{"id":742,"date":"2021-01-17T20:29:00","date_gmt":"2021-01-17T19:29:00","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=742"},"modified":"2021-09-20T11:54:31","modified_gmt":"2021-09-20T09:54:31","slug":"tryhackme-overpass-3","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/tryhackme-overpass-3\/","title":{"rendered":"[TryHackme] \u2013 Overpass 3"},"content":{"rendered":"<\/span> 4<\/span> min read<\/span><\/span>

Views: 1988<\/p>\n

<\/div>\n\n\n\n
\"tryhackme\"<\/figure><\/div>\n\n\n\n

<\/p>\n\n\n\n

Lien : <\/strong>https:\/\/tryhackme.com\/room\/overpass3hosting<\/a><\/p>\n\n\n\n

\n\n\n\n

[Web]<\/h2>\n\n\n\n
<\/div>\n\n\n\n

Dans un premier temps, nous allons effectuer un scan nmap<\/span><\/strong> :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"tryhackme\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\"tryhackme\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Rien \u00e0 signaler de particulier du c\u00f4t\u00e9 du site web nous allons donc \u00e9num\u00e9rer ce dernier avec l’outil ffuf<\/span><\/strong> :<\/p>\n\n\n\n

<\/div>\n\n\n\n
ffuf -u http:\/\/10.10.126.177\/FUZZ -c -w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Le fichier CustomerDetails.xlsx.gpg<\/strong> semble contenir des informations cruciales pour la suite.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Pour ce faire, nous d\u00e9chiffrons ce dernier \u00e0 l’aide des commandes suivantes :<\/p>\n\n\n\n
<\/div>\n\n\n\n
gpg --import priv.key\ngpg --decrypt CustomerDetails.xlsx.gpg > customer.xlsx<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Afin de lire ce fichier sans outil :<\/p>\n\n\n\n
<\/div>\n\n\n\n
https:\/\/sheet.zoho.com\/sheet\/excelviewer<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
N’oublions pas que nous avons un service FTP<\/span><\/strong> qui tourne sur la machine TryHackMe<\/a><\/strong> !<\/p>\n\n\n\n
En testant les credentials<\/span><\/strong> trouv\u00e9s plus haut nous avons donc un acc\u00e8s au FTP<\/span><\/strong> avec paradox:password<\/strong> !<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\u00c0 ce stade l\u00e0 nous pouvons simplement upload<\/strong> sur le FTP<\/strong> <\/span>notre reverse shell<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
https:\/\/raw.githubusercontent.com\/pentestmonkey\/php-reverse-shell\/master\/php-reverse-shell.php<\/a><\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Nous avons donc un acc\u00e8s \u00e0 la machine en tant qu’utilisateur apache<\/span><\/strong>, ce qui nous permet de r\u00e9cup\u00e9rer le premier flag<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
[User]<\/strong><\/h2>\n\n\n\n
<\/div>\n\n\n\n
En r\u00e9utilisant le mot de passe<\/strong> trouv\u00e9 plus haut nous sommes d\u00e9sormais paradox<\/strong> !<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Apr\u00e8s \u00e9num\u00e9ration<\/strong>, on peut voir que le r\u00e9pertoire courant de l’utilisateur James<\/span><\/strong> est partag\u00e9 avec l’argument no_root_squash<\/strong>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Cependant nous avons un soucis ! NFS<\/span><\/strong> \u00e9coute seulement en local<\/strong> sur la machine cible mais pas de panique nous allons utiliser la m\u00e9thode du SSH Tunneling<\/a><\/strong>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
Petit hic ! La connexion SSH<\/span><\/strong> pour l’utilisateur paradox<\/strong> n’est pas disponible par mot de passe mais nous pouvons g\u00e9n\u00e9rer les cl\u00e9s<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
Sur votre machine :<\/strong><\/p>\n\n\n\n
<\/div>\n\n\n\n
ssh-keygen -f key_paradox<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Sur la machine cible<\/strong> il vous suffit de copier\/coller le contenu de key_paradox.pub<\/strong> dans \/home\/paradox\/.ssh\/authorized_keys<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
La connexion est d\u00e9sormais possible  :<\/p>\n\n\n\n
<\/div>\n\n\n\n
ssh -i key_paradox paradox@10.10.126.177<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
C’est l’heure de forward le port 2049<\/span><\/strong> de notre c\u00f4t\u00e9.<\/p>\n\n\n\n
<\/div>\n\n\n\n
La commande est la suivante :<\/p>\n\n\n\n
<\/div>\n\n\n\n
ssh -i key_paradox paradox@10.10.126.177 -L 2049:127.0.0.1:2049<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Parfait ! C’est l’heure d’utiliser la technique sur le partage<\/strong> de l’utilisateur James<\/span><\/strong>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
Attention dans cette room nous avons affaire \u00e0 du nfs4 !<\/span><\/em><\/p><\/blockquote>\n\n\n\n
<\/div>\n\n\n\n
La proc\u00e9dure est la suivante :<\/p>\n\n\n\n
<\/div>\n\n\n\n
mkdir \/tmp\/mikadmin.fr\nmount -v -t nfs4 127.0.0.1:\/ \/tmp\/mikadmin.fr\ncp \/bin\/bash .\nchmod +s bash<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Bingo, le flag user<\/strong> est \u00e0 nous et par la m\u00eame occasion nous avons un acc\u00e8s direct \u00e0 la machine gr\u00e2ce au cl\u00e9s ssh<\/a><\/strong> disponibles dans le dossier courant<\/strong> de James<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
[Root]<\/h2>\n\n\n\n
<\/div>\n\n\n\n
Il est d\u00e9sormais temps de se connecter en tant que James<\/strong> <\/span>:<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Afin d’achever cette privesc<\/strong> de la machine Overpass3 de TryHackMe<\/a><\/strong>, il suffit simplement d’ex\u00e9cuter le binaire bash<\/span> <\/strong>que nous avons pr\u00e9par\u00e9 un peu plus haut !<\/p>\n\n\n\n
<\/div>\n\n\n\n
.\/bash -p<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
<\/span>  4<\/span> min read<\/span><\/span>You know them, you love them, your favourite group of broke computer science students have another business venture! Show them that they probably should hire someone for security… Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":45,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[44,39,48,43,45,22,63],"class_list":["post-742","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-centos","tag-forwarding","tag-gpg","tag-nfs","tag-pentest","tag-tryhackme","tag-writeup"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=742"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/742\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/45"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}