# Overpass 3

## Brief Description <a href="#cec8" id="cec8"></a>

This is the third part of the Overpass series, which highlights the dangers of a misconfigured web server: in this case, a backup file containing sensitive information led to web server compromise. This room also shows that NFS shares should be properly secured. To read the previous parts, click [here](https://hambyhaxx.medium.com/tryhackme-overpass-by-ninjajc01-41d3440d6ea0) and [here](https://hambyhaxx.medium.com/tryhackme-overpass-2-hacked-writeup-86b870182edd).

## Reconnaissance <a href="#id-70dd" id="id-70dd"></a>

### Scoping and Preparation <a href="#eb0c" id="eb0c"></a>

Connect to OpenVPN Server using:

* `sudo openvpn [.ovpn_file]`

I used my tool [CTFRecon-Go](https://www.github.com/hambyhacks/CTFRecon-Go) to automate directory creation, port scanning, web directory brute-forcing and adding entry to `/etc/hosts` file.

```
git clone https://github.com/hambyhacks/CTFRecon-Go && cd CTFRecon-Go
go build .
sudo ./CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]
```

You can also install the binary with `go install`: `go install github.com/hambyhacks/CTFRecon-Go@latest`

To use `CTFRecon-Go` if installed using `go install`:

* `sudo CTFRecon-Go -d [DIRECTORY_NAME] -p [PLATFORM] -i [IP] -w [WORDLIST_TO_USE_FOR_GOBUSTER]`

## External Enumeration <a href="#id-7b1c" id="id-7b1c"></a>

### Preliminary Enumeration via nmap <a href="#id-1460" id="id-1460"></a>

### Table 1.1: nmap Results Summary <a href="#fb3e" id="fb3e"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:655/1*yTWlo3OJm-8dVFrDRSgSug.png" alt="" height="163" width="524"><figcaption><p>nmap results summary.</p></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*_swwgA36TKIN5iyx.png" alt="" height="346" width="700"><figcaption><p>Nmap Scan result.</p></figcaption></figure>

Let's look at the `HTTP` server on port 80.

## Web Enumeration <a href="#id-9e8b" id="id-9e8b"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*DwDYPW59c-PPofYy.png" alt="" height="338" width="700"><figcaption><p>Possible users on Overpass.</p></figcaption></figure>

The web page shows that Overpass now offers web and email hosting. Let's look at the source code of the page.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*BpQpW_OWY4Xu9meh.png" alt="" height="339" width="700"><figcaption><p>Comment on source code.</p></figcaption></figure>

It looks like the developer doubts the reliability of their own service.

<figure><img src="https://miro.medium.com/v2/resize:fit:623/0*2-q4Bc_3KWKbemZT.png" alt="" height="382" width="498"><figcaption><p>Webpage Technologies.</p></figcaption></figure>

We can see that the web server is Apache running on CentOS, and it is likely serving `.php` files.

Let's look at the result of the `GoBuster` scan performed by CTFRecon-Go.

### GoBuster Scan <a href="#id-86d1" id="id-86d1"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*m5sqtrZXDZ6EdGDF.png" alt="" height="81" width="700"><figcaption><p>GoBuster scan result.</p></figcaption></figure>

There is a directory named `/backups`, which looks interesting.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*mNpEg_kJOR-wkkPT.png" alt="" height="204" width="700"><figcaption><p>backup.zip file on /backups.</p></figcaption></figure>

There is a `backup.zip` file in the `/backups` directory. Let's download it and look at its contents.

### Content Discovery <a href="#edfc" id="edfc"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*HmM7OLuPLGhQrUyH.png" alt="" height="179" width="700"><figcaption><p>contents of backup.zip file.</p></figcaption></figure>

We got `CustomerDetails.xlsx.gpg` and `priv.key` inside `backup.zip`. Let's try to decrypt the spreadsheet using `gpg`.
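Exposing `/backups` with an archive that bundles the encrypted spreadsheet together with the private key needed to decrypt it is the root cause of this compromise. As an added example that is not part of the original writeup, the script below walks a document root the way an administrator would audit their own server and flags archives, backup copies, data exports, encrypted blobs and key material. The suffix and directory lists are my own assumptions about what usually turns out to be sensitive, and the sample tree it creates is constructed to mirror the `backup.zip`, `CustomerDetails.xlsx.gpg` and `priv.key` found in this room.

```python
"""Audit a web DocumentRoot for files that should never be web-reachable.

Added example, not code from the original writeup. The suffix and
directory lists are assumptions; the sample tree is constructed to mirror
the /backups/backup.zip, CustomerDetails.xlsx.gpg and priv.key found in
this room and contains placeholder text, not real keys.
"""
import os
import tempfile
from typing import List, Optional, Tuple

# File-name endings that indicate archives, backup copies, data exports,
# encrypted blobs or private keys.
RISKY_SUFFIXES = (
    ".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar",   # archives
    ".bak", ".old", ".orig", ".swp", "~",               # backup/editor copies
    ".sql", ".xlsx", ".csv",                            # data exports
    ".gpg", ".pgp", ".asc", ".key", ".pem", ".ppk",     # encrypted data / keys
)
# Directory names that tend to be left behind in a web root.
RISKY_DIRS = {"backup", "backups", ".git", ".svn", "old", "dump"}


def classify(rel_path: str) -> Optional[str]:
    """Return why a web-root-relative path is risky, or None if it is not."""
    parts = [p.lower() for p in rel_path.split("/")]
    name = parts[-1]
    if any(p in RISKY_DIRS for p in parts[:-1]):
        return "inside a backup/VCS directory"
    for suffix in RISKY_SUFFIXES:
        if name.endswith(suffix):
            return f"suffix {suffix!r}"
    return None


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative_path, reason) for flagged files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            rel = rel.replace(os.sep, "/")
            reason = classify(rel)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed DocumentRoot; file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.html": "<html>Overpass Hosting</html>",
        "css/style.css": "body { margin: 0; }",
        "backups/backup.zip": "PK placeholder archive",
        "backups/priv.key": "placeholder for a PGP private key block",
        "data/CustomerDetails.xlsx.gpg": "placeholder for gpg ciphertext",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in audit_webroot(build_sample_webroot()):
        print(f"{path:40} {reason}")
```

Run it against the real DocumentRoot (`audit_webroot("/var/www/html")`) as part of a deployment check; anything it lists should be moved out of the web root or blocked in the server configuration, and a decryption key should never sit next to the data it protects.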

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*4c9bJDmxqw4Q1xNb.png" alt="" height="80" width="700"><figcaption><p>encrypted spreadsheet using gpg.</p></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*NUVAsdO8Zzodkvi-.png" alt="" height="340" width="700"><figcaption><p>Forum thread about decrypting gpg files.</p></figcaption></figure>

First, we need to import the private key using the command:

* `gpg --import [KEYFILE]`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*NhMhrJ-7Xd_61C5D.png" alt="" height="235" width="700"><figcaption><p>importing private key and decrypting the spreadsheet.</p></figcaption></figure>

To decrypt the file:

* `gpg --output [OUTPUT FILE] --decrypt [ENCRYPTED FILE]`

Let's look inside the spreadsheet file!

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*lrwwZwFHV2So5RT2.png" alt="" height="374" width="700"><figcaption><p>Credentials on spreadsheet.</p></figcaption></figure>

Nice! We got some credentials to work with. Let's check whether any of them are valid for the `FTP` service.

## FTP Enumeration <a href="#id-3afb" id="id-3afb"></a>

Let's try some of the credentials in the `FTP` service.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*YKkui7qfhT7PIBR7.png" alt="" height="346" width="700"><figcaption><p>Logging in via FTP.</p></figcaption></figure>

As shown in the image above, we tried to log in as `muirlandoracle` with the creds we got, but it failed. Logging in as `paradox` gives us access to the `FTP` service.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*dzM4El0UQThDYMel.png" alt="" height="349" width="700"><figcaption><p>FTP server is mirror image of web server.</p></figcaption></figure>

It looks like the `FTP` server is a mirror of the web server. We can verify this by uploading a simple `.txt` file and trying to read it through the web server. I uploaded a file named `test.txt` via `FTP`.

To upload a file via `FTP`:

* `put [FILE]`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*EjNUr--uDwcpS_5r.png" alt="" height="338" width="700"><figcaption><p>Uploaded test.txt file using FTP and viewing in web server.</p></figcaption></figure>

Let's try a `.php` file since the web server is running `Apache`.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*CN8Yxg-cgS3D6Dyl.png" alt="" height="306" width="700"><figcaption><p>uploading phpinfo() file.</p></figcaption></figure>

Seems like our `.php` file is uploaded successfully. Let's view the contents of the file. We should be greeted by `phpinfo()` content.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*sIKQf629Y97F92yZ.png" alt="" height="333" width="700"><figcaption><p>Successful execution of phpinfo() file.</p></figcaption></figure>
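Because the FTP root and the Apache DocumentRoot are the same directory, any file written over FTP immediately becomes a web resource, and a `.php` file becomes executable code. As an added example that is not part of the original writeup, the script below correlates vsftpd-style upload records with Apache access-log requests for the same path, which lets a defender spot exactly the sequence shown above (upload a `.php` file, then fetch it over HTTP). The log lines are constructed, the vsftpd line format is my assumption about that daemon's log, and the direct path match assumes the FTP root equals the DocumentRoot as it did on this machine.

```python
"""Correlate FTP uploads with web requests to detect FTP-to-webroot code drops.

Added example, not part of the original writeup. Assumes vsftpd-style
"OK UPLOAD" records and an Apache combined-format access log; all log
lines below are constructed to resemble the room, not captured from it.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed vsftpd.log excerpt: an FTP account writes two files into a
# directory that is also the Apache DocumentRoot.
FTP_LOG = """\
Mon Jan  1 12:00:01 2024 [pid 2345] [paradox] OK LOGIN: Client "10.10.14.5"
Mon Jan  1 12:00:09 2024 [pid 2346] [paradox] OK UPLOAD: Client "10.10.14.5", "/test.txt", 12 bytes, 0.50Kbyte/sec
Mon Jan  1 12:01:30 2024 [pid 2346] [paradox] OK UPLOAD: Client "10.10.14.5", "/info.php", 21 bytes, 1.02Kbyte/sec
"""

# Constructed Apache combined-format access log for the same window.
HTTP_LOG = """\
10.10.14.5 - - [01/Jan/2024:12:00:15 +0000] "GET /test.txt HTTP/1.1" 200 12 "-" "curl/7.88"
10.10.14.5 - - [01/Jan/2024:12:01:45 +0000] "GET /info.php HTTP/1.1" 200 68123 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Suffixes the web server would hand to an interpreter instead of serving as-is.
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".py", ".sh")

UPLOAD_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<client>[^"]+)", "(?P<path>[^"]+)", (?P<size>\d+) bytes'
)
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_uploads(log: str) -> List[Dict]:
    """Extract successful FTP uploads (user, client IP, path, size)."""
    uploads = []
    for line in log.splitlines():
        m = UPLOAD_RE.search(line)
        if m:
            uploads.append({"user": m["user"], "client": m["client"],
                            "path": m["path"], "size": int(m["size"])})
    return uploads


def parse_requests(log: str) -> List[Dict]:
    """Extract HTTP requests; the query string is dropped so paths compare cleanly."""
    requests = []
    for line in log.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            requests.append({"client": m["client"], "method": m["method"],
                             "path": m["path"].split("?", 1)[0], "status": int(m["status"])})
    return requests


def correlate(ftp_log: str, http_log: str) -> List[Dict]:
    """Alert on every uploaded file that was later requested over HTTP.

    Severity is "high" when the file has a server-side executable suffix and
    the server answered 200 (the code ran), "medium" for any other upload
    that became web-reachable.
    """
    served = defaultdict(list)
    for req in parse_requests(http_log):
        served[req["path"]].append(req)
    alerts = []
    for up in parse_uploads(ftp_log):
        hits = served.get(up["path"], [])
        if not hits:
            continue
        executable = up["path"].lower().endswith(EXECUTABLE_SUFFIXES)
        executed = executable and any(h["status"] == 200 for h in hits)
        alerts.append({
            "path": up["path"],
            "ftp_user": up["user"],
            "uploader": up["client"],
            "requesters": sorted({h["client"] for h in hits}),
            "severity": "high" if executed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(FTP_LOG, HTTP_LOG):
        print(alert)
```

On a real host the two logs would be read from `/var/log/vsftpd.log` and the Apache access log; the fix that makes the high-severity case impossible is to keep FTP-writable directories outside the DocumentRoot, or to disable script execution for any directory the FTP account can write to.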

## Exploitation <a href="#id-8074" id="id-8074"></a>

Knowing that we can upload a `.php` file and execute it, we can upload a reverse shell to get a foothold on the machine. Download the reverse shell [here](https://github.com/pentestmonkey/php-reverse-shell).

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*me-xLMN1c8a5zLpy.png" alt="" height="341" width="700"><figcaption><p>Github Repository for php-reverse-shell.</p></figcaption></figure>

We need to edit the file to successfully catch the reverse shell using `netcat`. Edit the `IP` and `port` variables to **match** your IP and desired port.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*nM-eNmuYgk3PpyqL.png" alt="" height="372" width="700"><figcaption><p>Editing php-reverse-shell.</p></figcaption></figure>

Open a listener using `netcat`, then upload the updated reverse shell via the `FTP` service and browse to the uploaded `.php` file. It should be in the web root (e.g., `overpass3.thm/[filename].php`).

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*lMm_V7ME9j7-GzyG.png" alt="" height="156" width="700"><figcaption><p>Successfully popped reverse shell.</p></figcaption></figure>

## Table 1.2: Credentials <a href="#id-1767" id="id-1767"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:615/1*OjyTvA_FpqQsycIuRq9hSQ.png" alt="" height="181" width="492"><figcaption></figcaption></figure>

## Post-Exploitation <a href="#id-332f" id="id-332f"></a>

### Internal Enumeration <a href="#id-5911" id="id-5911"></a>

### Table 1.3: Checklist for Linux Internal Enumeration <a href="#id-894a" id="id-894a"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*8qE7Vv4-wDENWJh_5BEPOQ.png" alt="" height="282" width="700"><figcaption><p>Linux checklist for Privilege escalation vectors.</p></figcaption></figure>

*Note: for more information about the commands, look [here](https://explainshell.com/).*

*Tip: when nothing else makes sense, try [LinPEAS](https://github.com/carlospolop/PEASS-ng) ([winPEAS](https://github.com/carlospolop/PEASS-ng) for Windows machines).*

Let's check the `/etc/passwd` file to see which users have a login shell.

* `grep "bash" /etc/passwd`

<figure><img src="https://miro.medium.com/v2/resize:fit:508/0*xeABE1hfXiLYTyqV.png" alt="" height="133" width="406"><figcaption><p>users with login shell.</p></figcaption></figure>

Let's stabilize the shell by using `python3`.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*RDpU3bKMH6QnoVJ-.png" alt="" height="187" width="700"><figcaption><p>locating python binary for upgrading shell.</p></figcaption></figure>

To upgrade the shell:

* `python3 -c 'import pty;pty.spawn("/bin/bash")'`

Let's try to login as `paradox` since we have his/her creds.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*XauAQwArzuvgOpbO.png" alt="" height="285" width="700"><figcaption></figcaption></figure>

We also enumerated binaries with the `SUID` bit set.

* `find / -type f -perm -u+s 2>/dev/null`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*q6Brky8ck1anRPub.png" alt="" height="306" width="700"><figcaption></figcaption></figure>

The room's questions mention a hidden web flag needed to complete the room. Let's find it using the `find` command.

* `find / -type f -name "*flag*" 2>/dev/null`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*hI4IvqoC4r0ZmgUf.png" alt="" height="222" width="700"><figcaption><p>web flag.</p></figcaption></figure>

Let's also check which ports are listening on the machine. To do this:

* `ss -tulpn`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*-mYDZiLD82AyvHt3.png" alt="" height="271" width="700"><figcaption><p>Open ports.</p></figcaption></figure>

We already knew about HTTP, SSH and FTP, but port `2049` is an NFS server that `nmap` did not find because it is bound only to `localhost`.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*-csxigbaU5ypRCMF.png" alt="" height="342" width="700"><figcaption><p>port 2049: NFS.</p></figcaption></figure>

Let's create an `SSH` tunnel to see which shares are accessible through `NFS`.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*zD1Je41tH0uZNqCa.png" alt="" height="104" width="700"><figcaption><p>SSH tunnel through 2049 to become accessible through localhost.</p></figcaption></figure>

## Privilege Escalation <a href="#e2bc" id="e2bc"></a>

After several minutes, I stopped manual enumeration and uploaded `LinPEAS` to the machine.

`LinPEAS` showed a privilege escalation vector: the share in `/etc/exports` is exported with the `no_root_squash` option.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*9iL2yQe-gqQPTntq.png" alt="" height="168" width="700"><figcaption><p>no_root_squash.</p></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:680/0*xyKWN8c0ETv7xVEV.png" alt="" height="76" width="544"><figcaption><p>no_root_squash PE vector.</p></figcaption></figure>
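The `/etc/exports` finding is worth being able to check without LinPEAS. As an added example, not from the original writeup or from LinPEAS, the script below parses exports(5)-style entries and reports the options that made this share dangerous, alongside a corrected entry that passes. The exports text is constructed; in the room the share was reached as `127.0.0.1:/`, and the paths and client ranges here are assumptions.

```python
"""Audit /etc/exports for the options that made this room's NFS share exploitable.

Added example, not code from the original writeup or from LinPEAS. The
exports text is constructed; the parser follows the exports(5) syntax
`<path> <client>(<options>) [<client>(<options>) ...]`.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed /etc/exports: the first entry carries the weak settings,
# the other two are reasonable.
SAMPLE_EXPORTS = """\
# /etc/exports - constructed sample
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/public 10.0.0.0/24(ro,sync,root_squash)
/srv/data   10.0.0.5(rw,sync)   10.0.0.6(rw,sync,no_subtree_check)
"""

# The same share exported the way it should be: one subnet, root squashed.
CORRECTED_EXPORTS = """\
/home/james 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
"""

# A client spec is `host(opt,opt)` or a bare `host`, in which case defaults apply.
CLIENT_RE = re.compile(r"(?P<client>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (path, client, options) for every client of every export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in CLIENT_RE.finditer(rest):
            opts = {o.strip() for o in (m["opts"] or "").split(",") if o.strip()}
            entries.append((path, m["client"], opts))
    return entries


def assess(client: str, opts: Set[str]) -> List[str]:
    """Findings for one export entry. exports(5) defaults are ro and root_squash."""
    findings = []
    writable = "rw" in opts
    if "no_root_squash" in opts:
        findings.append("no_root_squash: a remote root keeps uid 0 on the share")
        if writable:
            findings.append("rw + no_root_squash: clients can create root-owned files, "
                            "including setuid binaries")
    if client in ("*", "0.0.0.0/0"):
        findings.append("exported to every host")
    if "insecure" in opts:
        findings.append("insecure: requests accepted from unprivileged source ports")
    return findings


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map "path client" to its findings; clean entries are omitted."""
    report = {}
    for path, client, opts in parse_exports(text):
        findings = assess(client, opts)
        if findings:
            report[f"{path} {client}"] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(entry)
        for f in findings:
            print("  -", f)
    print("corrected entry findings:", audit_exports(CORRECTED_EXPORTS))
```

Point `audit_exports` at the contents of the real `/etc/exports` (and at `exportfs -v` output if you want the effective options) during a host review; the `rw` plus `no_root_squash` combination is the one that turns a file share into a root shell, as the next steps show.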

To elevate our privileges:

1. On the attacking machine, create a directory for mounting the `NFS` share. In this case, I created the `tmp/PrivEsc` directory for mounting the vulnerable share.

* `sudo mount -v -t nfs 127.0.0.1:/ [MOUNT DIRECTORY]`

2. Check the contents of the mounted `NFS` share.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*NFa57kbvFoZZLFd8.png" alt="" height="274" width="700"><figcaption><p>Copied SSH private key of james.</p></figcaption></figure>

3. We copied `james`' private key (`id_rsa`) and logged in via SSH.

4. On the victim machine, we copied the `bash` binary to `james`' home directory.

* `cp /bin/bash bash`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*yBCLrRMBnuwplg2K.png" alt="" height="343" width="700"><figcaption><p>Copied /bin/bash to james’ home directory.</p></figcaption></figure>

5. On our attacking machine, we changed the ownership and permissions of the `bash` binary through the mounted share.

* `sudo chown root:root bash`
* `sudo chmod +s bash`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*iN8of1TXx4SPzv2K.png" alt="" height="346" width="700"><figcaption><p>Attacker given SUID permissions on bash binary.</p></figcaption></figure>

6. On the victim machine, execute the `bash` binary with the `-p` flag to gain a root shell.

* `./bash -p`

Now we are root!

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*KidpUss_wUgtZW-C.png" alt="" height="107" width="700"><figcaption><p>rooted</p></figcaption></figure>
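The chain above ends with a root-owned setuid copy of `bash` sitting in a user's home directory, which is exactly the kind of artifact a host-based check can catch. As an added example that is not part of the original writeup, this script scans a tree for files with the setuid bit and compares them with a baseline of expected setuid binaries; the sample tree, its modes and the baseline are constructed, and the `home/james/bash` path simply mirrors this room.

```python
"""Find setuid files that are not in a known-good baseline.

Added example, not code from the original writeup. The sample tree, its
modes and the baseline are constructed; the real behaviour is the
os.lstat / S_ISUID check, the same test `find / -perm -u+s` performs.
"""
import os
import stat
import tempfile
from typing import Set


def scan_suid(root: str) -> Set[str]:
    """Return root-relative paths of regular files with the setuid bit set.

    lstat is used so symlinks are not followed out of the scanned tree.
    """
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(os.path.relpath(full, root).replace(os.sep, "/"))
    return found


def unexpected_suid(root: str, baseline: Set[str]) -> Set[str]:
    """Setuid files present on disk but absent from the baseline."""
    return scan_suid(root) - baseline


def build_sample_tree() -> str:
    """Constructed filesystem slice: one legitimate setuid binary, one planted copy."""
    root = tempfile.mkdtemp(prefix="suidscan_")
    files = {
        "usr/bin/sudo": 0o4755,        # expected, present in the baseline
        "usr/bin/ls": 0o755,           # ordinary binary
        "home/james/bash": 0o4755,     # planted setuid copy, as in this room
        "home/james/notes.txt": 0o644,
    }
    for rel, mode in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)        # chmod after writing; a write would clear the bit
    return root


# Constructed baseline; on a real host this comes from the package manifest
# or from a snapshot taken when the system was built.
BASELINE = {"usr/bin/sudo"}

if __name__ == "__main__":
    root = build_sample_tree()
    for path in sorted(unexpected_suid(root, BASELINE)):
        print("unexpected setuid file:", path)
```

Run `unexpected_suid("/", baseline)` on a schedule with a baseline recorded at build time; a setuid file under `/home` or `/tmp` has no legitimate reason to exist, and mounting such locations `nosuid` prevents the `./bash -p` step from working at all.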

