Game Server
September 12, 2020 (last updated September 12, 2020)
TASK I
In this write-up, I am doing a CTF that is based on gaining access to a game server and then escalating privileges to root.
The first thing I am going to do is look at the source of the webpage and see if any information is being hidden.
Perfect. TryHackMe usually uses simple login names, so the HTML comment containing the username john is a great place to start once I get some access to the server.
Using Nmap
Next, I want to take a moment to run some reconnaissance against the given IP address.
In this scan I run nmap against all ports, with a few extra options that run its scripting engine against any port it finds open. (This makes the scan much noisier on the network.)
The only open ports on this server are 22 (SSH) and 80 (HTTP); nothing abnormal.
Using Gobuster
The next direction I take is to enumerate the directories of the web server. You can use Burp Suite, DirBuster, or something similar; I went ahead and used gobuster for this task.
Awesome, gobuster gives us two directories: /uploads and /secret.
The /secret directory holds a private key for us that looks really helpful, but it is passphrase-protected, so it will need to be converted into a hash and cracked before it can be used as the private key for our user john.
The next directory, /uploads, has a few interesting items (a meme and a text story), but my interest is in a file named dict.lst. This file is a word list that should give me the passphrase for the private key. It is a good idea to copy the contents of the file into a file on our attacker box.
John the Ripper
Once I have both the private key and the word list saved on the attacker machine, I need to run a script that converts the key into a hash that John the Ripper can crack.
First, install the helper script from the command line:
Now, create the hash file with the script.
Once the .hash file is made, I can run the word list found earlier in /uploads against the .hash file to recover the key passphrase.
Once that is complete, make sure that the key file permissions are set correctly; otherwise your private key will be rejected by the SSH client.
Finally we are in, and we receive our first flag.
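The permission requirement above is easy to get wrong, so here is an added example (not part of the original write-up) of a small POSIX shell helper that checks whether a private key is readable only by its owner, as OpenSSH demands, and tightens it if not. The file name passed to it is whatever key you are working with; nothing here assumes a particular path.

```shell
#!/bin/sh
# Added example, not from the write-up: verify that an SSH private key has
# owner-only permissions (0600 or 0400). OpenSSH refuses a key that is readable
# by group or others with "UNPROTECTED PRIVATE KEY FILE!", which is the failure
# the write-up warns about.

# Print the octal permission bits of a file.
# GNU stat is tried first; the BSD/macOS form is the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the key is private to its owner, 1 otherwise (with a message).
check_key_perms() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)
            printf '%s: mode %s is too permissive, expected 600 or 400\n' \
                "$1" "$mode" >&2
            return 1 ;;
    esac
}

# Restrict the key to its owner and re-run the check.
fix_key_perms() {
    chmod 600 "$1" && check_key_perms "$1"
}

# Usage: check_key_perms ~/.ssh/id_rsa || fix_key_perms ~/.ssh/id_rsa
```

Run `check_key_perms` on the key before attempting the SSH login; if it fails, `fix_key_perms` applies `chmod 600` and confirms the result.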
TASK II
Privesc to Root
The first thing I am going to do is download LinPEAS to the attacker system. LinPEAS enumerates the target and highlights possible vectors for gaining root privileges on the server.
From your attacker machine, clone LinPEAS from this link: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Once you have that cloned to your attacker machine, start a simple web server on it so the target machine can fetch the shell script.
Then download the script from the target.
Next, just run the script on the target machine.
Now that LinPEAS is done, I need to look for anything red or highlighted. Highlighted items are usually the most likely privesc vectors, and red items should be investigated next. Our attack vector here is going to be lxd.
I am now going to get an exploit from the Exploit Database. On the victim machine, create a file and copy the exploit into it as a .sh file.
Exploit here: https://www.exploit-db.com/exploits/46978
Then adjust the permissions on the file to make it executable.
From our attacker machine, we need to grab the alpine build and compile it.
Once you have built the Alpine image, send it over to the target machine the same way you sent LinPEAS over.
Once the image is on the target machine, run the script and you should obtain root privileges.
*Note that the line above is date sensitive; you cannot copy and paste it exactly.*
Once we have root privileges, just cd to the location of root.txt.
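From the defender's side, the weakness LinPEAS flagged on this box is an ordinary user account sitting in the lxd group, which hands that account control of the container daemon and, through it, the host filesystem. The following audit script is an added example, not code from the write-up or from LinPEAS: it reads an /etc/group file and lists every member of the groups that commonly grant root-equivalent access (lxd, docker, disk), so an administrator can spot this misconfiguration before an attacker does. The group file content embedded in it is constructed for the demonstration; the account name john is used only because it appears in the write-up.

```shell
#!/bin/sh
# Added example, not from the write-up: find accounts that belong to groups
# which are effectively root (lxd, docker, disk) by parsing an /etc/group file.

# Constructed sample /etc/group content for demonstration; not from any target.
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,john
lxd:x:108:john
docker:x:999:
sudo:x:27:
john:x:1000:'

# Print one "group:member" line per member of each risky group.
# $1 = path to a group file (defaults to /etc/group on the current host).
risky_group_members() {
    groupfile="${1:-/etc/group}"
    awk -F: '
        $1 == "lxd" || $1 == "docker" || $1 == "disk" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "") print $1 ":" members[i]
        }' "$groupfile"
}

# Run the check against the constructed sample (writes it to a temp file).
sample_risky_members() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
    risky_group_members "$tmp"
    rm -f "$tmp"
}

# Audit wrapper: prints the offending memberships and returns 1 if any exist,
# so it can be used as a pass/fail check in a hardening script.
audit_groups() {
    out=$(risky_group_members "$1")
    if [ -n "$out" ]; then
        printf 'accounts in root-equivalent groups:\n%s\n' "$out"
        return 1
    fi
    return 0
}

# Usage on a live host: audit_groups /etc/group
```

On the sample the audit reports `lxd:john`, which is exactly the condition this box relies on. The fix is to remove the account from the group (for example with `gpasswd -d john lxd` on Debian-based systems) and to treat lxd and docker group membership as equivalent to sudo when reviewing accounts.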
Conclusion
This was a really fun challenge. The second half was difficult for me because I am still new to privilege escalation, but I learned a lot about the topic and feel ready for the next challenge. I want to thank the user exhalior for the write-up they made. You can find it here if you wish to read it.