GamingServer TryHackMe walkthrough
Another day, another writeup. Hello guys, hope you are all doing great. Today we are going to be solving GamingServer from TryHackMe, a room that really teaches the basics of hacking or penetration testing. It also teaches the importance of checking whether common files like robots.txt exist on a web server, and the importance of looking at the webpage source code. We go into cracking an encrypted SSH private key and do some privilege escalation with a user who is in the lxd group. I'm sure it's going to be fun, so without much more to say let's jump in.
As always, we are going to start off with an nmap scan of the box to see which services are running.
Looking at the nmap results, we see that two ports are open.
Both secure shell (SSH) and HTTP are running. SSH requires credentials, so we can't do anything with that port just yet; let's enumerate HTTP first. Opening the webpage in Mozilla we get a standard webpage.
So I first decided to look at the source code of the webpage and see if I could find something that stands out. I pressed CTRL + U.
And I found a comment that hints that there is a user on the box called john.
Sweet. Next I tried to see if robots.txt existed on the web server, and this time I got lucky and found the file.
There is a folder called uploads; let's see what it has.
Navigating to the uploads directory we get 3 files.
Seeing this, I figured there would probably be more directories, so before analyzing the files I decided to run gobuster against the web server in the background.
Now let's take a look at the files that were in the uploads directory.
Looking at dict.lst, we see it is some kind of password list file.
Manifesto.txt is a file just containing the hacker's manifesto.
And lastly meme.jpg is just a picture.
But now we have more than enough info to attempt an SSH brute force against the server, since we have a possible wordlist [dict.lst] and a possible username [john].
Let's do an SSH brute force using hydra.
But looking at the screenshot below, we see that hydra was not able to crack the password.
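From the defender's side, a hydra run like the one above leaves a burst of "Failed password" lines in the server's auth log. The following is an added example, not part of the original writeup: a POSIX sh function that counts sshd password failures per source address over constructed sample log lines and reports the sources that cross a threshold. The host name, addresses and user names in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): flag SSH password
# brute-force attempts from auth.log-style lines.
# Constructed sample log; host name, IPs, ports and users are hypothetical.
SAMPLE_AUTH_LOG='May 19 16:50:01 gamingserver sshd[1201]: Failed password for john from 10.0.0.5 port 51000 ssh2
May 19 16:50:01 gamingserver sshd[1202]: Failed password for john from 10.0.0.5 port 51001 ssh2
May 19 16:50:02 gamingserver sshd[1203]: Failed password for john from 10.0.0.5 port 51002 ssh2
May 19 16:50:02 gamingserver sshd[1204]: Failed password for invalid user admin from 10.0.0.5 port 51003 ssh2
May 19 16:50:03 gamingserver sshd[1205]: Failed password for john from 10.0.0.5 port 51004 ssh2
May 19 16:50:09 gamingserver sshd[1210]: Accepted publickey for john from 10.0.0.7 port 52000 ssh2
May 19 16:51:00 gamingserver sshd[1211]: Failed password for alice from 10.0.0.9 port 53000 ssh2'

# Read log lines on stdin; print "count ip" for every source with failures.
# Only sshd "Failed password" events are counted, so successful logins
# and other daemons' lines are ignored.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
       }' | sort | uniq -c | awk '{ print $1, $2 }'
}

# Read log lines on stdin; print each source IP whose failure count
# reaches the threshold given as $1 (default 5), one per line.
brute_force_sources() {
  threshold=${1:-5}
  failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Run the detector over the constructed sample so the example works offline.
sample_brute_force_sources() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 5
}

sample_brute_force_sources
```

On a real host the same functions read `/var/log/auth.log` (or `journalctl -u ssh`) instead of the sample; the threshold is the only tuning knob.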
But remember what we found before: there was also an image, and these days it's common for information to be hidden in images, a technique called steganography. That was the next theory I was going to test out.
I will use steghide and try to see if information was added to the image without a passphrase. Steghide is a tool designed to be portable and configurable; it supports hiding data in BMP, JPEG, WAV and AU files, Blowfish encryption, MD5 hashing of passphrases into Blowfish keys, and pseudo-random distribution of the hidden bits in the container data.
But looking at the screenshot below, I didn't get that lucky. We got the message:
steghide: could not extract any data with that passphrase!
But that's not all. We can brute force the passphrase for the image [meme.jpg], if there is one, using stegcracker. As you remember, we did find a possible wordlist earlier, so I decided to try it and see if I would get lucky.
Looking at the screenshot below, I did not get lucky this time :( .
So I decided to go back to the gobuster scan that I ran and see if it had found anything useful.
Looking at the gobuster result, we see it had found a directory called secret.
Let's take a look at it.
Looking at the screenshot below, we see it has a file called secretkey.
Opening it, we see that it's an encrypted SSH private key.
So I downloaded it to my local box, and since it's encrypted we have to crack the passphrase using John the Ripper.
First we need to convert the SSH private key into a hash format that John the Ripper can understand and crack. This can be done using the ssh2john script.
I saved the hash to a file called key.hash, then tried cracking it with john using the wordlist we had found on the web server.
As you can see below, I was able to crack the passphrase.
Sorry, I can't display the passphrase since the writeup would be rejected by TryHackMe.
The passphrase is also available in the rockyou wordlist, so it shouldn't be that hard to crack. But now it's time for us to log into the server via SSH.
After all that, we finally have access to the server. And we also have the user flag; we can submit it and earn the points.
Now we have to escalate our privileges to root on the box. So I downloaded linpeas from my box and ran it. LinPEAS is a bash script that automatically checks for misconfigurations on the server that could become a privilege escalation vector.
The first thing that stands out is that we are in the lxd group, and this poses a risk since membership in it leads to privilege escalation.
We can just mount the host file system into a container and have access to it.
I'll use Alpine to create a container.
The commands that I used to create the container are shown below.
First I downloaded the Alpine builder to my box using the link below.
git clone https://github.com/saghul/lxd-alpine-builder
Next I built the Alpine image using the command below.
./build-alpine -a i686
After the command finished running, it had created an Alpine image as a gzipped tarball.
Next I uploaded the image to the server.
Next I imported the image using the command below.
lxc image import ./alpine-v3.11-i686-20200519_1656.tar.gz --alias myimage
Next I created a container from the image using the command below.
lxc init myimage mycontainer -c security.privileged=true
Next I mounted the host's root directory at /mnt/root inside the container using the command below.
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Next I started the container using the command below.
lxc start mycontainer
Now I can finally interact with the container using the command below.
lxc exec mycontainer /bin/sh
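The sequence above works only because two things hold at once: a non-root user sits in the lxd group, and a privileged container is allowed to attach the host's / as a disk device. As an added example, not part of the original writeup, here is a POSIX sh audit that checks both conditions against constructed group-file and `lxc config show`-style input, so it runs offline; the user names, GIDs and container name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit the two
# preconditions of the lxd escalation. Sample inputs are constructed;
# on a real host feed /etc/group and "lxc config show <name>" instead.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
lxd:x:130:john,alice
docker:x:999:'

SAMPLE_CONTAINER_CONFIG='config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk'

# Print the comma-separated member list of group $1 from group-file text on stdin.
group_members() {
  awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Print each lxd group member on its own line (no output when the group is empty).
lxd_members() {
  printf '%s\n' "$SAMPLE_GROUP" | group_members lxd | tr ',' '\n' | sed '/^$/d'
}

# Succeed (exit 0) when the container config is privileged AND attaches
# the host root as a disk device; fail otherwise.
host_root_exposed() {
  printf '%s\n' "$SAMPLE_CONTAINER_CONFIG" | awk '
    /security\.privileged: "true"/ { priv = 1 }
    /^ *type: disk/                { disk = 1 }
    /^ *source: \/$/               { rootsrc = 1 }
    END { if (priv && disk && rootsrc) exit 0; exit 1 }'
}

# Return 1 if either weakness is present, 0 if the host looks clean.
audit_lxd() {
  rc=0
  members=$(lxd_members)
  if [ -n "$members" ]; then
    echo "WARNING: lxd group grants host-root access to: $(echo "$members" | tr '\n' ' ')"
    rc=1
  fi
  if host_root_exposed; then
    echo "WARNING: privileged container mounts the host root filesystem"
    rc=1
  fi
  return $rc
}

audit_lxd
```

Remediating the sample means removing the users from the lxd group and rejecting containers that set security.privileged with a / disk source; re-running the audit should then return 0.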
And now we are root on the box. Sweet!
But remember, we mounted the host's root folder at /mnt/root inside the container.
Let's navigate to it and retrieve the flag.
Looking at root.txt below, we have the root flag.
We can read the root flag, submit it and earn the points.
And the box is done. Easy, right??
Comments are highly welcome, and if you liked the walkthrough you can clap for me down below. Don't forget to follow me so that you don't miss any upcoming articles.