GamingServer-TryHackMe
This write-up is based on TryHackMe's room named Gaming Server, which can be found at:-
The description says it is an easy Boot2Root box and the task is simple: get both the user and root flags.
Let's begin with a simple Nmap scan using the command:
nmap -sC -sV 10.10.221.152
Ports 22 and 80 are open. Let's check the web page first:
It seems to be a simple website, and the page source of the main page reveals a potential username: "john".
Let's do some directory busting using dirsearch (https://github.com/maurosoria/dirsearch):
/opt/tools/dirsearch/dirsearch.py -u 10.10.221.152 -E -x 400,500 -r -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Let's check what is behind these two paths on the website:
http://10.10.221.152/uploads/ ==> A potential password list - dict.lst
http://10.10.221.152/secret/ ==> A potential SSH private key - possibly for the user john
I used hydra to brute-force both the users john and root with dict.lst, but with no success. I used the following commands:
hydra -s 22 -v -q -l john -P dict.lst -e nsr -t 4 -w 5 10.10.221.152 ssh
hydra -s 22 -v -q -l root -P dict.lst -e nsr -t 4 -w 5 10.10.221.152 ssh
It seems we need to use ssh2john to crack the passphrase of john's SSH key. Let's try this:
sudo python /opt/tools/ssh2john.py secretKey > crack.txt
and then
sudo john --wordlist=dict.lst crack.txt
This gives us the passphrase. Now let's SSH in with the private key and the passphrase using the following commands:
chmod 600 secretKey
ssh -i secretKey john@10.10.221.152
We get the user flag in john's home directory.
Now let's try privilege escalation to get the root flag. Let's run linPEAS.sh first (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) and we will find:
Let's use the steps mentioned on this website to escalate privileges, as our user is part of the "lxd" group, which can be (ab)used to gain a root shell:-
And we will get our root flag:
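From the defender's side, the two findings that made this box fall are a private key served from the web root (/secret/) and a normal user sitting in the root-equivalent "lxd" group. The following audit script is an added example, not part of the original write-up or of any tool it mentions; the group list, the file paths and the sample /etc/group data are constructed assumptions, and the key file it creates is a placeholder, not a real key.

```python
"""Added audit for the two weaknesses this write-up exploits: a private key
under the web root, and a non-root user in a root-equivalent group such as lxd."""
import os
import re
import tempfile

# Groups whose members can reach root without a password prompt (assumed list).
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}
# PEM header shared by OpenSSH, RSA, EC and PKCS#8 private keys.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Constructed /etc/group excerpt mirroring the box: john is a member of lxd.
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:\nlxd:x:108:john\njohn:x:1000:\n"

def root_equivalent_members(group_text):
    """Return {group: [non-root members]} for root-equivalent groups in /etc/group text."""
    findings = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or line.startswith("#"):
            continue  # blank, comment or malformed line
        members = [m for m in fields[3].split(",") if m and m != "root"]
        if fields[0] in ROOT_EQUIVALENT_GROUPS and members:
            findings[fields[0]] = members
    return findings

def exposed_private_keys(webroot, max_bytes=65536):
    """Return paths under webroot whose content carries a PEM private-key header."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # keys are small; cap the read
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if PRIVATE_KEY_RE.search(head):
                hits.append(path)
    return sorted(hits)

def make_sample_webroot():
    """Build a constructed web root holding a placeholder (not real) key file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "secret"))
    with open(os.path.join(root, "secret", "secretKey"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n")
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html>hello</html>\n")
    return root
```

On a real host, run root_equivalent_members on the contents of /etc/group and exposed_private_keys on the web server's document root; any hit is a finding to fix (remove the user from the group, or remove the key from the web root and rotate it).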
Thanks for reading. See you next time :)