CTF Walkthroughs, TryHackMe

TryHackMe – Overpass 3 – Hosting Walkthrough

Introduction

This was an intermediate Linux machine and the last in the Overpass TryHackMe series. It involved discovering a backup archive stored on the web server, which contained encrypted user credentials that were then used to connect to the FTP server and upload a PHP reverse shell to gain initial access. Root access was then obtained by exploiting an open NFS share with the no_root_squash option enabled.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has revealed three open ports, 21, 22 and 80, so the next step is to start enumerating HTTP and FTP.

Enumerating HTTP

When accessing the web server on port 80 through a browser, the following page is displayed:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The Gobuster scan has identified a /backups directory, accessing it through a browser:

It appears to contain a backup.zip archive, downloading it using Wget and unzipping it to reveal its contents:

The archive contains an encrypted spreadsheet and a GPG key, using the GPG tool to import the key and decrypt the spreadsheet:

It appears the spreadsheet was used to store usernames, passwords and credit card numbers:

Since the site mentioned Paradox as the developer, trying that username and password to log into FTP:

It looks like the root folder used by FTP is also the document root of the Apache web server, which means a PHP reverse shell can be uploaded to it and then executed by navigating to it in a browser.

Exploitation

Copying the Laudanum PHP reverse shell to the current working directory and changing the IP address and port:

Uploading it onto the FTP server using the put command:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to the shell using a browser:

A callback was received on the Netcat listener, granting a reverse shell as the “apache” user:

The following steps can be done to obtain an interactive shell:

  • Running “script -qc /bin/bash” on the victim host
  • Hitting CTRL+Z to background the process and go back to the local host
  • Running “stty raw -echo” on the local host
  • Typing “fg” and hitting ENTER to go back to the reverse shell

The first flag can then be identified by searching for web or flag through the find command:

find / -name "web*" 2>/dev/null

Privilege Escalation

The su command can be used to change user to Paradox, with the FTP password found earlier:

Transferring the LinPEAS enumeration script with the Python Simple HTTP Server and Curl:

Giving the script execute permissions and executing it:

It appears that there is an NFS share exported from /home/james with the “no_root_squash” option enabled:

The no_root_squash option can be quite dangerous: when it is in use, remote root users who have mounted the share on their own system are able to change any file on the shared file system and leave malicious applications for other users to inadvertently execute.
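As an added example (not code from the original post or from TryHackMe), the following Python script audits /etc/exports-style content for the no_root_squash setting just described and produces the corrected file beside the weak one. The sample exports text is constructed for the demo, and the file layout it assumes is the one documented in exports(5):

```python
"""Audit exports(5)-style lines for shares exported with no_root_squash.

Added example for this walkthrough; it is not part of the original post or of
any NFS tooling. It parses the /etc/exports format (one export per line,
"<path> <client>(<opt>,...) [<client>(<opt>,...) ...]", '#' comments and
backslash line continuations) and reports every client that keeps root
privileges on the share. SAMPLE_EXPORTS is constructed for the demo.
"""
import re
import shlex

SAMPLE_EXPORTS = """\
# constructed sample, modelled on the share found in the walkthrough
/home/james  *(rw,sync,no_root_squash)
/srv/public  10.0.0.0/24(ro,sync)  192.168.1.5(rw,root_squash)
/srv/data    *(rw,sync,no_subtree_check,all_squash,anonuid=1000)
# a client with no option list gets the defaults (ro, root_squash)
/srv/legacy  *
"""

# "<client>" optionally followed by "(<comma-separated options>)"
CLIENT_RE = re.compile(r"^(?P<client>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return a list of (path, client, [option, ...]) tuples, one per client."""
    entries = []
    folded = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in folded.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)
        path, clients = fields[0], fields[1:]
        for token in clients:
            m = CLIENT_RE.match(token)
            if not m:
                continue
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            entries.append((path, m.group("client"), opts))
    return entries


def risky_exports(text):
    """Return findings for every client that is exported with no_root_squash.

    A writable share is rated high because remote root can plant root-owned
    setuid files (the technique used in this walkthrough); a read-only one is
    rated medium because remote root can still read every file, private keys
    included.
    """
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" not in opts:
            continue
        writable = "rw" in opts
        findings.append({
            "path": path,
            "client": client,
            "writable": writable,
            "world": client == "*",
            "severity": "high" if writable else "medium",
        })
    return findings


def harden_exports(text):
    """Return the exports text with every no_root_squash replaced by root_squash.

    root_squash is the default, so stating it explicitly is harmless and makes
    the intent visible to the next reader of the file.
    """
    return re.sub(r"\bno_root_squash\b", "root_squash", text)


if __name__ == "__main__":
    for f in risky_exports(SAMPLE_EXPORTS):
        print(f"{f['severity']:6} {f['path']} exported to {f['client']} "
              f"(rw={f['writable']}, world={f['world']})")
    print(harden_exports(SAMPLE_EXPORTS))
```

Run it against the real file with `risky_exports(open("/etc/exports").read())`; a finding with `world` set, as for the /home/james line above, is the worst case because any host that can reach port 2049 gets root-level access to the share.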

Adding the Kali machine’s public key to paradox’s authorized_keys file so SSH tunneling can be used, as NFS cannot be reached externally:

Using the following command to start an SSH tunnel that will redirect data sent to localhost on port 3049 to the victim host on port 2049:

ssh -fN -L 3049:localhost:2049 paradox@10.10.195.53

Creating a new /tmp/share folder and mounting the share on it with the following flags:

  • -t to specify the filesystem type
  • -o to specify options, in this case the port which will be 3049
  • the host/share to connect to
  • the directory to use when connecting to the share

Once the share has been mounted locally, navigating to its .ssh folder and using the james user’s private SSH key to log in:

Because the share is exported with no_root_squash, the local root user on the attacking machine keeps root privileges over files within the share. So, while logged in as james, a copy of the /bin/bash binary is created in the share, then given root ownership and the SUID bit through the local mount. It can then be executed as james with the -p flag, which makes bash keep the effective user ID of the file’s owner instead of dropping it, granting root access to the host:

This has provided a root shell in the victim machine.
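As an added detection example, not part of the original walkthrough, the following Python script scans a directory tree for setuid or setgid executables, which is the artifact this technique leaves behind in the exported home directory. The scanned tree is a constructed temporary directory; the file names inside it are assumptions for the demo, and the setuid file is owned by the current user because only root can create a root-owned one:

```python
"""Detect setuid/setgid executables inside a directory tree such as an
NFS-exported home directory.

Added example for this walkthrough, not part of the original post. The
privilege escalation above leaves a root-owned SUID copy of /bin/bash inside
/home/james; a periodic scan of exported directories (or of every home
directory) for setuid files is a cheap way to notice it. The demo builds a
temporary tree with a constructed setuid file; no real system paths are
assumed.
"""
import os
import stat
import tempfile


def find_setuid_files(root):
    """Walk `root` and return a dict per regular file with the setuid or
    setgid bit set. Symlinks are not followed (os.lstat), so a link pointing
    at a legitimate system binary is not reported as a hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            is_suid = bool(st.st_mode & stat.S_ISUID)
            hits.append({
                "path": path,
                "uid": st.st_uid,
                "setuid": is_suid,
                "setgid": bool(st.st_mode & stat.S_ISGID),
                # a root-owned setuid file in a user's home is exactly the
                # pattern left behind by the no_root_squash technique above
                "severity": "critical" if is_suid and st.st_uid == 0 else "warning",
            })
    return hits


def build_demo_tree():
    """Create a constructed home-directory look-alike with one setuid file
    (owned by the current user, since only root can create root-owned files)
    and return its path."""
    base = tempfile.mkdtemp(prefix="nfs_share_demo_")
    os.makedirs(os.path.join(base, ".ssh"))
    key = os.path.join(base, ".ssh", "id_rsa")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o600)
    planted = os.path.join(base, "bash")  # assumed name, mirrors the copied /bin/bash
    with open(planted, "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed stand-in for a copied /bin/bash\n")
    os.chmod(planted, 0o4755)  # rwsr-xr-x: the SUID bit is what the scanner keys on
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in find_setuid_files(demo):
        print(f"{hit['severity']:8} uid={hit['uid']} {hit['path']}")
```

Pointing `find_setuid_files` at /home on the NFS server gives the same result as the one-liner `find /home -xdev -type f -perm /6000`; either belongs in a scheduled check, since a new setuid file under a user’s home directory should never appear in normal operation.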

Conclusion

This was a pretty cool machine, although I have to say it’s the one I enjoyed the least of the three machines in the Overpass series. The initial exploitation vector was quite simple and the NFS privilege escalation was nothing new if you have been doing penetration testing for a while, but it is still good practice nonetheless.