Open in app

Sign in

Write

Sign in

Overpass 3 — TryHackMe [Creators — NinjaJc01]

jaeng
5 min readMar 2, 2021

Link room: [ https://tryhackme.com/room/overpass3hosting ]

Before starting, all of the challenges posted here are included in my learning journey. I didn’t solve them all, if I searched or learned from other senpais, I will reference them all.

Ideas:

  • Recon with Nmap.
  • Found backups file & decrypt it, its content contains credentials.
  • Logged in FTP with found credentials.
  • Initial foothold: FTP + Web server = RCE.
  • Found NFS services running on server & abused port forwarding to access file share & get shell as james. ( I might dive deeper into this part & explain couple of things about NFS ).
  • From james, escalate to root with NFS sharing.

# Recon w/ nmap

  • sudo nmap -sV -sC -A -oA [output_file] -v [target_ip]

According to the result, there are 3 opened ports:

  • Web service [port 80]: possible usernames found.
  • FTP service [port 21]: Anonymous login failed.
  • SSH service [port 22]

Hidden web directories fuzzing with ffuf:

  • ffuf -u [target_ip]/FUZZ -w [dictionary] | tee basic_ffuf.out

We found a “backups” directory & download backup.zip & extract it:

  • CustomerDetails.xlsx.gpg
  • priv.key

Decrypt gpg file:

  • gpg — import [key]
  • gpg — decrypt [gpg_file] > [output]

Reference: [ https://bit.ly/37Znyil ]

The original file type is “excel”, we will have a nice list of credentials from it.

# Initial Access

From the obtained credentials above, we could successfully login FTP as paradox user. From here, we could try to upload a random file i.e. [test.txt] & access it from web server.

Upload file to FTP:

Access it from web server:

Now that we know we could potentially upload reverse shell & execute it & catch the shell as apache.

Shell as apache:

Web flag can be found in “/usr/share/httpd/ directory.

# Shell as james

Now that we have gain access to the server, we can either escalate to paradox shell with a valid credentials that we’ve found before.

( For an easy life, I really recommend to add your “ssh pubkey” into “/home/paradox/.ssh/authorized_keys” & login to the server via ssh service.

Here is how: [ https://do.co/3dXWVye ] ).

Enumeration:

After having shell as paradox, we could upload “Linpeas” & automate enumeration stage.

Here, it showed up right in front of us the correct path, but I really messed up & it took me a decent amount of time to exploit this part.

Overview NFS:

“Network File System (NFS) allows a user on a client computer to access files over a computer network much like local storage is accessed”.

Reference: [ https://en.wikipedia.org/wiki/Network_File_System ].

We can think of it as FTP service.

Understand “/home/james *(rw, …)”

Everyone can mount directory /home/james & write into it.

Understand “no_root_squash”:

“no_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root “.

Reference: [ https://bit.ly/37ZSDCv ].

Understand “insecure”:

“secure

This option requires that requests originate on an Internet port less than IPPORT_RESERVED (1024). This option is on by default. To turn it off, specify insecure.”

In short, this option gives us permission to communicate with NFS in the higher port ( > 1024 ).

Reference: [ https://linux.die.net/man/5/exports ].

Some of the commands to list & mount NFS:

  • show -e [ip]: to list all file shares.
  • mount -v -t nfs [-o {options}] [ip]:[directory_to_mount] [local_directory_to_mount]: to mount pointed directory to our attacker machine.

Remote exploit NFS:

Enumeration

  • ss -anlt: to list all listening tcp services.

Here, we can see there are couple signature ports that showed up that RPC (port 111) & NFS (port 2049) are listening on all interfaces. However, as we recon with nmap, those ports didn’t stand out. Now, we are trying to scan them again.

  • sudo nmap -sV -p43169,2049,111,20048,51857 overpass.thm -vvv

There are 3 ports appeared belonged to NFS service, but in a filtered STATE, this might be because there is either a type of firewall or blocking service trying to hinder us from communicating with those ports. For that reason, when we are trying to run commands:

  • showmount -e overpass.thm

Similarly, this blocks us from mounting NFS remotely.

Local exploit NFS:

We failed to mount NFS remotely, but how about making NFS service thought that our attacker machine is its local host? Well, we can efficient bypass filtering using this way.

This can be done using SSH tunnel to forward all of the NFS services to our localhost.

On the attacker machine, run:

  • ssh -i paradox.rsa -L 8888:[target_ip]:2049 paradox@overpass.thm
  • ssh -i paradox.rsa -L 8888:[target_ip]:20048 paradox@overpass.th
  • sudo mount -v -t nfs -o port=8888,mountport=9999,tcp localhost:/home/james /dev/shm/nfs_james/

As mentioned before, we will need all of essential services (RPC portmapper on port 111, NFS port 2049 & NFS mount port 20048) for NFS service to execute correctly.

Reference: [ http://biowiki.org/wiki/index.php/Mounting_NFSThrough_SSHTunnel ].

To access the file share, we either utilize root user or create user james with useradd. After we successfully mounted the file, read “.ssh/id_rsa” & ssh into target server as james.

Now that we got james’s shell, privilege escalation will be done in 3 steps.

# Shell as root

Since we had a file mounted file share, we can easily:

  • cp /bin/bash /dev/shm/nfs_james && chmod +s /dev/shm/nfs_james/bash
  • SSH as james.

& ./bash -p to get a root shell.

--

--

jaeng

Written by jaeng

2 Followers

learning … & better …

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams