Overpass 3 Write-up

Description

This is a room on TryHackMe rated medium. There are 3 flags to capture. Initial access was obtained through credentials found inside a publicly accessible backup archive, and the final privilege escalation to root was done through a misconfigured NFS (Network File System) export.

Enumeration

With an Nmap scan we can determine which services are running. I used the command nmap -p- -oA all_ports -sV -sC -O -vv 10.10.83.72 for scanning. Nmap shows an FTP server on port 21, an SSH server on port 22 and a web server on port 80. We can also see that the target is a CentOS machine.

Nmap scan results

Navigating to the web page shows a simple site. It lists names that could be usernames, but offers no links and no user input. There is also no “robots.txt” file.

Overpass Website

To further enumerate which pages exist on the machine I will use ffuf with the “directory-list-2.3-medium.txt” wordlist from SecLists. The command ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.83.72/FUZZ starts the fuzzing.

Ffuf Output

With ffuf we found a directory called “backups”. It contains a ZIP archive called “backup.zip”.

Index of backups directory

We can download this zip file with wget and extract it with unzip. This gives us an xlsx file encrypted with GPG, together with a GPG private key.

Downloading backup.zip

We can now import the GPG key with gpg --import priv.key. Then we decrypt the file with gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx. The document contains usernames and passwords. We can try our luck and test them against the FTP server.

Spreadsheet with usernames and passwords

I was able to connect to the FTP server with the username and password of paradox. On the FTP server we see the same folder structure as on the web server, which suggests that both services serve the same directory. We also have write permission inside this folder.

FTP service

Initial Access

We can now upload a reverse shell. I will use the PHP reverse shell from Pentestmonkey. Change the IP address inside the script to your own box’s IP address, then upload it to the FTP server. I have called it “s.php”.

Uploading a reverse shell

Now start a netcat listener. If you have not changed the port inside the PHP reverse shell, start netcat with the following command:

nc -lvnp 1234

Finally navigate to “http://10.10.83.72/s.php” and you should get a reverse shell as the “apache” user. The first flag, the web flag, is located inside the /usr/share/httpd folder, and we can read it now.

Web flag

Next we enumerate users by looking at the “/etc/passwd” file. We can see that paradox also has a user account on the machine.

/etc/passwd file on the server

We can try our luck again and check whether paradox reused the password. Type su paradox and enter the password from the spreadsheet. Luckily for us this works. Next we have to find a way to escalate our privileges further. We can use the script "Linpeas" to enumerate the machine. Copy Linpeas to the victim machine via FTP, or run an HTTP server on the attacker machine and download it on the victim with "curl". Running Linpeas gives us a hint that NFS may be misconfigured.

Linpeas output

Unfortunately we cannot mount the NFS share directly on our attacker machine with sudo mount -t nfs 10.10.83.72:/ /tmp/pe; the request times out. We can, however, reach the share through an SSH tunnel. To make this possible we first create an SSH key pair on the attacker machine with ssh-keygen -f paradox. This writes the private key to "paradox" and the public key to “paradox.pub”. We then add the public key to paradox’s "authorized_keys" by running the following command on the target.

echo "<content of public key>" >> /home/paradox/.ssh/authorized_keys

Finally we can SSH into the machine with ssh -i paradox paradox@10.10.83.72.

SSH into the machine as paradox

Next we need the port on which NFS is listening. We can check this by running rpcinfo -p on the victim machine, which shows NFS listening on port 2049.

Output of rpcinfo

Next we can establish the port forwarding with the following command.

ssh paradox@10.10.83.72 -i paradox -L 2049:localhost:2049

In a new root shell on the attacker machine we should now be able to mount the NFS share with mount -t nfs localhost:/ /tmp/pe. Finally we can retrieve the user flag.

Privilege Escalation

Now we can prepare our privilege escalation to root. First copy the bash executable into James’ home folder on the mounted NFS share: cp /bin/bash . (run from that directory). Next set the SUID bit on the copy: chmod +s bash. Finally copy James’ SSH private key to your machine: cp .ssh/id_rsa /home/kali/CTF/TryHackMe/Overpass3/james_private_key.

Root privilege escalation preparation

Now SSH into the victim as James with that private key. You should then be able to elevate your privileges with the bash binary we placed in James’ home folder by running ./bash -p. After that you can read the root flag.

Reading the root flag

Mitigation

Through fuzzing we determined that a backups directory is present on the website. Sensitive backups should never be publicly accessible. It is also recommended to encrypt backups, but the encryption key must not be stored in the same archive as the data it protects, as it was here. In the next step we logged into the FTP server with the credentials from the spreadsheet, and privilege escalation to the user “paradox” was done with the same password. Paradox should not reuse passwords across accounts. The final privilege escalation to root was done through a misconfigured NFS export: the export should not use the “no_root_squash” option, which lets root on any client act as root on the exported files.
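As an added example (not part of the original write-up), the following POSIX shell script audits an NFS exports file for the no_root_squash option and for exports open to every host. The sample export lines it checks are constructed here to mirror the misconfiguration described above; the network 10.10.83.0/24 and the path /home/james in them are assumptions, not values taken from the box.

```shell
#!/bin/sh
# audit_exports FILE: print a FINDING line for each weak export entry.
# Returns 0 when nothing was flagged, 1 otherwise.
# Assumes the standard /etc/exports syntax: <path> <client>(<opt>,<opt>,...) ...
audit_exports() {
    file="$1"; rc=0
    set -f   # disable globbing: a client spec like "*" must stay literal
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|"#"*) continue ;; esac   # skip blanks and comments
        set -- $line                                  # split on whitespace
        path=$1; shift
        for spec in "$@"; do
            client=${spec%%\(*}                       # text before "("
            opts=${spec#"$client"}; opts=${opts#\(}; opts=${opts%\)}
            case ",$opts," in
                *,no_root_squash,*)
                    echo "FINDING: $path -> $client uses no_root_squash (client root = server root)"
                    rc=1 ;;
            esac
            if [ "$client" = "*" ]; then
                echo "FINDING: $path is exported to every host"
                rc=1
            fi
        done
    done < "$file"
    set +f
    return $rc
}

# Demonstration on constructed export files (hypothetical values).
demo() {
    tmp=$(mktemp)
    # weak: root on any client keeps uid 0 on the export, and any host may mount it
    printf '%s\n' '/home/james *(rw,sync,no_root_squash)' > "$tmp"
    echo "--- weak exports ---"
    audit_exports "$tmp" || true
    # hardened: one client network, and the default root_squash maps client root to nobody
    printf '%s\n' '/home/james 10.10.83.0/24(rw,sync,root_squash)' > "$tmp"
    echo "--- hardened exports ---"
    audit_exports "$tmp" && echo "no findings"
    rm -f "$tmp"
}
demo
```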

Rabbit