Overpass 3 — Hosting TryHackMe Walkthrough
Hello guys, back again with another walkthrough. This time we'll be doing Overpass 3 Hosting by TryHackMe. I've been working on Delivery, the new box released last weekend by HackTheBox, and it's amazing; I recommend that you check it out, and I'll release its walkthrough once the box retires. I finished that box yesterday and, trust me, I learnt something thanks to Ippsec, which is why this writeup of the room comes out more than a day after its release. But enough of that. Overpass 3 is also an amazing box, though in my opinion it was rather easy. You get a website, and after performing a directory brute force with gobuster you find a backups directory containing a backup.zip file. Download the zip file to your box and extract its contents: you get an XLSX file encrypted with GPG, together with the private key needed to decrypt it. Do some magic and decrypt the XLSX file (we used that technique before on Tomghost, another box from TryHackMe). Reading the XLSX file gives you some credentials that grant access to an FTP share. The FTP share is linked to the website, so you upload a malicious PHP web shell and get a shell on the box. Next you find that the user paradox reused the FTP password as his account password, and you use it to escalate your privileges to the paradox user. Then you find an NFS service running only on localhost that is configured incorrectly, and we leverage that misconfiguration to get both user and root on the box. Without much more to say, let's jump in
As always we’ll start off with a port scan of the box using Nmap
Looking at the results below we see that three ports are open: FTP, SSH and HTTP
But as you can see in the screenshot above, FTP doesn't seem to allow anonymous login. I still always check it anyway, just in case the Nmap scripting engine timed out
But from the screenshot above you can see that we didn't get lucky there. Next we have SSH, but SSH always requires credentials, so we can't enumerate it for now. We could have tried a brute force attack, but since we don't even have a valid username we'll not go down that path yet.
Lastly we have HTTP, and as I always say, websites have the biggest attack surface. On opening the website we get a standard webpage
Before doing any manual enumeration I decided to leave gobuster running in the background. Gobuster is a tool used to brute-force URIs, including directories and files, as well as DNS subdomains
Next I decided to look at the source of the webpage to see if anything stands out
I found a comment, but it really wasn't helpful in any way
Next I checked whether robots.txt existed, because if it did we could get some more URLs to enumerate
But I got nothing.
Going back to the gobuster results we get a unique directory called backups
Let’s navigate to it using Mozilla and see what we find
We have a backup file. I downloaded backup.zip to my local box and extracted its contents
We get two files: an XLSX file encrypted with GPG and the private key needed to decrypt it
Let’s import the private key and decrypt the file
Sweet let’s view the contents of the XLSX file
I used an online XLSX viewer to view the decrypted file since it did the job perfectly
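The real mistake behind this step is not the encryption but the packaging: the archive that was left in a web-accessible directory contained the encrypted spreadsheet and the private key that decrypts it, so the encryption protected nothing. Below is an added example (my own code, not part of the original walkthrough or the room) of a pre-publish check that a backup job could run on an archive before it is copied anywhere: it looks for armored private-key blocks inside the zip and flags any encrypted payload that travels in the same archive as such a key. The archive it scans is constructed in memory; the member names and contents are made up and are not the box's files.

```python
import io
import re
import zipfile

# Markers for key material that must never travel with the data it protects.
SECRET_MARKERS = {
    "pgp private key": re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "openssh private key": re.compile(rb"-----BEGIN OPENSSH PRIVATE KEY-----"),
    "pem private key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"),
}
# Extensions that mark a GPG/PGP-encrypted payload.
ENCRYPTED_SUFFIXES = (".gpg", ".pgp", ".asc")
# Only the head of each member is inspected; armored key blocks start at byte 0.
HEAD_BYTES = 64 * 1024


def build_sample_backup(include_key=True):
    """Constructed stand-in for the box's backup.zip (names and contents are made up):
    an encrypted spreadsheet and, optionally, the armored private key beside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("customers.xlsx.gpg", b"\x85\x01\x0c\x03" + b"\x00" * 32)  # fake ciphertext
        if include_key:
            zf.writestr(
                "backup.key",
                b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
                b"lQ...constructed placeholder, not a real key...\n"
                b"-----END PGP PRIVATE KEY BLOCK-----\n",
            )
    return buf.getvalue()


def scan_backup(zip_bytes):
    """Return a list of (member name, finding) for an archive held in memory.

    Two checks: any member that looks like a private key, and any encrypted payload
    shipped in the same archive as a private key (the Overpass 3 mistake)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            with zf.open(name) as member:
                head = member.read(HEAD_BYTES)
            for kind, marker in SECRET_MARKERS.items():
                if marker.search(head):
                    findings.append((name, kind))
    key_present = any(kind.endswith("private key") for _, kind in findings)
    if key_present:
        for name in names:
            if name.lower().endswith(ENCRYPTED_SUFFIXES):
                findings.append((name, "encrypted payload stored next to a private key"))
    return findings


if __name__ == "__main__":
    for member, finding in scan_backup(build_sample_backup()):
        print(f"{member}: {finding}")
```

A non-empty result should fail the backup job. The same check does nothing about the other half of the problem, a backups directory reachable from the web server, which a directory brute force will find; backups belong outside the document root entirely.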
We get a bunch of credentials, sweet. I saved the credentials to my box and used them to perform an FTP brute force attack with hydra
Looking at the result below we got a valid login for the user paradox
Next I logged into the FTP share from my box
And looking at the screenshot above we have a successful login
Looking at the files in the FTP share we see that they match the files on the website
I decided to create a simple PHP web shell and upload it to the FTP server
Doing a directory listing on the server we see that the file was uploaded successfully
Next I tried to access that file through the website, and voila, looking at the screenshot below I was successful since we don't get a 404 Not Found error
On adding the cmd parameter I could execute system commands on the box
I intercepted the request with Burp Suite and sent it to the Repeater tab. Our aim now is getting a shell on the server. I used a bash reverse shell, which did the job perfectly
First I started a netcat listener on my box
Next I executed the reverse shell payload from Burp Suite
Going back to my listener I had a shell on the box
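From the defender's side, the chain above (FTP account can write into the document root, web server executes whatever lands there) leaves a very recognisable artefact: a PHP file that passes request parameters straight into a command-execution function. The following is an added example, my own code rather than anything from the walkthrough or the room, of a small triage pass over a document root that ranks PHP files by how much they look like that. The sample document root is a constructed dict of path to source text and stands in for what a walk of the real directory would return.

```python
import re

# PHP functions that hand a string to the OS or to the interpreter.
SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
# Sources an attacker controls directly in an HTTP request.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "php://input")

SINK_CALL = re.compile(r"\b(?:" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)
BACKTICKS = re.compile(r"`[^`\n]+`")  # the backtick operator is shell_exec in disguise


def classify_php(source):
    """Triage one PHP source string: 'high' when a command/eval sink and a request-controlled
    source both appear in the file, 'review' when a sink appears on its own, else 'clean'.
    File-level matching is deliberate: a one-liner that feeds a parameter to a sink and a
    two-line variant that copies the parameter into a variable first are both caught."""
    has_sink = bool(SINK_CALL.search(source) or BACKTICKS.search(source))
    has_source = any(src in source for src in SOURCES)
    if has_sink and has_source:
        return "high"
    if has_sink:
        return "review"
    return "clean"


def triage_webroot(files):
    """files: mapping of relative path -> source text. Returns [(verdict, path)] sorted
    worst-first so the high findings surface at the top of the report."""
    rank = {"high": 0, "review": 1, "clean": 2}
    results = [(classify_php(src), path) for path, src in files.items() if path.endswith(".php")]
    return sorted(results, key=lambda r: (rank[r[0]], r[1]))


# Constructed sample of a document root that an FTP account can write to (not the box's files).
SAMPLE_WEBROOT = {
    "index.php": "<?php include 'header.php'; echo date('Y'); ?>",
    "contact.php": "<?php $name = htmlspecialchars($_POST['name'] ?? ''); echo \"Hello $name\"; ?>",
    "stats.php": "<?php echo shell_exec('uptime'); ?>",
    "uploads/s.php": "<?php system($_GET['cmd']); ?>",
    "style.css": "body { margin: 0 }",
}

if __name__ == "__main__":
    for verdict, path in triage_webroot(SAMPLE_WEBROOT):
        print(f"{verdict:6} {path}")
```

This is signature-based triage, so an obfuscated shell (base64 blobs, string concatenation) will slip past it; pair it with file-integrity monitoring on the document root, which would have flagged the new file the moment it was uploaded. The structural fix is simpler still: the FTP account should not be able to write into a directory the web server executes PHP from, and for upload paths that must stay writable, PHP execution can be switched off (with mod_php, `php_admin_flag engine off` inside the relevant Apache `<Directory>` block).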
First I upgraded my shell. Then, remembering the bunch of credentials we found earlier, I tried them for different users before doing any further enumeration, and paradox's password worked
Sweet, next I decided to run linpeas on the box and see what it finds
First I uploaded linpeas to the box using curl
Next I ran the script with the -a argument so that it runs all the checks
After linpeas finished all its checks I went through the output and found one interesting fact: there was an NFS service running
Before doing anything else I checked whether I could access the port from my box, since it isn't in the top 1000 ports and Nmap therefore wouldn't have scanned it.
And I wasn't lucky: the port seemed to be exposed only on localhost
To access the port from our box we need to do a bit of port forwarding, which isn't a problem. But looking at the configuration of NFS we see that it created a loop, and we'll use this misconfiguration to get both user and root on the box
How???? you might ask
First we see that the share has no_root_squash. This means that any files we upload to the share from our box as the root user are also written to the box as root: the owner's permissions, in our case root's, will not be squashed to those of the NFS anonymous user, which here would have been rpcuser. What if we upload a bash shell and set the SUID bit on the binary??
But first let’s mount the NFS share on our box
First I uploaded chisel to the box. Chisel is an awesome port forwarder for both Linux and Windows
Next I created a reverse tunnel using chisel
Next I tried accessing the port from my local box, and voila, looking at the screenshot below I got a successful connection
Now I used the showmount command on Linux to see which share we were going to mount
Looking at the screenshot above you see we could mount /home/james
First I created a mount directory on my box
Next I tried mounting the share using the command below
sudo mount -t nfs localhost:/home/james mount/
But I always got the error below
But when I tried mounting / using the command
sudo mount -t nfs localhost:/ mount/
it just worked
I got no errors. I still don't know why, but it just worked. I'll have to talk to the creators of the box to find out why
But navigating to the mounted directory we get the user flag
Navigating to the .ssh directory we get a private SSH key
I saved the key to my box and tried logging into the box with it, and as you can see in the screenshot below it worked
Sweet. But remember we saw in the linpeas output that root's permissions were not squashed, so what if we upload a bash shell as the root user from our box through the mounted share?
As you can see we uploaded the bash shell successfully. Using the SSH shell we spawned with the SSH private key we can see that the binary is owned by the root user
What if we set the SUID bit on the binary???
Looking at the binary again through the SSH shell we see it has the SUID bit set
Sweet, let's execute the binary and pass it the -p argument so that it keeps the privileges set on the binary
And we are root on the box, just like that. NFS did not squash the root user's permissions, and that's what caused the vulnerability on the box
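Everything from the no_root_squash explanation down to the SUID bash step comes from a single line in /etc/exports, and that line is easy to audit. Below is an added example, my own code and not anything from the room or the walkthrough, of a small exports auditor: it parses the file into (path, client, options) triples and flags the options that let a client plant root-owned files or reach the share from any address. The two export lines it runs against are constructed: the first resembles the misconfiguration the box relies on, the second is the hardened form of the same share. The box's real /etc/exports is not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed /etc/exports content (not copied from the box): the first export resembles the
# misconfiguration the walkthrough abuses, the second is the hardened form of the same share.
SAMPLE_EXPORTS = """\
# home share, any client, client root keeps uid 0
/home/james *(rw,no_root_squash)
# hardened: one subnet, root squashed to the anonymous uid, synchronous writes
/home/james 10.10.0.0/16(rw,root_squash,sync)
"""

EXPORT_LINE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_SPEC = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")
ANY_HOST = {"*", "0.0.0.0/0"}


@dataclass(frozen=True)
class Finding:
    path: str
    host: str
    message: str


def parse_exports(text):
    """Yield (path, host, [options]) for every client spec in an exports file.
    A host without parentheses gets the exportfs defaults, which include root_squash."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = EXPORT_LINE.match(line)
        if not m:
            continue
        for spec in CLIENT_SPEC.finditer(m.group("clients")):
            opts = [o.strip() for o in (spec.group("opts") or "").split(",") if o.strip()]
            yield m.group("path"), spec.group("host"), opts


def audit_exports(text):
    """Flag options that let a client plant root-owned files or reach the share from anywhere."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append(Finding(path, host,
                "no_root_squash: uid 0 on the client stays uid 0 on the server, so a "
                "root-owned SUID binary can be written into the export"))
        if host in ANY_HOST:
            findings.append(Finding(path, host, "export is offered to every client address"))
        if "insecure" in opts:
            findings.append(Finding(path, host,
                "insecure: requests from unprivileged source ports are accepted, so any local "
                "user on an allowed client can talk to the server, not just root"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} [{f.host}] {f.message}")
```

Two further points the box illustrates. Binding NFS to localhost only did not help once a low-privileged shell existed, because that shell could tunnel the port out, as the chisel step shows; the export options have to be safe on their own. And mounting the server's /home with nosuid would have stopped the final step even with no_root_squash present, since the planted bash binary's SUID bit would then be ignored.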
Let’s navigate to the root user’s directory and get the root flag
Now we can submit the flag and get the points. Next I uploaded an SSH public key to the box because I wanted to log in as the root user
Then I logged in as the root user
And it works. Some might ask why I didn't brute force SSH using those credentials: I did, I just didn't show that step since it didn't work. SSH is configured to allow logins with private keys only, not passwords
But that’s it for now guys till next time it’s goodbye from me. If you liked the walkthrough you can clap for me down below and don’t forget to follow me so that you don’t miss any upcoming articles