Overpass 3 - Hosting
This is my write-up for the TryHackMe machine at: https://tryhackme.com/room/overpass3hosting
Nmap Scan command:
Nmap output:
I noticed that they have 3 ports open. I went to the web (port 80) first to check it out:
There was no /robots.txt file. I then ran gobuster on the IP address:
About 4% into the gobuster search, I got the following output:
Going to the backups website, I saw this:
I then downloaded the file. There were two files in the zip file:
Using this write-up, I realized that I could decrypt the file with the private key I had:
Since I am on Linux (Kali), I wanted to convert the file to a format that I would be able to view. I ran the following command to convert the Excel file into a csv file, which I was able to read:
I was then able to see the contents of the file:
It seems to be the customers of the website, based on the context. We also have their username and password. I will try this in FTP, and my plan is that if the password does not work on FTP, then I will try SSH. In FTP, I got access using the credentials for "Par. A. Doxx":
FTP seemed to only work for that user. The other passwords did not work in FTP. When I tried for SSH, the credentials did not work there either. I then went back to the same write-up above and then realized that I had to upload a php-reverse-shell. Going to this GitHub page, I downloaded the reverse-shell script. In the script, I changed the IP address to my TryHackMe IP address. I then uploaded the file to the server:
I then ran nc -lvp 1234 on another terminal tab, and was listening for a connection. After visiting http://10.10.168.65/php-reverse-shell.php, I got a reverse shell:
After being stuck for a while, I viewed this write-up in order to see where to go next. I used the command the author of the write-up used:
This gave me the following output:
This file had the flag in it:
I then downloaded Linpeas to my local machine using wget. I then pushed that to the server using an http server:
I then ran linpeas on the remote machine. I then saw the following, which I also saw in other write-ups as well:
I then went back to the most recently mentioned write-up, in order to understand what I had to do next. Following this write-up, I uploaded my key to the remote server so I could connect more easily. Here are the commands I ran:
I was then able to ssh into the machine to the user paradox from my machine directly:
After a long time of being stuck, I finally found a solution reading this write-up. My mistake was running the wrong command. The following is what worked for me:
I changed 2049 before the IP to 20049, since I kept on getting errors that the port was already in use. I then ran the following command to mount the share to my local machine:
If we change directory into the nfs folder, we can see the file system mounted there:
I read the user flag. After that, the ssh authorized key I had uploaded to paradox earlier, I had not uploaded it to .ssh/authorized_keys in the mounted directory. I then was able to SSH to the machine:
I read up from this write-up that I can now use the no_root_squash exploit, something that linpeas.sh had shown us earlier. I followed the following commands from the write-up to get it to work:
This got me root user on the machine. I then got the root flag.
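From the defender's side, the no_root_squash finding that linpeas reported corresponds to an option set in the NFS server's /etc/exports. The following is an added example (not part of the original write-up) that audits an exports file for that option; the sample file contents, paths and hosts are constructed, and the parser assumes unquoted paths and does not handle "-" default option lists.

```python
import re
import sys

# Constructed sample in /etc/exports syntax (not taken from the room's machine).
SAMPLE_EXPORTS = """\
# constructed example
/srv/share   192.0.2.0/24(rw,sync,root_squash)
/home/user   *(rw,fsid=0,sync,no_root_squash,insecure)
/srv/backup  backup.example(ro,no_root_squash) \\
             198.51.100.7(rw)
"""

# One client entry: optional host/network spec, optional "(opt,opt,...)".
ENTRY = re.compile(r"(?P<client>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file."""
    joined = re.sub(r"\\\n", " ", text)          # join continued lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *entries = line.split()
        for token in entries:
            m = ENTRY.fullmatch(token)
            if m is None:
                continue                          # syntax outside this example's scope
            opts = {o.strip() for o in (m["opts"] or "").split(",") if o.strip()}
            yield path, m["client"], opts


def audit(text):
    """Return exports where remote root keeps uid 0 (no_root_squash is set)."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append({
                "path": path,
                "client": client or "*",          # empty client means any host
                "writable": "rw" in opts,         # exports are read-only by default
                "any_host": client in ("", "*"),
            })
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for f in audit(source):
        print(f)
```

Each finding is an export that should be changed back to the default root_squash unless a specific client genuinely needs root access, in which case the client list should be narrowed to that host.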