Exploiting the Gaming Server on TryHackMe
Summary
This machine is quite simple and can be exploited by beginners with little effort. However, the attacker has to look within the victim machine and identify the red flags. The method of privilege escalation on this machine is also out of the ordinary, and you might have to look up on Google how to exploit it.
However, it turns out that this skill is very useful and will help you in your pentesting career.
In order to exploit this machine, a user would have to know how to:
• Do a recon of the web directories and look for information that will be useful to exploit the machine.
• Identify and crack SSH private keys.
• Research exploits that are publicly available and use them to escalate your privileges.
Link to the machine: https://tryhackme.com/room/gamingserver
Recon
In order to begin exploiting this machine, we do a basic nmap scan. I've used nmapautomator for this task (and added only the most relevant results to this writeup); however, feel free to use any tool that you are comfortable with.
We immediately see that two ports are open: one is SSH and the other is HTTP.
Since HTTP presents a larger attack surface, we explore it further to see what information it holds for us.
Observing the scan below shows us that the uploads directory, the secret directory and the robots.txt file are worth investigating.
We first look at the website itself to see what information it presents.
The index.html page presents the above information to us. We view the page source to see if it holds any clues for our search.
Looking at the page source, we see that the developer has left a comment on line 76, from which we can deduce that “john” must be a user. We make a note of this information.
We then go through the robots.txt file to see what information it provides us.
From the page above, it can be seen that there is not much to learn from the /robots.txt file. We then move on to the /secret directory.
From what we can see, it looks like some sort of private key for the machine. We open this file to check whether it is an SSH private key.
This confirms that we have a private key. We could use it to log in to the machine as john. However, we might have to crack the private key to recover its password. Let us also look around to see what more information we can obtain from this machine. We move to the /uploads/ directory to see what it can provide us with.
From the page above, we can see that there is a file named dict.lst. We download this file to see if it can be of any help in cracking the SSH private key.
Reading the contents of the dict.lst file, we see that it is some sort of wordlist. We then use ssh2john.py to obtain a hash from the SSH private key.
Now that we have the hash stored in the secretKey.txt file, we use it to crack the SSH private key password with John the Ripper, providing dict.lst as the wordlist.
Voila, we have the SSH private key password. The next step is to use it to log in to the machine.
Exploiting the Machine
In order to log in to the machine as john, the first step we would have to do is to make the SSH private key readable and writable only by the root user (on the attacking machine). We do this as shown below.
Using SSH to log in to the machine, we can see that the password is indeed correct, and that we have access to the machine as the user john.
From the OSCP exam point of view, I would suggest that you display the user you are logged in as and the IP address of the machine, since this is the format asked for by Offensive Security when submitting the report.
As part of the effort to escalate our privileges, we begin by checking which groups we are a part of.
We can see that we are a part of the lxd group. LXD has an active working exploit which allows escalation of privileges. The only requirement is that the user must be a member of the lxd group.
While trying to escalate privileges, I would recommend using an automated tool such as linpeas or unix exploit suggester to see what options are available to escalate your privileges. Once you have the results, you might have to do a manual verification of the findings to ensure that you have a defined path towards privilege escalation.
For your reference, I am attaching a link to the linpeas tool. Unix exploit suggester is already available on Kali Linux.
Link: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Privilege Escalation
We do a Google search for escalating our privileges. The first two links, which I have given below, provide us with enough information to help us with the privilege escalation process.
https://www.hackingarticles.in/lxd-privilege-escalation/
https://github.com/carlospolop/hacktricks/blob/master/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
I suggest that you follow the process given in the GitHub link, and once the lxd.tar.xz and rootfs.squashfs files are ready, move them to the victim machine. You may then transfer the files via any method that you are comfortable with.
Again follow the instructions provided in the GitHub link to run the commands on the victim machine. At the end of it, you should have root user status.
At this point, all that we have to do would be to obtain the root flag, which the user would be able to easily do.
Recommendations for Hardening the System
In order to highlight the hardening techniques that one may use to improve the security posture of the machine, the following recommendations would be helpful:
• Ensure that files such as private keys and text files that contain sensitive information are not publicly accessible.
• It is suggested that the security posture of the machine is regularly audited to ensure that users are not placed in groups which may increase the chance of them being exploited.
• Further, system admins may also ensure that, in case sensitive files such as the SSH private key need to be placed in publicly accessible locations, they are given passwords that cannot be cracked easily and follow the best practices provided by NIST, ISO 27001 etc.
• Further, educating users regarding the security posture of the organization would also be very helpful, as it reduces the probability of them falling bait to phishing schemes.
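As an added example (not part of this writeup or of the TryHackMe room), the following Python script turns the first two recommendations, together with the weaknesses found earlier in the room (a private key under /secret, a wordlist under /uploads, a username leaked in an HTML comment, and a user placed in the lxd group), into a defender-side audit. It walks a web document root looking for PEM private keys, wordlist-shaped files and HTML comments, and parses /etc/group content for members of groups that are effectively root. The directory layout mirrors the room (secret/secretKey, uploads/dict.lst, index.html), but all file contents, the group file, and the function names are constructed for the example.

```python
"""
Defender-side audit for two weaknesses seen in the writeup:
  1. secrets (SSH private keys, wordlists) and username-revealing HTML
     comments sitting under a web document root, and
  2. unprivileged accounts placed in the lxd group (or similar groups).
All sample data below is constructed for this example.
"""
import re
import tempfile
from pathlib import Path

# Header of any PEM-encoded private key (OpenSSH, RSA, EC, PKCS#8 ...).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Membership in these groups is effectively root on a typical Linux host.
HIGH_RISK_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}


def looks_like_wordlist(text, min_lines=20):
    """Heuristic: many lines, and every non-empty line is a single token."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return len(lines) >= min_lines and all(" " not in ln.strip() for ln in lines)


def audit_webroot(webroot):
    """Return (relative_path, finding) tuples for every file under a web root."""
    webroot = Path(webroot)
    findings = []
    for path in sorted(webroot.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(webroot).as_posix()
        if PRIVATE_KEY_RE.search(text):
            findings.append((rel, "private key exposed"))
        if looks_like_wordlist(text):
            findings.append((rel, "wordlist exposed"))
        if path.suffix in {".html", ".htm"}:
            # Surface every comment so an admin can review it for leaked names.
            for comment in HTML_COMMENT_RE.findall(text):
                findings.append((rel, "html comment: " + " ".join(comment.split())))
    return findings


def audit_groups(group_file_text, risky=HIGH_RISK_GROUPS):
    """Parse /etc/group content; return {group: [members]} for risky groups."""
    result = {}
    for line in group_file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name in risky and members:
            result[name] = members.split(",")
    return result


# Constructed /etc/group content: "john" has been placed in the lxd group.
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:
lxd:x:108:john
john:x:1000:
"""


def build_sample_webroot(base):
    """Create a constructed web root with the layout seen in the writeup."""
    base = Path(base)
    (base / "secret").mkdir(parents=True)
    (base / "uploads").mkdir()
    (base / "index.html").write_text(
        "<html><body>Welcome\n<!-- john, change the password -->\n</body></html>\n")
    (base / "secret" / "secretKey").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA(constructed)\n"
        "-----END RSA PRIVATE KEY-----\n")
    (base / "uploads" / "dict.lst").write_text(
        "\n".join(f"password{i}" for i in range(25)) + "\n")
    (base / "robots.txt").write_text("User-agent: *\nDisallow: /uploads/\n")
    return base


def run_audit():
    """Build the sample tree, audit it, and return (web_findings, risky_groups)."""
    with tempfile.TemporaryDirectory() as tmp:
        web = audit_webroot(build_sample_webroot(tmp))
    groups = audit_groups(SAMPLE_GROUP_FILE)
    return web, groups


if __name__ == "__main__":
    web, groups = run_audit()
    for rel, finding in web:
        print(f"[web]   {rel}: {finding}")
    for group, members in groups.items():
        print(f"[group] {group}: {', '.join(members)}")
```

On a real host you would point audit_webroot at the actual document root (for example /var/www/html) and feed audit_groups the contents of /etc/group; any "private key exposed" or "wordlist exposed" line, and any non-empty member list for lxd, is exactly the kind of finding the recommendations above ask administrators to audit for.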
