeration revealed that user james's home directory was an NFS share, as can be seen below.
Hence I opened a port forward using ssh -L 2049:127.0.0.1:2049 -i www/fakesshkey paradox@overpass3. This gave us the ability to mount james's home directory locally, for which I used the following command: sudo mount -t nfs4 -o proto=tcp,port=2049 127.0.0.1:/ /tmp/pe. This then gave us our user flag.
I then came across this article. I copied bash as root from my local machine to this share on the remote machine and then gave SGID permissions to the binary as root.
Then I added the fake SSH key to the authorized_keys of james and logged in. After logging in as james I executed the copied bash with the sticky bit set: ./bash -p.
We are now root.
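The port forward, the mount and the copied bash above only work because the share is exported with the no_root_squash option, which maps the client's root to root on the server and so lets a client write root-owned files into james's home; the fix is root_squash (the NFS default) and not exporting home directories at all. As an added example, not part of the original writeup, the following Python script parses /etc/exports text, reports wildcard hosts, no_root_squash and insecure, and rebuilds each line with root squashing enforced. The sample exports content is constructed and is not the machine's real configuration.

```python
"""Audit /etc/exports for options that let an NFS client plant root-owned
setuid binaries on the server (added example; sample data is constructed)."""
import re

# Constructed sample in /etc/exports syntax; not the target machine's real file.
SAMPLE_EXPORTS = """\
# home directory exported to the world, root not squashed
/home/james *(rw,sync,no_root_squash,no_subtree_check)
/srv/public 10.10.0.0/16(ro,sync,root_squash)
/data 192.168.1.0/24(rw,sync,no_root_squash) 192.168.1.5(rw)
"""

# Each export line is "<path> <client>(<opts>) [<client>(<opts>) ...]";
# a client without parentheses gets the server defaults.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Return [(path, [(client, [option, ...]), ...]), ...] from exports text."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        clients = []
        for m in CLIENT_RE.finditer(rest.strip()):
            if m.group(1) is not None:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                clients.append((m.group(1), opts))
            else:
                clients.append((m.group(3), []))  # client with default options
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return [(path, client, issue), ...] for every weakness found."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, "exported to every host"))
            if "no_root_squash" in opts:
                mode = "rw" if "rw" in opts else "ro"
                findings.append((path, client, f"{mode} with no_root_squash"))
            if "insecure" in opts:
                findings.append((path, client, "accepts non-privileged source ports"))
    return findings


def harden_line(path, clients):
    """Rebuild one export line with root squashing enforced and 'insecure' removed."""
    parts = []
    for client, opts in clients:
        kept = [o for o in opts if o not in ("no_root_squash", "insecure")]
        if "root_squash" not in kept:
            kept.append("root_squash")
        parts.append(f"{client}({','.join(kept)})")
    return f"{path} {' '.join(parts)}"


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"[!] {path} -> {client}: {issue}")
    print("suggested exports:")
    for path, clients in parse_exports(SAMPLE_EXPORTS):
        print("  " + harden_line(path, clients))
```

Feed it the real file with `audit_exports(open("/etc/exports").read())`; a read-only export with no_root_squash is still reported, because the squash setting matters for ownership checks even when the client cannot write.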
Proof
Resources
Some useful links: