Overpass 3 - Hosting
After Overpass’s rocky start in infosec, and the commercial failure of their password manager and subsequent hack, they’ve decided to try a new business venture.
Goal
Hack the machine and get three flags:
- Web Flag
- User Flag
- Root Flag
Initial Recon
Nmap shows us an HTTP server on Apache running on port 80, There is also an FTP server on port 21, and SSH on port 22
A Gobuster reveals a “/backups” directory.
I also looked for a robots.txt but there was nothing to be found there.
Backups folder has a private key (priv.key) in a zip file, as well as as a encrypted spreadsheet file (CustomerDetails.xlsx.gpg)
Can I use this private key to decrypt the customer details?
I imported the private key into my GPG keychain, and was able to use it to decrypt the CustomerDetails.xlsx.gpg file. Opening it in LibreOffice, I was provided with some credentials of three users, with passwords in plaintext. As well as some credit card numbers.
I was unable to SSH in using any of these credentials, as they were secured using key based authentication, and the GPG isn’t any use for that.
I was however able to log into the FTP server as the paradox user.
Nothing interesting here, but I’m able to upload to the webserver, so I uploaded a PHP reverse shell from pentestmonkey.
Setting up a web-listener…
1
nc -lnvp 9999
I got a shell!
Took quite a bit of searching, but eventually I find the web flag with this command.
1
find / -name *flag* 2>/dev/null
Now that I had the web flag, I tried switching laterally to another user. The only user in this box that I had a credential for (from the spreadsheet) was paradox. The shell I was using currently was pretty unstable, so I appended my public key to paradox’s authorized_keys file, and logged in via SSH directly. I couldn’t see anything obvious, and no user flag yet, so I uploaded linpeas.sh using curl.
This next part took me a good long while, but I’ve not experienced NFS services before. This is the key part of the linpeas output that indicates a PE vector.
1
2
3
╔══════════╣ Analyzing NFS Exports Files (limit 70)
-rw-r--r--. 1 root root 54 Nov 18 2020 /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
This section on hacktricks was useful reading: NFS no_root_squash/no_all_squash misconfiguration PE
Running
1
rpcinfo -p | grep nfs
revealed there was indeed a NFS server running on port 2049. However it was only accessable to localhost, I couldn’t see it from my attacker box. I can’t make use of it on the remote box because I don’t have a root user.
Again a lot of floundering here! I eventually discovered I was able tunnel the internal 2049 port via SSH.
1
ssh paradox@10.10.64.218 -L 2049:127.0.0.1:2049
I was now able to see the remote share from my attacker box. From here I could see the james users flag, and was able to add my public key to james’ authorized_keys file and log in via SSH.
I mounted the share onto a local directory and tried copying the bash binary across from my attacker box, with a suid bit set (chmod +s bash), but was getting some errors thrown when trying to execute this as James, which I put down to the builds being incompatible, I then just (as james) copied the local version of bash into james home folder, then on my attacker box, chown’d it as root and set the suid bit.
This worked, and I was able to execute this version of bash using -p to (to run in priviledged mode, and not drop the file owners permissions). I now had a root shell and was able to retrieve the final flag :)