Gaming Server CTF (THM)
Gaming server
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
SCANNING and ENUMERATION
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
NMAP SCAN
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ

I found a http server running on port 80
And a ssh server running on port 22
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Gobuster Directory SCan

I found a ββ secret ββ directory and a ββuploadsββ directory.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Enumerating the Website
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ

ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
I found a directory list with some common password and downloaded it.

ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
I found a private key for the user ββJohnββ that we found in the source code of the website.

ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Logging in to shh
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
The private key required a password which I found using ββJohn the Ripperββ.

ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Once I got into the machine, I did the typical priv esc enumeration, but didn't find much until I ran ID, and saw we were in the lxd group

From this article I found the following method for creating an alpine linux container and mounting it into the root directory.
Iβll used alpine to create a container

First i downloaded alpine to my box
Next i created the container
After the command finished running it has created an alpine image in a compressed gunzip file
Next i uploaded the image to the server


Next i ran the image.


Finally we got the root flag.
Was this helpful?