Overpass 3 — Hosting TryHackMe Walkthrough

Musyoka Ian
10 min readJan 17, 2021

Hello guys back again with another walkthrough this time we’ll be doing a walkthrough on Overpass 3 Hosting by TryHackMe. I’ve been working on delivery the new box released last weekend by HackThebox and it Amazing i recommend that you guy to check it out i will release it’s walkthrough once the box retires. Finished the box yesterday and trust me i learnt something thanks to Ippsec that’s why i released a writeup of this room later than a day since it was released. But enough of that Overpass 3 is also an amazing box but according to my opinion the box was rather easy. You get a website and after performing a directory brute force using gobuster you get a backup directory with a backup.zip file. Download the zip file to your box and extract it’s contents and get a XLSX file encrypted with GPG but you have the private key that was used to encrypt the file. Do some magic and decrypt the XLSX file we have used that technique before on tomghost another box from TryHackMe. On reading the XLSX file you get some credentials that give you access to FTP share. The FTP share is linked to the website so you upload a malicious PHP web shell and get a shell on the box. Next you find that a user paradox reused the FTP password as his account’s password and you use that password to escalate you privileges to the paradox user. Then you find that NSF service is running only on localhost and it’s configured incorrectly so we leverage that vulnerability to get box user and root on the box. Without much say let’s jump in

As always we’ll start off with a port scan of the box using Nmap

Looking at the results below we see that three ports are opened FTP,SSH and HTTP

But as you can see in the screenshot above FTP doesn’t seem to have anonymous login allowed but i still always try checking it out just in case nmap scripting engine timed out

But from the screenshot above you can see that we didn’t get lucky there. Next we have SSH but SSH always requires credentials so we can’t enumerate SSH for now. We could have tried a brute force attack but since we don’t have even a valid username we’ll not go down that path now.

Lastly we have HTTP and as i always say website always have the biggest attack surface. On opening the website we get a standard webpage

Before doing any manual enumeration i decided to leave gobuster a tool used to brute-force URIs including directories and files as well as DNS subdomains running in the background

Next i decided to look at the source of the webpage and see if I’ll find anything that stands out

I found a comment but it really wasn’t helpful in anyway

Next i decided to see if robots.txt existed because if it did we could get some more URL’s to enumerate

But i got nothing.

Going back to gobuster result we get a unique directory called backups

Let’s navigate to it using Mozilla and see what we find

We have a backup file. I downloaded the backup.zip file to my local box and extracted it’s contents

We get two file a XLSX file encrypted with GPG and a private key used to encrypt the file

Let’s import the private key and decrypt the file

Sweet let’s view the contents of the XLSX file

I used an online XLSX viewer to view the decrypted file since it did the job perfectly

We get a bunch of credentials sweet. I saved the credentials to my box and tried to use those credentials to perform a FTP brute force attack using hydra

Looking at the result below we got a valid login for the user paradox

Next i logged into the ftp share from my box

And looking at the screenshot above we have a successful login

Looking at the file in the FTP share we see a similarity between the files it has and the file on the website

I decided to create a simple PHP web shell and uploaded to the FTP server

Doing a directory listing on the server we see that the file was uploaded successfully

Next i tried to access that file from the website and voila looking at the screenshot below i was successful since we don’t have a 404 NOT FOUND error

On adding the parameter cmd i could execute system command on the system

I intercepted the request with burpsuite and sent it to the repeater tab. Our aim now is getting a shell on the server. I used a bash reverse shell shell which did the job perfectly

First i started a netcat listener on my box

Next i executed the reverse shell payload from burpsuite

Going back to my listener i had a shell on the box

First i decided to upgrade my shell and remember we found a bunch of credentials before doing any enumeration i decided to try those credentials for different users and paradox password worked

Sweet next i decided to run linpeas on the box and see what it’ll find

First i uploaded linpeas to the box using curl

Next i ran the script specifying -a argument for it to run all the checks

After linpeas finished doing all the necessary checks i decided to check the output and found one interesting fact there was a NSF service running

Before doing anything else i decided to see if i could access the port from my box since it isn’t in the top 1000 port so nmap wouldn’t have scanned the port.

And i wasn’t lucky the port seemed to only be exposed on localhost

To access the port from our box we need to do a bit of port forwarding which isn’t a problem. But looking at the configuration of NSF we see that it created a loop and we’ll use this misconfiguration to get box user and root on the box

How???? you might ask

First we see that the share has no_root_squash meaning any files that we upload from our box as the root user to the share those files will also be added to the box as a root user the file user’s permission in our case “root’s permission” will no be squashed to be the NFS user’s permission which in our case would have been the rpcuser. What if we upload a bash shell and add a setuid bit on the binary ??

But first let’s mount the NFS share on our box

First i uploaded chisel to the box. Chisel is an awesome port forwarder for both Linux and windows

Next i created a reverse tunnel using chisel

Next i tried accessing the port from my local box and voila looking at the screenshot below i got a successful connection

Now i used the showmount command on Linux to see what share we were going to mount

Looking at the screenshot above you see we could mount /home/james

First i created a mount directory on my box

Next i tried mounting the share using the command below

sudo mount -t nfs localhost:/home/james mount/

But always got the error below

But when i tried mounting / using the command

sudo mount -t nfs localhost:/ mount/

it just worked

I got no errors i still don’t know why but it just worked I’ll have to talk to the creators of the box to get the answer why

But navigating to the mounted directory we get the user flag

Navigating to .ssh directory we get a private SSH key

I saved the key to my box and and tried logging into the box using it and it worked looking at the screenshot below

Sweet. But remember we saw that root’s permission were not squashed in the output of linpeas so what if we upload a bash shell as the root user from our box using the mounted share?

As you can see we uploaded the bash shell successfully. Using the ssh shell we spawned using the SSH private keys we can see that the binary is owned by the root user

What if we add a SUID bit on the binary???

Looking at the binary again using the SSH shell we see it has a SUID bit

Sweet let’s execute the binary add pass it the argument -p so that it uses the permission that was set on the binary

And we are root on the box just like that. The NSF did not squash the root users permission and that’s what caused the vulnerability on the box

Let’s navigate to the root user’s directory and get the root flag

Now we can submit the flag and get the points. Next i uploaded a SSH public key to the box because i wanted to login to the box as the root user

Then i logged in as the root user

And it works. Some might ask why didn’t i brute force SSH using those credentials but i did just didn’t show that step since it didn’t work. SSH is configured to allow logins through private keys and not passwords

But that’s it for now guys till next time it’s goodbye from me. If you liked the walkthrough you can clap for me down below and don’t forget to follow me so that you don’t miss any upcoming articles