GamingServer TryHacKMe walkthrough

Another day another writeup hello guys hope you are all doing great today we are going to be solving gameserver from tryhackme a room that really teaches the basics of hacking or penetration testing. It also teaches the importance of trying to see if common file like robots.txt in a web server exists and also the importance of looking at the webpage source code. We go into cracking some ssh encrypted private keys and do some privilege escalation with a user who’s in a lxd group am sure it’s going to be fun without much say let’s jump in.

As always we are going to start off with a nmap scan of the box to see the services that are running

Looking at nmap results we see that two ports are open

Both secure shell and HTTP is running. SSH requires credentials so we can’t do anything with that port just yet let’s enumerate HTTP first. Opening the webpage using Mozilla we get a standard webpage

So i first decided to look at the source code of the webpage and see if i find something that stands out . I presses CTRL + U

And i found a comment that gave us a hint that there is a user in the box called john

Sweet next i tried to see if robots.txt existed on the web server and this time i got lucky and found the file

There is a folder called uploads let’s see what it has

Navigating to the uploads directory we get 3 files

Seeing this i knew that there would probably be more directories so before analyzing the files i decided to run gobuster in the background on the web server

Now let’s take a look at the files that were in the uploads directory

Looking at dict.lst we we if some kind of a password list file

Manifesto.txt is a file just containing hacker’s manifesto

And lastly meme.jpg is just a picture

But now we have more than enough info to do a SSH brute force on the web server SSH since we have a possible wordlist and a possible username [john]

Let’s do a ssh brute force using hydra

But looking at the screenshot below we see that hydra was not able to crack the password

But remembering what we found before. There was also an image and these days it’s common for information to be hidden in images a technique called stenography. That was the next theory i was going to test out.

I will use steghide and try to see if information was added to the image and if no passphrase was used. Steghide is a tool designed to be portable and configurable and features hiding data in bmp, jpeg, wav and au files, blowfish encryption, MD5 hashing of passphrases to blowfish keys, and pseudo-random distribution of hidden bits in the container data.

But looking at the screenshot below i didn’t get that lucky. We got the message

steghide: could not extract any data with that passphrase!

But that’s not all. We can brute force the passphrase for the image [meme.jpg] if there’s any using stegcracker. As you remember before we did find a possible wordlist. So i decided to try it an see if I’ll get lucky

Looking at the screenshot below i did not get lucky this time :( .

So i decided to go back to the gobuster that i ran and see if it had found anything useful

Looking at the gobuster result we see it had found a directory called secret

Let’s take a look at it

Looking at the screenshot below we see it has a file called secretkey

Opening it we see that it’s an encrypted SSH private key

So i downloaded it to my local box and since it’s encrypted we have to crack the passphrase using john the ripper

First we need to convert the ssh private key to a hash format that john the ripper can understand and crack. This can be done by using ssh2john script

I saved the hash to a file called key.hash then tried cracking it with john using the wordlist we had found on the web server

As as you see below i was able to crack the passphrase

Sorry i can’t display the passphrase since the writeup will be rejected by tryhackme

The passphrase is also available in rockyou wordlist so it shouldn’t be that hard to crack but now it’s time for us to log into the web server via SSH

After all that we finally have access to the server. And we also have the user flag. We can submit it and earn the points

Now we have to escalate our privileges to root on the box. So i downloaded linpeas from my box and ran it. Linpeas is a bash script that automatically checks for misconfigurations on a web server that could become a privilege escalation vector

First thing that stands out is that we are in the lxd group and this posses a risk since it leads to privilege escalation

We can just mount the file system in a container and have access to it.

I’ll use alpine to create a container

The command that i used to create the container is as seen below

First i downloaded alpine to my box using the link below

git clone https://github.com/saghul/lxd-alpine-builder

Next i created the container using the command below

./build-alpine -a i686

After the command finished running it has created an alpine image in a compressed gunzip file

Next i uploaded the image to the server

Next i imported the image using the command below

lxc image import ./alpine-v3.11-i686-20200519_1656.tar.gz --alias myimage

Next i ran the image using the command

lxc init myimage mycontainer -c security.privileged=true

Next i did mount the root directory in the file system in /mnt using the command

lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

Next i started the container using the command

lxc start mycontainer

Now i can finally interact with the container using the command

lxc exec mycontainer /bin/sh

And now we are root on the box sweet

But remember we mounted the root folder in /mnt

Let’s navigate to it and retrieve the flag

Looking at the root.txt below we have the root flag

We can read the root fag submit it and earn the points

And the box is done. Easy right??

Comments are highly welcomed and if you liked the walkthorough you can clap for me down below and don’t forget to follow me so that you don’t miss any upcoming articles

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How Decentralization Will Completely Change the Internet as We Know It Today

Developers need to stop fearing the InfoSec Mafia

Proxmark 3, Cloning a Mifare Classic 1K

How to spot and exploit postMessage vulnerablities?

Welcome to #Gamejet NFT Platform Airdrop Is Live

What Are The Highlights Of The Kaseya Ransomware Attack?

Deterministic accounts

Fastest Fix on Open Bug Bounty Platform

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Musyoka Ian

Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

More from Medium

HackTheBox-Search

TryHackMe: [Day 21] Blue Teaming Needles In Computer Stacks

PickleRick TryHackMe WriteUp

Gallery TryHackMe Walkthrough