You know them, you love them, your favourite group of broke computer science students have another business venture! Show them that they probably should hire someone for security…
This is Overpass 3 - Hosting from THM. It’s medium rated. I add overpass3 to /etc/hosts.
Ports
We’ve got FTP, SSH and HTTP on the standard ports.
FTP
No anonymous access, we’ll move on for now.
HTTP
I started trying dirsearch and I must say it’s pretty comfy:
From there, we get a file called backup.zip, which is not password protected and which contains two files:
12K -rw-r--r-- 1 root root 11K Nov 8 16:18 CustomerDetails.xlsx.gpg
4.0K -rw------- 1 root root 3.5K Nov 8 16:16 priv.key
This is PGP stuff:
This gets us an Excel file containing 3 usernames and passwords.
Hydra
Which service to use this on? We can try them both:
Right, so we can log in to FTP, but SSH is key based only. Goodo.
FTP, again
We log in to FTP and we get the root of the webserver. A little testing shows we can upload to this directory, so I upload something simple in a file called cmd.php:
The host is running CentOS and we are the Apache user. We don't seem to have the which command; no matter.
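The root cause here is an FTP account that can write straight into the web root, so a one-line cmd.php becomes code execution. From the defender's side the cheap control is to notice such a file the moment it lands. The script below is an added example (not part of the original write-up) that walks a web root and reports PHP files combining a request parameter with a command-execution sink, plus any PHP at all inside directories that should only hold static uploads; the sample files it creates in a temporary directory are constructed, and the indicator list is deliberately small.

```python
"""Scan a web root for files that look like drop-in command shells.

Added example, not from the original write-up. The sample web root is
constructed in a temporary directory; the indicator patterns are a small,
conservative list and will not catch obfuscated shells.
"""
import os
import re
import tempfile
from typing import List, Tuple

# A PHP execution sink fed directly from request input is the signature of
# a minimal command shell such as the cmd.php described in the write-up.
SINK_RE = re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
# Any PHP in a directory that should only hold static content is worth
# reporting regardless of what it does.
PHP_OPEN_RE = re.compile(r"<\?php|<\?=", re.I)


def classify(source: str) -> str:
    """Return 'shell', 'php' or 'clean' for one file's contents."""
    if SINK_RE.search(source) and INPUT_RE.search(source):
        return "shell"
    if PHP_OPEN_RE.search(source):
        return "php"
    return "clean"


def scan_webroot(root: str, static_only_dirs=()) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, verdict) for suspicious files.

    A file is reported when it classifies as a shell anywhere, or as PHP
    inside one of the static_only_dirs (relative to root).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    verdict = classify(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(path, root)
            in_static = any(rel == d or rel.startswith(d + os.sep) for d in static_only_dirs)
            if verdict == "shell" or (verdict == "php" and in_static):
                findings.append((rel, verdict))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed sample web root (not the real box) for a demo run."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.html": "<html><body>Overpass Hosting</body></html>\n",
        # legitimate PHP: uses request input but no exec sink
        "contact.php": "<?php mail('ops@example.invalid', 'hi', $_POST['msg']); ?>\n",
        # the kind of file the write-up uploads over FTP
        "cmd.php": "<?php system($_GET['cmd']); ?>\n",
        # PHP where only static uploads belong
        os.path.join("uploads", "avatar.php"): "<?php echo 'hello'; ?>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, verdict in scan_webroot(sample_root, static_only_dirs=("uploads",)):
        print(f"{verdict:5s} {rel_path}")
```

Run from cron or a file-integrity hook and the two findings are cmd.php (shell) and uploads/avatar.php (PHP in a static-only directory); contact.php is left alone because reading a request parameter is not suspicious on its own. The stronger fix is still to stop the FTP account from writing to the web root at all.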
From bash, we can su to paradox using the same password as for the FTP account. He has a .ssh directory in his home, and we can add our key to his authorized_keys file to get SSH access:
Now we can just do:
James
As paradox I run linpeas, which finds this in /etc/exports:
root@kali:/opt/tryhackme/overpass3# mount -t nfs -o port=3049,vers=4 127.0.0.1:/ ./mnt
Where ./mnt was a local folder I’d created. Note this syntax caused me quite a few headaches; particularly the path part - NFS4 is different to NFS3 and the shared path is considered / when you mount it.
From there, we could get the user flag:
Note there was also a web flag belonging to Apache; it was in the home directory for the apache user. We can find that by looking in /etc/passwd; it’s /usr/share/httpd. Anyway, onwards …
Root
Privesc was now a fairly classic NFS technique - make a copy of bash in our mounted drive and give it the SUID bit:
Doesn’t look like much, does it? While I’m at it, I add my SSH public key to the authorized_keys file for james just like I did for paradox.
Separately:
And that was that.
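The export found by linpeas and the SUID-bash step both hinge on the same setting: the SUID copy is only useful because the server honours the client's root identity, which is what no_root_squash does (the write-up does not reproduce the actual /etc/exports line, so the input below is constructed). As an added example, not part of the original post, this script parses exports(5) syntax, grades each path/client pair, and prints the hardened line an administrator would want instead.

```python
"""Audit /etc/exports for settings that enable the NFS SUID-copy technique.

Added example, not from the original write-up. SAMPLE_EXPORTS is a
constructed file, not the box's real one. Only the common
`path host(options) ...` form is handled, not the legacy `-options host` form.
"""
import re
import shlex
from typing import Dict, List, Tuple

# constructed sample: one risky export alongside two reasonable ones
SAMPLE_EXPORTS = """\
# constructed sample, not the real /etc/exports from the box
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/public 10.0.0.0/24(ro,sync)
/srv/shared 10.0.0.5(rw,sync,root_squash)
"""

CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair; comments and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)        # quoted paths with spaces stay intact
        path, clients = parts[0], parts[1:] or ["*"]  # bare path exports to everyone
        for client in clients:
            m = CLIENT_RE.fullmatch(client)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            records.append({"path": path, "host": host, "options": opts})
    return records


def grade(record: Dict) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one export record.

    no_root_squash on a writable export lets a client create root-owned
    SUID files; a wildcard host or `insecure` widens who can mount it.
    """
    opts, host = record["options"], record["host"]
    reasons = []
    if "no_root_squash" in opts:
        reasons.append("no_root_squash: client root keeps uid 0 on the server")
    if host == "*" or host.startswith("*"):
        reasons.append("wildcard host: any client may mount")
    if "insecure" in opts:
        reasons.append("insecure: mounts accepted from unprivileged client ports")
    writable = "rw" in opts
    if writable and "no_root_squash" in opts:
        return "critical", reasons
    if "no_root_squash" in opts or (writable and reasons):
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "ok", reasons


def harden(record: Dict, allowed_host: str = "TRUSTED-CLIENT-PLACEHOLDER") -> str:
    """Suggest a corrected exports line: squash root, drop insecure, pin the host."""
    opts = (record["options"] - {"no_root_squash", "insecure"}) | {"root_squash"}
    host = record["host"]
    if host == "*" or host.startswith("*"):
        host = allowed_host          # placeholder: the admin supplies the real client
    return f"{record['path']} {host}({','.join(sorted(opts))})"


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, host, severity) for every record graded above 'ok'."""
    out = []
    for rec in parse_exports(text):
        severity, _ = grade(rec)
        if severity != "ok":
            out.append((rec["path"], rec["host"], severity))
    return out


if __name__ == "__main__":
    for rec in parse_exports(SAMPLE_EXPORTS):
        severity, reasons = grade(rec)
        print(f"{severity:8s} {rec['path']} {rec['host']}")
        for r in reasons:
            print(f"           - {r}")
        if severity != "ok":
            print(f"           suggested: {harden(rec)}")
```

On the constructed file only /home/james is flagged, as critical, and the suggested replacement keeps fsid=0, rw and sync but swaps in root_squash, drops insecure and pins the export to a named client. Note that root_squash is the exportfs default, so the mere absence of the option is not reported; only an explicit no_root_squash is.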
Footnote
I haven’t written anything for a bit; I’ve been trying (and failing) on EnterPrize, a new hard box on THM. I’ve enumerated the box, found the hidden subdomain (maintest.enterprize.thm) and poked around. It’s TYPO3, and I am fairly sure the exploit is a PHP deserialization as described here using a leaked encryptionKey, which can be found on the box and which I have. However, I have tried the exploit as described and so far I can’t get it to work. Ah well, it’s kept me entertained anyway.