Gaming Server CTF (THM)
Gaming server
————————————————————————————————————————————————————————————————————————————————————————
————————————————————————————————————————————————————————————————————————————————————————
SCANNING and ENUMERATION
————————————————————————————————————————————————————————————————————————————————————————
NMAP SCAN
————————————————————————————————————————————————————————————————————————————————————————

I found a http server running on port 80
And a ssh server running on port 22
————————————————————————————————————————————————————————————————————————————————————————
Gobuster Directory SCan

I found a ‘’ secret ‘’ directory and a ‘’uploads’’ directory.
————————————————————————————————————————————————————————————————————————————————————————
Enumerating the Website
————————————————————————————————————————————————————————————————————————————————————————

————————————————————————————————————————————————————————————————————————————————————————
I found a directory list with some common password and downloaded it.

————————————————————————————————————————————————————————————————————————————————————————
I found a private key for the user ‘’John’’ that we found in the source code of the website.

————————————————————————————————————————————————————————————————————————————————————————
————————————————————————————————————————————————————————————————————————————————————————
Logging in to shh
————————————————————————————————————————————————————————————————————————————————————————
The private key required a password which I found using ‘’John the Ripper’’.

————————————————————————————————————————————————————————————————————————————————————————
————————————————————————————————————————————————————————————————————————————————————————
Once I got into the machine, I did the typical priv esc enumeration, but didn't find much until I ran ID, and saw we were in the lxd group

From this article I found the following method for creating an alpine linux container and mounting it into the root directory.
I’ll used alpine to create a container

First i downloaded alpine to my box
Next i created the container
After the command finished running it has created an alpine image in a compressed gunzip file
Next i uploaded the image to the server


Next i ran the image.


Finally we got the root flag.
Was this helpful?