GamingServer - tryhackme

go back / p4p1


Created on Fri 04 Sep 2020



I haven't done a proper Tryhackme writeup in a while! I was currently completing a lot of nice but very walk-through style rooms on tryhackme so a simple boot2root was probably the best way for me to release a little blog post.

Reconnaissance

Since last time I updated my style of recon I still use nmap but I do a little bash trick so that I save the output to a file and at the same time I can see the output. The command tee allows that by splitting the file streams

          
          #[p4p1@writeups untracked/]$ nmap -sC -sV -T 5 -vvv x.x.x.x | tee >(cat) > nmap_scan

          Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-04 22:12 CEST
          NSE: Loaded 151 scripts for scanning.
          NSE: Script Pre-scanning.
          NSE: Starting runlevel 1 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.00s elapsed
          NSE: Starting runlevel 2 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.00s elapsed
          NSE: Starting runlevel 3 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.00s elapsed
          Initiating Ping Scan at 22:12
          Scanning 10.10.91.173 [2 ports]
          Completed Ping Scan at 22:12, 0.02s elapsed (1 total hosts)
          Initiating Parallel DNS resolution of 1 host. at 22:12
          Completed Parallel DNS resolution of 1 host. at 22:12, 0.00s elapsed
          DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
          Initiating Connect Scan at 22:12
          Scanning 10.10.91.173 [1000 ports]
          Discovered open port 22/tcp on 10.10.91.173
          Discovered open port 80/tcp on 10.10.91.173
          Completed Connect Scan at 22:12, 1.34s elapsed (1000 total ports)
          Initiating Service scan at 22:12
          Scanning 2 services on 10.10.91.173
          Completed Service scan at 22:12, 6.06s elapsed (2 services on 1 host)
          NSE: Script scanning 10.10.91.173.
          NSE: Starting runlevel 1 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.94s elapsed
          NSE: Starting runlevel 2 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.09s elapsed
          NSE: Starting runlevel 3 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.00s elapsed
          Nmap scan report for 10.10.91.173
          Host is up, received syn-ack (0.038s latency).
          Scanned at 2020-09-04 22:12:00 CEST for 9s
          Not shown: 998 closed ports
          Reason: 998 conn-refused
          PORT   STATE SERVICE REASON  VERSION
          22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
          | ssh-hostkey: 
          |   2048 34:0e:fe:06:12:67:3e:a4:eb:ab:7a:c4:81:6d:fe:a9 (RSA)
          | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrmafoLXloHrZgpBrYym3Lpsxyn7RI2PmwRwBsj1OqlqiGiD4wE11NQy3KE3Pllc/C0WgLBCAAe+qHh3VqfR7d8uv1MbWx1mvmVxK8l29UH1rNT4mFPI3Xa0xqTZn4Iu5RwXXuM4H9OzDglZas6RIm6Gv+sbD2zPdtvo9zDNj0BJClxxB/SugJFMJ+nYfYHXjQFq+p1xayfo3YIW8tUIXpcEQ2kp74buDmYcsxZBarAXDHNhsEHqVry9I854UWXXCdbHveoJqLV02BVOqN3VOw5e1OMTqRQuUvM5V4iKQIUptFCObpthUqv9HeC/l2EZzJENh+PmaRu14izwhK0mxL
          |   256 49:61:1e:f4:52:6e:7b:29:98:db:30:2d:16:ed:f4:8b (ECDSA)
          | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEaXrFDvKLfEOlKLu6Y8XLGdBuZ2h/sbRwrHtzsyudARPC9et/zwmVaAR9F/QATWM4oIDxpaLhA7yyh8S8m0UOg=
          |   256 b8:60:c4:5b:b7:b2:d0:23:a0:c7:56:59:5c:63:1e:c4 (ED25519)
          |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLrnjg+MVLy+IxVoSmOkAtdmtSWG0JzsWVDV2XvNwrY
          80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
          | http-methods: 
          |_  Supported Methods: GET POST OPTIONS HEAD
          |_http-server-header: Apache/2.4.29 (Ubuntu)
          |_http-title: House of danak
          Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

          NSE: Script Post-scanning.
          NSE: Starting runlevel 1 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.00s elapsed
          NSE: Starting runlevel 2 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.00s elapsed
          NSE: Starting runlevel 3 (of 3) scan.
          Initiating NSE at 22:12
          Completed NSE at 22:12, 0.00s elapsed
          Read data files from: /usr/bin/../share/nmap
          Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
          Nmap done: 1 IP address (1 host up) scanned in 8.88 seconds
          
        

Seeing port 80 open I directed myself to the website using burp and ran a quick nikto scan:

          
          #[p4p1@writeups untracked/]$ nikto -host http://x.x.x.x | tee >(cat) > nikto_scan

          - Nikto v2.1.6
          ---------------------------------------------------------------------------
          + Target IP:          10.10.91.173
          + Target Hostname:    10.10.91.173
          + Target Port:        80
          + Start Time:         2020-09-04 22:12:35 (GMT2)
          ---------------------------------------------------------------------------
          + Server: Apache/2.4.29 (Ubuntu)
          + Server leaks inodes via ETags, header found with file /, fields: 0xaca 0x59e40b71bc7ab 
          + The anti-clickjacking X-Frame-Options header is not present.
          + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
          + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
          + No CGI Directories found (use '-C all' to force check all possible dirs)
          + "robots.txt" contains 1 entry which should be manually viewed.
          + Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
          + OSVDB-3268: /secret/: Directory indexing found.
          + OSVDB-3092: /secret/: This might be interesting...
          + OSVDB-3233: /icons/README: Apache default file found.
          + 7517 requests: 0 error(s) and 9 item(s) reported on remote host
          + End Time:           2020-09-04 22:15:41 (GMT2) (186 seconds)
          ---------------------------------------------------------------------------
          + 1 host(s) tested


                *********************************************************************
                Portions of the server's headers (Apache/2.4.29) are not in
                the Nikto database or are newer than the known string. Would you like
                to submit this information (*no server specific data*) to CIRT.net
                for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 
          + The anti-clickjacking X-Frame-Options header is not present.
          + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
          + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
          + ERROR 302: Update failed, please notify sullo@cirt.net of this code.
          
        

After visiting the webpage and seeing this I was a bit puzzled, I then started clicking on all of the links I then focused on guessing a few paths. Inside of the robots.txt file there was a mention of an upload/ directory going there I found a few interesting file but mainly a file called dict.lst I downloaded that file and moved to the nikto scan to see what came up. The nikto scan found a potentially interesting folder named secret/ looking at it there was a ssh private key I could use!

Exploitation

With that ssh key I ran it through john the ripper with the dictionary I found earlier as a wordlist. While that was running I went back to the page to see if I could find a username for that ssh key. In the source code of the main page there was a developer note signed to john.

With the ssh key cracked and the possible username found I just simply connected to the machine and retrieved the user flag.

Privilege Escalation

Now on this bit it's something I was familiar with since an other room that had the same vulnerability.

For more information about how I exploited lxd you can read my write up for the Anonymous room on tryhackme.


Thank you for reading, if you have any question about this writeup don't hesitate to contact me over twitter or other socials that are listed on this website. Check out my other blog posts if you liked this one I put a lot of effort into them :)

My tryhackme account